Data Processing Agreement
This Data Processing Agreement applies when modeleven IT GmbH processes personal data on behalf of a workshop through Reparova and forms part of the Terms and Conditions.
Roles and instructions
The workshop is the controller and modeleven IT GmbH is the processor. The processor processes personal data only on documented instructions from the controller, including instructions expressed through the configured use of Reparova, unless Union or Member State law requires otherwise. The processor will inform the controller before legally required processing unless prohibited by law and will immediately inform the controller if an instruction appears to infringe data-protection law.
Processing details
Subject matter and purpose: hosting and operating repair communication, status, photo, approval, and pickup workflows. Duration: the contract term plus the deletion and backup periods stated below. Data subjects: workshop customers, prospective customers, contacts, and workshop users. Data categories: identity and contact details, vehicle and repair information, photos, messages, approval records, access data, account data, and security data. No special-category data is intended.
Confidentiality and security
The processor ensures that persons authorized to process personal data are bound by confidentiality. Taking account of the state of the art, implementation costs, and processing risks, the processor maintains appropriate measures including role-based access control, authenticated accounts, secure random public links, encrypted transmission, logging, backups, recovery procedures, vulnerability handling, and incident response. The processor regularly reviews the effectiveness of these measures.
Subprocessor
The controller gives general authorization for Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany, to provide application hosting and infrastructure in Germany and Finland. Processing takes place within the EEA.
The processor will notify the controller by email at least 30 days before adding or replacing a subprocessor. The controller may object on reasonable data-protection grounds within 14 days after notice. If the parties cannot resolve the objection, either party may terminate the affected service. The processor imposes equivalent data-protection obligations on subprocessors and remains responsible for their performance. Transfers outside the EEA require a valid mechanism under Chapter V GDPR.
Assistance
Taking account of the nature of processing and information available to it, the processor assists the controller with data-subject requests, security obligations, personal-data breach notifications, data-protection impact assessments, and prior consultations. The controller remains responsible for responding to data subjects and authorities. Assistance is included where it concerns Reparova’s ordinary operation; reasonable additional costs may be charged for exceptional requests not caused by the processor’s breach.
Personal-data breaches
The processor notifies the controller without undue delay after becoming aware of a personal-data breach affecting controller data. Notice will be sent to the workshop’s registered email address and will include the available information required for the controller’s assessment and notification duties. Information may be supplied in phases as it becomes available.
Deletion and return
At the controller’s choice, the processor will return or delete controller data after the service ends unless law requires storage. Account and workshop data is deleted within 30 days after termination; backups follow a 30-day rolling deletion cycle. The controller must request any export before deletion. Statutorily retained data is isolated from further processing except for the required purpose.
Evidence and audits
The processor provides information reasonably necessary to demonstrate compliance with Article 28 GDPR and permits proportionate audits by the controller or an independent auditor bound by confidentiality. Audits require at least 30 days’ notice, occur during normal business hours, avoid disruption and exposure of other customers’ data, and are limited to once per year unless a breach or authority request justifies an additional audit. The controller bears audit costs unless the audit identifies a material breach by the processor.
Priority and contact
If this agreement conflicts with the Terms on processing of controller data, this agreement prevails. Amendments must be recorded in text form. Data-protection notices, instructions, and requests must be sent to hello@modeleven.com or the contact address registered for the workshop.
Operator details
- Company
- modeleven IT GmbH
- Address
- Kurt-Tichy-Gasse 12/2/15, 1100 Wien, Österreich
- Registered office
- 1100 Wien
- Company register
- FN 542976 w, Handelsgericht Wien
- VAT ID
- ATU76085969
- GISA number
- 33256184
- Managing director
- Severin Burgstaller
- Phone
- +43 1 305 2 333
- hello@modeleven.com
- Privacy contact
- hello@modeleven.com