PeopleWare CPS — Data Processing Agreement (DPA)
Last updated: [PENDING: effective date]
This Data Processing Agreement ("DPA") is entered into pursuant to Article 28 of Regulation (EU) 2016/679 ("GDPR") between:
- the customer subscribing to the PeopleWare CPS service under the Terms of Service (the "Customer", acting as controller); and
- GeniusDiagram Unip Lda, a single-member private limited company incorporated under the laws of Portugal, with registered office at Rua 1.º de Dezembro, 47 - 3.º Dto., 2700-670 Amadora, Portugal and tax identification number PT515101290, trading as "PeopleWare" / "PeopleWare CPS" ("GeniusDiagram", acting as processor).
This DPA forms part of, and is incorporated into, the Terms of Service (the "Agreement"). In case of conflict regarding the processing of personal data, this DPA prevails.
1. Scope and Roles
1.1 This DPA applies to personal data processed by GeniusDiagram on behalf of the Customer in the provision of the Service, as described in Annex I.
1.2 The Customer is the controller (or, where applicable, a processor acting on behalf of another controller, in which case it warrants it has the necessary authorisations); GeniusDiagram is the processor.
1.3 GeniusDiagram's processing of personal data as a controller (e.g., billing and account administration of the Customer relationship) is governed by the Privacy Policy, not this DPA.
2. Processing on Documented Instructions
2.1 GeniusDiagram shall process personal data only on the Customer's documented instructions, including with regard to transfers to third countries, unless required by EU or Member State law (in which case GeniusDiagram informs the Customer before processing, unless prohibited by law).
2.2 The Agreement, this DPA and the Customer's configuration and use of the Service constitute the Customer's complete documented instructions. Additional instructions require written agreement.
2.3 GeniusDiagram shall inform the Customer if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.
3. Confidentiality
GeniusDiagram ensures that persons authorised to process the personal data are bound by confidentiality obligations (contractual or statutory).
4. Security
GeniusDiagram implements and maintains the technical and organisational measures described in Annex II, taking into account the state of the art, costs, and the nature, scope, context and purposes of processing, pursuant to Article 32 GDPR.
5. Sub-processors
5.1 The Customer provides a general authorisation for the engagement of the sub-processors listed in Annex III.
5.2 New sub-processors. GeniusDiagram shall notify the Customer by email of any intended addition or replacement of sub-processors. The Customer may object on reasonable data-protection grounds within 30 days of the notice. If the parties cannot resolve the objection in good faith, the Customer may terminate the affected subscription as its sole remedy.
5.3 GeniusDiagram imposes data protection obligations on sub-processors that are materially equivalent to those in this DPA and remains liable to the Customer for the performance of its sub-processors.
6. Data Subject Rights Assistance
Taking into account the nature of the processing, GeniusDiagram shall assist the Customer, by appropriate technical and organisational measures and insofar as possible, in fulfilling the Customer's obligation to respond to data subject requests (Articles 12–23 GDPR). Requests received directly by GeniusDiagram that identify the Customer's tenant will be forwarded to the Customer without undue delay.
7. Personal Data Breach
7.1 GeniusDiagram shall notify the Customer without undue delay and in any event within 48 hours after confirming a personal data breach affecting the Customer's personal data.
7.2 The notification shall include, to the extent available: the nature of the breach, categories and approximate numbers of data subjects and records concerned, likely consequences, measures taken or proposed, and a contact point.
7.3 GeniusDiagram shall cooperate with the Customer and take reasonable steps to mitigate and remediate the breach. Notification is not an acknowledgement of fault or liability.
8. DPIA and Prior Consultation Assistance
GeniusDiagram shall provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with supervisory authorities (Articles 35–36 GDPR), insofar as related to the processing under this DPA and the information available to GeniusDiagram.
9. Audits
9.1 GeniusDiagram shall make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR.
9.2 Audit rights are satisfied by GeniusDiagram responding to written security questionnaires and providing relevant reports and documentation (e.g., descriptions of the measures in Annex II, summaries of relevant assessments). On-site audits are excluded, except where required by mandatory law or a competent supervisory authority, in which case they shall be conducted with reasonable prior notice, during business hours, at the Customer's cost, no more than once per year, and subject to confidentiality.
10. International Transfers
10.1 Personal data is hosted in the EU (Annex III). Where processing involves a transfer to a third country (currently: Anthropic PBC, USA, in connection with the AI Schema Assistant), the transfer is carried out under the EU-US Data Privacy Framework and/or the EU Standard Contractual Clauses (Commission Decision (EU) 2021/914), together with supplementary measures where required.
10.2 Error tracking uses GlitchTip on its EU instance (eu.glitchtip.com); event data is processed in the EU and does not leave it. Verified 2026-06-15.
11. Return and Deletion
11.1 Upon termination of the Agreement, and in accordance with the Terms of Service: the Customer may export its Schemas and data until the end of its regular access; GeniusDiagram shall delete the Customer's personal data 60 days after termination/cancellation, unless EU or Member State law requires longer storage.
11.2 Residual copies in backups are deleted in accordance with the backup rotation cycle (30 days) and remain protected by the measures in Annex II until deletion.
12. Liability and General
12.1 Liability under this DPA is subject to the limitations and exclusions of the Agreement, to the extent permitted by applicable data protection law. [LAWYER: confirm interaction with GDPR Art. 82 allocation between controller and processor.]
12.2 This DPA is governed by the same law and jurisdiction as the Agreement (Portuguese law; courts of Lisbon).
12.3 This DPA terminates automatically upon deletion of all Customer personal data pursuant to Section 11.
Annex I — Details of Processing
Subject matter: provision of the PeopleWare CPS SaaS platform (configure/price/sell engine, backoffice, API, e-commerce plugins, AI features).
Duration: the term of the Agreement plus the deletion periods in Section 11.
Nature and purposes: hosting, storage, computation of product configurations and prices, transmission to/from the Customer's e-commerce stores, account and access management, support, security monitoring and backups.
Categories of data subjects: (a) users of the Customer's tenant (the Customer's staff and authorised agents/integrators); (b) to a limited extent, the Customer's end customers (see below).
Categories of personal data: (a) tenant user account data: name, email address, role, authentication data, activity logs; (b) pseudonymised order references and product configuration data transmitted by the plugins: order reference, platform identifier, currency, completion timestamp, product configuration. The plugins do not transmit names, email addresses, postal addresses or other directly identifying data of end customers; only the Customer's own store can link order references to identifiable persons.
Special categories of data: none intended; the Customer shall not submit special-category data to the Service.
Frequency: continuous, for the duration of the Agreement.
Annex II — Technical and Organisational Measures (TOMs)
- Encryption in transit: TLS for all client, API and plugin communications.
- Credential protection: API keys stored as SHA-256 hashes; secrets management for service credentials.
- Internal secure channel: authenticated and encrypted internal service-to-service channel (X25519 key agreement + HMAC), with protocol-level enforcement preventing direct access to the core engine.
- Multi-tenant isolation: logical isolation of tenant data at application and data layers.
- Access control: role-based access control for tenant users; least-privilege access for GeniusDiagram personnel; reduced-privilege deployment accounts.
- Security monitoring: SIEM (Wazuh) with alerting, log collection and anomaly detection.
- Backups: automated daily database backups with 30-day retention, integrity-checked on creation; restore procedures verified periodically (quarterly recommended).
- Patching and hardening: regular security patching of OS, runtime and application dependencies; vulnerability monitoring.
- Hosting: EU datacenter (OVH, France) with physical and environmental security provided by the hosting provider.
- Incident response: documented detection and escalation procedures supporting the 48-hour customer breach notification commitment.
Annex III — Authorised Sub-processors
| Sub-processor | Entity / Country | Service | Transfer mechanism |
|---|---|---|---|
| OVH SAS | France (EU) | Cloud hosting and infrastructure (datacenter in France) | n/a (EU) |
| PeopleWare email infrastructure | EU GeniusDiagram Unip Lda (first-party, EU servers) | Transactional email | n/a (EU) |
| GlitchTip (EU) | GlitchTip — EU instance (eu.glitchtip.com) | Error tracking / diagnostics | n/a — EU processing |
| Anthropic PBC | USA | AI Schema Assistant (LLM processing) | EU-US Data Privacy Framework and/or SCCs |