Version 1.0 - effective from January 7, 2026
Data Controller (Client): The Client of the Planopia.pl application, i.e., the company that registered an account in the Application (hereinafter: "Controller"). The Controller's data is available in the Planopia.pl system after logging in under "Team Management".
Data Processor: ML Devworks Michał Lipka, with its registered office at Rynek Główny 34 lok. 15, 31-010 Kraków, Poland, Tax ID: 6762707876
2.1. The Controller entrusts, and the Processor accepts, the processing of personal data to the extent necessary for providing services through the Planopia.pl platform.
2.2. Processing includes: time tracking, leave management, work schedules, task boards, team communication.
3.1. The following personal data of the Controller's employees is processed:
- First and last name
- Email address
- Job position
- Working time data
- Leave and absence data
3.2. Processing concerns the Controller's employees using the platform.
4.1. The Processor undertakes to:
- Process data only within the scope and purpose specified by the Controller
- Ensure appropriate security measures
- Not take any action without the Controller's consent
- Assist the Controller in fulfilling data subjects' rights
4.2. The Processor may not disclose personal data to third parties without the Controller's consent, unless required by law.
5.1. The Processor may entrust processing to subcontractors:
- Hosting service providers (Render.com, Netlify, Vercel)
- IT service providers supporting platform operation
5.2. The Controller grants general consent to use sub-processors indicated in this agreement.
5.3. All sub-processors are obligated to comply with data protection principles.
5.4. The Processor will inform the Controller of significant changes to the sub-processor list (e.g., in the application or by email) in advance.
5.5. The Controller has the right to information about sub-processors.
6.1. The Processor applies the following technical and organizational measures:
- Connection encryption (HTTPS/TLS)
- Access control (authentication, authorization)
- Regular backups
- Event monitoring and logging
- Security updates
- Staff training
6.2. A detailed description of security measures is provided in Appendix A.
7.1. In case of a personal data breach, the Processor undertakes to:
- Immediately inform the Controller (within 24 hours)
- Take remedial action
- Cooperate with the Controller in notifying supervisory authorities
8.1. The Processor undertakes to assist the Controller in fulfilling data subjects' rights (access, rectification, erasure, portability, objection).
8.2. The Processor forwards data subjects' requests to the Controller and executes their instructions.
9.1. Upon termination of services or at the Controller's request, the Processor:
- Deletes all personal data or
- Returns data to the Controller (if technically possible)
9.2. The Processor may retain data to the extent required by law.
10.1. The Controller has the right to conduct an audit of data processing by the Processor, after prior arrangement of the date.
10.2. The Processor provides information necessary to demonstrate processing compliance with this agreement.
10.3. The audit may not violate trade secrets or the security of other Clients.
11.1. The agreement is valid for the duration of services provided by the Processor to the Controller.
12.1. GDPR and data protection laws apply to matters not regulated herein.
12.2. This agreement is an integral part of the Planopia.pl service agreement.
Appendix A: Technical and Organizational Measures (TOMs)
- Data transmission encryption (HTTPS/TLS)
- Access control with authentication. Multi-factor authentication (2FA) available for users (if the feature is enabled)
- Event logging (security logs)
- Regular security updates and patches
- Backups (regular, stored according to procedures)
- Service monitoring and alerting to detect anomalies
- Staff training on GDPR
- Security incident management procedures
Last updated: January 7, 2026