Data Processing Agreement
Effective Date: February 1, 2026 · Last Updated: February 19, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between QOnsApp ("Processor") and the organization subscribing to the Service ("Controller"). This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the QOnsApp platform.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection law (including GDPR and CCPA).
- "Processing" means any operation performed on Personal Data, including collection, storage, use, modification, disclosure, and deletion.
- "Data Subject" means an identified or identifiable person whose Personal Data is processed.
- "Sub-Processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Scope of Processing
2.1 Categories of Data Subjects
- Employees and contractors of the Controller.
- Building managers, supervisors, and administrators.
- Other individuals whose data the Controller uploads to the Service.
2.2 Types of Personal Data
- Identity data: name, email, phone number, employee ID.
- Employment data: role, department, building assignments, hourly rate, certifications.
- Attendance data: clock-in/out times, shift schedules, break durations, time-off records.
- Activity data: platform usage, actions performed, audit logs.
2.3 Purpose of Processing
The Processor processes Personal Data solely to provide the QOnsApp workforce management service as described in the Terms of Service, including shift management, time tracking, reporting, analytics, and related operational features.
3. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
- Ensure that personnel authorized to process Personal Data are subject to confidentiality obligations.
- Implement appropriate technical and organizational security measures (see Section 5).
- Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability).
- Assist the Controller in ensuring compliance with data protection impact assessments and prior consultation obligations.
- Delete or return all Personal Data upon termination, at the Controller's choice, within 30 days.
- Make available all information necessary to demonstrate compliance and allow for audits (see Section 7).
4. Sub-Processors
The Controller provides general authorization for the Processor to engage Sub-Processors. The Processor shall:
- Maintain a list of current Sub-Processors (see below).
- Notify the Controller of any intended additions or replacements at least 14 days in advance.
- Ensure each Sub-Processor is bound by data protection obligations no less protective than this DPA.
- Remain liable for the acts and omissions of its Sub-Processors.
Current Sub-Processors
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting and authentication | United States |
| Vercel | Application hosting and edge functions | United States |
| SendGrid | Transactional email delivery | United States |
| Sentry | Error monitoring (anonymized data) | United States |
5. Security Measures
The Processor implements the following technical and organizational measures to protect Personal Data:
- Encryption: TLS for data in transit (HSTS enforced); encryption at rest provided by the database hosting provider.
- Access control: Role-based access with 20+ distinct roles, with data isolated at the company level.
- Authentication: Secure password hashing (bcrypt), JWTs with periodic refresh, session management.
- Monitoring: Audit logging, error tracking, intrusion detection.
- Network security: Rate limiting, CSRF protection, security headers (CSP, HSTS, X-Frame-Options).
- Personnel: Access limited to authorized personnel on a need-to-know basis.
6. Data Breach Notification
In the event of a Personal Data breach, the Processor shall:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.
- Provide the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken to address the breach.
- Cooperate with the Controller in investigating, mitigating, and remediating the breach.
- Document all breaches, including facts, effects, and remedial actions taken.
7. Audit Rights
The Controller may audit the Processor's compliance with this DPA, subject to:
- Reasonable advance notice of at least 30 days.
- Audits conducted during normal business hours and no more than once per year.
- The Controller bearing the cost of the audit unless a material non-compliance is found.
- The Processor's right to satisfy an audit request by providing relevant certifications or third-party audit reports.
8. Data Subject Rights
The Processor shall assist the Controller in fulfilling Data Subject requests by providing:
- Self-service tools: data export and account deletion features within the platform.
- Technical support: assistance with access, rectification, erasure, and portability requests that cannot be fulfilled through self-service.
- Timely response: all assistance will be provided within the timeframes required by applicable law.
9. International Data Transfers
Where Personal Data is transferred outside the EEA/UK, the Processor ensures appropriate safeguards including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission.
- Assessment of the data protection regime of the recipient country.
- Supplementary measures where necessary to ensure adequate protection.
10. Duration and Termination
This DPA remains in effect for the duration of the Controller's subscription. Upon termination:
- The Processor will cease processing Personal Data except as required to fulfill remaining obligations.
- The Controller may request data export within 30 days of termination.
- After 30 days, all Personal Data will be securely deleted unless retention is required by law.
11. Contact
For questions about this DPA or to request a signed copy, contact:
See also our Privacy Policy and Terms of Service.