PeopleWare CPS ← Back to home
Draft under legal review. This document is published for transparency during the Early Adopter phase and is not yet in force. Items marked as pending are being finalised.

PeopleWare CPS — Data Processing Agreement (DPA)

Last updated: [PENDING: effective date]

This Data Processing Agreement ("DPA") is entered into pursuant to Article 28 of Regulation (EU) 2016/679 ("GDPR") between:

This DPA forms part of, and is incorporated into, the Terms of Service (the "Agreement"). In case of conflict regarding the processing of personal data, this DPA prevails.

1. Scope and Roles

1.1 This DPA applies to personal data processed by GeniusDiagram on behalf of the Customer in the provision of the Service, as described in Annex I.

1.2 The Customer is the controller (or, where applicable, a processor acting on behalf of another controller, in which case it warrants it has the necessary authorisations); GeniusDiagram is the processor.

1.3 GeniusDiagram's processing of personal data as a controller (e.g., billing and account administration of the Customer relationship) is governed by the Privacy Policy, not this DPA.

2. Processing on Documented Instructions

2.1 GeniusDiagram shall process personal data only on the Customer's documented instructions, including with regard to transfers to third countries, unless required by EU or Member State law (in which case GeniusDiagram informs the Customer before processing, unless prohibited by law).

2.2 The Agreement, this DPA and the Customer's configuration and use of the Service constitute the Customer's complete documented instructions. Additional instructions require written agreement.

2.3 GeniusDiagram shall inform the Customer if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.

3. Confidentiality

GeniusDiagram ensures that persons authorised to process the personal data are bound by confidentiality obligations (contractual or statutory).

4. Security

GeniusDiagram implements and maintains the technical and organisational measures described in Annex II, taking into account the state of the art, costs, and the nature, scope, context and purposes of processing, pursuant to Article 32 GDPR.

5. Sub-processors

5.1 The Customer provides a general authorisation for the engagement of the sub-processors listed in Annex III.

5.2 New sub-processors. GeniusDiagram shall notify the Customer by email of any intended addition or replacement of sub-processors. The Customer may object on reasonable data-protection grounds within 30 days of the notice. If the parties cannot resolve the objection in good faith, the Customer may terminate the affected subscription as its sole remedy.

5.3 GeniusDiagram imposes data protection obligations on sub-processors that are materially equivalent to those in this DPA and remains liable to the Customer for the performance of its sub-processors.

6. Data Subject Rights Assistance

Taking into account the nature of the processing, GeniusDiagram shall assist the Customer, by appropriate technical and organisational measures and insofar as possible, in fulfilling the Customer's obligation to respond to data subject requests (Articles 12–23 GDPR). Requests received directly by GeniusDiagram that identify the Customer's tenant will be forwarded to the Customer without undue delay.

7. Personal Data Breach

7.1 GeniusDiagram shall notify the Customer without undue delay and in any event within 48 hours after confirming a personal data breach affecting the Customer's personal data.

7.2 The notification shall include, to the extent available: the nature of the breach, categories and approximate numbers of data subjects and records concerned, likely consequences, measures taken or proposed, and a contact point.

7.3 GeniusDiagram shall cooperate with the Customer and take reasonable steps to mitigate and remediate the breach. Notification is not an acknowledgement of fault or liability.

8. DPIA and Prior Consultation Assistance

GeniusDiagram shall provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with supervisory authorities (Articles 35–36 GDPR), insofar as related to the processing under this DPA and the information available to GeniusDiagram.

9. Audits

9.1 GeniusDiagram shall make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR.

9.2 Audit rights are satisfied by GeniusDiagram responding to written security questionnaires and providing relevant reports and documentation (e.g., descriptions of the measures in Annex II, summaries of relevant assessments). On-site audits are excluded, except where required by mandatory law or a competent supervisory authority, in which case they shall be conducted with reasonable prior notice, during business hours, at the Customer's cost, no more than once per year, and subject to confidentiality.

10. International Transfers

10.1 Personal data is hosted in the EU (Annex III). Where processing involves a transfer to a third country (currently: Anthropic PBC, USA, in connection with the AI Schema Assistant), the transfer is carried out under the EU-US Data Privacy Framework and/or the EU Standard Contractual Clauses (Commission Decision (EU) 2021/914), together with supplementary measures where required.

10.2 Error tracking uses GlitchTip on its EU instance (eu.glitchtip.com); event data is processed in the EU and does not leave it. Verified 2026-06-15.

11. Return and Deletion

11.1 Upon termination of the Agreement, and in accordance with the Terms of Service: the Customer may export its Schemas and data until the end of its regular access; GeniusDiagram shall delete the Customer's personal data 60 days after termination/cancellation, unless EU or Member State law requires longer storage.

11.2 Residual copies in backups are deleted in accordance with the backup rotation cycle (30 days) and remain protected by the measures in Annex II until deletion.

12. Liability and General

12.1 Liability under this DPA is subject to the limitations and exclusions of the Agreement, to the extent permitted by applicable data protection law. [LAWYER: confirm interaction with GDPR Art. 82 allocation between controller and processor.]

12.2 This DPA is governed by the same law and jurisdiction as the Agreement (Portuguese law; courts of Lisbon).

12.3 This DPA terminates automatically upon deletion of all Customer personal data pursuant to Section 11.


Annex I — Details of Processing

Subject matter: provision of the PeopleWare CPS SaaS platform (configure/price/sell engine, backoffice, API, e-commerce plugins, AI features).

Duration: the term of the Agreement plus the deletion periods in Section 11.

Nature and purposes: hosting, storage, computation of product configurations and prices, transmission to/from the Customer's e-commerce stores, account and access management, support, security monitoring and backups.

Categories of data subjects: (a) users of the Customer's tenant (the Customer's staff and authorised agents/integrators); (b) to a limited extent, the Customer's end customers (see below).

Categories of personal data: (a) tenant user account data: name, email address, role, authentication data, activity logs; (b) pseudonymised order references and product configuration data transmitted by the plugins: order reference, platform identifier, currency, completion timestamp, product configuration. The plugins do not transmit names, email addresses, postal addresses or other directly identifying data of end customers; only the Customer's own store can link order references to identifiable persons.

Special categories of data: none intended; the Customer shall not submit special-category data to the Service.

Frequency: continuous, for the duration of the Agreement.

Annex II — Technical and Organisational Measures (TOMs)

Annex III — Authorised Sub-processors

Sub-processor Entity / Country Service Transfer mechanism
OVH SAS France (EU) Cloud hosting and infrastructure (datacenter in France) n/a (EU)
PeopleWare email infrastructure EU GeniusDiagram Unip Lda (first-party, EU servers) Transactional email n/a (EU)
GlitchTip (EU) GlitchTip — EU instance (eu.glitchtip.com) Error tracking / diagnostics n/a — EU processing
Anthropic PBC USA AI Schema Assistant (LLM processing) EU-US Data Privacy Framework and/or SCCs