DRAFT, pending legal review
Data Processing Agreement
Effective 2026-04-27.
How this DPA fits with the Terms
This Data Processing Agreement (the "DPA") forms part of the Terms of Service between Tramplo ("Processor") and the Customer ("Controller"). It applies whenever Tramplo processes personal data on the Controller's behalf and where applicable EU GDPR, UK GDPR, Quebec Law 25, Brazil LGPD, Türkiye KVKK, or similar laws require a written processor agreement.
On accepting the Terms, Controller is deemed to have entered into this DPA, and (for transfers from the EEA, UK, or Switzerland) the EU Standard Contractual Clauses incorporated by reference below.
Definitions
Capitalised terms not defined here have the meaning given in the GDPR. "Personal data", "processing", "controller", "processor", "data subject", and "personal data breach" have the meanings set out in Article 4 of the GDPR.
Subject matter, duration, nature and purpose
- Subject matter: processing of employee monitoring data uploaded to Tramplo by Controller's admins and desktop clients.
- Duration: for as long as Controller's Tramplo subscription is active, plus the post-termination wind-down period described below.
- Nature and purpose: hosting, transmission, storage, retrieval, display, and deletion of monitoring data so that Controller can administer time tracking for its workforce.
Categories of data and data subjects
- Data subjects: Controller's employees, contractors, or other individuals whom Controller invites and authorises to use Tramplo.
- Categories of personal data: name, work email, hashed password, device identifiers, IP address at consent or login, screenshots taken during active shifts, per-minute counts of keystrokes / mouse clicks / mouse-move seconds, foreground-application names with start/end timestamps, shift start/end times, audit-log entries, and consent records.
- Special categories: Tramplo does not require, request, or design for the processing of special-category data. If such data appears incidentally in a screenshot, Controller is responsible for triggering blur, deletion, or redaction.
Controller and Processor obligations
- Tramplo will process personal data only on documented instructions from Controller, including with regard to international transfers, unless required by law.
- Tramplo will ensure that personnel authorised to process personal data are bound by confidentiality.
- Tramplo will implement appropriate technical and organisational measures (Annex A below).
- Controller warrants that it has a lawful basis and required notices in place before activating monitoring on any data subject.
Subprocessors
Controller authorises Tramplo to engage subprocessors listed at /legal/subprocessors. Tramplo will:
- Notify Controller by email at least 30 days before adding or replacing a subprocessor.
- Impose data-protection obligations on each subprocessor that are no less protective than this DPA.
- Remain liable for the acts and omissions of its subprocessors with respect to Controller's personal data.
International transfers
Where Tramplo transfers personal data from the EEA, UK, or Switzerland to a country without an adequacy decision, the EU Standard Contractual Clauses (Module 2, Controller-to-Processor) of 4 June 2021 are incorporated by reference, with the following choices:
- Clause 7 (docking) does not apply.
- Clause 9: Option 2 (general written authorisation), 30 days' notice.
- Clause 11: independent dispute resolution does not apply.
- Clause 17: governing law of the EU member state of the data exporter, or of Ireland if the exporter is outside the EU.
- Clause 18: courts of the chosen governing law.
For the UK, the Information Commissioner's Office International Data Transfer Addendum to the EU SCCs is incorporated. For Switzerland, the SCCs apply with references to Switzerland and the Swiss FADP as appropriate.
Data subject requests
Tramplo will, taking into account the nature of the processing, provide reasonable assistance through appropriate technical and organisational measures (such as the built-in "My data" export and the deletion-request workflow) to help Controller fulfil its obligations to respond to requests from data subjects.
Personal data breaches
Tramplo will notify Controller of a personal data breach affecting Controller's data without undue delay after becoming aware of it, and in any event within 72 hours where feasible. The notification will include, to the extent known, the nature of the breach, categories and approximate volume of data subjects and records affected, likely consequences, and measures taken or proposed.
Audit
On reasonable written notice, Tramplo will make available to Controller information necessary to demonstrate compliance with this DPA. To minimise duplicative audits, Tramplo may satisfy this obligation by providing third-party audit reports or certifications it holds, where available, or by responding to a Controller-supplied security questionnaire. On-site audits are limited to once per year and are subject to reasonable confidentiality and operational protections.
Return and deletion of data
- On termination of the Terms, Controller may request a structured machine-readable export of its data within 30 days.
- After the 30-day window, or after Controller confirms in writing that no export is needed, Tramplo will delete Controller's personal data, including from backups, within 35 days.
- Tramplo may retain personal data where required by law and the audit-log entries described in the employee monitoring notice for the retention period stated there.
Annex A — Technical and organisational measures
- TLS 1.2 or higher for all client-server communication.
- argon2id password hashing; SHA-256 hashing for API tokens.
- Postgres with role-based access; database not exposed to the public internet.
- Screenshot files stored on a non-public directory on the application server.
- Rate limiting on authentication endpoints; audit logging of sensitive actions.
- Principle of least privilege for personnel access; access reviewed when staff change roles or leave.
- Daily retention purge job; per-user deletion-request workflow.
- Backups encrypted at rest; restore tests performed periodically.
Annex B — Subprocessors
See /legal/subprocessors.
Contact
Privacy / DPA notices: info@tramplo.com.
This document is a draft pending legal review. It is provided as a transparency artifact and operational reference; it is not legal advice.