Data Processing Agreement (DPA)
Agreement on data processing pursuant to Art. 28 GDPR between the cleanlist.app customer (controller) and Wogenfels GmbH (processor).
As of:
This Data Processing Agreement (hereinafter “DPA”) sets out in concrete terms the data protection obligations of the parties for the processing of personal data carried out by the processor in the course of providing cleanlist.app on behalf of the customer. It applies upon conclusion of the main contract (use of cleanlist.app) and forms an integral part thereof.
Controller (hereinafter “customer”): the respective customer using cleanlist.app.
Processor (hereinafter “processor”):
Wogenfels GmbH, Pribelsdorf 87, 9125 Eberndorf, Austria · FN 494514 b, Regional Court of Klagenfurt (Landesgericht Klagenfurt) · Email: hallo@cleanlist.app
1. Subject Matter and Duration
1.1. The subject matter is the processing of personal data by the processor on behalf of the customer for the provision of the contractually agreed SaaS services (digital checklists, runs, proof/records, damage reports, API/MCP/webhooks).
1.2. The duration of this DPA corresponds to the term of the main contract. Termination of the main contract also constitutes termination of this DPA.
2. Nature and Purpose of the Processing
The processing serves to provide the cleanlist platform: creating and publishing checklists, login-free completion by operators via link/QR code, recording of results, notes, photo and damage proof, evaluation in the dashboard, and – where configured by the customer – transmission of event data via API and webhooks.
3. Categories of Data Subjects and Data
3.1. Data subjects: the customer’s employees and administrators, operators (e.g. cleaning staff), and, where applicable, other persons involved by the customer.
3.2. Data categories:
- master/contact data of administrators (name, email address, organisation, password hash);
- names and details of operators that they provide when completing a checklist;
- content and usage data of the runs (checkmarks, values, notes, timestamps, report codes);
- photo/image data as proof, as well as damage reports (description, location, severity, status);
- technical metadata (e.g. language, timestamps).
3.3. The processing of special categories of personal data (Art. 9 GDPR) is not the subject of this DPA; the customer ensures that such data is not entered into the platform without a separate agreement and legal basis.
4. Obligations of the Processor
4.1. The processor processes personal data exclusively on documented instructions from the customer, unless required to process by law.
4.2. The processor ensures that persons authorised to process the data are bound by confidentiality.
4.3. The processor implements the technical and organisational measures (TOMs) required under Art. 32 GDPR (see Section 5).
4.4. The processor assists the customer, as far as possible, in responding to requests from data subjects and in complying with the obligations under Art. 32–36 GDPR.
4.5. The processor informs the customer without undue delay if it is of the opinion that an instruction infringes data protection provisions.
5. Technical and Organisational Measures (Art. 32 GDPR)
The processor implements, in particular, the following measures:
- Encryption: TLS encryption of data transmission; secure storage of passwords as a hash.
- Confidentiality & access control: role- and organisation-based access restrictions (strict multi-tenant separation), authentication via established libraries, API key/OAuth-based access.
- EU data residency: hosting of the core data exclusively on servers within the EU (Hetzner, Germany).
- Integrity & availability: secured server infrastructure, logging, backups as part of the hosting.
- Storage limitation: automatic deletion of proof photos after the deletion periods configured for each workspace.
- Data minimisation: login-free completion without profiling; collection of only the data required for the proof/record.
6. Sub-processors
6.1. The customer grants the processor general authorisation to engage the following sub-processors:
| Sub-processor | Location | Purpose |
|---|---|---|
| Hetzner Online GmbH | Germany (EU) | Hosting / server infrastructure |
| WebBuilds B.V. (Ploi) | Netherlands (EU) | Server management / deployment |
| Resend, Inc. | USA | Sending of system/transactional emails |
| Stripe Payments Europe, Ltd. | Ireland (EU) | Payment processing |
| HubSpot Ireland Ltd. | Ireland (EU) | CRM / handling of enquiries |
6.2. For sub-processors located outside the EU/EEA, the processor ensures an adequate level of data protection (EU-US Data Privacy Framework or Standard Contractual Clauses).
6.3. The processor informs the customer of any intended changes regarding the addition or replacement of sub-processors. The customer may object to a change on important data protection grounds.
7. Bring Your Own AI (MCP) — Clarification of Responsibility
cleanlist does not operate its own artificial intelligence. If the customer connects an external AI model (e.g. ChatGPT or Claude) via the MCP interface, cleanlist transmits the requested data to the model chosen by the customer. This transmission takes place at the customer’s instigation and under the customer’s responsibility; the respective AI provider is not a sub-processor within the meaning of this DPA, but a recipient engaged independently by the customer. The customer is itself responsible for the lawfulness of this connection and for any contract that may be required with the AI provider.
8. Data Subject Rights and Cooperation
The processor assists the customer, by means of appropriate technical and organisational measures, in fulfilling requests from data subjects for access, rectification, erasure, restriction, data portability and objection. If a data subject contacts the processor directly, the processor forwards the matter to the customer without undue delay.
9. Notification of Personal Data Breaches
The processor notifies the customer without undue delay after becoming aware of a personal data breach and assists the customer in fulfilling its reporting and notification obligations under Art. 33 and 34 GDPR.
10. Erasure and Return After Termination
After the end of the processing services, the processor, at the customer’s choice, deletes all personal data or returns it and deletes existing copies, unless there is a statutory obligation to retain it. The transition period of a maximum of 30 days for data export agreed in the main contract applies.
11. Records and Audits
Upon request, the processor makes available to the customer the information necessary to demonstrate compliance with the obligations arising from this DPA and allows for reasonable audits.
12. Final Provisions
In all other respects, the provisions of the main contract and the T&C apply. In the event of a conflict between this DPA and other agreements, the provisions of this DPA prevail with regard to data processing. Austrian law applies.
We also provide this DPA on request as a signable document (PDF). Please contact hallo@cleanlist.app.