Data Processing Agreement (DPA)

Last updated: 2025-06-20

1. Subject Matter

This Agreement governs the Processor's Processing of Personal Data on behalf of the Controller in connection with the use of the Mojn.Dev SaaS application, which supports Azure DevOps refinement sessions, real-time collaboration and AI-assisted guidance.

2. Duration

This Agreement applies for as long as the Processor Processes Personal Data on behalf of the Controller.

3. Nature and Purpose of Processing

  • Authenticate users and enable access (passwordless login).
  • Temporarily display Azure DevOps work‑item data in real‑time to enable collaboration. Data is held briefly in Liveblocks only during active sessions and deleted at session end.
  • Provide AI‑assisted refinement support.
  • Improve the Service through product analytics and telemetry (aggregated, de‑identified where possible).
  • Maintain and secure the Service, including monitoring, backup and troubleshooting.

4. Categories of Data and Data Subjects

Categories of Personal Data

  • Email address
  • Encrypted Azure DevOps Personal Access Token (PAT)
  • IP address and browser/session metadata
  • Collaboration metadata
  • Prompts and responses submitted to the AI assistant
  • Temporarily displayed Azure DevOps work‑item titles and custom fields

Categories of Data Subjects

  • Employees or other authorised users of the Controller

5. Instructions and Responsibilities

  • The Processor shall Process Personal Data only on documented instructions from the Controller, unless otherwise required by Union or Member‑State law to which the Processor is subject; in such case, the Processor shall inform the Controller of that legal requirement before Processing.
  • The Processor ensures that every person acting under its authority who has access to Personal Data is subject to a contractual or statutory duty of confidentiality and receives regular data‑protection training.

6. Security Measures

The Processor implements and maintains appropriate technical and organisational measures in accordance with Article 32 GDPR, including but not limited to:

  • Transport‑layer encryption (TLS 1.2+).
  • Encryption of data at rest; encrypted storage of PATs using industry‑standard algorithms.
  • Role‑based access control with multi‑factor authentication for privileged accounts.
  • Continuous infrastructure monitoring, logging and alerting.
  • Pseudonymisation or aggregation where possible for analytics.

7. Security Incident (Data‑Breach) Notification

  • The Processor shall notify the Controller without undue delay and, where feasible, no later than 24 hours after becoming aware of a Personal‑Data Breach affecting the Personal Data.
  • The notification shall at a minimum describe: (i) the nature of the Breach (including categories and approximate number of Data Subjects and Personal‑Data records concerned); (ii) likely consequences of the Breach; and (iii) measures taken or proposed to address the Breach and mitigate its possible adverse effects.
  • The Processor shall promptly investigate the Breach, take reasonable steps to mitigate harm, and cooperate with the Controller to enable compliance with Articles 33 & 34 GDPR.

8. Sub‑Processors

Sub‑Processor                      Location   Purpose
Oracle Cloud Infrastructure        US         Hosting of application and Postgres database
Liveblocks, Inc.                   US         Real‑time collaboration (ephemeral room storage)
OpenAI, Inc.                       US         AI processing (LLM inference)
PostHog, Inc.                      EU         Product analytics and session replay
Amazon Web Services, Inc. (SES)    EU         Transactional email delivery

The Controller authorises the Sub‑Processors listed above. The Processor shall give the Controller 30 days' written notice of any intended addition or replacement of a Sub‑Processor, thereby giving the Controller the right to object on reasonable grounds.

The Processor shall impose data‑protection obligations on each Sub‑Processor that are no less protective than those set out in this Agreement and shall remain fully liable to the Controller for the performance of the Sub‑Processor's obligations.

9. International Transfers

Where the Processing involves a transfer of Personal Data to a country outside the EU/EEA that does not provide an adequate level of protection, the Processor shall ensure a valid transfer mechanism, such as the EU Standard Contractual Clauses (SCCs), is in place with the receiving entity.

10. Data‑Subject Rights & Regulatory Assistance

  • The Processor shall promptly forward to the Controller any request it receives directly from a Data Subject or supervisory authority concerning Personal Data processed under this Agreement, and shall not respond to such request except on documented instructions from the Controller.
  • Taking into account the nature of Processing, the Processor shall assist the Controller by appropriate technical and organisational measures to fulfil the Controller's obligations to respond to Data‑Subject requests under Chapter III GDPR.
  • The Processor shall further assist the Controller with obligations under Articles 32 – 36 GDPR (security, breach notification, Data‑Protection Impact Assessment and prior consultation) by providing relevant records or information reasonably required to demonstrate compliance.

11. Data Retention and Deletion

Operational retention

  • Liveblocks room data is deleted after the last participant leaves the session.
  • OpenAI request logs are retained for ≤ 30 days for abuse monitoring.

End‑of‑contract: Upon termination of the Service or at the Controller's written request, the Processor shall, at the Controller's choice, return all Personal Data and copies thereof to the Controller or securely erase them within 30 days, unless Union or Member‑State law requires storage.

The Processor shall provide written confirmation of deletion upon request.

12. Audit and Demonstration of Compliance

The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Audits shall be subject to reasonable advance notice, confidentiality undertakings and shall not unreasonably interfere with the Processor's business operations.

13. Compliance with Applicable Law

If the Processor believes an instruction from the Controller infringes the GDPR or other Union or Member‑State data‑protection provisions, the Processor shall immediately inform the Controller. If the Processor is required by law to Process Personal Data contrary to the Controller's instructions, the Processor shall notify the Controller before such Processing, unless the law prohibits such notification.

14. Contact Information

BoK ApS (trading as Mojn.Dev)
Ellemosevej 78, 2900 Hellerup, Denmark
hello@mojn.dev