Data Processing Agreement (DPA)

pursuant to Art. 28 GDPR

Version: June 2026


1. Contracting Parties

Controller (Client)

The advisor / agency / company that uses Plan2Fund to process personal data of their own customers.

Processor

Kevin Kraushofer, acting under the name Plan2Fund
Margaretenstraße 138/1/14
1050 Vienna, Austria
Email: hello@plan2fund.io
Website: https://plan2fund.io

2. Subject Matter of Processing

The Processor supports the Controller in creating, editing, and managing business plans, financial plans, and funding documents via the Plan2Fund platform.

3. Duration of Processing

Processing occurs for the duration of the Controller's use of Plan2Fund. After termination or deletion of the account, data will be deleted in accordance with the Privacy Policy.

4. Scope and Type of Processing

4.1 Categories of Data Subjects

  • Customers of the advisor
  • Clients of the advisor
  • Employees of the advisor (if applicable)

4.2 Types of Personal Data

  • Names and contact details
  • Company information
  • Project and document data
  • Business plans and financial data
  • Notes and comments

4.3 Processing Purposes

  • Creation of business plans
  • Financial planning
  • Grant application support
  • Document management
  • AI-assisted text generation

5. Instruction-Bound Processing

The Processor processes data exclusively according to the Controller's instructions. The Controller decides on the purpose and means of processing their customer data.

6. Confidentiality

The Processor ensures that persons authorized to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7. Data Security (TOMs)

The Processor implements technical and organizational measures in accordance with Art. 32 GDPR:

Technical Measures

  • HTTPS encryption: All data transmissions are encrypted
  • Password hashing: Passwords are securely stored using bcrypt
  • Session protection: HttpOnly, Secure, SameSite=Strict cookies
  • Access restriction: Role-based permissions (User/Advisor)
  • Technical logging: Logging for abuse prevention

Organizational Measures

  • Regular review of security-relevant processes
  • Restricted access to production data
  • Employee training in data protection

8. Sub-Processors

The Controller agrees to the engagement of the following sub-processors:

The Processor ensures that appropriate data processing agreements pursuant to Art. 28 GDPR are concluded with all sub-processors.

9. Data Subject Rights

The Processor supports the Controller in fulfilling data subject rights (access, rectification, deletion, data portability, etc.) through appropriate technical measures in the platform.

10. Deletion and Return

After termination of processing, the Processor deletes all personal data unless legal retention obligations prevent this.

Retention Periods

  • Project and plan data: Until deletion by the advisor
  • Exported files: Until deletion or re-export
  • AI usage logs: Until deletion of user account
  • Backups: Limited period until overwrite

11. Control Rights

The Controller has the right to verify the Processor's compliance with data protection obligations. In practice, this is done through:

  • Provision of the Privacy Policy
  • Documentation of TOMs
  • Notification in case of data breaches

12. Data Breaches

The Processor reports any data breaches to the Controller without undue delay (within 48 hours).

13. Amendments

Amendments to this agreement must be made in writing. The Processor informs the Controller of changes to sub-processors before their engagement.

14. Applicable Law

This agreement is subject to Austrian law, excluding the UN Convention on Contracts for the International Sale of Goods (CISG).

15. Final Provisions

Should any provision of this agreement be invalid, the validity of the remaining provisions shall remain unaffected.