Data Processing Agreement

Definitions

The terms used in this appendix shall have the meanings assigned to them in the EU General Data Protection Regulation.

Purpose of processing

In this appendix, the Parties agree on the terms under which the Processor processes personal data on behalf of the Controller during the term of this agreement.

The Controller acts as the controller in relation to the personal data processed under this agreement and is responsible for ensuring that it fulfills all obligations required of a controller under mandatory legislation.

The Processor processes personal data for the purpose of providing and delivering the products and services specified in more detail in the commercial service agreement between the Parties (of which this agreement forms an appendix), in accordance with any further instructions given by the Controller from time to time.

The Processor shall inform the Controller if it considers that the Controller’s written instructions regarding processing violate the General Data Protection Regulation or other applicable mandatory data protection provisions. In addition to the terms of this agreement, each Party undertakes to comply with applicable national data protection laws and the provisions of the EU General Data Protection Regulation as applicable to its operations.

Duration of processing

The Processor shall process personal data until the termination of the commercial service agreement between the Parties, unless otherwise instructed by the Controller, or until the data is returned or destroyed in accordance with the Controller’s instructions.

Nature of processing, types of personal data processed, and categories of data subjects

The processing of personal data carried out by the Processor on behalf of the Controller includes, among other things, the receipt, collection, recording, storage, retention, modification, use, disclosure by transmission, deletion or destruction of data, as well as other operations performed on personal data.

a) Categories of data subjects

Personal data may relate to several categories of data subjects, such as users of the services under the commercial agreement between the Parties or the Controller’s personnel.

b) Types of personal data processed

The personal data processed may relate to several categories of personal data, such as a person’s name, address, telephone number, email address, bank account number, personal identity number, salary information, and other data. The types of personal data processed are specified in Annex A.

International data transfers

The Processor shall, as a rule, process personal data within the EU or EEA, or in countries that ensure an adequate level of data protection as required by data protection legislation.

Certain sub-processors and their parent companies may be located outside the EU/EEA. All locations and sub-processors are listed in Annex B to this Data Processing Agreement.

If personal data is transferred to countries outside the EU or EEA, subject to the Controller’s separate prior written consent, such transfer shall be carried out by applying (i) the European Commission’s standard contractual clauses for the transfer of personal data or equivalent clauses approved by the European Union that replace such clauses, or (ii) other appropriate transfer mechanisms defined in the General Data Protection Regulation, and in accordance with the Controller’s instructions.

Sub-processors

The Processor may use sub-processors for the processing of personal data. The Processor is responsible for the actions of its sub-processors as for its own actions and shall enter into written agreements on the processing of personal data with its sub-processors. The current sub-processors are listed in Annex B. An updated list of sub-processors is available on the Processor’s website.

Security

The Processor shall ensure that it implements appropriate technical and organizational measures aimed at preventing the accidental, unauthorized and/or unlawful destruction, loss, alteration, unauthorized disclosure or transfer of, or access to, personal data processed on behalf of the Controller that is in the possession of the Processor. For the avoidance of doubt, the Processor shall not be responsible for the technical security of information systems or services owned by the Controller or for which the intellectual property rights belong to the Controller or any third party, unless explicitly agreed otherwise. If the Processor is required to assist the Controller in improving, developing or maintaining the technical or organizational security of such systems or services, the Parties shall agree separately on such work, its costs and other terms.

Security measures shall be designed taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of processing and the risks of varying likelihood and severity for the rights and freedoms of natural persons, such as:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.

Audit rights & security

Taking into account the state of the art, the costs of implementation, as well as the scope, context and purposes of processing and the risks to the rights and freedoms of natural persons, Evenpay shall in all cases implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures shall include at least those set out in Article 32(1) of the EU General Data Protection Regulation (Regulation (EU) 2016/679, GDPR), as well as the security measures in place on the effective date of the Agreement, which shall be maintained at a level at least equivalent throughout the term of the Agreement.

The Customer shall have the right, upon reasonable prior notice and at its own expense, either itself or through an independent third party, to audit Evenpay’s processing of personal data in accordance with this Agreement and the Data Processing Agreement (“Audit”). The purpose of the Audit is to verify that Evenpay complies with its data protection obligations and that its processing activities are lawful. Evenpay shall remedy any identified deficiencies without charge.

Evenpay shall assist in the conduct of the Audit to a reasonable extent, provided that:

  • the Audit is carried out in a manner that does not unreasonably interfere with Evenpay’s business and is conducted no more than once per calendar year;
  • the Customer provides written notice of the Audit at least thirty (30) days in advance;
  • the Customer bears all costs arising from the Audit and reimburses Evenpay for all reasonable costs incurred by Evenpay in enabling the Audit, including arranging access to Evenpay’s or its subcontractors’ processing facilities or information systems;
  • Evenpay has the right, as a primary means, to demonstrate its compliance by providing the Customer with security or audit reports prepared by an independent third party (such as ISO 27001 or SOC 2 reports, or similar);
  • the Audit may also cover the activities of Evenpay’s subcontractors or sub-processors to the extent permitted by their own terms; a subcontractor may alternatively provide the Customer with a certified audit report (“assurance report”) to fulfill the audit requirement; and
  • persons conducting the Audit commit in writing to comply with Evenpay’s security and confidentiality requirements before the Audit commences.

The audit right shall remain valid for three (3) years after termination of the Agreement to the extent that the Audit concerns processing activities or data protection obligations during the term of the Agreement.

Data subject rights

Taking into account the nature of the processing, the Processor shall, to a reasonable extent and without undue delay, assist the Controller by appropriate technical and organizational measures, where possible, in fulfilling the Controller’s obligation to respond to requests concerning the exercise of data subject rights under the General Data Protection Regulation. Such rights include, among others, as defined in the Regulation:

  1. the right of access to personal data;
  2. the right to rectify inaccurate data;
  3. the right to erasure (“right to be forgotten”);
  4. the right to restriction of processing;
  5. the right to data portability, i.e. the right to receive personal data in a structured, commonly used and machine-readable format and to have it transmitted to another controller;
  6. the right to object to processing;
  7. the right not to be subject to automated decision-making, including profiling; and
  8. the right to withdraw consent.

If such requests are submitted directly to the Processor, it shall promptly notify the Controller thereof.

Personal data breaches

The Processor shall notify the Controller without undue delay of any personal data breach it becomes aware of in the course of processing, so that the Controller can fulfill its notification obligations under the General Data Protection Regulation within the prescribed time limits. Sufficient information regarding the breach shall be provided, and the Processor shall otherwise assist the Controller in fulfilling its obligations under the Regulation. The Processor shall also take the necessary follow-up measures to mitigate the adverse effects of the personal data breach or to prevent future breaches.

Entry into force and effects of termination

This agreement shall enter into force when both Parties have signed it and shall remain in effect until the commercial agreement between the Parties terminates.

Within a reasonable period after termination of the agreement, the Processor shall, at the Controller’s choice, either delete or return all personal data to the Controller and delete existing copies, as well as remove its user access to the Controller’s information systems, unless applicable legislation requires the retention of personal data.

Unless the Controller has provided instructions regarding deletion or return within 12 months after termination of the agreement, the Processor shall delete the personal data and related copies, unless applicable legislation requires retention. In such case, the Processor shall be entitled to retain the personal data in accordance with legal requirements, without otherwise continuing the processing of personal data and while continuing to comply with the confidentiality obligations set out in this appendix.

A. Data Subjects, Personal Data Processed, Purpose of Processing, Nature of Processing and Duration of Processing

A.1 Categories of Data Subjects

  • Employees of the customer/partner
  • Contact persons of the customer/partner

A.2 Personal Data Processed

  • Name
  • Telephone number
  • Email address
  • City
  • Login credentials
  • Personal identity number
  • Age
  • Gender
  • Education and qualification data
  • Performance evaluations
  • Employment information
  • Salary data, salary basis and salary changes
  • Log data
  • IP address
  • Nationality
  • Primary country of employment

A.3 Special Categories of Data (Sensitive Personal Data)
In order for the Processor to process Special Categories of Personal Data on behalf of the Controller, the Controller must list in the table below the Sensitive Personal Data that the Processor processes.

The Controller is also obliged to notify the Processor and update the table below if the information changes during the validity of this annex to the agreement.

Sensitive Personal Data

The Processor processes the following Sensitive Personal Data on behalf of the Controller:

Category Yes No

Race or ethnic origin, political opinion, philosophical or religious belief

x

Health Data

x

Sexual behavior and orientation

x

Trade union membership

x

Genetic or biometric data

x

Criminal convictions, suspicions, or charges

x

Children’s personal data

x

A.4 Purpose of Processing
The purpose of the Processor’s processing of Personal Data on behalf of the Controller is the following:

To provide services in accordance with the Agreement.

A.5 Nature of Processing
The Processor’s processing of Personal Data on behalf of the Controller mainly relates to:

Receiving, storing, recording, reporting, transferring, anonymizing, and deleting data.

A.6 Duration of Processing
The Processor processes Personal Data on behalf of the Controller for the following period:

As long as the Agreement is valid and applicable to the processing of Personal Data.

Current Sub-processors

The following sub-processors of the Processor have access to the Controller’s Personal Data (07.04.2026). For each sub-processor, the list states its name, its location/country, the legal transfer mechanism applied if it has access to Personal Data outside the EU or EEA, and its role in providing the service.

  • Google Cloud Platform. Location: EU. Transfer mechanism: Standard Contractual Clauses (if outside EU/EEA). Role: cloud infrastructure, storage and computing services.
  • Mixpanel. Location: EU. Transfer mechanism: N/A (no transfers outside EU/EEA). Role: analytics tool.
  • Auth0. Location: EU. Transfer mechanism: N/A (no transfers outside EU/EEA), or SCCs if applicable. Role: user authentication tool.
  • Crisp. Location: EU. Transfer mechanism: N/A (no transfers outside EU/EEA). Role: in-app chat tool.
  • Lettermint. Location: EU. Transfer mechanism: N/A (no transfers outside EU/EEA). Role: transactional email traffic.
  • Kombo. Location: EU. Transfer mechanism: N/A (no transfers outside EU/EEA). Role: integration platform for HRIS and ATS integrations.