Data Processing Agreement (DPA)

Last updated: December 2025

This Data Processing Agreement (DPA) pursuant to Art. 28 GDPR applies between the Customer as Controller and Marco Kerwitz, kerwitz.dev, Birkenweg 21, 31226 Peine, Germany (hereinafter "Processor") for the use of the SaaS service "Kanman".

For B2B Customers

If you use Kanman as a business and your end users store personal data in Kanman, you may need a DPA. Contact us at [email protected] for a signed version.

1. Subject Matter and Duration of Processing

1.1 Subject Matter

The Processor provides the Controller with the web-based project management software "Kanman" as a SaaS solution. In the course of this service provision, the Processor processes personal data on behalf of the Controller.

1.2 Duration

The duration of processing corresponds to the term of the main agreement for the use of Kanman. Upon termination of the main agreement, data will be deleted or returned in accordance with the provisions of this DPA.

2. Nature and Purpose of Processing

Processing serves to provide the Kanman SaaS service, in particular:

  • Storage and management of projects, boards, and tasks
  • User authentication and access management
  • Provision of API and webhook functions (Pro/Teams)
  • Technical support and troubleshooting

3. Types of Personal Data

The following categories of personal data may be processed:

  • Master data: Name, email address of end users
  • Usage data: Login data, activity logs, IP addresses
  • Content data: Projects, tasks, and other content created by end users

4. Categories of Data Subjects

Data subjects are:

  • Employees and agents of the Controller
  • Other end users to whom the Controller grants access to Kanman

5. Obligations of the Controller

The Controller is responsible for the lawfulness of data processing and ensures that:

  • an appropriate legal basis for processing exists;
  • data subjects have been properly informed;
  • instructions to the Processor are lawful;
  • compliance with data protection regulations is regularly verified.

6. Obligations of the Processor

6.1 Instruction Binding

The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by Union or Member State law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information.

6.2 Confidentiality

The Processor shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6.3 Security of Processing

The Processor shall implement all measures required under Art. 32 GDPR. The technical and organizational measures (TOMs) are described in Annex 1.

6.4 Sub-processors

The Controller hereby grants general authorization for the engagement of sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes. Current sub-processors are listed in Annex 2.

6.5 Assistance to the Controller

The Processor shall assist the Controller:

  • in fulfilling the obligation to respond to requests from data subjects (Art. 15-22 GDPR);
  • in ensuring compliance with obligations under Art. 32-36 GDPR (security, data protection impact assessment, prior consultation);
  • in case of personal data breaches pursuant to Art. 33-34 GDPR.

6.6 Deletion and Return

Upon termination of the main agreement, the Processor shall delete all personal data within 30 days, unless retention is required under Union or Member State law. Upon request of the Controller, data shall be returned in a common format before deletion.

6.7 Demonstration of Compliance and Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

7. Data Transfers to Third Countries

Transfer of personal data to third countries shall only take place if the special requirements of Art. 44-49 GDPR are met. For transfers to the USA, EU Standard Contractual Clauses (SCCs) and, where applicable, certifications under the EU-US Data Privacy Framework are used.

8. Liability

Liability is governed by Art. 82 GDPR. Each party shall be liable to data subjects for the entire damage resulting from processing that violates the GDPR. The party that has paid compensation may claim back from the other party the part of the compensation corresponding to their part of responsibility for the damage.

9. Final Provisions

Amendments and supplements to this DPA require text form. Should individual provisions be invalid, the validity of the remaining provisions shall remain unaffected. German law applies.


Annex 1: Technical and Organizational Measures (TOMs)

Physical Access Control

Server infrastructure is operated by certified data centers (Supabase EU, Cloudflare) that have physical access controls, surveillance, and security personnel.

System Access Control

  • Password policies for all user accounts
  • Encrypted storage of passwords (bcrypt)
  • Session management with automatic timeout
  • Administrator access only for authorized personnel

Data Access Control

  • Role-based access control (RBAC) for Teams workspaces
  • Permission separation between workspaces
  • Access logging

Transmission Control

  • TLS 1.3 encryption for all data transfers
  • Encrypted database connections
  • No unencrypted data transfer

Input Control

  • Logging of data changes
  • Data versioning where applicable

Availability Control

  • Regular automatic backups
  • Geo-redundant data storage
  • Monitoring and alerting
  • Disaster recovery procedures

Separation Control

  • Logical separation of customer data through workspace IDs
  • Separate database schemas per tenant
  • Strict isolation between customers

Annex 2: List of Sub-processors

Sub-processor                 | Location          | Purpose                    | Safeguards
------------------------------|-------------------|----------------------------|----------------
Supabase Inc.                 | USA (EU hosting)  | Database, authentication   | SCCs, DPA
Cloudflare Inc.               | USA               | CDN, DDoS protection, DNS  | DPF, SCCs, DPA
Stripe Payments Europe Ltd.   | Ireland           | Payment processing         | DPA

Changes to this list will be communicated to the Controller at least 14 days before taking effect.


Contact

For questions about this DPA or to request a signed version:

Email: [email protected]