Data Processing Agreement

Effective date: 2026-06-02 · Version dpa-en-v1

Processor: Andreas Hirzinger (Einzelunternehmen), Vomp, Tyrol, Austria — see the Impressum for full details. Controller: the Customer (cleaning-company account holder).

Current status. The proof-of-clean feature that this agreement governs is not active in the current version of CleanScope. No worker personal data is processed on your behalf today. These processor terms take effect automatically if and when you enable that feature. We publish this agreement now so it is available for your records and procurement review.

1. Subject, role, duration

1.1 This DPA governs CleanScope's processing of personal data on the Customer's behalf — namely the Customer's workers' GPS coordinates, proof photos, and associated timestamps collected through the proof-of-clean feature. For this data the Customer is the controller and CleanScope is the processor.

1.2 It applies for as long as CleanScope processes such data and prevails over conflicting terms for that data. It satisfies GDPR Art. 28(3); the corresponding clauses for UK GDPR and other regimes are addressed in §10.

2. Processing details (Art. 28(3) particulars)

Subject-matter: Proof-of-clean verification for cleaning jobs
Duration: Account lifetime; each record auto-deleted after 90 days
Nature & purpose: Storing location + photo evidence that a task was completed
Data types: GPS lat/long + accuracy radius, photo image, timestamp, task/area reference
Data subjects: The Customer's cleaning workers

3. Processor obligations

CleanScope: (a) processes only on the Customer's documented instructions (this DPA plus use of the product); (b) ensures persons authorized to process are bound by confidentiality; (c) implements the security measures in §6; (d) engages sub-processors only under §5; (e) assists the Customer with data-subject requests and with Art. 32–36 duties; (f) deletes or returns the data per §7; (g) makes available information needed to demonstrate compliance.

4. Customer obligations

The Customer warrants it has a valid legal basis and all required notices/consents/approvals to collect worker location and photos in every relevant jurisdiction (Terms §1, §7), and that its instructions comply with applicable law.

5. Sub-processors

5.1 The Customer generally authorizes the sub-processors listed in the Privacy Policy §4 (Supabase, Stripe, Resend, Loops, Vercel, Google Cloud Vertex AI).

5.2 CleanScope imposes data-protection obligations on each sub-processor equivalent to this DPA.

5.3 CleanScope notifies the Customer of intended additions or replacements of sub-processors with at least 30 days' notice; the Customer may object on reasonable data-protection grounds.

6. Technical & organizational measures (TOMs — Art. 32)

  • Encryption in transit (TLS) and at rest (Supabase-managed).
  • Access control / tenant isolation: Postgres Row-Level Security scopes every row to its owning account; the proof-photo bucket is private.
  • Signed-URL exposure only: proof photos are served via 1-hour expiring signed URLs; raw object URLs are rejected (403).
  • Least privilege: the service-role key is server-side only and never shipped to clients.
  • Storage minimization & deletion: an automated nightly job permanently deletes proof records and photos after 90 days (storage objects first, then rows).
  • Rate limiting on AI and write endpoints to limit abuse/exfiltration.
  • Audit trail: acceptance of legal terms is recorded with version + timestamp.

7. Breach notification, return & deletion

7.1 CleanScope notifies the Customer without undue delay (target: within 24 hours) after becoming aware of a personal-data breach affecting the Customer's worker data, with the information the Customer needs for its own Art. 33/34 duties.

7.2 On termination, worker data is deleted on the normal 90-day cycle or earlier on request; the Customer may export proposals/data beforehand (machine-readable — supports EU Data Act portability).

8. Audits

CleanScope provides, on reasonable request and confidentiality terms, the information needed to demonstrate Art. 28 compliance (security summary, sub-processor list, this DPA), and supports audits as required by Art. 28(3)(h).

9. Liability

Liability under this DPA follows the cap and allocation in the Terms of Service §6, to the extent permitted by applicable data-protection law (which can override caps for certain claims).

10. International transfers (the part that differs by region)

10.1 EU/EEA → USA sub-processors: EU Standard Contractual Clauses, Module 2 (controller-to-processor), EU Implementing Decision 2021/914, with documented transfer-impact assessment; EU-US Data Privacy Framework relied on where the recipient is certified.

10.2 UK: the UK International Data Transfer Addendum (IDTA) to the SCCs.

10.3 Switzerland: SCCs with Swiss FADP amendments where relevant.

10.4 Vertex AI stays in the EU (europe-west4) — no third-country transfer for the AI step.

11. Order of precedence

For the worker data in scope, the order is: applicable mandatory law → SCCs/IDTA → this DPA → the Terms of Service → the product UI.