What is covered
The DPA governs the processing of personal data by justReporting GmbH Wirtschaftsprüfungsgesellschaft on behalf of customers using ReportingGPT (Art. 28 GDPR / § 28 DSGVO).
Availability
A DPA is available for all paid plans (Starter, Pro, Team, Enterprise). Free plan users process data without a formal DPA – we recommend upgrading if a DPA is required for your organisation.
Contents
- Subject matter, nature, and purpose of processing
- Categories of personal data and data subjects
- Data retention and deletion obligations
- Technical and organisational measures (TOMs) per Art. 32 GDPR
- Sub-processor list with notification obligation for changes
- Audit rights and cooperation obligations
- Standard contractual clauses where applicable
Sub-processors
Our primary sub-processor for AI inference is Amazon Web Services (AWS) – specifically AWS Bedrock, hosted in Frankfurt (eu-central-1). AWS operates under their own DPA with standard contractual clauses. A full sub-processor list is included in the DPA.
Data Retention
Report data is retained for the duration of the subscription plus a 30-day deletion window following account closure. Export artefacts are available for download at any time. On request, data can be deleted earlier.
Note: Different retention periods may apply to different document types under applicable law (e.g., § 257 HGB for business records, up to 10 years). We recommend reviewing your own obligations.
Data Portability & Exit Strategy
- Full export of all reports, comments, and review data in PDF and Word format at any time
- Structured CSV export of comment data and audit trail available on request
- No vendor lock-in: your reports remain in their original format (PDF/Word)
- On subscription cancellation: 30-day window to download all data before deletion
- Data deletion confirmation provided in writing on request
- No proprietary formats – all outputs use open standards
We believe in data sovereignty. Your data belongs to you, not to us. Switching away from ReportingGPT should be as easy as switching to it.
Ready to request your DPA?
Send us your company name and plan – we respond within 2 business days.
Request DPA via email
For Enterprise customers, custom DPA clauses are available.