Legal

Data Processing Agreement

Last updated: 16 July 2026

This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the OneBase Terms of Service between you ("Customer", "Controller") and Coffee in Code Out S.R.L. ("OneBase", "Processor", "we"). By accepting the Terms you accept this DPA. It reflects the parties' agreement, under Article 28 of the GDPR, on our processing of the personal data you store in OneBase. Where it conflicts with the Terms on that processing, this DPA prevails. This is version 1.0.

1. Definitions

Terms such as "personal data", "processing", "controller", "processor", "sub-processor", "data subject", "personal data breach" and "supervisory authority" have the meanings given in the GDPR. "Customer Personal Data" means personal data contained in the content that the Customer stores in OneBase and in respect of which the Customer is the controller.

2. Roles of the parties

The Customer is the controller of Customer Personal Data. OneBase is the processor, and processes Customer Personal Data only on the Customer's documented instructions.

For the personal data of OneBase's own account holders — such as the Customer's login and billing details — OneBase is the controller, and that processing is governed by the OneBase Privacy Policy, not this DPA.

3. Scope and instructions

3.1 OneBase processes Customer Personal Data only to provide, secure and support the service, and only on the Customer's documented instructions. Those instructions are set out in the Terms, this DPA, the Customer's configuration and use of the service, and any further written instructions the Customer gives.

3.2 OneBase will tell the Customer if, in its opinion, an instruction infringes the GDPR or other applicable data protection law. OneBase is not obliged to review the legality of instructions.

3.3 If OneBase is required by EU or Member State law to process Customer Personal Data beyond the Customer's instructions, it will inform the Customer of that requirement before processing, unless the law prohibits it.

4. Details of processing (Annex I)

Subject matter: OneBase's provision of a configurable business-management platform to the Customer.

Duration: the term of the Customer's subscription, plus the deletion period set out in section 11.

Nature and purpose: hosting, storage, structuring, retrieval, display and processing of Customer content — including any personal data it contains — so that OneBase can provide the service and the features the Customer chooses to use, including the AI Consultant where the Customer enables it.

Types of personal data: determined by the Customer through its use of the service. This typically includes names, email addresses, phone numbers, postal addresses, company details, communication content, notes, and any other fields the Customer chooses to store. The Customer must not store special-category data (Article 9 GDPR) unless it has a lawful basis for doing so and has informed OneBase in writing.

Categories of data subjects: determined by the Customer. This typically includes the Customer's contacts, leads, clients, customers, employees and suppliers.

5. Confidentiality

OneBase ensures that the people it authorises to process Customer Personal Data are bound by an appropriate duty of confidentiality and process that data only as necessary to provide the service.

6. Security (Article 32, Annex II)

OneBase implements appropriate technical and organisational measures to protect Customer Personal Data, taking into account the state of the art, the cost of implementation, and the nature, scope, context and purposes of the processing. The current measures are:

  • Tenant isolation — every workspace's data is separated by row-level tenancy enforced in the application, with independent membership validation on every request, so one workspace cannot reach another's data.
  • Encryption in transit — all connections between the Customer and the service, and between the service and its sub-processors, are protected with TLS.
  • Access control — role- and profile-based access within each workspace, least-privilege internal access to production, and authentication controls on administrative access.
  • Hosting — application and database hosting with OVHcloud in its Warsaw, Poland data centre, within the European Economic Area.
  • Backups and recovery — regular backups with a defined retention period and a documented restore process.
  • Logging and monitoring — access and activity logging to support breach detection and investigation.
  • Secure development — separation of development, testing and production environments, and managed dependencies.

7. Sub-processors

7.1 The Customer gives general authorisation for OneBase to engage sub-processors to help provide the service. OneBase remains responsible for its sub-processors and imposes on each of them data-protection obligations no less protective than those in this DPA.

7.2 OneBase's current sub-processors are listed in Annex III below. OneBase will give the Customer at least 30 days' notice — by email and/or by updating this DPA — before adding or replacing a sub-processor. The Customer may object on reasonable data-protection grounds within that period; if the parties cannot resolve the objection, the Customer may terminate the affected part of the service.

8. Current sub-processors (Annex III)

OneBase uses the following sub-processors to provide the service. Each processes Customer Personal Data only as needed for its stated purpose:

  • Stripe — payment and subscription processing for paid plans. Where personal data is processed outside the EEA, the transfer is covered by Standard Contractual Clauses.
  • OVHcloud — hosting and storage of the service and its database, in Warsaw, Poland, within the EEA. No transfer outside the EEA.
  • MXroute — delivery of transactional and notification email (sign-in, verification, billing and notifications). Where email is processed outside the EEA, the transfer is covered by Standard Contractual Clauses.
  • Anthropic — the AI Consultant feature, engaged only for workspaces that enable it. Anthropic processes the content submitted to that feature in the United States; the transfer is covered by Standard Contractual Clauses.

9. International transfers

Where OneBase or a sub-processor processes Customer Personal Data outside the EEA, the transfer is covered by an appropriate safeguard under Chapter V of the GDPR — in particular the European Commission's Standard Contractual Clauses, or an adequacy decision. The relevant mechanism for each sub-processor is shown in Annex III. Hosting and primary storage remain within the EEA (OVHcloud, Poland).

10. Assistance to the Customer

10.1 Data subject requests. Taking into account the nature of the processing, OneBase assists the Customer — by appropriate technical and organisational measures, and insofar as possible — in responding to requests from data subjects exercising their rights of access, rectification, erasure, restriction, portability and objection. The service's self-service tools, including in-workspace editing, deletion and one-click export, are the primary means of assistance; OneBase provides further help on reasonable request.

10.2 Compliance obligations. OneBase assists the Customer, taking into account the nature of the processing and the information available to it, in meeting its obligations under Articles 32 to 36 GDPR — security, breach notification, data protection impact assessments and prior consultation.

11. Return and deletion

The Customer can export Customer Personal Data at any time using the one-click export, before or immediately after cancellation. OneBase deletes Customer Personal Data within 30 days of the end of the subscription, and removes it from backups within the normal backup rotation, unless EU or Member State law requires it to be retained.

12. Personal data breach

OneBase notifies the Customer without undue delay, and in any event within 48 hours of becoming aware of a personal data breach affecting Customer Personal Data, providing the information the Customer reasonably needs to meet its own notification obligations, to the extent that information is available to OneBase.

13. Audit

13.1 OneBase makes available to the Customer the information necessary to demonstrate compliance with Article 28 GDPR, including this DPA, the sub-processor list in Annex III, and the description of security measures in Annex II.

13.2 Where the Customer reasonably needs further information, OneBase responds to reasonable written requests. On-site audits are permitted only where required by a supervisory authority or by law, on 30 days' prior written notice, no more than once a year, during business hours, subject to confidentiality, at the Customer's cost, and in a way that does not disrupt OneBase's operations or the security of other customers' data.

14. Liability and term

The liability provisions of the Terms apply to this DPA. This DPA takes effect when the Customer accepts the Terms and remains in force for as long as OneBase processes Customer Personal Data.

15. Governing law

This DPA is governed by the laws of Romania and is subject to the same jurisdiction provisions as the Terms.

16. Acceptance and record-keeping

This DPA is accepted electronically when the Customer accepts the Terms (Article 28(9) GDPR — "in writing, including in electronic form"). OneBase records the Customer's acceptance of the Terms, together with the date of acceptance, as part of the account record.

Questions?

Write to us at support@onebase.ro and we will help.