Data Processing Agreement
Pursuant to Art. 28 GDPR (General Data Protection Regulation)
Controller
[CUSTOMER NAME]
[CUSTOMER STREET]
[POSTAL CODE CITY], Germany
represented by [PLACEHOLDER]
Processor
Packteam24.de Power GmbH
Am Altenwerder Kirchtal 1–3
21129 Hamburg, Germany
represented by Przemyslaw Topolnicki, Managing Director
§ 1 Introduction, Scope, Definitions
1.1 This agreement governs the rights and obligations of the Controller and the Processor (hereinafter jointly referred to as "Parties") in connection with the processing of personal data on behalf of the Controller pursuant to Art. 28 GDPR.
1.2 This agreement applies to all activities in which the Processor, its employees, or subcontractors commissioned by it process personal data of the Controller.
1.3 Terms used in this agreement shall be understood in accordance with their definitions in the GDPR.
§ 2 Subject Matter and Duration of Processing
2.1 The Processor undertakes the following processing activities: Collection/recording, storage, use, etc. of employee data and time tracking data from employees and administrators of the Controller for the purpose of time and attendance tracking.
2.2 Processing continues indefinitely until termination of this agreement or the main contract by either party.
§ 3 Nature and Purpose of Data Processing
3.1 The Controller uses the B2B SaaS solution "Workflex360 Time" from the Processor. This includes time tracking (Web/Mobile/Kiosk), NFC check-in/check-out, and optionally point-in-time GPS for time tracking events.
3.2 Processing is carried out by: Collection, recording, storage, retrieval, use, transmission within the tenant, restriction, deletion, and maintenance of security and system logs.
3.3 Processing serves the purposes of time and attendance tracking, record keeping, internal administration, and process optimization for the Controller.
3.4 The following categories of personal data are processed:
- Employee ID
- Name/abbreviation of employees
- Assignments (department/location/position)
- Time tracking events (timestamp, NFC tag ID, terminal ID)
- Optionally: point-in-time GPS coordinates at time tracking events
- Administrator account data (name, business email address)
- Optionally: Push tokens for mobile push notifications
3.5 Processing concerns: Employees of the Controller and Administrators of the Controller (B2B context).
§ 4 Obligations of the Processor
4.1 The Processor processes personal data exclusively as contractually agreed or in accordance with instructions from the Controller.
4.2 The Processor confirms that it is aware of the relevant data protection regulations and complies with the principles of proper data processing.
4.3-4.9 The Processor undertakes to maintain confidentiality, train personnel, and support the Controller in maintaining the processing register and conducting data protection impact assessments.
4.10 Processing on behalf of the Controller is generally carried out in Germany or within the EU/EEA (cloud infrastructure: Hetzner Online GmbH). Transfer to third countries only takes place using appropriate safeguards pursuant to Chapter V GDPR.
§ 5 Technical and Organizational Measures
The data security measures described in Annex 1 are established as binding. They represent the minimum owed by the Processor.
§ 6-16 Other Provisions
The agreement also contains provisions regarding: Correction, deletion, and blocking of data (§6), sub-processing relationships (§7), rights and obligations of the Controller (§8), notification obligations (§9), instructions (§10), termination of the assignment (§11), remuneration (§12), liability (§13-13b), contractual penalties (§14), special termination rights (§15), and miscellaneous provisions (§16).
Annex 1 - Technical and Organizational Measures
- Physical Access Control: Physical access to data centers only for authorized personnel
- System Access Control: RBAC, MFA for administrators, automatic lockout
- Data Access Control: Tenant separation, logging of all accesses
- Transfer Control: TLS ≥ 1.2, encryption of data at rest
- Input Control: Full logging, immutable audit logs, 90-day retention
- Availability Control: Daily backups, geo-redundant storage, RTO/RPO ≤ 24h
- Incident Response: Initial response ≤ 2 hours
Annex 2 - Approved Sub-processors
Hetzner Online GmbH
Industriestr. 25, 91710 Gunzenhausen, Germany
Scope: Cloud hosting and backup services in Germany or EU
Apple Inc. (APNs)
One Apple Park Way, Cupertino, CA 95014, USA
Scope: Delivery of push notifications to iOS devices
Status: optional / only when activated by the Controller
Google LLC (FCM)
1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Scope: Delivery of push notifications to Android devices
Status: optional / only when activated by the Controller
Payment Service Providers (PSP)
Stripe / Paddle / Lemon Squeezy
Scope: Payment processing
Status: optional / only when activated by the Controller
Annex 3 - Authorized Persons for Instructions
1. Authorized to Issue Instructions (Controller):
[PLACEHOLDER_NAME], [PLACEHOLDER_FUNCTION], [PLACEHOLDER_EMAIL]
2. Authorized to Receive Instructions (Processor):
Workflex360 – Data Protection / Support
privacy@workflex360.com
This Data Processing Agreement is an integral part of the SaaS main contract Workflex360 Time.