
Data Processing Agreement (DPA)

pursuant to Art. 28 GDPR

Last updated: May 26, 2026
Version: 1.0

This Data Processing Agreement (“DPA”) is concluded between the Organization that registers for Consulting Cockpit (the “Controller”) and GRAN Software Solutions GmbH (the “Processor”). It forms part of the Terms of Service and is effective upon registration.


1. Subject Matter and Duration

The Processor provides a time tracking and invoicing SaaS platform (Consulting Cockpit) to the Controller. The processing of personal data under this DPA occurs for the duration of the contract under the Terms of Service, plus statutory retention periods as set out therein.

2. Nature and Purpose of Processing

The Processor processes personal data on behalf of the Controller to deliver the Service, including:

  • User account management and authentication
  • Time tracking, project management, and invoicing
  • Team collaboration and leave management
  • Support and maintenance
  • Data backup and recovery

3. Categories of Data Subjects

  • Users of the Controller (employees, contractors, and other authorized persons)
  • Clients and business partners of the Controller whose data is entered into the Service

4. Types of Personal Data

  • Name, email address, and profile information of Users
  • Authentication data
  • Time tracking records and activity data
  • Contact details of the Controller’s clients and partners
  • Invoicing and billing data
  • Any other data submitted or uploaded by the Controller through the Service

5. Obligations of the Processor

The Processor shall:

a) Process personal data only on documented instructions of the Controller, unless required by EU or Member State law;

b) Ensure that all persons authorized to process the personal data are bound by confidentiality obligations;

c) Implement appropriate technical and organizational measures (TOMs) as described in Section 10;

d) Comply with the conditions for engaging sub-processors as set out in Section 6;

e) Assist the Controller in fulfilling its obligations to respond to data subject rights requests (Art. 15–22 GDPR);

f) Assist the Controller with compliance regarding security of processing, data breach notification, data protection impact assessments, and prior consultations (Art. 32–36 GDPR);

g) At the choice of the Controller, delete or return all personal data after termination of the Service, and delete existing copies unless EU or Member State law requires storage;

h) Make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and allow for and contribute to audits.

6. Sub-processors

6.1 The Controller provides general written authorization for the Processor to engage the following sub-processors:

Sub-processor | Service | Location
Hetzner | Infrastructure and cloud hosting (compute, networking) | Germany / Finland
Scaleway | Object storage and cloud infrastructure | Poland / France

6.2 The Processor shall notify the Controller at least 14 days before engaging any new sub-processor. If the Controller objects on reasonable grounds related to data protection, the parties shall negotiate in good faith. If no agreement is reached, the Controller may terminate the Service with 14 days’ notice.

7. Data Subject Rights

7.1 The Processor shall assist the Controller in fulfilling its obligations regarding data subject requests under Art. 15–22 GDPR.

7.2 If a data subject makes a request directly to the Processor, the Processor shall forward it to the Controller without undue delay.

8. Personal Data Breach

8.1 The Processor shall notify the Controller without undue delay upon becoming aware of a personal data breach affecting data processed under this DPA.

8.2 The notification shall include, to the extent available: the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed.

8.3 The Processor shall cooperate fully with the Controller in investigating and remediating the breach.

9. Data Deletion and Return

Upon termination of the Service, the Processor shall, at the choice of the Controller, delete or return all personal data within 30 days, unless EU or Member State law requires retention (e.g., retention of invoices under §§ 257 HGB, 147 AO).

10. Technical and Organizational Measures (TOMs)

The Processor maintains appropriate TOMs in accordance with Art. 32 GDPR, including but not limited to:

  • Encryption at rest and in transit (TLS)
  • Role-based access controls (RBAC)
  • Regular security updates and patch management
  • Firewalls and intrusion detection
  • Data backup and disaster recovery procedures
  • Personnel confidentiality and data protection training
  • Incident response procedures

11. Audits

11.1 The Controller may audit the Processor’s compliance with this DPA upon reasonable suspicion of a breach of this DPA or following a personal data breach.

11.2 Audits shall be conducted at the Controller’s expense, with at least 14 days’ notice, and during business hours.

11.3 To avoid disruption, the Processor may fulfill audit requests by providing an independent security certification (e.g., SOC 2, ISO 27001) or a summary of its current TOMs, in lieu of an on-site audit.

12. Governing Law and Jurisdiction

This DPA is governed by the laws of the Federal Republic of Germany. Any disputes shall be subject to the exclusive jurisdiction of the courts of Berlin, Germany.


This DPA is incorporated into and forms part of the Terms of Service.


© 2026 GRAN Software Solutions GmbH. All rights reserved.
