Back
Version 1.0

Data Processing Agreement

GDPR Article 28 Compliant Data Processing Agreement

~5 min read

Spotted a translation issue? Email us at support@geotid.dk — we want this right.

Contents

Important Notice

This Data Processing Agreement ("DPA") forms part of the Terms of Service and is entered into by and between the Customer ("Controller") and GeoTid ApS ("Processor"). This DPA applies when the Processor processes Personal Data on behalf of the Controller in connection with the GeoTid time tracking services.

1. Parties & Definitions

1.1 Parties

  • "Controller" or "Customer": The organization subscribing to GeoTid services
  • "Processor": GeoTid ApS, registered in Denmark
  • "Data Subject": Employees or individuals whose personal data is processed

1.2 Definitions

  • "Personal Data": Any information relating to an identified or identifiable natural person
  • "Processing": Any operation performed on Personal Data
  • "Sub-processor": Any third party engaged by the Processor to process Personal Data
  • "GDPR": EU General Data Protection Regulation 2016/679

2. Scope of Processing

2.1 Categories of Personal Data

  • Employee identification data (name, email, phone number)
  • Time and attendance records (check-in/check-out timestamps)
  • Location data (GPS coordinates for geofencing)
  • Employment relationship data (employer associations)
  • Device information (for authentication purposes)

2.2 Purposes of Processing

  • Time tracking and work hour management
  • Geofencing and location verification
  • Reporting and analytics for the Controller
  • User authentication and access control
  • Service maintenance and improvement

2.3 Duration

Processing occurs for the duration of the service agreement, plus any legally required retention periods. Time entry data is retained for 7 years to comply with labor law and tax requirements.

3. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure personnel processing data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Engage sub-processors only with prior authorization from the Controller
  • Assist the Controller in fulfilling data subject rights requests
  • Delete or return all Personal Data upon termination of services
  • Make available information necessary to demonstrate GDPR compliance
  • Notify the Controller without undue delay of any data breach

4. Sub-processors

4.1 Current Sub-processors

Sub-processorPurposeLocation
Hetzner Online GmbHCloud infrastructure hosting (API, web dashboard, database)EU (Nuremberg, Germany)
Sentry GmbHError monitoring (anonymized)EU (Frankfurt, Germany)
ResendTransactional email deliveryEU
Stripe Payments Europe Ltd.Subscription billing (no card data stored on our systems)EU (Ireland)

4.2 Changes to Sub-processors

The Controller will be notified via email at least 30 days before any new sub-processor is engaged. The Controller may object to such changes within 14 days.

5. Security Measures

The Processor implements the following security measures:

5.1 Technical Measures

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Strong authentication with JWT tokens and secure password hashing (bcrypt)
  • Regular security updates and vulnerability scanning
  • Database backups with encryption
  • Access logging and monitoring

5.2 Organizational Measures

  • Role-based access control (employee, admin, super_admin)
  • Regular security awareness training
  • Documented security policies and procedures
  • Incident response procedures

6. Data Subject Rights

The Processor will assist the Controller in responding to data subject requests:

  • Right of Access: Export functionality available in settings
  • Right to Rectification: Users can update their profile information
  • Right to Erasure: Account deletion available with data anonymization
  • Right to Data Portability: JSON export of all personal data
  • Right to Restrict Processing: Account can be deactivated
  • Right to Object: Marketing consent is separate and optional

Response time for data subject requests: Within 72 hours of receipt.

7. Data Breach Notification

In the event of a personal data breach, the Processor shall:

  • Notify the Controller without undue delay, and in any case within 24 hours
  • Provide the nature of the breach, categories of data affected
  • Describe likely consequences and measures taken or proposed
  • Document all breaches regardless of notification requirements

Emergency Contact

For data breach reporting: support@geotid.dk

8. Audit Rights

The Controller has the right to:

  • Request documentation of security measures and compliance
  • Conduct audits with reasonable notice (minimum 30 days)
  • Engage third-party auditors subject to confidentiality agreements
  • Review sub-processor compliance documentation

Audit requests should be directed to: support@geotid.dk

9. Termination & Data Deletion

Upon termination of services:

  • Controller may request data export within 30 days of termination
  • Personal Data will be deleted within 90 days unless legally required to retain
  • Time entry records may be retained for 7 years for legal compliance (anonymized)
  • Confirmation of deletion will be provided upon request

10. Contact Information

Data Controller Contact

As defined in your service agreement

Data Processor Contact

GeoTid ApS
Copenhagen, Denmark
CVR: [To be assigned]
Email: support@geotid.dk
DPO: support@geotid.dk

This Data Processing Agreement is effective as of January 6, 2026

Privacy PolicyTerms of ServiceHome