DATA PROCESSING AGREEMENT
Version 1.2
Effective Date: __________
This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between:
Envision Technologies Limited, an Irish company registered under company number 400334, with its registered office at 28b Princes Street, Cork, Ireland (“Processor”)
and
Customer identified in the applicable Order Form, subscription, or Agreement (“Controller”).
The parties agree as follows.
1. Purpose
This DPA governs the processing of Personal Data by Processor on behalf of Controller in connection with the provision of the VacationTracker.com software-as-a-service platform.
2. Definitions
The terms “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Special Category Data” shall have the meanings given under Applicable Data Protection Law.
“Applicable Data Protection Law” means:
- Regulation (EU) 2016/679 (EU GDPR)
- UK GDPR
- Irish Data Protection Act 2018
- Any legislation implementing or supplementing the foregoing
3. Scope and Roles
3.1 Controller appoints Processor to process Personal Data described in Appendix A.
3.2 Controller remains responsible for determining the purposes and lawful basis of processing.
3.3 Processor shall process Personal Data solely on documented instructions from Controller except where otherwise required by law.
4. Processor Obligations
Processor shall:
- Process Personal Data only on documented instructions from Controller.
- Ensure personnel authorized to process Personal Data are subject to confidentiality obligations.
- Implement appropriate technical and organizational security measures.
- Assist Controller in responding to Data Subject requests.
- Assist Controller with compliance obligations relating to security, breach notification, impact assessments, and supervisory authority consultations.
- Maintain records as required by Applicable Data Protection Law.
5. Security
Processor shall implement and maintain the technical and organizational measures described in Appendix B.
Processor may update such measures provided that the overall level of security is not materially reduced.
6. Personal Data Breaches
6.1 Processor shall notify Controller without undue delay after becoming aware of a confirmed Personal Data Breach affecting Controller Personal Data.
6.2 Such notification shall include available information concerning:
- Nature of the breach
- Categories of affected records
- Likely consequences
- Remediation actions taken or proposed
7. Subprocessors
7.1 Controller authorizes Processor to engage subprocessors listed in Appendix C.
7.2 Processor shall ensure subprocessors are subject to written agreements imposing substantially equivalent data protection obligations.
7.3 Processor shall remain responsible for the performance of its subprocessors.
7.4 Processor may update its subprocessors from time to time and shall make an updated list available upon request.
8. International Transfers
Where Personal Data is transferred outside the EEA or United Kingdom, Processor shall implement appropriate safeguards including:
- European Commission Standard Contractual Clauses
- UK International Data Transfer Addendum
- Adequacy decisions
- Other lawful transfer mechanisms
9. Audit Rights
9.1 Processor shall provide information reasonably necessary to demonstrate compliance with this DPA.
9.2 Any audit shall:
- Occur on reasonable notice
- Take place during normal business hours
- Not unreasonably interfere with Processor operations
- Be subject to confidentiality obligations
9.3 Processor may satisfy audit requests through the provision of documentation, policies, certifications, reports, questionnaires, independent assessments, or similar materials where appropriate.
On-site audits shall only be permitted where legally required and where the information provided is insufficient to satisfy the Controller's obligations under Applicable Data Protection Law.
10. Return and Deletion of Data
10.1 Upon termination of services, Controller may export available Customer Data during the retention period.
10.2 Processor shall delete Customer Data in accordance with its retention policies unless retention is required by law.
10.3 Backup copies may remain in secure backup systems until overwritten through normal backup rotation processes.
10.4 Customer account data is retained for up to 90 days following termination unless otherwise required by law.
10.5 Backup data may be retained for up to 180 days before deletion through normal backup rotation processes.
11. Liability
The liability of each party under this DPA shall be subject to the limitations of liability set forth in the Agreement except where prohibited by Applicable Data Protection Law.
12. Governing Law
This DPA shall be governed by the laws of Ireland.
13. Order of Precedence
In the event of conflict between this DPA and the Agreement concerning Personal Data processing, this DPA shall prevail.
APPENDIX A
DETAILS OF PROCESSING
Subject Matter
Provision of absence and leave management software services.
Duration
For the duration of the customer subscription and applicable retention periods.
Categories of Data Subjects
- Employees
- Contractors
- Administrators
- Authorized users
Categories of Personal Data
- Names
- Email addresses
- Employee identifiers
- Department information
- Employment-related information entered by Controller
- Absence requests
- Leave records
- User-entered notes
- Authentication identifiers
- Calendar synchronization identifiers
- Audit logs
Special Category Data
Where configured by Controller, Personal Data may include:
- Health-related absence information
- Medical leave information
- Family-related leave information
- Other Special Category Data entered by users
Controller remains responsible for determining the lawful basis for such processing.
Nature of Processing
Collection, storage, organization, retrieval, transmission, deletion, and other processing necessary to provide the services.
Purpose of Processing
Provision, maintenance, support, and security of the VacationTracker.com platform.
APPENDIX B
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Processor maintains security measures including:
Access Control
- Unique user accounts
- Role-based permissions
- Least-privilege access principles
- Restricted production access
Authentication
- Password-based authentication
- Multi-factor authentication for administrative accounts
Encryption
- TLS encryption in transit
- Encryption at rest provided by infrastructure services
Monitoring and Logging
- Administrative activity logging
- Authentication event logging
- Security event monitoring
Infrastructure Security
- Managed cloud infrastructure
- Security patching procedures
- Vulnerability monitoring
Business Continuity
- Regular backups
- Recovery procedures
- Infrastructure redundancy where available
Incident Management
- Incident response procedures
- Security event investigation
- Breach notification procedures
APPENDIX C
AUTHORIZED SUBPROCESSORS
| Provider | Purpose |
|---|---|
| Amazon Web Services | Cloud hosting and infrastructure |
| Akamai Technologies | Infrastructure and network services |
| Hetzner | Infrastructure services |
| Postmark | Transactional email delivery |
| Stripe | Payment processing |
AUTHORIZED INTEGRATION PROVIDERS
| Provider | Purpose |
|---|---|
| Google | Google Sign In/Google Calendar Sync |
| Microsoft | Microsoft Sign In/Microsoft Calendar Sync |
| Slack | Sign In with Slack & application Slack Integration |
SIGNATURES
CONTROLLER
Company: _______________________
Name: _________________________
Title: __________________________
Signature: _____________________
Date: __________________________
PROCESSOR
Envision Technologies Limited
Name: _________________________
Title: __________________________
Signature: _____________________
Date: __________________________