Data Processing Addendum (DPA)
Last updated: 2026-03-01
Parties
This DPA is between the customer (“Controller”) and CP Hours (“Processor”), and applies when CP Hours processes personal data on behalf of the Controller.
Subject matter and duration
CP Hours processes personal data to provide the hours registration service. Processing continues for the duration of the customer’s use of the Service.
Nature and purpose of processing
- Authentication and access control
- Hour entry submission, review, approval/rejection
- Audit logging for accountability and security
- Operational troubleshooting and security monitoring
Types of personal data
- Employee identifiers: name, email, role, company membership
- Work data: dates, times, breaks, status, rejection reason
- Security/technical data: session identifiers, timestamps, IP/user-agent (if stored)
Categories of data subjects
- Customer employees
- Customer administrators
Processor obligations
- Process data only on documented instructions from the Controller.
- Ensure that personnel with access to personal data keep it confidential.
- Implement appropriate security measures.
- Assist with data subject requests where applicable.
- Notify the Controller of personal data breaches without undue delay.
Subprocessors
CP Hours may use subprocessors for hosting and database services. CP Hours remains responsible for subprocessors’ performance of their obligations.
International transfers
The Service is intended for EU-region hosting (V1). If transfers outside the EU/EEA occur, appropriate safeguards will be used as required by law.
Security measures
- Tenant isolation enforced server-side
- Server-side sessions with HttpOnly cookies
- Access control by role
- Audit logging for key mutations
- Rate limiting and standardized error handling for public endpoints
Deletion and return of data
Upon termination, the Controller may request export and/or deletion of customer data within a reasonable time, unless retention is required by law.
Contact
DPA requests: [ADD CONTACT EMAIL]