Data Processing Agreement (DPA)
Last updated: 21 April 2026
Version 1.0, 21 April 2026. This Data Processing Agreement applies when you have personal data processed through Planvyo and supplements our terms and conditions.
1. Parties
This Data Processing Agreement ("Agreement") forms an integral part of the Terms and Conditions between the Customer (hereinafter: "Controller") and Planvyo, sole proprietorship, Chamber of Commerce no. 88806642, located at Palestinastraat 300, 6418 HS Heerlen, the Netherlands (hereinafter: "Processor"). This Agreement governs the processing of personal data by Processor on behalf of Controller, in accordance with Article 28 of the General Data Protection Regulation (GDPR).
Article 1. Subject and term
- Processor processes personal data on behalf of Controller in the context of delivering the Planvyo service.
- This Agreement applies for the duration of the main agreement (the Subscription) between the parties.
Article 2. Nature and purpose of the processing
- Nature of the processing: storage, consultation, modification and deletion of personal data within the Planvyo service for the purpose of staff scheduling and roster management.
- Purpose of the processing: enabling Controller to schedule employees, manage availability and administer hours.
Article 3. Categories of data subjects and personal data
- Data subjects: employees, on-call workers, planners and other staff of Controller.
- Categories of personal data:
  - Name
  - Email address
  - Worked and scheduled hours
  - Availability
  - Notes entered by Controller
Controller does not process special categories of personal data (such as health or religion data) or Citizen Service Numbers (BSN) via the Service. If Controller does so nonetheless, it is for Controller's own account and risk.
Article 4. Instructions
- Processor processes personal data only on written instructions from Controller. The main agreement and this Agreement count as such instructions.
- Processor informs Controller immediately if, in its opinion, an instruction violates the GDPR or other privacy legislation.
Article 5. Security
Processor takes appropriate technical and organisational measures to protect personal data against loss and unlawful processing, including:
- Encrypted connection (TLS/HTTPS) for all data traffic
- Encrypted storage of passwords (hashing)
- Role-based access control and the "least privilege" principle
- Regular backups, stored at Hetzner within the EU
- Logging of access and modifications
- Physical security of our own hardware colocated at Cellnex Amsterdam
- Periodic evaluation of security measures
Upon request, Processor provides an overview of current security measures.
Article 6. Confidentiality
Processor ensures that everyone involved in the processing of personal data — employees, contractors and sub-processors — has committed to confidentiality or is subject to an appropriate statutory duty of confidentiality.
Article 7. Sub-processors
- Controller grants Processor general authorisation to engage sub-processors. The current sub-processors at the effective date are:
| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Stripe Payments Europe, Ltd. | Payment processing | EU |
| Hetzner Online GmbH | Backup storage | Germany (EU) |
- Processor informs Controller at least 30 days in advance of adding or replacing sub-processors, to which Controller may reasonably object. If the parties do not reach agreement, Controller may terminate the main agreement with effect from the effective date of the relevant change.
- Processor concludes an agreement with each sub-processor that contains at least the same obligations as this Agreement.
- Google Analytics and Meta Pixel are not used for processing Customer Data within the Service; they are only active on the marketing website and only with visitor consent.
Article 8. Transfer outside the EEA
- Processor processes personal data within the European Economic Area (EEA). The production environment and database run on Processor's own hardware colocated at Cellnex Amsterdam; backups are stored at Hetzner in Germany.
- Should a transfer outside the EEA be necessary, it takes place only on the basis of appropriate safeguards such as an adequacy decision or Standard Contractual Clauses.
Article 9. Assistance to Controller
- Processor provides Controller with reasonable assistance in:
  - responding to data subject requests (access, rectification, erasure, portability);
  - complying with security and breach notification obligations;
  - carrying out a Data Protection Impact Assessment (DPIA) where necessary.
- Processor may charge reasonable costs for assistance outside its standard service.
Article 10. Data breaches
- Processor informs Controller without undue delay, and in any case within 48 hours, after a data breach has been detected.
- The notification contains at least the information Controller needs to fulfil its own notification obligation, including:
  - the nature of the breach;
  - the categories and number of data subjects involved;
  - the likely consequences;
  - measures taken or proposed.
Article 11. Audit
- Controller may, at its own expense, have an audit conducted of compliance with this Agreement at most once per year, or more often if there is a legitimate reason.
- The audit is performed by an independent, qualified third party subject to confidentiality. The audit is announced at least 30 days in advance and takes place during office hours.
- Processor may satisfy its audit obligation by providing a current report of a recognised certification (such as ISO 27001) or an independent assessment.
Article 12. Termination and return
- Upon termination of the main agreement, Controller has 30 days to export Customer Data.
- After this period, Processor deletes all personal data, unless retention is required under laws and regulations.
- Processor confirms deletion in writing upon request.
Article 13. Liability
- The liability provisions of the main agreement (Terms and Conditions) apply by analogy to liability under this Agreement.
- Fines imposed directly on Processor by supervisory authorities are borne by Processor insofar as they result from a shortcoming of Processor.
Article 14. Governing law
Dutch law applies to this Agreement. Disputes are submitted to the competent court in the district where Processor is established.
Article 15. Final provisions
- In case of conflict between this Agreement and the main agreement, this Agreement prevails insofar as it concerns the processing of personal data.
- In case of conflict between this Agreement and mandatory law (including the GDPR), mandatory law prevails.
Contact
Questions about this Data Processing Agreement? Email privacy@planvyo.com.