Data Processing Agreement

Last updated: March 17, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Infrix VOF ("Processor"), registered at Wolbrantskerkweg 135, 1069 CL Amsterdam, the Netherlands (KvK 96615346), and the organization using the Service ("Controller"). This DPA is entered into in accordance with Article 28 of the General Data Protection Regulation (GDPR).

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller through the Service.
  • "Processing" means any operation performed on Personal Data, including collection, storage, modification, retrieval, use, disclosure, or deletion.
  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
  • "Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Scope and Purpose of Processing

The Processor processes Personal Data solely on behalf of the Controller for the purpose of providing the Infrix workforce management platform, including:

  • Time registration and work hour tracking
  • Shift scheduling and availability management
  • Absence and leave management
  • Project management and task allocation
  • Workforce reporting and analytics
  • User authentication and access control
  • Service notifications (email)

The Processor shall not process Personal Data for any purpose other than as instructed by the Controller or as required by applicable law.

3. Duration

This DPA is effective for the duration of the Controller's use of the Service. Upon termination, the Processor will delete or return all Personal Data within 90 days, unless retention is required by applicable law.

4. Categories of Data Subjects

  • Employees of the Controller
  • Managers and administrators of the Controller
  • Contractors and temporary staff managed through the Service

5. Types of Personal Data

  • Identity data: name, email address, phone number, job title, department.
  • Employment data: work hours, break times, clock-in/out timestamps, shift assignments, availability preferences, contract details.
  • Absence data: leave requests, absence types, leave balances.
  • Health data (special category): sick leave type and duration. No medical diagnoses or detailed health information is processed.
  • Project data: project assignments, task information, time allocation per project.
  • Technical data: IP address, browser information, session identifiers (processed for authentication, security, and error monitoring).

6. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by EU or Dutch law.
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality.
  • Implement appropriate technical and organizational security measures as described in Section 10.
  • Not engage another processor (sub-processor) without prior written authorization of the Controller, subject to Section 7.
  • Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection).
  • Assist the Controller in ensuring compliance with obligations related to security, breach notification, impact assessments, and prior consultation (Articles 32-36 GDPR).
  • At the Controller's choice, delete or return all Personal Data after the end of the provision of the Service, and delete existing copies unless retention is required by law.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR.

7. Sub-processors

The Controller provides general written authorization for the Processor to engage sub-processors. The current sub-processors are:

  • Google Firebase (Google LLC) — Authentication, database, storage. EU region (europe-west4).
  • Stripe (Stripe Inc.) — Payment processing (to be activated). United States, EU-US Data Privacy Framework.
  • Sentry (Functional Software Inc.) — Error monitoring. United States.
  • Resend (Resend Inc.) — Email delivery. United States.
  • Railway (Railway Corp.) — Hosting and infrastructure.

The Processor shall inform the Controller of any intended changes to the list of sub-processors at least 14 days in advance, giving the Controller the opportunity to object. If the Controller objects on reasonable grounds, the parties will work in good faith to find a solution. If no solution can be found, the Controller may terminate the Service.

The Processor shall impose the same data protection obligations as set out in this DPA on any sub-processor by way of a contract.

8. International Data Transfers

Primary data storage is in the EU (Google Firebase, europe-west4, Netherlands). Where Personal Data is transferred to sub-processors outside the EU/EEA (United States), the Processor ensures that appropriate safeguards are in place in accordance with Articles 44-49 GDPR, including:

  • EU-US Data Privacy Framework certification of the sub-processor.
  • Standard Contractual Clauses (SCCs) where the Data Privacy Framework does not apply.

9. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests under Articles 15-22 GDPR. The Processor shall promptly forward any Data Subject request it receives directly to the Controller, unless otherwise instructed.

The Processor provides the following mechanisms to support Data Subject rights:

  • Access and portability: data export in JSON or CSV format upon request.
  • Rectification: administrators can update employee data directly in the Service.
  • Erasure: account and data deletion within 90 days of request, subject to legal retention requirements.
  • Restriction: the Processor can restrict processing of specific data upon Controller instruction.

10. Security Measures

The Processor implements the following technical and organizational measures to ensure a level of security appropriate to the risk:

  • Encryption in transit: all data transmitted via TLS.
  • Encryption at rest: provided by Google Firebase.
  • Access control: role-based access with company-scoped data isolation (multi-tenancy). Firestore security rules enforce data separation at the database level.
  • Authentication: secure session management via Firebase Auth.
  • Application security: Content Security Policy (CSP), CSRF protection, rate limiting on sensitive operations.
  • Monitoring: error tracking and performance monitoring via Sentry.
  • Confidentiality: all personnel with access to Personal Data are bound by confidentiality obligations.

11. Data Breach Notification

The Processor shall notify the Controller without undue delay, and no later than 48 hours after becoming aware of a Data Breach involving Personal Data processed on behalf of the Controller.

The notification shall include:

  • A description of the nature of the breach.
  • The categories and approximate number of Data Subjects and records affected.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach and mitigate its effects.

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

12. Data Protection Impact Assessment

The Processor shall provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities, as required by Articles 35-36 GDPR, taking into account the nature of the processing and the information available to the Processor.

13. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and Article 28 GDPR.

The Controller may conduct audits, including inspections, either itself or through a mandated third-party auditor, subject to:

  • Reasonable advance notice of at least 14 days.
  • Audits being conducted during normal business hours with minimal disruption.
  • The auditor being bound by appropriate confidentiality obligations.
  • No more than one audit per calendar year, unless required by law or a supervisory authority.

14. Return and Deletion of Data

Upon termination of the Service or upon written request from the Controller:

  • The Processor shall, at the Controller's choice, return all Personal Data in a structured, commonly used, machine-readable format (JSON or CSV) or delete all Personal Data.
  • Deletion shall be completed within 90 days of the request or termination.
  • The Processor may retain Personal Data to the extent required by applicable EU or Dutch law, in which case the Processor shall inform the Controller and continue to protect the data.
  • The Processor shall certify in writing that all Personal Data has been deleted upon the Controller's request.

15. Liability

The liability of each party under this DPA is subject to the limitations set out in the Terms of Service. Each party is liable for damages caused by processing that infringes the GDPR, in accordance with Article 82 GDPR.

16. Contact

For questions about this Data Processing Agreement:

Infrix VOF

Wolbrantskerkweg 135, 1069 CL Amsterdam, the Netherlands

KvK: 96615346

Email: privacy@infrix.app
