DATA PROCESSING AGREEMENT

This Data Processing Agreement (“Agreement”) constitutes an integral part of the General Terms and Conditions for the provision of SaaS services (“Main Agreement”) and governs the relationship between:

the CLIENT, in its capacity as a data controller (“Controller”),

and

“BIODIT” AD, in its capacity as a data processor (“Processor”),

hereinafter jointly referred to as the “Parties”.

By accepting the Main Agreement, this Agreement shall be considered concluded and binding.

1. SUBJECT AND SCOPE

1.1. This Agreement regulates the conditions under which the Processor processes personal data on behalf of the Controller in connection with the provision of a SaaS-based time tracking system, including check-in terminals (“Services”).

1.2. The processing is carried out in accordance with: Regulation (EU) 2016/679 (“GDPR”); applicable European Union law and national legislation;

2. DEFINITIONS

2.1. The terms “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, “Security Breach” and “Supervisory Authority” have the meaning given in the GDPR.

2.2. For the purposes of this Agreement:

    • “Controller Personal Data” means all personal data processed by the Processor on behalf of the Controller;
    • “Sub-processor” means a third party engaged by the Processor;
    • “Data Protection Laws” means all applicable legislation in the field of personal data protection.

3. PROCESSING OF PERSONAL DATA

3.1. The Processor processes Controller Personal Data only:

    • on documented instructions from the Controller;
    • for the purposes of providing the Services;
    • within the scope agreed in the Main Agreement.

3.1.1. Documented instructions shall also include the functionalities of the Services, configurations selected by the Controller, as well as the terms of the Main Agreement.

3.2. If the Processor is required by applicable law to process personal data outside the instructions, it shall notify the Controller in advance, unless this is prohibited by law.

3.3. If the Processor considers that a given instruction violates Data Protection Laws, it shall immediately notify the Controller.

4. OBLIGATIONS OF THE CONTROLLER

The Controller guarantees and declares that:

4.1. the processing of personal data is carried out on a valid legal basis;

4.2. the obligations for transparency and information towards data subjects have been fulfilled;

4.3. the personal data provided are adequate, accurate and limited to what is necessary;

4.4. special categories of personal data are not processed, unless expressly agreed;

4.5. it has the right to provide the personal data to the Processor.

5. CONFIDENTIALITY

5.1. The Processor guarantees that persons authorized to process personal data:

    • are bound by confidentiality obligations;
    • process the data only when necessary.

5.2. Each party undertakes to keep confidential any confidential information received in connection with the Agreement.

6. SECURITY OF PROCESSING

6.1. The Processor applies appropriate technical and organizational measures in accordance with Article 32 GDPR.

6.2. When determining the measures, the following shall be taken into account:

    • the state of the art;
    • the costs of implementation;
    • the nature, scope and purposes of the processing;
    • the risks to the rights and freedoms of natural persons.

6.3. The specific measures are described in Annex No. 2.

7. SUB-PROCESSORS

7.1. The Processor has the right to engage sub-processors.

7.1.1. The Processor shall notify the Controller of any change in sub-processors at least 30 (thirty) days in advance.

7.1.2. The Controller has the right to object within 30 (thirty) days of the notification.

7.2. The Processor:

    • Ensures that sub-processors are bound by obligations equivalent to this Agreement;
    • Remains responsible for their performance.

7.3. An up-to-date list of sub-processors is maintained on the Processor’s website or in Annex No. 3.

8. RIGHTS OF DATA SUBJECTS

8.1. The Processor assists the Controller in fulfilling its obligations regarding data subject rights.

8.2. The Processor:

    • notifies without undue delay upon receiving a request;
    • does not respond independently, unless required by law.

9. SECURITY BREACHES

9.1. The Processor shall notify the Controller no later than 72 hours from becoming aware and, where possible, within 24–48 hours.

9.2. The notification includes the information necessary for compliance with GDPR obligations.

9.3. The Processor provides assistance within a reasonable time to limit and remedy the consequences.

10. IMPACT ASSESSMENT

The Processor provides reasonable assistance in:

    • data protection impact assessments;
    • consultations with supervisory authorities.

11. STORAGE, RETURN AND DELETION

11.1. Upon termination of the Services, the Processor deletes or returns the personal data, unless retention is required by law.

11.2. Upon request, confirmation of deletion is provided.

12. AUDIT AND DEMONSTRATION OF COMPLIANCE

12.1. The Processor provides information to demonstrate compliance.

12.2. Audits are carried out:

    • Upon reasonable notice of not less than 30 (thirty) days;
    • No more than once per year;
    • Only in case of justified suspicion;
    • At the expense of the Client;
    • Provided that trade secrets and the security of other clients are not affected.

13. DATA TRANSFERS

13.1. Personal data are stored and processed within the European Union and/or the European Economic Area, unless explicitly agreed otherwise. In case of transfer outside the EU/EEA, the Processor ensures appropriate safeguards in accordance with applicable law.

13.2. Transfers outside the EU/EEA are permitted only if appropriate safeguards are in place.

13.3. Where necessary, standard contractual clauses are applied.

14. LIABILITY

14.1. Each party is liable for damages caused by breach of this Agreement or applicable law.

14.2. The Processor is liable only for damages caused by:

    • processing in violation of documented instructions; or
    • failure to fulfill its GDPR obligations.

14.3. To the extent permitted by applicable law, the total liability of the Processor under this Agreement, regardless of the legal basis of the claim, is limited to the total amount of fees paid by the Controller under the Main Agreement for the last 12 (twelve) months preceding the event giving rise to liability.

14.4. This limitation does not apply in cases of intent or gross negligence by the Processor, or in other cases where limitation is not permitted under applicable law, including under GDPR.

15. HIERARCHY OF DOCUMENTS

In case of conflict between this Agreement and the Main Agreement, this Agreement shall prevail with regard to personal data protection.

16. APPLICABLE LAW AND JURISDICTION

16.1. The law of the Republic of Bulgaria applies.

16.2. All disputes shall be resolved by the competent court in Sofia.

ANNEX No. 1

Details of processing

Subject: SaaS time tracking system

Purpose: management of working time and attendance

Categories of data:

    • identification data (name, ID);
    • contact data (email, phone – if available);
    • attendance and working hours data;
    • technical data (IP addresses, logs).

Data subjects: employees and contractors

Duration: for the term of the Main Agreement

Place of processing: EU/EEA

ANNEX No. 2

Technical and organizational measures

The Processor applies appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including where applicable:

1. Access control

    • Implementation of role-based access control (RBAC);
    • Restriction of access to personal data only to authorized persons on a need-to-know basis;
    • Use of strong authentication (including multi-factor authentication where applicable);
    • Management of user rights (creation, modification and deactivation of accounts);
    • Regular review of access rights.

2. Encryption and data protection

    • Encryption of data in transit using secure protocols (e.g. TLS 1.2 or newer);
    • Encryption of data at rest where applicable;
    • Pseudonymization and/or data minimization where possible;
    • Protection of keys and certificates through appropriate management mechanisms.

3. Logging and monitoring

    • Maintaining logs of access and system activities;
    • Monitoring for unauthorized access and suspicious activity;
    • Restricted access to logs;
    • Retention of logs for a reasonable period for security and audit purposes.

4. Security and infrastructure

    • Use of secure server environments (including high-security cloud services);
    • Network protection (firewalls, segmentation, protection against unauthorized access);
    • Regular software and system updates (patch management);
    • Protection against malware and vulnerabilities.

5. Backups and recovery

    • Daily backups;
    • Storage of backups in a secure environment;
    • Testing of disaster recovery procedures;
    • Ability to restore availability and access within a reasonable time.

6. Physical security

    • Controlled physical access to facilities where data is processed;
    • Use of secure data centers;
    • Protection against physical incidents (fire, flood, etc.).

7. Incident management

    • Procedures for identifying and managing security incidents;
    • Internal reporting and escalation processes;
    • Limiting and minimizing consequences;
    • Documentation of incidents and actions taken.

8. Testing and evaluation

    • Periodic testing and evaluation of effectiveness;
    • Vulnerability assessments and, where necessary, penetration testing;
    • Continuous improvement of security measures.

9. Organizational measures

    • Staff training on data protection and security;
    • Confidentiality obligations for employees and subcontractors;
    • Internal policies and procedures;
    • Restriction of staff access to personal data.

10. Sub-processors

    • Preliminary security assessment;
    • Contractual obligations equivalent to this Agreement;
    • Periodic compliance reviews.

11. Data protection principles

Application of “privacy by design” and “privacy by default”, including:

    • data minimization;
    • access limitation;
    • processing only for specific purposes;
    • limited storage period.

12. Additional provisions

The Processor may update these measures provided the level of security is not reduced.

ANNEX No. 3

Sub-processors

The Processor gives its general authorization to engage subcontractors for personal data processing, provided the requirements of Article 28(2) and (4) GDPR are met.

As of the date of this Agreement, the Processor uses the following subcontractors:

Sub-processor: Hetzner Online GmbH
Country: Germany (EU)
Role/Purpose: Hosting of web applications and databases; data backups
Data category: All personal data processed via the platform

Sub-processor: Cloudflare, Inc.
Country: USA (with appropriate safeguards)
Role/Purpose: Content delivery network (CDN); cyberattack protection (DDoS, WAF)
Data category: Traffic metadata; IP addresses; HTTP requests

Sub-processor: Stripe, Inc.
Country: USA (with appropriate safeguards)
Role/Purpose: Payment processing
Data category: Payment data; payer identification data

Hetzner is established in the EU; therefore no additional transfer mechanism is required for data transferred to it.

Cloudflare and Stripe are established in the USA. Transfers are based on Standard Contractual Clauses (SCCs) adopted by the European Commission and/or the EU-U.S. Data Privacy Framework, where the respective company is certified.