Data Processing Agreement (DPA)

Version: July 2026

This Data Processing Agreement (DPA) specifies the parties' obligations under Art. 28 GDPR and forms an annex to the PlanElec Terms of Service. It is concluded between the professional business using PlanElec, as controller, and the operator of PlanElec, as processor, as soon as personal data of end customers is processed in PlanElec.

Parties

Controller: The electrical business using PlanElec that enters and processes the personal data of its end customers in PlanElec.

Processor: Stephan Behm, Heggen 34, 4837 Baelen, Belgium – operator of PlanElec.be.

1. Subject matter and duration

The subject matter is the processing of personal data by the processor on behalf of the controller for the purpose of providing the PlanElec software (planning of electrical installations, creation of schematics, floor plans and documents). The agreement applies for the duration of the use of PlanElec and ends upon termination of the usage relationship.

2. Nature and purpose of the processing

The processor processes the data exclusively to provide the agreed services – storage, processing and display of the project and end-customer data entered by the controller. No processing for the processor's own purposes takes place, in particular no analysis, disclosure or sale of the data.

3. Categories of personal data

In the context of use, the following categories of data are processed in particular:

  • Contact details of end customers (name, address, and where applicable email address and phone number)
  • Building and property data (address, floor plan, room layout)
  • Installation data (circuits, distribution board configuration, single-line diagrams, bills of materials)
  • Project metadata (project name, timestamps, editing status)

4. Categories of data subjects

The following groups of persons are affected by the processing:

  • End customers of the controller (developers, owners, tenants)
  • Other natural persons named in the project

5. Obligations of the processor

Pursuant to Art. 28(3) GDPR, the processor undertakes in particular to:

  • process the data only on documented instructions from the controller;
  • ensure that persons authorised to process the data are committed to confidentiality;
  • implement appropriate technical and organisational measures pursuant to Art. 32 GDPR;
  • engage sub-processors only under the conditions of this agreement;
  • assist the controller in responding to requests from data subjects;
  • assist the controller in complying with the obligations under Art. 32 to 36 GDPR;
  • notify the controller without undue delay of any personal data breach;
  • delete or return the data at the end of the processing, at the controller's choice;
  • make available to the controller all information necessary to demonstrate compliance with these obligations.

6. Sub-processors

The processor engages the following sub-processors to provide the services. The controller hereby grants its general authorisation:

Sub-processorPurposeLocation / basis
Supabase (AWS, EU-Region)Authentication, database and file storageEU
Resend, Inc.Sending transactional emails (account and system notifications)USA – EU-US Data Privacy Framework (Art. 45 GDPR)
PostHog, Inc. (PostHog Cloud EU)Anonymous product analytics (only with consent)EU (Frankfurt) – provider USA, DPF-certified
IONOS SE / CoolifyHosting and operation of the application infrastructureEU
PlanElec-Cockpit (MQTT Event-Bus)Internal event bus for operational monitoring (technical identifiers only)EU

The processor informs the controller of any intended changes to the sub-processors and provides the opportunity to object. All data processing takes place within the EU; transfers to providers established in the USA are made exclusively on the basis of the EU-US Data Privacy Framework (Art. 45 GDPR).

7. Technical and organisational measures (TOMs)

The processor maintains appropriate technical and organisational measures pursuant to Art. 32 GDPR, in particular:

  • encryption of data transmission (TLS/HTTPS);
  • access control through authentication and role-based permissions;
  • data storage in data centres within the European Union;
  • regular backups;
  • logging of security-relevant events;
  • protective measures against unauthorised access (rate limiting, brute-force protection).

8. Deletion and return

Upon termination of the usage relationship, the personal data will be deleted or returned at the controller's choice, unless a statutory retention obligation applies. The controller can export its project data at any time via the application.

9. Control and audit rights

The controller has the right to verify compliance with this agreement. Upon request, the processor makes available the information and evidence required for this purpose and allows for reviews to a reasonable extent.

10. Liability

Liability is governed by Art. 82 GDPR and by the Terms of Service. Each party is liable for damage caused by an attributable breach of this agreement or of the provisions of the GDPR.

11. Contact

For questions regarding this Data Processing Agreement, you can reach us at: info@planelec.be