Data Processing Agreement

Last updated: February 6, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between Paxit ("Processor", "we", "us") and the organization using our services ("Controller", "you", "Customer") for the provision of Paxit services. This DPA reflects the parties' agreement regarding the processing of personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
  • "Data Protection Laws" means all applicable laws relating to data protection, including GDPR.

3. Scope and Roles

This DPA applies to the processing of Personal Data by Paxit on behalf of the Customer in connection with the provision of our services. The Customer acts as the Controller determining the purposes and means of processing, while Paxit acts as the Processor processing Personal Data on the Customer's behalf and in accordance with the Customer's instructions.

4. Categories of Data Processed

Paxit processes the following categories of Personal Data:

  • Identity Data: Names, email addresses, profile pictures
  • Professional Data: Job titles, team membership, office assignments
  • Attendance Data: Office check-in/check-out times, attendance history
  • Technical Data: IP addresses, device information, usage logs
  • Integration Data: Slack user IDs and workspace information

5. Processor Obligations

We shall:

  • Process Personal Data only on documented instructions from the Customer
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Engage Sub-processors only with prior authorization and under written contracts
  • Assist the Customer in responding to Data Subject requests
  • Assist with data protection impact assessments where required
  • Delete or return all Personal Data upon termination of services, unless retention is required by law
  • Make available all information necessary to demonstrate compliance

6. Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit and at rest
  • Measures to ensure ongoing confidentiality, integrity, and availability
  • Regular testing and evaluation of security measures
  • Access controls and authentication mechanisms
  • Regular security training for personnel
  • Incident response and disaster recovery procedures

7. Sub-processors

The Customer provides general authorization for us to engage Sub-processors. We maintain a list of current Sub-processors, which is available upon request. We will notify the Customer of any intended changes to Sub-processors, giving the Customer the opportunity to object. Sub-processors are bound by data protection obligations substantially similar to those in this DPA.

8. Data Location & EU Residency

Paxit is committed to keeping your data within the European Union:

  • EU Data Storage: All Personal Data is stored exclusively within the European Union. Your data never leaves EU borders.
  • EU-Based Providers: We prioritize EU-based service providers and infrastructure wherever possible to maintain data sovereignty and minimize reliance on non-EU vendors.
  • Privacy by Design: While we do not hold formal certifications, Paxit is built with privacy at its core, following GDPR principles in every aspect of our service.

9. International Transfers

Your data is stored in the European Union. In exceptional cases where Personal Data may need to be processed outside the European Economic Area (for example, when using specific third-party tools that have no EU alternative), we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other legally recognized transfer mechanisms.

10. Data Subject Rights

We will assist the Customer in fulfilling Data Subject rights requests, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object

11. Data Breach Notification

We will notify the Customer without undue delay upon becoming aware of a Personal Data breach. The notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed to address the breach.

12. Audit Rights

We will make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable notice and confidentiality obligations.

13. Duration and Termination

This DPA remains in effect for the duration of our processing of Personal Data on behalf of the Customer. Upon termination, we will delete or return all Personal Data to the Customer within 30 days, unless applicable law requires continued storage.

14. Contact Information

For questions about this DPA or to exercise any rights, please contact us at [email protected].

← Back to home