Data Processing Agreement
Effective date: March 6, 2026 · Last updated: March 6, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between CameleonPro UG (haftungsbeschränkt) (“Processor”) and the Subscriber (“Controller”) and governs the processing of personal data by the Processor on behalf of the Controller in connection with the CameleonPro field service management platform (the “Services”).
This DPA is designed to comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and incorporates principles from the European Commission's Standard Contractual Clauses for controllers and processors.
1. Definitions
- “Controller” — The Subscriber (organization) that determines the purposes and means of processing personal data via the Services
- “Processor” — CameleonPro UG (haftungsbeschränkt), which processes personal data on behalf of the Controller
- “Sub-processor” — A third party engaged by the Processor to process personal data on behalf of the Controller
- “Personal Data” — Any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1)
- “Processing” — Any operation performed on personal data, as defined in GDPR Article 4(2)
- “Data Subject” — The identified or identifiable natural person to whom the personal data relates
- “Data Breach” — A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data
2. Scope and Purpose of Processing
The Processor shall process personal data solely for the purpose of providing the Services as described in the Terms of Service, including:
- Managing service bookings, scheduling, and dispatch
- Facilitating communication between the Controller's team, fieldworkers, and customers
- Processing payments and generating invoices
- Providing GPS-based location tracking for active service assignments
- Sending notifications (email, SMS, push, WhatsApp) on behalf of the Controller
- Storing and managing compliance documents, certifications, and profile data
- Generating reports and analytics for the Controller's business operations
The Processor shall not process personal data for any purpose other than providing the Services, unless required by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited by law).
3. Categories of Data Subjects
The personal data processed under this DPA may relate to the following categories of data subjects:
- Organization staff — Owners, managers, and administrators of the Controller's organization
- Fieldworkers — Individuals who provide field services on behalf of the Controller
- End Customers — The Controller's customers who use the platform to request, book, and manage services
4. Types of Personal Data
| Category | Data Types |
|---|---|
| Contact information | Name, email address, phone number, postal address |
| Identity data | Profile photo, job title, role within organization |
| Location data | GPS coordinates (fieldworkers during active assignments), service addresses |
| Financial data | Invoice details, payment history, payout records (card details processed by Stripe, not stored by Processor) |
| Communications | Chat messages, discussion threads, notification content |
| Service data | Booking details, service requests, scheduling, work history, ratings and reviews |
| Compliance documents | Certifications, licenses, insurance documents uploaded by fieldworkers |
| Technical data | Device tokens (push notifications), IP addresses, session data, authentication logs |
5. Obligations of the Processor
The Processor shall:
- Process on documented instructions: Process personal data only on documented instructions from the Controller, including with regard to transfers outside the EU/EEA, unless required by applicable law
- Confidentiality: Ensure that all persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
- Security measures: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 6)
- Sub-processor management: Not engage another processor without prior written authorization from the Controller (see Section 7)
- Assist with data subject rights: Assist the Controller in fulfilling its obligations to respond to data subject requests (access, rectification, erasure, portability, restriction, objection)
- Assist with compliance: Assist the Controller in ensuring compliance with obligations under GDPR Articles 32-36 (security, breach notification, data protection impact assessments)
- Deletion or return: At the choice of the Controller, delete or return all personal data after the end of the provision of Services, and delete existing copies unless retention is required by law
- Audit support: Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits and inspections conducted by the Controller or an authorized auditor (see Section 10)
6. Security Measures
The Processor implements the following technical and organizational measures to protect personal data:
6.1 Technical Measures
- Encryption in transit: All data transmitted between clients and servers is encrypted using TLS 1.2 or higher
- Encryption at rest: Database storage is encrypted using AES-256
- Multi-tenant isolation: Each Controller's data is logically isolated at the database level using tenant identifiers; cross-tenant data access is prevented at the application layer
- Access controls: Role-based access control (RBAC) with principle of least privilege; multi-factor authentication available via Keycloak
- Automated backups: Daily encrypted backups with point-in-time recovery capability
- Vulnerability management: Regular security assessments, dependency scanning, and patching
6.2 Organizational Measures
- Personnel: Access to personal data is limited to authorized personnel who require it for their duties
- Confidentiality: All personnel with access to personal data are bound by confidentiality obligations
- Incident response: Documented incident response procedures with defined escalation paths
- Business continuity: Disaster recovery procedures with defined recovery time and recovery point objectives
7. Sub-Processors
The Controller grants general authorization for the Processor to engage the following sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing and billing | EU / US (SCCs) |
| Keycloak (self-hosted) | Authentication and identity management | EU |
| Google Cloud / Firebase | Push notification delivery (FCM) | EU / US (SCCs) |
| Mapbox, Inc. | Mapping, geocoding, and route optimization | US (SCCs) |
| Brevo (Sendinblue) | Transactional email delivery | EU (France) |
| Cloudinary Ltd. | Image hosting and transformation | EU / US (SCCs) |
| STRATO AG | Cloud infrastructure (application servers, database, web hosting) | EU (Germany) |
7.1 New Sub-Processors
The Processor shall notify the Controller at least 30 days before engaging a new sub-processor, providing details of the processing to be undertaken. The Controller may object to a new sub-processor on reasonable grounds within 14 days of notification. If the objection cannot be resolved, the Controller may terminate the affected Services without penalty.
7.2 Sub-Processor Obligations
The Processor shall impose the same data protection obligations as set out in this DPA on any sub-processor by way of a written contract. The Processor remains fully liable to the Controller for the performance of each sub-processor's obligations.
8. International Data Transfers
The Processor's primary infrastructure is located within the European Union. Where personal data is transferred to sub-processors located outside the EU/EEA, the Processor ensures appropriate safeguards are in place:
- European Commission adequacy decisions (where applicable)
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914)
- Supplementary measures where required by the specific circumstances of the transfer
The Processor shall inform the Controller of any changes to the data transfer mechanisms used and shall not transfer personal data to a country outside the EU/EEA without appropriate safeguards.
9. Data Subject Rights
The Processor shall assist the Controller in responding to data subject requests, including requests for access, rectification, erasure, restriction, portability, and objection.
- The Processor shall promptly notify the Controller if it receives a request directly from a data subject, unless otherwise authorized by the Controller
- The Processor shall provide the Controller with the technical means to fulfill data subject requests through the platform's administrative tools where possible
- The Processor shall respond to the Controller's assistance requests within 10 business days
10. Data Breach Notification
10.1 Notification Timeline
The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Data Breach affecting the Controller's personal data.
10.2 Notification Content
The notification shall include, to the extent available:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records affected
- The name and contact details of the Processor's point of contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
10.3 Cooperation
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach. The Processor shall not notify any third party (including supervisory authorities) of a breach without the Controller's prior approval, unless required by law.
11. Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA.
- The Controller may conduct audits, including inspections, no more than once per year, with at least 30 days' written notice
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations
- The Controller shall bear its own costs for audits
- The Processor may satisfy audit requests by providing relevant third-party audit reports or certifications (e.g., SOC 2, ISO 27001) where available
12. Term and Termination
This DPA shall remain in effect for the duration of the Controller's subscription to the Services and shall automatically terminate when the Terms of Service are terminated.
Upon termination, the Processor shall, at the Controller's election:
- Return all personal data in a standard, machine-readable format (CSV, JSON) within 30 days of the request; or
- Delete all personal data within 30 days of termination, unless retention is required by applicable law
The Processor shall certify the deletion of personal data upon the Controller's request.
13. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
The Processor shall be liable for damages caused by processing that does not comply with this DPA or with the Controller's lawful instructions. The Processor shall not be liable for damages caused by processing carried out in accordance with the Controller's instructions.
14. Contact
For questions about this DPA or to exercise rights under it:
CameleonPro UG (haftungsbeschränkt)
Data Protection Contact
Email: privacy@cameleonpro.com