Data Processing Agreement (DPA)

Version 1.0 — Last updated: 2025-10-31


1. Parties & Purpose

This DPA governs processing of personal data by the Service provider (“Processor”) on behalf of the customer (“Controller”) in connection with use of phasi.app, pursuant to Art. 28 GDPR.

2. Subject Matter & Duration

Processing is limited to workspace/project data uploaded by Controller’s users and lasts for the subscription term.

3. Nature & Purpose of Processing

  • Hosting, storage, retrieval, and display to authorized users
  • Backups, security, support, troubleshooting
  • Service improvement using aggregated, non-identifying metrics

4. Types of Data & Data Subjects

  • Personal data: names, emails, organization info, usage metadata
  • Data subjects: Controller’s employees, contractors, authorized users
  • No special categories (Art. 9); no safety-critical/medical data

5. Processor Obligations

  • Process only on documented instructions from Controller
  • Confidentiality, access control, and security measures (see Security Policy)
  • Assist with data subject requests (Arts. 15–21), breach notifications (Arts. 33–34)
  • Delete/return personal data at termination, subject to legal retention

6. Sub-processors

Authorized sub-processors are listed at /subprocessors. Processor remains responsible for sub-processors and uses appropriate safeguards.

7. International Transfers

Transfers outside the EEA (if any) rely on appropriate safeguards (e.g., EU SCCs) and transfer impact assessments where required.

8. Audits & Assurance

Upon reasonable request, Processor provides information necessary to demonstrate compliance; audits are subject to confidentiality and reasonable limitations.

9. Liability

Liability is governed by the Terms of Service. Nothing herein expands Processor’s liability beyond those Terms.

10. Term & Termination

This DPA forms part of the Agreement and terminates with it. In case of conflict, the DPA prevails with respect to data protection.