Data Processing Agreement
Effective date: 20 May 2026. Version: 1.1.
This Data Processing Agreement ("DPA") forms part of the subscription agreement between HREvio (the "Processor") and the customer organisation (the "Controller") for the use of the HREvio platform. It governs the processing of Personal Data on the Controller's behalf in accordance with Article 28 of Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR").
1. Definitions
In this DPA, the following terms have the meaning given in GDPR unless explicitly redefined:
- Controller, Processor, Personal Data, Processing, Data Subject, Personal Data Breach - as defined in GDPR Article 4.
- Sub-processor - any third party engaged by the Processor to carry out specific Processing activities on behalf of the Controller.
- SCC - Standard Contractual Clauses adopted by the European Commission in Implementing Decision (EU) 2021/914.
2. Subject matter, duration, nature and purpose of processing
Subject matter: Processing of Personal Data of the Controller's workforce and authorised users in connection with the use of the HREvio platform (HR management, onboarding, time tracking, performance, document storage).
Duration: For the term of the subscription agreement plus a 30-day post-termination retention window during which the Controller may export data, after which deletion or return per Section 11.
Nature and purpose: Storage, retrieval, organisation, structuring, transmission, and erasure of Personal Data as instructed by the Controller through the Controller's use of the platform's documented features.
3. Categories of personal data
- Identification data: full name, employee ID, date of birth, nationality.
- Contact data: business and (where provided by Controller) personal email, telephone, postal address.
- Employment data: job title, department, manager, employment status, start/end dates, contract type.
- Compensation data: salary, bonuses, currency, payment frequency.
- Performance data: review records, goals, ratings (where the Controller uses the relevant module).
- Attendance data: working time, leave records, absences.
- Documents: employment contracts, identification scans, certificates uploaded by Controller or Data Subjects.
- Account data: credentials hashes, login timestamps, IP addresses, audit logs.
4. Categories of data subjects
- Employees of the Controller.
- Contractors and freelancers engaged by the Controller.
- Job candidates (where Controller uses recruitment functionality).
- Dependants of employees (where Controller uses benefits functionality requiring such data).
- Other authorised users of the Controller's HREvio account (HR administrators, managers).
5. Controller obligations
The Controller warrants that it has a lawful basis under GDPR Article 6 (and where applicable Article 9) for the Processing it instructs the Processor to perform; that it has issued any required notices and obtained any required consents from Data Subjects; and that the Personal Data provided to the Processor is accurate and lawfully obtained.
6. Processor obligations
The Processor shall:
- (a) process Personal Data only on documented instructions from the Controller, including with regard to transfers to a third country or an international organisation, unless required to do so by Union or Member State law;
- (b) ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- (c) implement the technical and organisational measures described in Annex II in compliance with GDPR Article 32;
- (d) respect the conditions in Section 7 for engaging Sub-processors;
- (e) assist the Controller, taking into account the nature of the Processing, in fulfilling its obligation to respond to Data Subject requests under GDPR Chapter III;
- (f) assist the Controller in ensuring compliance with GDPR Articles 32 to 36 (security, breach notification, data protection impact assessment, prior consultation), taking into account the nature of Processing and the information available to the Processor.
7. Sub-processors
The Controller grants the Processor a general written authorisation to engage the Sub-processors listed in Annex I. The Processor shall:
- Notify the Controller at least 14 days in advance of any intended addition or replacement of a Sub-processor, by means of an updated Annex I published in this DPA or via the Controller's account dashboard.
- Within those 14 days, the Controller may object to the change on reasonable, demonstrable grounds related to data protection; the parties shall negotiate in good faith. If no resolution is reached, the Controller may terminate the affected services with pro-rated refund of pre-paid fees.
- Bind each Sub-processor to data protection obligations no less protective than those in this DPA, by way of a written contract.
- Remain fully liable to the Controller for the performance of each Sub-processor's obligations.
8. Personal data breach notification
The Processor shall notify the Controller of any Personal Data Breach without undue delay after becoming aware of it, and in any event within 72 hours with all information then available, including:
- Nature of the breach, including categories and approximate number of Data Subjects and records concerned, where known.
- Likely consequences and the measures taken or proposed to address it, including, where appropriate, measures to mitigate adverse effects.
- Name and contact details of the Processor's data protection contact.
The Processor shall cooperate with the Controller and provide all information reasonably requested to enable the Controller to comply with its own notification obligations under GDPR Articles 33 and 34.
9. Audit rights
The Processor shall make available to the Controller, on reasonable written request and not more than once per twelve-month period (or more frequently if mandated by a Supervisory Authority), information necessary to demonstrate compliance with this DPA, including independent third-party audit reports of the Processor's hosting infrastructure (currently Hetzner Online GmbH's ISO 27001 / TÜV attestation, available on request) and equivalent attestations of the Processor's own security posture as may become available (the Processor anticipates SOC 2 Type I procurement on a roadmap aligned to commercial scale).
The Controller may, at its expense and on at least 30 days written notice, conduct an audit either itself or through an independent auditor mutually agreed in writing, subject to reasonable confidentiality obligations and during normal business hours, in a manner that does not unreasonably interfere with the Processor's operations.
10. International data transfers
For Sub-processors located outside the European Economic Area or the United Kingdom and not covered by a European Commission adequacy decision, the parties hereby incorporate by reference the Standard Contractual Clauses set out in Implementing Decision (EU) 2021/914, Module 2 (Controller to Processor), with the Controller acting as the data exporter and the relevant Sub-processor as the data importer. The annexes to those SCC are populated by reference to Annex I (List of parties; Description of transfer) and Annex II (Technical and organisational measures) of this DPA.
The Processor has performed a Transfer Impact Assessment for each non-EU Sub-processor in accordance with the post-Schrems II requirements and applies supplementary measures (encryption in transit and at rest, key management, access controls) as set out in Annex II.
For transfers subject to United Kingdom data protection law, the parties incorporate by reference the UK Information Commissioner's Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0 issued 2 February 2022, or any subsequent version as may be amended). The Addendum's tables are populated by reference to the SCC annexes completed under this DPA's Annexes I and II.
11. Term, termination, return or deletion
This DPA takes effect on the effective date of the subscription agreement and remains in force for the duration of the Processor's provision of services to the Controller. On termination of those services, the Controller shall choose, by written notice within 30 days of termination, between:
- Return: the Processor exports all Personal Data in a structured, commonly used machine-readable format and provides it to the Controller, then deletes its copies.
- Deletion: the Processor deletes all Personal Data and certifies completion in writing.
If the Controller makes no election within 30 days, the Processor shall delete the data and certify completion. The Processor may retain Personal Data only to the extent and for the duration required by Union or Member State law, and shall protect such retained data with the security measures of Annex II.
The Processor's obligation to delete Personal Data under this Section is subject to the backup retention rotations described in Annex II, with any Personal Data remaining in backups retained solely for disaster-recovery purposes, not accessible for any other Processing, and overwritten in accordance with the scheduled rotation cycle.
12. Liability, governing law, miscellaneous
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the subscription agreement, save where such limitations are not enforceable under applicable law.
Notwithstanding the foregoing, neither party shall be liable to the other for indirect, special, consequential, exemplary, or punitive damages arising out of or relating to this DPA, and the Processor shall not be liable for fines or penalties imposed on the Controller by a supervisory authority arising from the Controller's own breach of its obligations under GDPR Article 82(2) or any equivalent provision of applicable data protection law.
This DPA is governed by the law of the Republic of Poland, without prejudice to the mandatory data protection laws of the Controller's place of establishment. The competent courts are the courts of Rzeszow, Poland (the registered place of business of the Processor, Hennadii Alforov, conducting business as HREvio under JDG sole proprietorship registered with CEIDG, VAT EU PL9571162953), save as required by Article 79 GDPR.
If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force. This DPA, together with the subscription agreement and the SCC incorporated under Section 10, constitutes the entire agreement of the parties on the subject matter and supersedes any prior understanding.
Annex I - List of sub-processors (current as of 7 May 2026)
A. EU entity, EU data residency
| Sub-processor | Service | Location |
|---|---|---|
| Hetzner Online GmbH | Application hosting, primary database, self-hosted services | Germany |
| Stripe Payments Europe Limited | Subscription billing | Ireland |
B. EU data residency, non-EU parent (SCC 2021/914 Module 2 as additional safeguard)
| Sub-processor | Service | Data residency | Parent jurisdiction |
|---|---|---|---|
| Cloudflare, Inc. | DNS, CDN, DDoS protection, R2 backup storage | EU edges, EU R2 buckets | United States |
| Functional Software, Inc. (Sentry) | Error tracking and performance monitoring | EU SaaS region | United States |
| Grafana Labs, Inc. | Logs, dashboards, infrastructure observability | EU region (Frankfurt) | United States |
| Railsware Products, Inc. (Mailtrap) | Transactional email delivery | EU region | United States |
C. Non-EU vendor, full SCC 2021/914 Module 2 + Transfer Impact Assessment
| Sub-processor | Service | Scope |
|---|---|---|
| Google Ireland Limited (with onward processing by Google LLC under the Google Cloud Data Processing Addendum) | reCAPTCHA Enterprise (Cloud Assessments REST API) | Marketing site signup form only; fraud-signal scoring under legitimate interest with explicit on-form disclosure |
| Google Ireland Limited | Google Analytics 4 | Marketing site (www.hrevio.com) only; deployed under Google Consent Mode v2 advanced implementation: cookies and user identifiers are loaded only after explicit consent per ePrivacy Article 5(3); anonymous cookieless pings are sent for traffic estimation when consent is declined |
Annex II - Technical and Organisational Measures (Article 32)
- Encryption at rest: AES-256 for application database and backups in Cloudflare R2.
- Encryption in transit: TLS 1.3 for all client connections; HSTS with preload.
- Access control: Role-based access control with principle of least privilege; multi-factor authentication required for all administrative access.
- Audit logging: Centralised logs of administrative actions, ingested into Grafana Cloud (EU) with tamper-evident retention.
- Backup and recovery: daily encrypted backups (retained 14 days rolling) plus monthly snapshots (retained 365 days), stored off-site in Cloudflare R2 EU with lifecycle rules enforced (incomplete uploads aborted after 1 day); documented recovery procedures and tested restore drills.
- Pseudonymisation: where applicable, identifying data is separated from analytical and aggregated data.
- Personnel: all personnel with access to Personal Data are bound by written confidentiality obligations and trained on data protection.
- Security reviews: internal security review of the production environment conducted by the Processor at least annually; external penetration testing available on enterprise-customer request, at the Controller's expense or as agreed in the Subscription Agreement.
- Vendor security review: Sub-processors are subject to security and data protection due diligence prior to onboarding and on material change.
- Incident response: documented incident response plan with named on-call responder; breach notification process per Section 8.
Annex III - Standard Contractual Clauses reference
The Standard Contractual Clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, Module 2 (transfer Controller to Processor), are incorporated into this DPA by reference for the international transfers identified in Annex I, Category C, and as a supplementary safeguard for Annex I, Category B. Annex I (List of parties; Description of transfer; Competent supervisory authority) and Annex II (Technical and organisational measures) of those SCC are completed by reference to the corresponding annexes of this DPA. Where the laws of the data importer's jurisdiction prohibit compliance with the SCC, the Processor undertakes to notify the Controller promptly and to suspend the affected transfer until lawful conditions are restored or the Sub-processor is replaced.