
DPIA Support Resource

Last updated: May 13, 2026

Under GDPR Article 35, the Controller conducts a Data Protection Impact Assessment when processing is likely to result in a high risk to data subjects. Onplana acts as a Processor for customer data, so we do not issue our own DPIA for customer-facing processing. We do, however, provide the inputs your DPO needs for their internal DPIA — that obligation comes from Art. 28(3)(f) + Art. 35(7) and is reflected in Schedule 1 of our DPA.

This page is the structured assembly of those inputs. Each section follows the headings of a typical Art. 35(7) DPIA so a DPO can copy across without reshaping. Where a fact has a canonical source elsewhere on the site, we link to it rather than restate — single source of truth per fact.

How to use this page

Copy the relevant subsections into your internal DPIA template, or attach this URL as the vendor-input reference. A standalone PDF copy of this DPIA — useful if your procurement team needs a single artefact for the vendor record — is provided on request: email privacy@onplana.com with your organisation name and we will send the current version within one business day. For organisation-specific questions, use the same address.

1. Description of processing

Service: Onplana is a multi-tenant project, programme, and portfolio management platform. Customer organisations store project plans, tasks, comments, time entries, proposals, and related work-management artefacts. Optional AI features (Claude / Azure OpenAI) generate plan drafts, risk detection, summaries, and natural-language task parsing on customer instruction.

Nature: Cloud-hosted SaaS. Customer organisations access via authenticated web app, REST API, and an MCP server for AI-agent integration. No on-premise component.

Purpose: Provide the project-management service the customer subscribed to. Personal data is processed only on documented Controller instructions (DPA §3).

Duration: For the term of the customer's subscription, plus a defined retention window after termination. See §5 (Retention) below.

2. Categories of data subjects & personal data

Data subjects: Customer organisation employees, contractors, contractors-of-contractors, and any third party the customer chooses to invite as guest, reviewer, or stakeholder. Onplana does not process personal data of the general public; the marketing site collects only website-visitor data covered by the Privacy Policy.

Categories of personal data: identification (name, email, role, profile photo); authentication (password hash, 2FA secret, session metadata, OAuth identity); workplace (task assignments, time entries, comments, activity logs); optional integrations (calendar metadata, document metadata, IdP identifiers if SSO/SCIM is enabled). No special-category data is expected; if a Controller imports it via custom fields or comments, processing follows the customer's lawful basis and our security measures continue to apply.

Recipients: Other authorised members of the same customer organisation; sub-processors (see §6); law-enforcement bodies only on valid legal process. Personal data is never sold and never used to train AI models.

3. Legal bases

Onplana processes customer personal data on the Controller's instructions under Art. 28. For Onplana's own processing (marketing site, account creation, billing, support), the legal bases are summarised in Privacy Policy §4: contract (Art. 6(1)(b)), legitimate interest (Art. 6(1)(f)) for security and fraud prevention, and consent (Art. 6(1)(a)) for analytics cookies.

4. Technical & organisational measures

Full TOMs live on the Security overview page. Headlines:

  • Encryption at rest (AES-256) on Postgres, Blob, and Key Vault; encryption in transit (TLS 1.2+).
  • Tenant isolation enforced at the row level (organizationId guard on every query) and at the middleware level (withOrganization).
  • JWT auth with rolling tokenVersion, session registry with idle-timeout enforcement, optional TOTP 2FA, and SSO (SAML / OIDC) on Enterprise.
  • Daily encrypted backups + 7-day point-in-time restore via Azure Postgres Flexible Server.
  • Per-org audit logs, retention policies, IP allowlists (Enterprise), and SCIM provisioning (Enterprise).
  • Vulnerability monitoring, dependency scanning, secret detection in CI, and incident-response runbooks.

5. Retention

Per-organisation retention policies govern how long different data classes survive after their live link is removed:

  • Org data after soft-delete: configurable per org (default 90 days; HIPAA / FINRA presets stretch to 6 years).
  • User data after the last membership is removed: the most-restrictive (shortest) userDataDays value across every organisation in the user's membership history.
  • Audit logs: configurable per org (default 365 days); legal-hold presets retain forever.
  • Self-service account deletion: 7-day user-cancellable grace, then anonymize-in-place + hard delete via the daily purge worker. See Privacy Policy §10.

A daily purge worker enforces every retention window automatically; no manual sweep required.

6. Sub-processors & processing locations

Primary processing in Azure West US (United States). Full sub-processor list — name, purpose, data category, region, and per-vendor DPA — is published on the Subprocessors page. The DPA authorises that list and the notification process for material changes.

7. International transfer mechanism

Where customer personal data is transferred from the EEA / UK / Switzerland to the United States or other third countries, Onplana relies on the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) attached to the DPA, together with the UK International Data Transfer Addendum and the Swiss FDPIC addendum where applicable. Supplementary measures (encryption, tenant isolation, defined data categories, limited governmental access exposure) accompany the SCCs as required by Schrems II.

A transfer-impact assessment (TIA) summary is available on request — email privacy@onplana.com.

8. Identified risks & mitigations

Headline risks evaluated for the platform, with the mitigation already in place. This list is a starting point — Controllers should add their own organisation-specific risks (custom integrations, special-category data they choose to import, sector-specific concerns) on top.

  • Unauthorised access — tenant-isolated queries, JWT with tokenVersion bump on rotation, idle timeouts, 2FA, SSO, audit logs, optional IP allowlist.
  • Data loss — daily encrypted backups + point-in-time restore; soft-delete recycle bin with retention windows.
  • Insider risk — least-privilege RBAC (org + project axes), audit trail on every privileged action, OWNER-only matrix edit, last-OWNER guardrail.
  • Sub-processor failure — diversified providers per concern (compute / payment / email / AI), contractual DPAs in place, public sub-processor change notice channel.
  • Data-subject-rights load — self-service data export (Art. 20) and self-service account deletion (Art. 17) handle the high-volume rights at scale.
  • AI-feature exposure — Anthropic and Azure OpenAI both contractually exclude API content from model training; opt-out is the default; per-feature disable available; ENTERPRISE customers may bring their own Azure OpenAI deployment so inference stays in their tenancy.

9. Data-subject-rights assistance

Self-service tooling covers the common cases:

  • Access (Art. 15) + portability (Art. 20): self-service export from Settings → Privacy & Data.
  • Erasure (Art. 17): self-service account deletion with a 7-day cancellable grace window. Controller-initiated erasure for a specific data subject is available via support.
  • Rectification (Art. 16): user-editable profile + admin tools for organisation-controlled fields.
  • Restriction / objection (Arts. 18 + 21): handled on request via privacy@onplana.com.

For Controller-initiated DSAR support beyond the self-service tooling, Onplana provides reasonable assistance within the statutory one-month window.

10. Breach notification

Per DPA Schedule 1, Onplana notifies the affected Controller of any confirmed personal-data breach without undue delay and in any event within 72 hours of becoming aware, with a description, the categories and approximate number of data subjects, likely consequences, and measures taken.

Need DPIA assistance?

Email privacy@onplana.com with your DPIA template, the data flows specific to your organisation, and any sector concerns. We respond within one business day and can complete vendor sections of common DPIA templates (ICO, CNIL, IAPP) on request.

This page is a vendor-input resource, not a substitute for the Controller's own DPIA. The DPIA itself remains the Controller's responsibility under Art. 35.
