1. Parties and subject matter
This Data Processing Agreement (DPA) governs the processing of personal data that PosupClock (processor) carries out on behalf of the customer company (controller) when providing the Service. It forms part of the Terms and Conditions.
2. Subject, duration and nature
The processing is for the provision of the attendance-tracking Service for the term of the contract. Its nature includes recording, storing and querying attendance data.
3. Data categories and data subjects
- Data subjects: the controller's employees.
- Data: identification, clock-in records, zone location and facial biometric data (special category).
4. Processor obligations (PosupClock)
- Process data only on the controller's documented instructions.
- Ensure that authorized personnel are bound by confidentiality.
- Apply appropriate security measures (GDPR Art. 32 or equivalent).
- Assist the controller with data-subject requests and impact assessments.
- Report any security breach without undue delay.
5. Biometric consent
The controller warrants that it has obtained employees' explicit consent for biometric data processing and assumes responsibility for that legal basis.
6. Sub-processors
The controller authorizes the following sub-processors: Stripe (payment processing) and our cloud hosting providers. We will give reasonable prior notice of any addition or replacement of sub-processors, allowing the controller to object on legitimate grounds.
7. International transfers
Any transfer outside the controller's territory will be made with appropriate safeguards under applicable law.
8. Return and deletion
At the end of the contract, and at the controller's choice, we will return or delete personal data, including biometric data, unless legally required to retain it.
9. Audit
We will make available the information needed to demonstrate compliance with this DPA and cooperate with reasonable audits.
10. Contact
For matters relating to this DPA: privacy@posup.app.