Customers of the OpenProject Enterprise Cloud must sign a DPA. The contract can be reviewed and signed in the Administration section of your OpenProject Cloud instance (Administration -> GDPR).

Data Processing Agreement

Last updated: 2022-04-22

Agreement for contract data processing pursuant to Article 28 GDPR between


- Controller within the meaning of Art. 4(7) GDPR, hereinafter referred to as the “Controller” -


OpenProject GmbH
Krausenstraße 9
D-10178 Berlin

- Processor within the meaning of Art. 4(8) GDPR, hereinafter referred to as the “Processor” -


This contract data processing agreement governs the obligations of the contracting parties with regard to data protection arising under the service agreement, including product descriptions.

Product: OpenProject Enterprise Cloud
Customer number: ________________________________
Contract number: ________________________________
URL: ________________________________
Contract date: ______________________________

It applies to all data-processing activities of the Processor which are required to provide the SaaS product OpenProject Enterprise Cloud. The processing of personal data includes the data of the users of OpenProject and also the user-generated data entered by the users in OpenProject (e.g. comments on work packages).

Upon conclusion of this agreement, all previously concluded Data Privacy Agreements, if any, shall become invalid.

§ 1 Scope and responsibilities

  1. The subject, type and purpose of the contract are activities whose specification is based on the service contract referred to above and the associated product descriptions.
  2. The Processor shall not use data provided to it for processing for any other purposes. Copies and/or duplicates may not be made without the knowledge of the Controller. This does not include backup copies, to the extent necessary to ensure proper data processing, and data required to comply with the statutory retention obligations.
  3. The Controller is solely responsible for assessing the lawfulness of the processing of personal data by the Processor within the framework of their contractual relationship with regard to the provisions of the European General Data Protection Regulation (GDPR) and other relevant laws and regulations concerning data protection.

§ 2 Location of the intended data processing

The Processor shall process data through its own personnel only within the EEA. Processing in third countries only takes place if sub-processors are involved, which process the data outside the EEA. The list of sub-processors describes the cases when the Controller’s data is processed by sub-processors in third countries and specifies the legal basis according to Art. 44 et seq. GDPR.

§ 3 Type of data processed and categories of data subjects

  1. The personal data undergoing processing pursuant to this agreement includes the following data types/categories (list/description of data categories):
    • Name
    • Email address
    • Telephone number (optionally for sending 2FA one-time-passwords)
    • Profile picture (avatar image)
  2. The categories of data subjects affected by the processing include:
    • Users of the application
    • Persons named by users in application data, e.g. customers, employees or contractors of the Controller

§ 4 Technical and organizational measures

  1. The Processor shall structure its internal organization in such a way that it meets the special requirements of data protection. The measures taken by the Processor are listed in the overview of technical and organizational measures.
  2. The Parties agree that changes to the technical and organizational measures may be necessary in order to adapt to technical and legal circumstances. The Contractor shall coordinate significant changes that may affect the integrity, confidentiality or availability of the personal data with the Controller in advance. Measures that involve only minor technical or organizational changes and do not negatively affect the integrity, confidentiality and availability of the personal data may be implemented by the Processor without coordination with the Controller.

§ 5 Rectification, restriction and erasure of data

  1. The Processor may only rectify, erase or restrict the processing of data as processed pursuant to this contract if instructed to do so by the Controller. If a data subject contacts the Processor directly in this context, the Processor shall forward this request to the Controller.
  2. After completion of the contractual work, the Processor shall hand over to the Controller all data, documents and processing or usage results in its possession or passed to subcontractors in connection with the contractual relationship, or shall have them deleted or destroyed in accordance with data protection regulations. The same applies to test and reject material. The deletion or destruction shall be confirmed to the Controller in writing or in a documented electronic format, stating the date. Any statutory storage obligations or other obligations to store the data shall remain unaffected.

§ 6 Obligations of the Controller

  1. The Controller is responsible for all data, automated procedures and data processing equipment within their area of responsibility as well as for safeguarding the rights of data subjects.
  2. The Client shall review the technical and organizational measures provided by the Contractor to determine whether they are appropriate for their data processing. Further measures shall be determined by the Client. The costs of such technical and organizational measures that must be implemented as part of the Contractor’s operations due to any special requirement by the Client shall be borne by the Client.
  3. The Controller has the right to issue instructions concerning the type, scope and sequence of the work. All such instructions must be issued in writing. Oral instructions must be confirmed by the Controller in writing without undue delay.

§ 7 Duties of the Processor

  1. In addition to complying with the provisions of this agreement, the Processor shall comply with the statutory obligations set out in Articles 28 to 33 GDPR. Without limitation, the Processor shall ensure compliance with the following requirements:
  2. Maintaining confidentiality in accordance with Articles 28(3)(b), 29, 32(4) GDPR. In carrying out their work, the Processor shall exclusively use employees who are bound to maintain confidentiality and who have previously been familiarized with the relevant data protection provisions. The Processor and any person under their authority who has access to personal data of the Controller may only process such data exclusively in accordance with instructions from the Controller, including the authority granted in this agreement, unless they are legally obliged to process such data.
  3. The implementation and compliance with all technical and organizational measures required for the respective contract data processing in accordance with Articles 28(3)(c), 32 GDPR.
  4. Notification of the Controller regarding control procedures and measures taken by the supervisory authority in so far as they relate to the underlying contractual relationship.
  5. The Processor may only provide information to data subjects or third parties concerning the underlying contractual relationship with the consent of the Controller unless it is legally obliged to do so.

§ 8 Sub-processors

  1. Subcontracting relationships within the meaning of this provision shall be understood to mean those services which relate directly to the provision of the principal service. This does not include ancillary services used by the Processor, e.g. telecommunications or postal/transport services. However, the Processor shall be obliged to undertake appropriate and legally binding contractual agreements and control measures to ensure the data protection and the data security of the Controller’s data, including in relation to outsourced ancillary services.
  2. The Controller agrees to the sub-processors named at the time of the conclusion of this contract. The Processor warrants that a data processing agreement has been concluded with all named sub-processors in accordance with Article 28 (2-4) GDPR.
  3. Customer shall permit Processor to engage additional sub-processors or to replace existing sub-processors provided that:
    • the Processor notifies the Controller of such new subcontracting in text form, e.g. by e-mail, before the start of processing by the sub-processor and the Controller does not object to the subcontracting in text form within two weeks. After expiry of the objection period, the modification shall be deemed approved within the meaning of Article 28 (2) GDPR.
    • The Processor concludes an agreement with the sub-processor in accordance with Art. 28 (2-4) GDPR.
  4. If a sub-processor is to be used who processes personal data of the Controller outside the European Economic Area, this is only permitted if the requirements for international data transfer pursuant to Art. 44 et seq. GDPR are complied with.
  5. The Processor shall regularly check the sub-processor’s compliance with GDPR. It shall be contractually stipulated that the sub-processor shall tolerate these control measures and possible on-site inspections. The Controller shall be entitled to receive information on request about the essential content of the contract and the implementation of the Sub-processor’s obligations relevant to data protection, if necessary also by inspecting the relevant contractual documents.
  6. The transfer of personal data of the Controller to the sub-processor shall only be permitted once all legal requirements for subcontracting have been met.

§ 9 Control rights of the Controller

  1. Upon appropriate advance notice, the Controller is entitled to have inspections performed by auditors to be appointed on a case-by-case basis. The Processor shall ensure that the Controller can satisfy themselves of the Processor’s compliance with the obligations in accordance with Art. 28 GDPR. The Processor shall grant the Controller access to the Processor’s property and business premises upon prior arrangement of an appointment during normal local operating and business hours. The Processor is required to furnish the necessary information to the Controller on request and to demonstrate, in particular, the implementation of the technical and organizational measures.
  2. Proof of such measures, which do not only relate to a specific engagement, may be provided in the form of compliance with approved rules of conduct in accordance with Art. 40 GDPR; certification according to an approved certification procedure pursuant to Art. 42 GDPR; current certificates, reports or report extracts from independent bodies (e.g. auditor, internal audit department, data protection officer); suitable certification by IT security or data protection audit (e.g. according to BSI Basic Protection).
  3. If the Controller falls within the scope of the Church Act on Data Protection of the Evangelical Church in Germany (DSG-EKD), the Processor submits to the Church’s data protection supervision pursuant to Section 30 para 5 sentence 3 DSG-EKD. The submission extends to the tasks and powers of the Church’s data protection supervision pursuant to sections 43, 44 DSG-EKD.

§ 10 Notification of breaches by the Processor

  1. The Processor shall inform the Controller of violations of the protection of personal data, disturbances, breaches of data protection regulations or the specifications made in a specific agreement by the Processor or persons employed by them or engaged by them. This is especially the case with regard to any legal obligations of the Controller to notify data subjects or the supervisory authorities.
  2. To the extent possible, the Processor shall assist the Controller in complying with the obligations set out in Articles 30 to 36 GDPR concerning the security of personal data, notification obligations in the event of personal data breaches, data protection impact assessments and prior consultations. This includes, in particular:

    • The obligation to report personal data breaches to the Controller;
    • The obligation to support the Controller in connection with their duty to inform data subjects;
    • Supporting the Controller in connection with their obligations to carry out data protection impact assessments;
    • Supporting the Controller in connection with prior consultations with the supervisory authority.
  3. The Processor is aware that the Controller may be subject to a notification obligation pursuant to Art. 33 of the GDPR, which provides for an initial notification to the supervisory authority within 72 hours of becoming aware of the matter. The Processor shall inform the Controller immediately in the event of corresponding reporting obligations.

§ 11 Contract term

  1. The validity of this agreement for contract data processing (“term”) corresponds to the term of the service agreement referred to in section 1. The confidentiality obligation survives the term of this contract.
  2. A violation of legal or contractual data protection provisions by the Processor represents good cause for the Controller to exercise their right of extraordinary termination as reserved in the service agreement referred to in section 1.

§ 12 Severability

Should one or more provisions of this agreement be or become invalid or unenforceable, this shall not affect the validity of the remaining provisions of this agreement.

§ 13 Final provisions

  1. Changes or additions to this agreement must be made in writing.
  2. The assertion of a right of retention within the meaning of section 273 of the German Civil Code (BGB) is excluded with respect to the processed data and the associated data storage devices.
  3. This agreement is governed exclusively by the laws of the Federal Republic of Germany. The place of jurisdiction for all disputes arising under or in connection with this contract is Berlin.

§ 14 Effective date

This agreement is effective upon checkbox confirmation in the customer account.

Niels Lindenthal - OpenProject GmbH

Berlin, YYYY-MM-DD