STEALTH MODE
Product
The IdeaEU CloudProjects & TasksTeam ChatVideo MeetingsFiles & DocsAI AssistantAll Features
Solutions
IT Services & SolutionsSoftware & SaaSMarketing, PR & Creative AgenciesLife Sciences & MedTechRenewable Energy & CleanTechStartups & ScaleupsEnterprise
Pricing
Log in
Join the waitlist
Product
The IdeaEU CloudProjects & TasksTeam ChatVideo MeetingsFiles & DocsAI AssistantAll Features
Solutions
IT Services & SolutionsSoftware & SaaSMarketing, PR & Creative AgenciesLife Sciences & MedTechRenewable Energy & CleanTechStartups & ScaleupsEnterprise
PricingLog in

Data Processing Agreement (DPA)

Effective: March 5, 2026

pursuant to Art. 28 GDPR

1. Parties and Subject Matter

This DPA is entered into between the Customer as Controller and Liza GmbH, Aachener-und-Münchener-Allee 1, 52074 Aachen, Germany, as Processor.

It supplements the Terms of Service and governs the processing of personal data carried out by the Processor on behalf of the Controller in connection with the "Liza" platform.

2. Subject Matter and Duration

Processing is carried out for the duration of the main agreement and encompasses the provision of the SaaS platform for project communication and management.

3. Nature and Purpose of Processing

Processing includes the storage, organization, retrieval, and erasure of personal data for the purpose of delivering the contractually agreed platform features. Where the Controller uses AI features of the platform, content is transmitted to third-party AI model providers as sub-processors. These providers are contractually prohibited from using data to train their models. The Controller may disable AI features entirely at any time.

4. Categories of Data Subjects

Data subjects include employees and agents of the Controller, as well as the Controller's customers and business partners, to the extent their data is processed on the platform.

5. Categories of Personal Data

The following categories are processed: contact data (name, email, phone), communication content (messages, files, comments), project data (tasks, assignments, deadlines), and technical data (IP address, device information, access logs).

6. Obligations of the Processor

The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by EU or Member State law, in which case it shall inform the Controller of such requirement in advance.

The Processor shall ensure that all persons authorized to process personal data are bound by confidentiality obligations, and shall assist the Controller in fulfilling its obligations under Art. 32–36 GDPR (security, data protection impact assessments, breach notifications).

7. Technical and Organizational Measures (TOMs)

The Processor shall implement appropriate technical and organizational measures pursuant to Art. 32 GDPR, including in particular encryption of personal data in transit (TLS), access and authorization controls, network segmentation and database security, regular security reviews and penetration testing, procedures for regularly testing the effectiveness of measures, and backup and recovery procedures.

TOMs are described in detail in Annex A and updated as necessary.

8. Sub-processors

The Controller grants general authorization for the use of sub-processors. The current list is available at Subprocessor List.

The Processor shall notify the Controller at least 14 days before engaging a new sub-processor. The Controller may object within this period. If the Controller objects and no reasonable alternative can be found, the Controller has the right to terminate the agreement.

The Processor shall ensure that each sub-processor is subject to the same data protection obligations. All sub-processors process data exclusively within the EU/EEA.

9. Assistance with Data Subject Rights

The Processor shall assist the Controller through appropriate technical and organizational measures in fulfilling requests from data subjects (Art. 15–22 GDPR).

10. Data Breach Notification

The Processor shall notify the Controller without undue delay, and no later than 48 hours after becoming aware of a personal data breach, and shall assist with notifications to the supervisory authority.

11. Deletion and Return of Data

Upon termination of the main agreement, the Processor shall delete all personal data within 30 days, unless retention is required by law. Upon request, the Processor shall make the data available in a commonly used format prior to deletion.

12. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the GDPR. The Controller has the right to have an audit conducted no more than once per year by a qualified, independent external auditor, with at least 60 days' prior notice. The auditor must be bound by a confidentiality agreement in advance. The costs of the audit shall be borne by the Controller. The Processor may offer current certifications (e.g., ISO 27001, SOC 2 Type II) as equivalent evidence of compliance.

Annex A: Technical and Organizational Measures

1. Physical Access Control

Measures to prevent unauthorized persons from accessing data processing facilities:

  • All Customer data is processed and stored on servers of the cloud provider UpCloud. UpCloud operates an information security management system certified under ISO 27001 and SOC 2 Type II. Physical security of the data centers is ensured by UpCloud.
  • The Provider does not operate its own data center.
  • Access to the Provider's office premises is secured by a central reception and a key-based locking system. Visitors are registered and accompanied.
  • Employees working remotely are instructed to protect work devices from unauthorized access and to lock them when unattended.

2. System Access Control

Measures to prevent unauthorized use of data processing systems:

  • Access to all internal systems (cloud console, code repositories, admin tools) requires authentication with an individual user account and a strong password.
  • All employee accounts are secured by two-factor authentication with a biometric second factor.
  • Passwords are managed exclusively through a central password manager.
  • The platform offers Customers two-factor authentication as an additional security option.
  • Work devices are automatically locked after periods of inactivity.

3. Data Access Control

Measures to ensure authorized users only access data assigned to them:

  • The platform uses a role-based access control model that governs end-user access within a Customer organization (e.g., Admin, Member, Guest).
  • Provider employees have no default access to Customer content. Access is granted only upon active authorization by the Customer and is limited to a defined time period.
  • The principle of least privilege applies to all internal systems.
  • Access rights are reviewed regularly and revoked immediately upon an employee's departure.

4. Transfer Control

Measures to protect personal data during transmission:

  • All data transfers between end users and the platform are TLS-encrypted (HTTPS).
  • Administrative access to the infrastructure (servers, databases) is only possible via VPN.
  • Communication with third-party providers (e.g., AI providers, payment service providers) is conducted exclusively through encrypted interfaces (HTTPS/TLS).

5. Input Control

Measures to ensure traceability of data entry, modification, and deletion:

  • Changes to data are logged with user ID, timestamp, and type of action (audit log).
  • Each user operates with a personalized user account; anonymous input is not possible.
  • Audit logs are protected against retrospective modification.

6. Processing Control

Measures to ensure data is processed only in accordance with instructions:

  • Processing of personal data is carried out exclusively on the basis of this DPA and documented instructions from the Controller.
  • Contractual agreements pursuant to Art. 28 GDPR are in place with all sub-processors.
  • Compliance with contractual requirements by sub-processors is reviewed regularly.

7. Availability Control

Measures to protect against data loss:

  • Daily automatic backups by the cloud provider UpCloud.
  • Additional backups to a separate data center (geo-redundant storage).
  • Continuous uptime monitoring of the platform.
  • Documented disaster recovery plan with defined recovery objectives.

8. Data Separation

Measures to ensure data collected for different purposes is processed separately:

  • Each Customer is maintained in a separate database (physical tenant separation).
  • Development and production environments are fully separated.
  • No production data is used in development environments.

9. Incident Response

Procedures in the event of a data breach:

  • Documented incident response process with defined escalation levels.
  • Notification to the Controller without undue delay, no later than 48 hours after becoming aware of a breach.
  • Documentation of all incidents including cause, impact, and remedial measures taken.

10. Employee Training

  • Regular data protection training for all employees.
  • Commitment to data confidentiality upon joining the company.
  • Awareness training for social engineering and phishing.

Annex B: Current Sub-processors

See: Subprocessor List

Product
The IdeaEU CloudProjects & TasksTeam ChatVideo MeetingsFiles & DocsAI AssistantAll FeaturesPricing
Solutions
IT Services & SolutionsSoftware & SaaSMarketing, PR & Creative AgenciesLife Sciences & MedTechRenewable Energy & CleanTechStartups & ScaleupsEnterprise
Why Liza?
Liza vs. TeamsLiza vs. SlackLiza vs. ZoomLiza vs. TrelloLiza vs. AsanaLiza vs. ClickUpLiza vs. Google DriveLiza vs. Dropbox
Resources
Getting StartedDownloadsHelp & SupportAPI DocsFeedbackChangelogRoadmapStatus
Company
About usContact usTerms of ServicePrivacy PolicyCookie PolicyDPASubprocessor ListAcceptable UseImprint
Language
English
Deutsch
Français
Español
Português
Italiano
Nederlands
日本語