Data Processing Agreement (DPA)
pursuant to Art. 28 of Regulation (EU) 2016/679 (GDPR)
As of: March 2026
§ 1 Preamble
This Data Processing Agreement (hereinafter “DPA”) is concluded between
the customer of the cloud-based production planning software “GanttWork”
– hereinafter “Controller” –
and
Fabricon Design e.U.
Am Anningerpark 2/1/31, 2351 Wiener Neudorf, Austria
Owner: Daniela Bartisch
FN 564201h, LG Wiener Neustadt
VAT ID: ATU83119206
Email: info@ganttwork.at
– hereinafter “Processor” –
– Controller and Processor hereinafter individually also referred to as “Party” and collectively as “Parties” –
The Processor operates the cloud-based production planning software “GanttWork” (hereinafter “Software” or “Service”) as Software-as-a-Service (SaaS). In the course of using the Software, the Processor processes personal data on behalf of the Controller. This DPA specifies the data protection rights and obligations of the Parties pursuant to Art. 28 GDPR.
This DPA supplements the main contract between the Parties regarding the use of the Software (hereinafter “Main Contract”). In the event of conflicts between this DPA and the Main Contract, the provisions of this DPA shall take precedence with regard to the protection of personal data.
§ 2 Subject and Duration of Processing
(1) The subject of this DPA is the processing of personal data by the Processor in the context of the provision and operation of the cloud-based production planning software “GanttWork” pursuant to the Main Contract.
(2) The duration of the processing corresponds to the term of the Main Contract. This DPA commences upon signature and ends automatically upon termination of the Main Contract, regardless of the reason, unless the provisions of this DPA give rise to obligations that extend beyond termination (in particular deletion obligations pursuant to § 7(4)).
(3) The Processor processes personal data exclusively within the European Union (EU) or the European Economic Area (EEA). There is no transfer to third countries.
§ 3 Scope, Nature, and Purpose of Data Processing
(1) The Processor processes personal data on behalf of and in accordance with documented instructions from the Controller. The processing encompasses the following activities:
- Storage and management of production orders, operations, and work sessions
- Recording and storage of working time data via the worker terminal
- Management of user accounts including access data (username, hashed password)
- Storage of resource and machine data
- Storage of customer data of the Controller (names, addresses)
- Provision of the Software via encrypted internet connections (HTTPS/TLS)
- Creation of data backups
- Maintenance and technical support of the Software
(2) The purpose of the data processing is to enable the Controller to use the Software “GanttWork” for digital production planning, production control, and time tracking.
(3) The processing is carried out exclusively on the basis of this DPA and the instructions of the Controller. Processing for the Processor’s own purposes does not take place.
§ 4 Types of Personal Data
The following types of personal data are processed in the course of the commissioned processing:
- Master data: Names, usernames, email addresses of the Controller’s users
- Access data: Usernames and hashed passwords (bcrypt)
- Usage data: Login times, session data, log data
- Working time data: Clock-in/clock-out times at the worker terminal, work sessions (start, end, duration), assignment to operations and resources
- Order data: Production orders with associated customer names and addresses of the Controller
- Worker names: First and/or last names of the Controller’s employees who use the worker terminal
The processing of special categories of personal data pursuant to Art. 9 GDPR is not the subject of this DPA.
§ 5 Categories of Data Subjects
The following categories of persons are affected by the processing:
- Employees of the Controller: Users of the Software (planners, administrators), workers who use the terminal for time tracking
- Customers of the Controller: Natural persons whose names and addresses are stored in production orders
- Contact persons of the Controller: Contact persons for contract performance and technical support
§ 6 Right of Instruction of the Controller
(1) The Processor processes personal data exclusively on the basis of documented instructions from the Controller (Art. 28(3)(a) GDPR), including with regard to the transfer of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
(2) Instructions shall generally be issued in text form (email). Oral instructions shall be confirmed in text form without delay.
(3) The Processor shall immediately inform the Controller if, in the Processor’s opinion, an instruction infringes data protection provisions (Art. 28(3) sentence 3 GDPR). The Processor is entitled to suspend execution of the instruction concerned until it is confirmed or amended by the Controller.
(4) Persons authorised to issue instructions on behalf of the Controller and persons authorised to receive instructions on behalf of the Processor shall be designated in the Main Contract or separately. Changes shall be communicated to the other Party without delay in text form.
§ 7 Obligations of the Processor
7.1 Confidentiality
(1) The Processor shall ensure that the persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR).
(2) The confidentiality obligation shall continue to apply after termination of this DPA.
7.2 Technical and Organisational Measures
(1) The Processor shall take all technical and organisational measures required pursuant to Art. 32 GDPR to ensure the security of the processing. The current measures are documented in Annex 1 to this DPA.
(2) The Processor is entitled to adjust the technical and organisational measures during the term of the contract, provided that the contractually agreed level of protection is not reduced. Material changes shall be communicated to the Controller in text form.
7.3 Support Obligations
(1) The Processor shall assist the Controller, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of requests from data subjects exercising their rights under Chapter III of the GDPR (Art. 28(3)(e) GDPR).
(2) The Processor shall assist the Controller, taking into account the nature of the processing and the information available to the Processor, in ensuring compliance with the obligations referred to in Art. 32 to 36 GDPR (data security, notification of data breaches, data protection impact assessment, prior consultation).
(3) The Processor shall inform the Controller without delay, and in any event within 24 hours of becoming aware, of any personal data breach (Art. 33(2) GDPR). The notification shall contain at least:
- A description of the nature of the breach
- The categories and approximate number of data subjects and data records affected
- A description of the likely consequences
- A description of the measures taken or proposed
7.4 Deletion and Return
(1) After termination of the Main Contract, the Processor shall delete all personal data processed on behalf of the Controller, unless Union or Member State law requires retention of the personal data (Art. 28(3)(g) GDPR).
(2) At the Controller’s request, the Processor shall make a copy of the data available in a common, machine-readable format (data export) prior to deletion.
(3) Deletion shall take place within 30 days after the end of the contract, unless otherwise agreed. The Processor shall confirm deletion in text form upon request.
§ 8 Sub-processing
(1) The Controller hereby grants the Processor general written authorisation to engage further processors (sub-processors) (Art. 28(2) GDPR). The Processor shall inform the Controller of any intended changes regarding the addition or replacement of sub-processors at least 30 days in advance in text form.
(2) The Controller may object to the change within 14 days of receipt of the information on legitimate data protection grounds. If no objection is raised within this period, the authorisation shall be deemed granted. In the event of a legitimate objection, the Processor is entitled to terminate the Main Contract on an extraordinary basis with a notice period of 3 months to the end of the month.
(3) The Processor shall impose the same data protection obligations on the sub-processor as set out in this DPA (Art. 28(4) GDPR). The Processor shall be liable to the Controller for the sub-processor’s compliance with the data protection obligations.
(4) At the time of conclusion of this DPA, the Processor engages the following sub-processor:
| Sub-processor | Address | Service | Location |
|---|---|---|---|
| netcup GmbH | Daimlerstraße 25, 76185 Karlsruhe, Germany | Server hosting, infrastructure (IaaS) | Germany (EU) |
(5) The Controller agrees to the engagement of the aforementioned sub-processor by signing this DPA.
§ 9 Audit Rights of the Controller
(1) The Controller has the right to verify the Processor’s compliance with the provisions of this DPA and applicable data protection regulations (Art. 28(3)(h) GDPR). The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.
(2) Inspections, including audits, by the Controller or an auditor mandated by the Controller are permissible. They shall be announced with reasonable notice (at least 14 business days) and carried out taking into account the legitimate interests of the Processor (confidentiality, business operations).
(3) The Processor may alternatively demonstrate compliance with its obligations by:
- Submission of a current certificate or report from an independent auditor
- Submission of a suitable certification
- Self-assessment or questionnaire
provided the Controller has no justified doubts about compliance.
§ 10 Liability
(1) The liability of the Parties is governed by Art. 82 GDPR. Each Party shall be liable for damage caused by processing that does not comply with the GDPR, in accordance with the statutory provisions.
(2) The Processor shall be liable for damage caused by processing that does not comply with the obligations specifically directed at processors under the GDPR or that is carried out outside of or contrary to the lawful instructions of the Controller (Art. 82(2) GDPR).
(3) The Processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage (Art. 82(3) GDPR).
(4) Any limitations of liability from the Main Contract shall also apply to this DPA, insofar as they do not contravene mandatory law.
§ 11 Term and Termination
(1) This DPA is concluded for an indefinite term and ends automatically upon termination of the Main Contract.
(2) The right to extraordinary termination of this DPA for good cause remains unaffected. Good cause exists in particular if the Processor repeatedly or seriously breaches the provisions of this DPA or data protection regulations and fails to remedy the situation despite a warning.
(3) Obligations that by their nature continue beyond termination of this DPA (in particular confidentiality and deletion obligations) shall continue to apply regardless of the termination of this DPA.
§ 12 Final Provisions
(1) Amendments and supplements to this DPA require text form. This also applies to the amendment of this text form clause.
(2) Should individual provisions of this DPA be or become invalid or unenforceable, the validity of the remaining provisions shall not be affected. The Parties undertake to replace the invalid or unenforceable provision with a valid and enforceable provision that comes as close as possible to the economic purpose of the invalid or unenforceable provision.
(3) The law of the Republic of Austria shall apply, excluding the UN Convention on Contracts for the International Sale of Goods and the conflict of laws rules of private international law.
(4) The exclusive place of jurisdiction for all disputes arising from and in connection with this DPA is the competent court at the Processor’s registered office (Wiener Neustadt, Austria), to the extent permitted by law.
§ 13 Signatures
This Data Processing Agreement is drawn up in two identical copies, one for each Party.
Controller
Place, Date
Company / Name
Name of Signatory
Signature & Stamp
Processor
Place, Date
Company / Name
Fabricon Design e.U.
Name of Signatory
Daniela Bartisch, Owner
Signature & Stamp
Annex 1
Technical and Organisational Measures (TOM)
pursuant to Art. 32 GDPR — As of: March 2026
The Processor has implemented the following technical and organisational measures to protect personal data. The measures are regularly reviewed and adapted to the state of the art as necessary.
1. Physical Access Control
Measures to prevent unauthorised persons from gaining physical access to data processing facilities.
- The servers are located in a professional data centre operated by netcup GmbH in Germany (EU).
- The data centre has 24/7 access control systems, electronic access locking systems, video surveillance, and security personnel.
- Physical access to the servers is only possible for authorised personnel of the hosting provider.
- The Processor itself has no physical access to the servers – administration is carried out exclusively via encrypted remote connections.
2. System Access Control
Measures to prevent unauthorised persons from using data processing systems.
- Server access is exclusively via SSH with Ed25519 key authentication (no password login).
- User passwords are stored exclusively as bcrypt hashes – plaintext passwords are never stored.
- Role-based access control (RBAC): Distinction between administrator, planner, and worker roles with graduated permissions.
- Automatic session management with time-limited authentication tokens.
- Firewall rules restrict access to the necessary ports (HTTPS/443, SSH/22).
3. Data Access Control
Measures to ensure that only authorised data can be accessed.
- Strict multi-tenant architecture: Each customer receives their own isolated database instance (separate PostgreSQL databases).
- Application-level tenant separation: Each customer instance runs in its own Docker container with separate configuration.
- No cross-instance data access is possible – neither at the database nor at the application level.
- Administrative access to customer data is restricted to authorised employees of the Processor and is only carried out within the scope of support and maintenance.
4. Data Transfer Control
Measures to ensure that personal data cannot be read, copied, modified, or removed without authorisation during transmission and storage.
- All data transmission between client and server is exclusively via TLS/SSL-encrypted connections (HTTPS with Let’s Encrypt certificates).
- Administrative server access is exclusively via encrypted SSH connections.
- There is no transfer of personal data to third countries (outside EU/EEA).
- Personal data is not disclosed to third parties unless the Controller issues a corresponding instruction.
5. Input Control
Measures to ensure that it can be subsequently verified whether and by whom personal data has been entered, modified, or removed.
- Application-level logging of relevant user actions and data changes.
- Work sessions at the worker terminal are logged with timestamps and user assignment.
- Server logs are maintained and retained for error analysis and traceability.
6. Job Control
Measures to ensure that personal data processed on behalf of the Controller is processed only in accordance with the Controller’s instructions.
- This Data Processing Agreement documents the scope and conditions of the processing.
- Instructions from the Controller are documented and implemented in text form.
- Employees of the Processor are committed to confidentiality and compliance with data protection regulations.
- Only sub-processors that meet the requirements of this DPA are engaged.
7. Availability Control
Measures to ensure that personal data is protected against accidental destruction or loss.
- Daily automated database backups (PostgreSQL dumps) with retention over a defined period.
- Server availability of at least 99.5% (SLA) through a professional data centre with redundant power and network supply.
- Docker-based containerisation enables rapid recovery of the application in the event of failure.
- Monitoring of system availability and automatic notification in the event of outages.
- Regular updating of operating system and software components (security updates).
8. Separation Control
Measures to ensure that data collected for different purposes is processed separately.
- Each customer receives their own physically separate PostgreSQL database.
- Separate Docker containers per customer instance with individual configuration and their own network namespace.
- Strict separation of production, development, and demo systems.
- No mixing of customer data from different controllers – neither at the database nor at the application level.