Back to Reparova

Data Processing Agreement

This Data Processing Agreement applies when modeleven IT GmbH processes personal data on behalf of a workshop through Reparova and forms part of the Terms and Conditions.

Effective date: 2026-07-15Version: 2026-07-15-v1

Roles and instructions

The workshop is the controller and modeleven IT GmbH is the processor. The processor processes personal data only on documented instructions from the controller, including instructions expressed through the configured use of Reparova, unless Union or Member State law requires otherwise. The processor will inform the controller before legally required processing unless prohibited by law and will immediately inform the controller if an instruction appears to infringe data-protection law.

Processing details

Subject matter and purpose: hosting and operating repair communication, status, photo, approval, and pickup workflows. Duration: the contract term plus the deletion and backup periods stated below. Data subjects: workshop customers, prospective customers, contacts, and workshop users. Data categories: identity and contact details, vehicle and repair information, photos, messages, approval records, access data, account data, and security data. No special-category data is intended.

Confidentiality and security

The processor ensures that persons authorized to process personal data are bound by confidentiality. Taking account of the state of the art, implementation costs, and processing risks, the processor maintains appropriate measures including role-based access control, authenticated accounts, secure random public links, encrypted transmission, logging, backups, recovery procedures, vulnerability handling, and incident response. The processor regularly reviews the effectiveness of these measures.

Subprocessor

The controller gives general authorization for Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany, to provide application hosting and infrastructure in Germany and Finland. Processing takes place within the EEA.

The processor will notify the controller by email at least 30 days before adding or replacing a subprocessor. The controller may object on reasonable data-protection grounds within 14 days after notice. If the parties cannot resolve the objection, either party may terminate the affected service. The processor imposes equivalent data-protection obligations on subprocessors and remains responsible for their performance. Transfers outside the EEA require a valid mechanism under Chapter V GDPR.

Assistance

Taking account of the nature of processing and information available to it, the processor assists the controller with data-subject requests, security obligations, personal-data breach notifications, data-protection impact assessments, and prior consultations. The controller remains responsible for responding to data subjects and authorities. Assistance is included where it concerns Reparova’s ordinary operation; reasonable additional costs may be charged for exceptional requests not caused by the processor’s breach.

Personal-data breaches

The processor notifies the controller without undue delay after becoming aware of a personal-data breach affecting controller data. Notice will be sent to the workshop’s registered email address and will include the available information required for the controller’s assessment and notification duties. Information may be supplied in phases as it becomes available.

Deletion and return

At the controller’s choice, the processor will return or delete controller data after the service ends unless law requires storage. Account and workshop data is deleted within 30 days after termination; backups follow a 30-day rolling deletion cycle. The controller must request any export before deletion. Statutorily retained data is isolated from further processing except for the required purpose.

Evidence and audits

The processor provides information reasonably necessary to demonstrate compliance with Article 28 GDPR and permits proportionate audits by the controller or an independent auditor bound by confidentiality. Audits require at least 30 days’ notice, occur during normal business hours, avoid disruption and exposure of other customers’ data, and are limited to once per year unless a breach or authority request justifies an additional audit. The controller bears audit costs unless the audit identifies a material breach by the processor.

Priority and contact

If this agreement conflicts with the Terms on processing of controller data, this agreement prevails. Amendments must be recorded in text form. Data-protection notices, instructions, and requests must be sent to hello@modeleven.com or the contact address registered for the workshop.

Operator details

Company
modeleven IT GmbH
Address
Kurt-Tichy-Gasse 12/2/15, 1100 Wien, Österreich
Registered office
1100 Wien
Company register
FN 542976 w, Handelsgericht Wien
VAT ID
ATU76085969
GISA number
33256184
Managing director
Severin Burgstaller
Phone
+43 1 305 2 333
Email
hello@modeleven.com
Privacy contact
hello@modeleven.com