Standard data processing agreement for ShiftSphere customers processing EU personal data.
1. Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between ShiftSphere (Processor) and the Customer (Controller) for the processing of personal data as part of the Service.
2. Processing Instructions
The Processor shall process personal data only on documented instructions from the Controller, including transfers to third countries, unless required by law. The nature of processing includes storage, computation, and transmission of employee HR data.
3. Security Measures
The Processor implements: encryption at rest and in transit, tenant isolation via separate database schemas, role-based access control, regular security audits, employee background checks, and incident response procedures.
4. Sub-processors
Current sub-processors: AWS (infrastructure), Stripe (payments), Sentry (error monitoring). The Processor will notify the Controller 30 days before engaging new sub-processors, allowing the Controller to object.
5. Audit Rights
The Controller may audit the Processor's compliance with this DPA once per year with 30 days' notice. The Processor will provide reasonable cooperation and access to relevant documentation.
6. Data Deletion
Upon termination of the Service, the Processor will delete all personal data within 30 days (after a 14-day export window), unless retention is required by applicable law.