Data Processing Addendum
(“DPA”, Version 1.1 — last updated 07 May 2025)
This DPA is incorporated into and forms part of the Trackifi Terms of Service (the “Agreement”) between:
| Party | Details |
|---|---|
| Controller | [Customer Legal Name], registered in [Country], with its registered address at [Address] (“Customer”, “Controller”, “you”) |
| Processor | Trackifi Oy, Business ID 3530479-2, Helsinki, Finland (“Trackifi”, “Processor”, “we/us”) |
1 Definitions
Capitalised terms not defined here have the meanings given in Regulation (EU) 2016/679 (“GDPR”).
- “Personal Data” – data processed under the Agreement that relates to an identified or identifiable natural person.
- “Sub‑processor” – a third‑party processor engaged by Trackifi to process Personal Data on Trackifi’s behalf.
2 Subject‑matter & Duration
Trackifi will process Personal Data only for the term of the Agreement and solely on documented instructions from the Controller, unless EU or Member‑State law requires otherwise (GDPR Art 28 §3 (a)).
3 Nature & Purpose of Processing
Provision of a SaaS platform for time tracking, resource allocation, invoicing, analytics, and related consulting‑team workflows. Processing operations include collection, storage, retrieval, transmission, analysis, and deletion of Personal Data to deliver and support the Services.
4 Categories of Data & Data Subjects
| Personal‑data category | Examples |
|---|---|
| Identification data | Name, business e‑mail, user ID, role, company name |
| Employment data | Hourly rate, hour targets, project allocations |
| Time‑entry data | Hours logged, notes/description text |
| Technical data | IP addresses, device/agent data, login timestamps |

| Data subjects |
|---|
| Customer employees |
| Freelancers / external consultants |
| Customer clients (when included in time‑entry notes or invoice metadata) |
No special categories (GDPR Art 9) are expected. Controller agrees not to upload such data.
5 Processor Obligations
- Confidentiality – Trackifi ensures personnel are bound by confidentiality (Art 28 §3 (b)).
- Security Measures – Trackifi implements the controls in Annex I (Art 32).
- Sub‑processors – Controller authorises the vendors in Annex II. Trackifi will provide 30 days’ advance notice of any intended changes and impose equivalent data‑protection obligations on all Sub‑processors (Art 28 §2‑4).
- Assistance – Taking into account the nature of processing, Trackifi assists Controller in fulfilling Art 32‑36 obligations and responding to data‑subject requests (Art 28 §3 (e‑f)).
- Breach Notification – Trackifi notifies Controller without undue delay (and in any case within 72 hours) after becoming aware of a Personal‑Data Breach, detailing nature, scope, and mitigation steps (Art 33).
- Audit & Information Rights – Trackifi provides information to demonstrate compliance and allows audits once per 12 months on 30 days’ notice, subject to reasonable confidentiality (Art 28 §3 (h)).
6 Controller Obligations
Controller will: (i) ensure a lawful basis for all Personal Data submitted; (ii) not instruct Trackifi to process data unlawfully; (iii) maintain accurate contact details for breach notices.
7 International Transfers
Production data is stored exclusively within the European Economic Area. If Trackifi later transfers Personal Data outside the EEA, it will rely on an adequacy decision or the EU Standard Contractual Clauses (2021/914) and notify Controller in advance.
8 Return & Deletion of Data
Upon termination of the Agreement, Trackifi will, at Controller’s choice:
- a) delete all Personal Data within 30 days, or
- b) make it available for export (JSON/CSV) and then delete.
Encrypted backups are purged within 90 days unless retention is required by law.
9 Liability & Governing Law
Liability is limited as in the Agreement. This DPA is governed by Finnish law; disputes shall be resolved by the District Court of Helsinki, unless overridden by mandatory EU law.
10 Hierarchy & Updates
If this DPA conflicts with the Agreement, this DPA prevails for privacy matters. Trackifi may update Annex II to reflect new Sub‑processors; Controller may object within 30 days.
Annex I — Technical & Organisational Security Measures
| Control area | Implementation |
|---|---|
| Encryption | TLS 1.2+ in transit; AES‑256 at rest |
| Access control | MFA for staff; role‑based least privilege |
| Isolation | Tenant data separated via unique IDs |
| Monitoring & logging | Centralised logs, anomaly alerts; 30‑day retention |
| Back‑up & DR | Daily encrypted backups; RTO < 4 h, RPO 24 h |
| Vulnerability management | Quarterly penetration tests; weekly dependency scans |
| Employee security | Security training, NDAs |
| Physical security | ISO 27001‑certified EU data centres |
Annex II — Authorised Sub‑processors
| Vendor | Location of processing | Purpose |
|---|---|---|
| Scaleway SAS | Paris & Amsterdam, EU | Primary cloud hosting, managed PostgreSQL, object storage |
| Cloudflare, Inc. (EU edge) | Multiple EU Points‑of‑Presence | TLS termination, DDoS protection, WAF, CDN caching |
| Resend Inc. (EU region) | Dublin, Ireland* | Transactional e‑mail delivery (invites, password resets, notifications) |
| Stripe Payments Europe Ltd | Dublin, Ireland | Payment processing & subscription billing |

* Resend note: The parent company is U.S.‑based, but Trackifi’s Resend workspace is locked to the EU‑West‑1 (Ireland) region. Message content remains within the EEA; an SCC‑backed DPA is in place for any ancillary U.S. processing of billing metadata.
Notice procedure: Changes to this list will be posted here and communicated via e‑mail at least 30 days before a new sub‑processor begins processing customer data.
Signatures
Jesse Kauppi, CEO & Founder – 07 May 2025
Trackifi Oy