DATA PROCESSING AGREEMENT (DPA)

Last updated: 2026-03-24

This Data Processing Agreement ("DPA") is concluded in accordance with Article 28(3) of Regulation (EU) 2016/679 ("GDPR") and forms an integral part of the service agreement ("Main Agreement") between OnSinch, s.r.o. and the client using the OnSinch platform.

Data Processor ("Processor"):
OnSinch, s.r.o., Příběnická 939/20, 130 00 Prague 3, Czech Republic
ID: 24274330 | VAT ID: CZ24274330

Data Controller ("Controller"):
The entity that has entered into a Main Agreement with the Processor for the use of the OnSinch platform.

Effective date: This DPA takes effect upon the Controller's acceptance of the Main Agreement (including by signing the agreement or by using the OnSinch platform) and remains in force for the duration of the Main Agreement and any applicable data retention period thereafter.

1. Definitions

  • GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data.
  • Personal Data means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
  • Processing means any operation performed on Personal Data, as defined in GDPR Article 4(2), including collection, recording, storage, use, disclosure by transmission, erasure, or destruction, by either automated or non-automated means.
  • Sub-processor means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

2. Subject Matter and Scope of Processing

2.1 Purpose

The Processor processes Personal Data solely for the purpose of providing the OnSinch workforce management platform and related support services to the Controller, as described in the Main Agreement. The Processor shall not process Personal Data for any purpose other than as determined by the Controller.

2.2 Duration

Processing shall continue for the duration of the Main Agreement. Upon termination, the provisions of Section 10 (Data Return and Deletion) apply. This DPA may not be terminated independently of the Main Agreement.

2.3 Nature of processing

The Processor provides the Controller with services in the area of information technologies (including granting access to the OnSinch internet application and the right to use its features), customer support, and data storage. The processing consists of: collection, recording, storage, retrieval, display, organisation, modification, disclosure by transmission, and deletion of Personal Data entered into the platform by the Controller and its authorised users. The frequency and duration of processing activities are dependent on the activity of the Controller and its operational needs.

2.4 Types of Personal Data processed

Depending on the Controller's use of the platform, the following categories of Personal Data may be processed:

  • Identification data (name, surname, email address, phone number, address, date of birth)
  • Employment data (job title, role, availability, qualifications, certifications)
  • Financial data (bank account details, payroll information, invoicing data)
  • Work task data (shift schedules, timesheets, attendance records, performance notes)
  • Login credentials (email, hashed password)
  • Profile photographs (if uploaded)
  • Company data (registration number, tax registration number)
  • Any other Personal Data entered by the Controller or persons authorised by the Controller into the platform

In the course of cooperation, no special category Personal Data (Article 9 GDPR) shall be processed, unless expressly agreed otherwise.

2.5 Categories of data subjects

  • The Controller and its representatives
  • Controller's employees and workers
  • Controller's future employees and candidates
  • Contractors, freelancers, and temporary staff managed via the platform
  • Controller's clients, subcontractors, and business contacts (if entered into the platform)

By granting access to the OnSinch platform to any person, the Controller confirms that such person falls within one of the above categories.

3. Obligations of the Controller

The Controller shall:

  1. Ensure that it has a lawful basis for the processing of Personal Data and has provided appropriate notices to data subjects.
  2. Provide processing instructions to the Processor through the use of the platform, email communication, or other documented instructions.
  3. Ensure that data provided to the Processor is accurate and lawfully collected, and that no rights of the Controller or any third party are harmed by such transfer.
  4. Comply with its obligations under GDPR as Data Controller.
  5. Acknowledge that the Processor is not obliged to verify the legal nature or lawfulness of Personal Data provided by the Controller.

4. Obligations of the Processor

The Processor shall:

  1. Process Personal Data only on documented instructions from the Controller, unless required to do so by EU or Member State law. If the Processor considers that an instruction from the Controller conflicts with applicable law, it shall inform the Controller and await further instructions.
  2. Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex 1. The Processor shall ensure that the security measures are of a reasonable level with regard to the present state of the art, the sensitivity of the Personal Data, and the costs related to the security measures.
  4. Comply with the conditions for engaging Sub-processors, as set out in Section 6.
  5. Assist the Controller, taking into account the nature of the processing, in responding to requests for exercising data subject rights under GDPR Chapter III. Where a data subject contacts the Processor directly, the Processor shall promptly redirect the request to the Controller.
  6. Assist the Controller in ensuring compliance with obligations under GDPR Articles 32 to 36 (security, breach notification, DPIAs), taking into account the nature of processing and information available to the Processor.
  7. At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage of the Personal Data.
  8. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
  9. Ensure that every person who processes Personal Data under the Processor's instructions complies with the rules stipulated in this DPA; the Processor's obligations under this DPA apply equally to each such person.

5. Data Breach Notification

5.1 The Processor shall notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a Data Breach affecting the Controller's Personal Data. This duty applies irrespective of the nature or impact of the breach.

5.2 The notification shall include:

  1. A description of the nature of the Data Breach, including where possible the categories and approximate number of data subjects and records concerned.
  2. The name and contact details of the Processor's contact point (security@onsinch.com).
  3. A description of the likely consequences of the Data Breach.
  4. A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects.

5.3 The Processor shall ensure that the information provided is correct, complete, and accurate. The Controller shall subsequently determine whether to inform the data subjects or the relevant regulatory authorities.

5.4 The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.

6. Sub-processors

6.1 General authorisation

The Controller provides general written authorisation for the Processor to engage Sub-processors whose services are necessary for the performance of the Main Agreement, subject to the conditions in this section.

6.2 Current Sub-processors

Core Sub-processors (always active):

Sub-processor | Function | Location
Google Cloud Platform (Google LLC) | Infrastructure hosting, database (CloudSQL), file storage (GCS), CDN | EU (Netherlands — europe-west4)
Amazon Web Services (AWS SES) | Transactional email delivery | EU (Ireland — eu-west-1)
Sentry.io (Functional Software, Inc.) | Application error monitoring | EU

Optional Sub-processors (activated only upon Controller's request):

Sub-processor | Function | Location
Twilio Inc. | SMS messaging | EU/US
SMSBrana (KONZULTA Brno, a.s.) | SMS messaging | Czech Republic, EU
Google Maps Platform (Google LLC) | Address geocoding and map display | EU/US
Google reCAPTCHA Enterprise (Google LLC) | Bot and abuse protection | EU/US
Google LLC | OAuth authentication (social login) | EU/US
Meta Platforms Ireland Ltd. | OAuth authentication (social login) | EU/US
Fio banka, a.s. | Payment file processing (SEPA/batch payments, Czech clients only) | Czech Republic, EU
Browser push services (Google FCM, Mozilla, Apple APNs) | Web push notifications to workers' devices | EU/US

Optional Sub-processors are engaged only when the Controller explicitly requests the corresponding feature. The Controller may choose its preferred SMS provider or provide its own SMS gateway credentials.

Client-controlled third-party services: The platform allows the Controller to configure its own analytics and marketing tracking services (e.g., Google Tag Manager, Google Analytics, Facebook Pixel, Google Ads, Sklik/Seznam.cz) by providing its own tracking IDs in the platform settings. The Processor provides this capability as a platform feature, but the Controller acts as the Data Controller for these services and is solely responsible for their configuration, use, and compliance with applicable data protection laws. These services are not Sub-processors of the Processor.

Self-hosted services: The Processor uses several self-hosted services running within its own infrastructure (PDF generation, document building, document signing). These do not transmit Personal Data to any external party and are not Sub-processors.

6.3 Sub-processor changes

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes. The Processor shall provide at least 30 days' notice before engaging a new Sub-processor.

6.4 Sub-processor obligations

Where the Processor engages a Sub-processor, it shall impose the same data protection obligations as set out in this DPA on the Sub-processor by way of a contract, in accordance with GDPR Article 28(2) and 28(4). The Processor shall remain fully liable to the Controller for the performance of the Sub-processor's obligations.

7. International Data Transfers

All Personal Data is processed and stored within the European Economic Area (EEA):

  • Application and database hosting: Netherlands (EU)
  • Email delivery: Ireland (EU)
  • Backups: Netherlands (EU)

If any future transfer of Personal Data outside the EEA becomes necessary (e.g., for optional services such as OAuth authentication or SMS messaging via non-EU providers), the Processor shall ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) adopted by the European Commission, or reliance on an adequacy decision.

8. Data Subject Rights

8.1 The Processor shall assist the Controller in fulfilling its obligation to respond to data subject requests under GDPR Chapter III (access, rectification, erasure, restriction, portability, objection).

8.2 Where a data subject contacts the Processor directly, the Processor shall promptly redirect the request to the Controller.

8.3 The platform provides the Controller with tools to directly manage data subject requests (viewing, editing, and deleting personal data). For requests requiring Processor assistance, the Controller should contact security@onsinch.com.

9. Audits

9.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and GDPR Article 28.

9.2 The Controller may conduct audits or inspections, either itself or through a mandated third-party auditor, subject to reasonable advance notice (minimum 48 hours) and during normal business hours. The audit shall not unreasonably disrupt the Processor's operations.

9.3 The Processor may satisfy audit requests by providing relevant documentation, certifications, or third-party audit reports where available.

10. Data Return and Deletion

10.1 Upon termination of the Main Agreement, the Controller may request a full export of all Personal Data held by the Processor (database export, uploaded files) in a machine-readable format.

10.2 Following termination, the Processor shall retain Personal Data for a period of up to 4 years in accordance with its published privacy policy and applicable legal retention requirements (Czech civil law limitation periods). The Controller may request earlier deletion at any time by written instruction to security@onsinch.com.

10.3 Upon deletion of Personal Data from production systems (whether at the end of the retention period or upon earlier Controller request), backup copies containing such data shall be permanently removed within 90 days through the natural backup rotation cycle. The destruction of data encompasses the destruction of all existing copies and backups.

10.4 The Processor shall confirm deletion in writing upon request.

11. Allocation of Responsibility

11.1 The Processor processes Personal Data under the conditions set out in this DPA, in accordance with the Controller's instructions and under the responsibility of the Controller.

11.2 The Processor is not responsible for incidents related to Personal Data (such as unauthorised access or data leakage) which occurred because the Controller or persons authorised by the Controller did not observe the Processor's security instructions or general electronic safety rules (e.g., leaving devices unattended, using weak passwords, providing access to untrustworthy persons).

11.3 The Processor undertakes to indemnify the Controller for claims raised by data subjects, supervisory authorities, or other third parties as a consequence of the breach of the Processor's statutory or contractual duties under this DPA.

12. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Main Agreement, except that neither party's liability for breaches of data protection obligations shall be limited where such limitation is not permitted by applicable law. Each party is entitled to claim damages for loss incurred in connection with the breach of duties of the other party in accordance with Act No. 89/2012 Coll., Czech Civil Code.

13. Confidentiality

13.1 All Personal Data received by the Processor from the Controller or collected by the Processor within the framework of this DPA is subject to a duty of confidentiality and shall not be disclosed to any third parties except Sub-processors listed in Section 6.

13.2 This duty of confidentiality shall not apply where the Controller has expressly authorised disclosure, where disclosure is reasonably necessary for the performance of this DPA, or where there is a legal obligation to disclose.

13.3 The duty of confidentiality survives the termination of this DPA.

14. Term and Termination

14.1 This DPA takes effect upon the Controller's acceptance of the Main Agreement and shall remain in force until all Personal Data has been deleted or returned in accordance with Section 10.

14.2 This DPA may not be terminated independently of the Main Agreement.

14.3 The provisions of this DPA that by their nature should survive termination shall survive, including Sections 5, 9, 10, 11, 12, and 13.

15. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of the Czech Republic, in particular Act No. 89/2012 Coll., Czech Civil Code. Any disputes arising from or in connection with this DPA shall be submitted to the competent courts of the Czech Republic.

Annex 1 — Technical and Organisational Security Measures

The Processor implements the following measures to protect Personal Data:

Infrastructure Security

  • All data hosted on Google Cloud Platform (GCP), which maintains ISO 27001, SOC 2, and other certifications.
  • Single-tenant architecture: each client operates in a dedicated application container with a separate database and unique credentials.
  • All data stored within the EU (GCP europe-west4, Netherlands).

Encryption

  • At rest: AES-256 encryption (GCP default) for databases, backups, and stored files.
  • In transit: TLS 1.2+ for all client-to-server communication. Database connections encrypted via CloudSQL Proxy.

Access Control

  • Production access restricted to authorised personnel via Google Cloud IAM-authenticated SSH.
  • Database access via CloudSQL Proxy with IAM authentication.
  • Access restricted to authorised persons only; technological devices secured.
  • Role-based permission system within the application for end users.
  • Principle of least privilege: production access not granted by default; granted incrementally based on role and need.

Backup and Recovery

  • Daily automated database backups (15-day retention).
  • Continuous binary log backups for point-in-time recovery (2-day retention).
  • Weekly pre-deployment database snapshots (multi-month retention).
  • All backups encrypted at rest and stored within the EU.

Monitoring and Logging

  • Real-time uptime monitoring of all client instances.
  • Application error tracking and monitoring.
  • Infrastructure access logging via GCP audit logs.

Development Security

  • All code changes reviewed via Merge Requests by at least one peer reviewer.
  • Secure development practices aligned with OWASP guidelines.
  • Parameterised database queries (ORM-based) to prevent injection attacks.

Incident Response

  • Dedicated security contact: security@onsinch.com
  • Data breach notification to Controller within 24 hours.
  • Internal incident response procedures for identification, containment, and remediation.

This DPA is incorporated by reference into the Main Agreement. By entering into the Main Agreement, the Controller accepts the terms of this DPA.

Document version: 1.0 | Last updated: 2026-03-24