Data Processing Addendum (DPA)

Last updated: 2026-04-29

Parties

This DPA is between the customer ("Controller") and Custom Projects AS ("Processor"), and applies when Custom Hours processes personal data on behalf of the Controller.

Service

Custom Hours is a time tracking, project tracking, employee hour registration, approval, absence tracking, and reporting service operated by Custom Projects AS. Organisation number: 934561112. Country: Norway.

Subject matter and duration

Custom Hours processes personal data to provide the Service. Processing continues for the duration of the customer's use of the Service, unless a longer retention period is required by law, required for legitimate operational reasons, or agreed with the customer.

Nature and purpose of processing

• Authentication and access control
• Company, employee, role, and membership administration
• Project tracking and hour entry submission
• Hour review, approval, rejection, reporting, and export workflows
• Absence tracking and related administrative review
• Audit logging for accountability and security
• Operational troubleshooting and security protection
• Subscription, billing, payment, and applicable tax handling through payment providers

Types of personal data

• Employee identifiers: name, email, role, company membership, and access status
• Company data: company settings, employee access, billing email, organisation number, and subscription metadata
• Project data: project names, assignments, and related work entries
• Work data: dates, times, breaks, comments, status, rejection reason, approval status, and related records
• Absence data: absence type, dates, status, and related administrative notes
• Audit data: timestamps, actor, action, entity, summary, and changed values where applicable
• Security and technical data: session identifiers, timestamps, IP address, user agent, and hashed security identifiers where stored
• Billing metadata: Stripe customer, subscription, billing status, and payment-related metadata. Custom Hours does not store full card details.

Categories of data subjects

• Customer employees
• Customer administrators and owners

Processor obligations

• Process personal data only on documented instructions from the Controller, including instructions given through use of the Service.
• Ensure that personnel with access to personal data are subject to confidentiality obligations.
• Implement appropriate technical and organizational security measures.
• Assist the Controller with data subject requests where applicable and reasonably possible.
• Notify the Controller of personal data breaches without undue delay after becoming aware of them.
• Use subprocessors only as needed to provide, secure, maintain, and bill for the Service.
• Make relevant information available to help the Controller assess compliance with this DPA, within reasonable limits and subject to security and confidentiality requirements.

Subprocessors

Custom Projects AS uses service providers only as needed to provide, secure, maintain, and bill for the Service. The current core service providers are:

• Render: hosting and PostgreSQL database infrastructure for the Service. The production database is hosted in Frankfurt (EU Central).
• Resend: transactional email delivery, including employee invitations and password reset emails.
• Stripe: payment processing, subscriptions, billing management, and applicable tax calculation during checkout.

DomainShop is used for domain and DNS administration. It is not used as an application data processor unless customer personal data is sent through a DomainShop service.

Custom Projects AS remains responsible for subprocessors used to provide the Service. If materially different subprocessors are added, this DPA or related customer-facing documentation should be updated.

International transfers

The Service is intended for EU/EEA-oriented business use. The production PostgreSQL database is currently hosted in Frankfurt (EU Central). Some service providers, including payment and email providers, may process data outside Norway or the EU/EEA where necessary to provide their services. Where transfers outside the EU/EEA occur, appropriate safeguards will be used as required by law.

Security measures

• Tenant isolation enforced server-side through company-scoped authorization checks
• Role-based access control for employee, admin, and owner workflows
• Server-side sessions using an HttpOnly session cookie
• Session cookie configured with SameSite=Lax and Secure in production
• Session tokens stored server-side as hashes rather than raw tokens
• Validation and authorization checks on protected routes
• Audit logging for key mutations and accountability events
• Standardized API error handling and request identifiers for troubleshooting
• Stripe handles payment card details; Custom Hours does not store full card details

Deletion and return of data

The Service allows customer owners to request workspace export and deletion. Workspace export is provided as a JSON export and may include company information, employees, projects, project assignments, hour entries, absences, activity events, and data request records.

Final workspace deletion requires explicit confirmation and is intended to be permanent and irreversible. Deletion may be performed by anonymizing identifiers, disabling the company, revoking sessions, clearing notes and personal identifiers, and marking operational records such as hour entries and absences as deleted.

When workspace deletion is requested, the Service records a retention-until date that is currently 90 days after the deletion request. Final workspace deletion anonymizes or disables active application data when the customer owner explicitly confirms deletion. The 90-day marker does not mean that all database rows are automatically physically purged after 90 days.

If a deleted workspace was a user's only active company membership, the user's global account email may be anonymized or released so the email can be used again. If the user still belongs to another active company, the global account email may be retained so access to that other company can continue.

If a workspace deletion is requested while a Stripe subscription is still active or recoverable, the Service may cancel the Stripe subscription immediately before final deletion when the customer owner explicitly chooses that option.

The Processor may retain limited records where required for billing, accounting, security, legal compliance, dispute handling, audit integrity, or backup rotation. Production database recovery is handled by Render. The current Render PostgreSQL setup supports point-in-time recovery for the past 7 days. Logical database export files, if created, are retained by Render for at least 7 days.

The Processor will assist the Controller with data subject requests where applicable, but employees should normally direct requests about employer-controlled work records to the Controller.

Contact

For DPA requests, contact Custom Projects AS by email at support@customhours.no.