Data Processing Agreement (DPA)
This DPA forms part of the EULA/Order with CEEQ.IT (Strahberger Organisationsentwicklung).
1. Parties & Roles
Controller: the Customer as defined in the EULA. Processor: Strahberger Organisationsentwicklung (operating as "CEEQ.IT").
2. Subject matter & duration
Processing of personal data in the provision of the CEEQ.IT SaaS for the term of the subscription and as further required for offboarding obligations.
3. Nature & purpose; data categories; data subjects
- Nature/Purpose: hosting and processing workspace content (tasks, comments, sprint data); account/support operations.
- Categories: identification data (business contact), content entered by Users; no special categories intended.
- Data subjects: Customer's employees/contractors and authorized users.
4. Processor obligations
- Process personal data only on documented instructions of Controller.
- Ensure confidentiality and train authorized personnel.
- Implement and maintain technical and organizational measures (TOMs) (Annex A).
- Assist Controller with data subject requests, security, DPIAs and consultations as appropriate.
- Notify Controller without undue delay after becoming aware of a personal data breach.
- Make available information necessary to demonstrate compliance and allow audits as agreed (e.g., reports/certifications).
5. Sub-processors
Processor may engage sub-processors listed at subprocessors.html. Processor will notify Controller of changes and allow reasonable objection, in which case Processor and Controller will work in good faith toward a solution.
6. International transfers
Where personal data is transferred to countries without adequacy, Processor will implement appropriate safeguards such as the 2021 EU Standard Contractual Clauses (and UK addendum if applicable) with transfer risk assessments.
7. Return & deletion at end of services
At the choice of the Controller, Processor shall delete or return personal data after the end of the provision of services, subject to legal retention. Returns follow the EULA's Section 3.4 (Minimal-Variante A: values-only, no schemas/keys; commercially reasonable manner available in the Service). Data deletion will be completed within 30 days of termination unless otherwise instructed by Controller or required by law.
8. Liability & precedence
Liability follows the EULA. In case of conflict between the DPA and the EULA regarding data protection, this DPA prevails.
Annex A – Technical & Organizational Measures (summary)
- Encryption in transit (TLS) and at rest; key management via platform capabilities.
- Access control (RBAC, least privilege), MFA for administrative access.
- Logging/monitoring; vulnerability management; change management.
- Backup & restore; geo-redundancy per Customer region; regular recovery tests.
- Secure software development practices; segregation of environments.
- Incident response playbooks; breach notification process.
Contact: privacy@ceeq.it • Legal: legal@ceeq.it