Data Processing Agreement

Version 1.0Effective: 16 January 2026GDPR Compliant
Contact Legal Terms & Conditions

Data Processing Agreement

This Data Processing Agreement (Auftragsverarbeitungsvertrag/AVV) is drafted in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679.

1. Introduction and Scope

1.1. Parties

This Data Processing Agreement (DPA) is entered into between:

  • Ibis Flow GmbH, Pforzheimer Str. 68, 75015 Bretten, Germany (Processor), and
  • The business entity accepting the Terms and Conditions (Controller).

1.2. Incorporation

This DPA forms an integral part of, and is incorporated by reference into, the Terms and Conditions (Principal Agreement). In the event of any conflict between this DPA and the Principal Agreement regarding data protection matters, this DPA shall prevail.

1.3. Applicability

This DPA applies to all processing of personal data by the Processor on behalf of the Controller in connection with the provision of the Ibis Flow collaborative estimation service.

2. Definitions

In this DPA, unless the context requires otherwise, terms defined in the GDPR (including Personal Data, Processing, Data Subject, Controller, Processor, Personal Data Breach, and Supervisory Authority) shall have the same meaning as in the GDPR. Additionally:

  • Controller Personal Data means any personal data processed by the Processor on behalf of the Controller pursuant to this DPA.
  • Data Protection Laws means the GDPR and any applicable national implementing legislation, as amended or superseded from time to time.
  • Sub-processor means any third party engaged by the Processor to process Controller Personal Data.
  • Standard Contractual Clauses or SCCs means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission (Decision 2021/914).

3. Details of Processing

3.1. Subject Matter and Duration

The subject matter of the processing is the provision of the Ibis Flow collaborative estimation platform. Processing shall continue for the duration of the Principal Agreement, unless terminated earlier in accordance with its terms.

3.2. Nature and Purpose of Processing

The Processor processes Controller Personal Data for the following purposes:

  • Providing the Ibis Flow estimation and planning service
  • Enabling real-time collaboration during estimation sessions
  • Synchronising estimation data with Controller's connected systems (e.g., Atlassian Jira)
  • Managing user accounts and organisation membership
  • Processing payments and managing subscriptions
  • Providing technical support when requested
  • Generating anonymised analytics to improve the service

3.3. Types of Personal Data

The following categories of personal data may be processed:

  • Identity data: Names, email addresses, profile information
  • Account data: Organisation membership, user roles, subscription status
  • Usage data: Estimation session participation, votes, comments, reactions
  • Technical data: IP addresses, browser information, device identifiers, access timestamps
  • Integration data: Data imported from or synchronised with connected third-party systems (e.g., Jira ticket information, user mappings)
  • Authentication tokens: OAuth access and refresh tokens for connected integrations

3.4. Categories of Data Subjects

Personal data may be processed concerning:

  • Authorised users of the Controller's organisation
  • Individuals referenced in data imported from the Controller's connected third-party systems

4. Controller Instructions and Processor Obligations

4.1. Processing on Instructions

The Processor shall process Controller Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

4.2. Documented Instructions

The Controller's instructions to the Processor are documented in:

  1. This DPA and its annexes
  2. The Principal Agreement (Terms and Conditions)
  3. The Controller's configuration and use of the Ibis Flow service
  4. Any additional written instructions provided by the Controller and acknowledged by the Processor

4.3. Notification of Unlawful Instructions

The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes Data Protection Laws. The Processor is not obligated to assess whether the Controller's instructions comply with Data Protection Laws, but shall not knowingly process Controller Personal Data in a manner that would constitute a clear violation.

5. Security of Processing

5.1. Technical and Organisational Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR.

5.2. Security Measures Documentation

The Processor's current technical and organisational measures are described in the Technical and Organisational Measures (TOMs) document, which is incorporated by reference into this DPA. The Processor may update the TOMs from time to time to reflect improvements in security practices, provided that such updates do not materially reduce the level of protection afforded to Controller Personal Data.

5.3. Key Security Measures

Without limiting the foregoing, the Processor maintains the following security measures:

  • Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls based on role and least-privilege principles
  • Authentication via federated identity provider (Microsoft Entra External ID)
  • Hosting within the European Union (Microsoft Azure West Europe)
  • Regular automated backups with point-in-time recovery capability
  • Error monitoring and alerting systems
  • Secure software development practices

5.4. Confidentiality

The Processor shall ensure that persons authorised to process Controller Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and have received appropriate training on data protection requirements.

6. Sub-processors

6.1. General Authorisation

The Controller hereby provides general authorisation for the Processor to engage Sub-processors to process Controller Personal Data, subject to the conditions set out in this Section 6.

6.2. Current Sub-processors

The Controller acknowledges and approves the Sub-processors listed in Annex 1 (Sub-processor List) to this DPA as of the effective date.

6.3. Notification of Changes

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors by updating the Sub-processor list on its website and, where the Controller has subscribed to notifications, by email. The Controller shall have fourteen (14) days from the date of such notification to object to the change on reasonable grounds relating to data protection.

6.4. Objection to Sub-processors

If the Controller objects to a new Sub-processor and the Processor cannot reasonably accommodate the objection, the Controller may terminate the affected services by providing written notice within thirty (30) days. The Processor shall refund any prepaid fees for the terminated services on a pro-rata basis.

6.5. Sub-processor Obligations

Where the Processor engages a Sub-processor, the Processor shall ensure by way of a written contract that the Sub-processor is bound by data protection obligations no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. The Processor shall remain fully liable to the Controller for the performance of the Sub-processor's obligations.

7. International Data Transfers

7.1. Data Location

The Processor stores and processes Controller Personal Data primarily within the European Union (Microsoft Azure West Europe region, Netherlands). However, certain Sub-processors may process personal data outside the EU/EEA.

7.2. Transfer Mechanisms

Where Controller Personal Data is transferred to a country outside the EU/EEA that has not received an adequacy decision from the European Commission:

  • The Processor shall ensure that appropriate safeguards are in place, including the Standard Contractual Clauses (SCCs) adopted by the European Commission, or other valid transfer mechanisms under Article 46 of the GDPR.
  • The Sub-processors listed in Annex 1 that process data outside the EU/EEA have entered into appropriate data processing agreements with the Processor, which include the SCCs or equivalent safeguards.

7.3. Transfer Impact Assessments

The Processor shall, upon request, provide the Controller with relevant information regarding the legal regime applicable in the destination country and any supplementary measures implemented to ensure adequate protection of Controller Personal Data.

8. Data Subject Rights

8.1. Assistance with Requests

Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR (including rights of access, rectification, erasure, restriction, data portability, and objection).

8.2. Notification of Requests

If the Processor receives a request from a Data Subject in relation to Controller Personal Data, the Processor shall promptly, and in any event within five (5) business days, notify the Controller and shall not respond to the request directly unless authorised to do so by the Controller or required by applicable law.

8.3. Self-Service Capabilities

The Ibis Flow service provides self-service capabilities enabling authorised users to access, export, and delete their personal data directly through the platform. The Controller may use these capabilities to fulfil Data Subject requests without requiring Processor assistance.

9. Personal Data Breach

9.1. Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Controller Personal Data. The notification shall include, to the extent known:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned
  • The name and contact details of the Processor's point of contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach and mitigate its effects

9.2. Breach Assistance

The Processor shall cooperate with the Controller and provide reasonable assistance in investigating the breach, fulfilling any notification obligations to Supervisory Authorities or Data Subjects, and mitigating the effects of the breach.

9.3. Documentation

The Processor shall document all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken, and shall make this documentation available to the Controller upon request.

10. Data Protection Impact Assessments and Prior Consultation

10.1. DPIA Assistance

The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with Supervisory Authorities that the Controller is required to carry out pursuant to Articles 35 and 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.

10.2. Scope of Assistance

Such assistance may include providing information about the Processor's processing operations, security measures, and Sub-processors as relevant to the assessment.

11. Data Deletion and Return

11.1. During the Agreement

The Controller may delete Controller Personal Data at any time through the self-service functionality provided by the Ibis Flow service. Deletion requests processed through the service result in permanent removal of the data from the Processor's active systems.

11.2. Upon Termination

Upon termination or expiry of the Principal Agreement, the Processor shall, at the Controller's choice:

  • Return: Provide the Controller with an export of Controller Personal Data in a commonly used, machine-readable format (JSON or CSV), to the extent such export functionality is available in the service; or
  • Delete: Delete all Controller Personal Data from its systems.

If the Controller does not provide instructions within thirty (30) days of termination, the Processor shall delete all Controller Personal Data.

11.3. Backup Retention

Controller Personal Data may persist in automated backup systems for a limited period following deletion (typically up to 35 days) as part of standard disaster recovery procedures. Such backup data is encrypted and access-restricted, and shall be permanently deleted when the relevant backup cycle completes.

11.4. Legal Retention

The Processor may retain Controller Personal Data to the extent required by applicable law (e.g., tax or accounting requirements), in which case the Processor shall inform the Controller of the legal basis and expected retention period, and shall ensure continued confidentiality of such data.

12. Audit Rights

12.1. Information and Compliance

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and Article 28 of the GDPR.

12.2. Audit Procedures

The Controller may audit the Processor's compliance with this DPA, subject to the following conditions:

  • The Controller shall provide at least thirty (30) days' prior written notice of any audit
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations
  • Audits shall be limited to once per calendar year, unless a Personal Data Breach has occurred or a Supervisory Authority requires an audit
  • The Controller (or its appointed auditor) shall enter into appropriate confidentiality undertakings
  • The scope of the audit shall be limited to matters directly relevant to the Controller's personal data and the Processor's compliance with this DPA

12.3. Audit Costs

Each party shall bear its own costs in connection with any audit. However, if an audit reveals a material breach of this DPA by the Processor, the Processor shall reimburse the Controller's reasonable audit costs.

12.4. Third-Party Certifications

At the Controller's request, the Processor shall provide copies of relevant third-party audit reports, certifications, or attestations (if any) that demonstrate the Processor's compliance with applicable security standards. The Controller agrees that review of such documentation may satisfy audit requirements under this Section 12 where appropriate.

13. Liability

13.1. Limitation of Liability

Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Principal Agreement (Terms and Conditions), except to the extent that such limitations are prohibited by Data Protection Laws.

13.2. Allocation

The parties agree that the Processor shall be liable for damage caused by processing that infringes Data Protection Laws only where the Processor has not complied with obligations specifically directed to processors under Data Protection Laws, or has acted outside or contrary to the Controller's lawful instructions.

14. Term and Termination

14.1. Term

This DPA shall commence on the date the Controller accepts the Principal Agreement and shall continue in force until the termination or expiry of the Principal Agreement, and thereafter until all Controller Personal Data has been deleted or returned in accordance with Section 11.

14.2. Survival

The provisions of this DPA relating to confidentiality, liability, and any provisions that by their nature should survive termination, shall survive the termination or expiry of this DPA.

15. Governing Law and Jurisdiction

15.1. Governing Law

This DPA shall be governed by and construed in accordance with the laws of Germany, without regard to its conflict of laws principles.

15.2. Jurisdiction

Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Germany, as specified in the Principal Agreement.

15.3. Supervisory Authority

Without prejudice to the foregoing, the Controller retains the right to lodge a complaint with a competent Supervisory Authority in accordance with Article 77 of the GDPR.

Annex 1: Sub-processor List

Last updated: January 2026

The following Sub-processors are authorised to process Controller Personal Data on behalf of the Processor:

Sub-processorPurposeLocationTransfer Mechanism
Microsoft AzureCloud infrastructure, hosting, database, storageEU (West Europe - Netherlands)N/A (EU)
Microsoft Entra External IDUser authentication and identity managementEUN/A (EU)
Stripe, Inc.Payment processing and subscription managementUSAEU-US Data Privacy Framework; SCCs
Functional Software, Inc. (Sentry)Error monitoring and application performanceUSAEU-US Data Privacy Framework; SCCs
Postmark (ActiveCampaign, LLC)Transactional email deliveryUSAEU-US Data Privacy Framework; SCCs
Atlassian Pty LtdIntegration with Jira (OAuth tokens, data synchronisation)Australia / USAAdequacy decision (Australia); SCCs

Note:The Controller may subscribe to Sub-processor change notifications by contacting privacy@ibisflow.com.

Annex 2: Controller Instructions

By accepting this DPA, the Controller instructs the Processor to process Controller Personal Data as follows:

  1. Purpose: Processing is permitted solely for the purpose of providing the Ibis Flow service as described in the Principal Agreement and this DPA.
  2. Duration: Processing shall continue for the duration of the Principal Agreement plus any retention period required by applicable law or as necessary to complete deletion procedures.
  3. Data minimisation: The Processor shall process only such personal data as is necessary for the provision of the service.
  4. Security: The Processor shall implement and maintain the security measures described in Section 5 and the TOMs document.
  5. Sub-processing: The Processor may engage the Sub-processors listed in Annex 1, subject to the conditions in Section 6.
  6. International transfers: Transfers outside the EU/EEA are permitted only where appropriate safeguards are in place as described in Section 7.
  7. Assistance: The Processor shall assist the Controller with Data Subject requests, breach notifications, and DPIAs as described in this DPA.
  8. Deletion: Upon termination, the Processor shall delete or return Controller Personal Data as specified in Section 11.

Document Information

Version: 1.0

Effective Date: 16 January 2026

For questions about this DPA, please contact: privacy@ibisflow.com

Document Actions

Contact Legal Team

Questions about this DPA?

Our legal team is available to help clarify any provisions.

Contact legal support →

Related documents

Review our terms of service

Terms and Conditions →
Ibis Flow Logo
© 2026 Ibis Flow GmbH. All Rights Reserved.