Data Processing Agreement
This Data Processing Agreement ("DPA") applies when SA-HR processes personal data on behalf of a client in the course of providing software hosting, platform operation, or related services. It forms part of the service agreement between SA-HR (the Processor) and the client (the Controller).
Where SA-HR is the controller (for example, regarding website visitors and direct enquiries), the Privacy Policy applies instead.
1. Definitions
"GDPR" means Regulation (EU) 2016/679. "Personal Data", "Data Subject", "Controller", "Processor", and "Processing" have the meanings given to them in the GDPR.
2. Subject matter
SA-HR processes Personal Data strictly to provide the agreed services to the Controller — typically hosting, maintenance, platform operation, and technical support.
3. Duration
This DPA applies for as long as SA-HR processes Personal Data on behalf of the Controller under the service agreement.
4. Nature & purpose of processing
Processing is limited to what is necessary to operate the service — storing, transmitting, backing up, and displaying data as the Controller has configured.
5. Categories of Data Subjects and Personal Data
These depend on how the Controller uses the service. Typical categories include:
- Data Subjects: the Controller’s customers, guests, patients, employees, or other individuals the Controller decides to enter into the system.
- Personal Data: identity data (name, contact details), transactional data (bookings, orders, appointments), free-text notes the Controller enters, and similar operational data.
SA-HR does not require Special Category Data by default. If the Controller chooses to process such data, the Controller is responsible for ensuring a valid legal basis.
6. Obligations of SA-HR as Processor
SA-HR will:
- Process Personal Data only on documented instructions from the Controller (including the service agreement itself).
- Ensure personnel with access are bound by confidentiality.
- Implement appropriate technical and organisational measures (Art. 32 GDPR) to protect Personal Data.
- Assist the Controller in responding to Data Subject requests where technically feasible.
- Assist the Controller with breach notification obligations and data protection impact assessments where applicable.
- Notify the Controller without undue delay, and within 72 hours at the latest, of any confirmed Personal Data breach affecting the Controller’s data.
- On termination, return or delete all Personal Data (at the Controller’s choice), subject to retention required by law.
7. Sub-processors
The Controller authorises SA-HR to use sub-processors to deliver the service. SA-HR uses reputable providers for hosting, email, backup, and related infrastructure, each under written data-protection obligations at least equivalent to this DPA.
A current list of sub-processor categories is available on request. SA-HR will give the Controller a reasonable opportunity to object to new sub-processors that materially change the processing.
8. International transfers
Some sub-processors are located outside the EEA. Where that is the case, transfers are covered by appropriate safeguards such as the EU Standard Contractual Clauses and, where relevant, supplementary measures.
9. Security
SA-HR implements measures including:
- Encryption in transit (TLS) and encryption at rest for production data stores.
- Role-based access control, applied on a least-privilege basis.
- Regular backups and tested restoration procedures.
- Secure software development practices and review.
- Logging and monitoring of access to Personal Data.
10. Audit
The Controller may, at reasonable intervals and with reasonable notice, request information and documentation reasonably necessary to demonstrate SA-HR’s compliance with this DPA. Physical on-site audits may be arranged where required by law and at the Controller’s cost.
11. Liability
Liability under this DPA is governed by, and capped in accordance with, the liability provisions of the underlying service agreement.
12. Governing law
This DPA is governed by the law of the Republic of Croatia, consistent with the underlying service agreement.