Data Processing Agreement

Last updated: 7 May 2026

This Data Processing Agreement (hereinafter, "DPA") is entered into between:

  • The client subscribing to the clockin.chat service (hereinafter, "the Controller"), and
  • David Lorenzo García, Tax ID (NIF) 12395061Q, Urbanización Espejo del Mar, 04002 Almería, España, service provider (hereinafter, "the Processor").

This DPA is an integral part of the Terms & Conditions of the service and enters into force when the Controller activates their account on clockin.chat.

1. Subject matter

The Processor will process personal data on behalf of the Controller, solely for the purpose of providing the working time recording and holiday management service described in the Terms & Conditions, in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 on Personal Data Protection and digital rights (LOPDGDD).

2. Nature and purpose of processing

  • Purpose: Digital recording of working hours (clock-in/out), management of holiday and absence requests and approvals, and communication with employees via WhatsApp Business API.
  • Nature: Collection, storage, retrieval, modification, export and deletion of working time and absence data.

3. Categories of data and data subjects

Data category | Examples
Identification data | Employee first name and surname
Contact data | WhatsApp phone number
Employment data | Clock-in/out times, working hours duration, holiday requests, approved or rejected absences

Data subjects: Employees, coordinated self-employed workers and any other person whose working time is recorded via the Service by the Controller.

No special categories of data under Article 9 of the GDPR are processed.

4. Duration

Processing will be carried out for the duration of the contractual relationship between the Controller and the Processor. Upon termination of the contract, the provisions of Clause 9 of this DPA shall apply.

5. Processor obligations

The Processor undertakes to:

  1. Process data only on the Controller's documented instructions. If the Processor considers that any instruction infringes the GDPR, it will notify the Controller accordingly.
  2. Ensure confidentiality. All persons authorised to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality.
  3. Implement appropriate technical and organisational security measures (GDPR Article 32), including:
    • Encryption of communications via TLS/HTTPS.
    • Encryption of sensitive data at rest.
    • Role-based access control and secure authentication.
    • Regular backups with a minimum 30-day retention.
    • Monitoring and logging of access to personal data.
  4. Assist the Controller in fulfilling its obligations regarding:
    • Security of processing (GDPR Article 32).
    • Notification of data breaches (GDPR Articles 33–34).
    • Data protection impact assessments (GDPR Article 35), where applicable.
    • Handling requests from data subjects to exercise their rights.
  5. Notify data breaches. In the event of a personal data breach, the Processor will notify the Controller without undue delay, and in any case within 72 hours of becoming aware of it, providing all available information.
  6. Delete or return data at the end of the contract, in accordance with Clause 9 of this DPA.
  7. Make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA, and allow audits as provided in Clause 8.

6. Sub-processors

The Controller grants the Processor general authorisation to engage sub-processors. The authorised sub-processors are as follows:

Provider | Purpose | Country | Transfer safeguards
Meta Platforms Ireland Ltd. | WhatsApp Business API messaging | Ireland (EU) / USA | Yes — Standard Contractual Clauses
Stripe, Inc. | Payment processing and billing | USA / EU | Yes — Standard Contractual Clauses
OVHcloud SAS | Server hosting and infrastructure | France (EU) | Not required (EU/EEA)
DonDominio / Arsys Internet S.L. | Domain registration and transactional email delivery | Spain (EU) | Not required (EU/EEA)
Google LLC (Google Analytics) | Web traffic analytics (IP anonymisation enabled) | USA | Yes — Standard Contractual Clauses
Simple Analytics BV | Privacy-friendly web analytics (no cookies) | Netherlands (EU) | Not required (EU/EEA)

The Processor will inform the Controller of any intended changes concerning the addition or replacement of sub-processors, with a minimum of 30 days' prior notice. The Controller may object to such a change with reasoned grounds. In the event of an unresolved objection, the Controller may terminate the contract without penalty.

The Processor will impose on sub-processors the same data protection obligations as those set out in this DPA, in particular as regards sufficient guarantees that appropriate technical and organisational measures will be implemented.

7. International transfers

Some sub-processors listed above transfer data outside the EEA. Such transfers are carried out with the appropriate safeguards provided for in Article 46 GDPR, in particular Standard Contractual Clauses adopted by the European Commission.

8. Audit rights

The Controller has the right to audit compliance with this DPA, either directly or through a third party designated by the Controller. Audits must:

  • Be notified at least 30 days in advance.
  • Be conducted during business hours and without disrupting the Processor's operations.
  • Be limited to systems and data relevant to the processing covered by this DPA.
  • Be carried out at the Controller's expense.

As an alternative to on-site audits, the Processor may provide the Controller with relevant audit reports (ISO 27001, SOC 2 or equivalent) evidencing compliance.

9. Return and deletion of data

Upon termination of the contract for any reason, the Processor will:

  1. Make available to the Controller, for a period of 30 calendar days from the date of termination, the ability to export all data in CSV/PDF format from the administration panel.
  2. After that period, proceed to the secure and irreversible deletion of all personal data processed on behalf of the Controller, unless a legal obligation requires continued retention.
  3. At the Controller's request, issue a deletion certificate.

10. Duration and amendments

This DPA has the same term as the main service contract. It may be amended by the Processor to reflect regulatory changes, with prior notice to the Controller. Last updated: 2026-05-07.

11. Data protection contact

For any questions relating to this DPA, the Controller may contact the Processor at: support@clockin.chat.
