Last updated: October 24, 2024
Introduction and Scope
This Data Processing Agreement (“Agreement”) is entered into between Clockk.com Inc. (“Clockk”), a company incorporated in Nova Scotia, Canada, and the client (“Controller”), which utilizes Clockk’s time tracking services. The purpose of this Agreement is to ensure the secure and lawful processing of personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).
This Agreement applies to any personal data that Clockk processes on behalf of the Controller as part of providing its time-tracking SaaS services.
Definitions
For the purposes of this Agreement, the following terms shall have the meanings set out below:
“Personal Data”: Any information relating to an identified or identifiable natural person (“Data Subject”) that is processed by Clockk on behalf of the Controller under this Agreement.
“Processing”: Any operation or set of operations performed on Personal Data, whether automated or not, such as collection, use, storage, disclosure, or deletion.
“Controller”: The entity that determines the purposes and means of the processing of Personal Data (the customer using Clockk’s services).
“Processor”: Clockk, which processes Personal Data on behalf of the Controller.
“Subprocessor”: Any third party engaged by Clockk to process Personal Data on behalf of the Controller.
“Data Subject”: The individual whose Personal Data is being processed (e.g., employees or contractors tracked through Clockk’s services).
“GDPR”: The General Data Protection Regulation (EU) 2016/679.
Obligations of the Processor (Clockk)
Processing on Instructions: Clockk shall only process Personal Data on the documented instructions of the Controller, unless required by law.
Confidentiality: Clockk shall ensure that all personnel authorized to process Personal Data are under an obligation of confidentiality.
Security: Clockk shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing, including encryption, access controls, and regular audits.
Data Subject Requests: Clockk shall assist the Controller in responding to any Data Subject requests to exercise their rights under GDPR.
Assistance with GDPR Compliance: Clockk will provide reasonable assistance to the Controller in ensuring compliance with GDPR obligations, such as security measures, breach notifications, and impact assessments.
Obligations of the Controller (Customer)
Compliance with Laws: The Controller (Clockk’s customer) shall ensure that the processing of Personal Data complies with applicable data protection laws, including the GDPR.
Processing Instructions: The Controller (Clockk’s customer) instructs Clockk to process Personal Data solely for the purposes of providing the time-tracking services as described in Clockk’s Terms of Service and other agreements. Clockk will not process Personal Data for any purpose other than as specified by the Controller’s use of the service, unless required by law. The Controller acknowledges that Clockk’s processing is governed by its algorithms and technical setup, which are part of the service provided.
Legal Basis: The Controller must ensure that they have a lawful basis for processing Personal Data, including obtaining necessary consents from Data Subjects, if applicable.
Accuracy and Legitimacy: The Controller is responsible for ensuring that the Personal Data provided to Clockk is accurate, lawful, and necessary for the processing purposes.
Subprocessors
Authorization of Subprocessors: The Controller (Clockk’s customer) authorizes Clockk to engage the following subprocessors to process Personal Data as necessary to provide the time-tracking services:
Subprocessor | Location | Description of Processing | Data Processed |
---|---|---|---|
Amazon Web Services | USA, Canada | Cloud hosting and storage | User data, activity logs |
Paddle | UK, USA | Payment processing, tax remittance | Payment details, user info |
ProfitWell | USA | Business revenue management | User data |
Google Analytics | USA | Analytics and tracking | Usage data, IP addresses |
SiteBehaviour | Canada | Analytics and tracking | Usage data, IP addresses |
Intercom | USA | Live chat, email support, product engagement analytics | User data, usage data, IP addresses, activity logs |
Amply | USA | Email communications | User data |
Icon.horse | USA | Website icons | IP addresses |
Sentry | USA | Error tracking and management | IP addresses, user data |
Google Workspace | USA | Email, document creation and management, real-time collaboration | User data, email addresses, calendar events, contacts, and any information submitted to a Clockk employee by a Controller or Subject |
Illow | USA | Cookie consent management | IP address |
Block Disposable Email | USA | Prevent spam sign-ups | User email address |
Changes to Subprocessors: Clockk will maintain an updated list of subprocessors. The Controller may request notifications of changes to subprocessors, and Clockk will provide such notifications upon request.
Subprocessor Obligations: Clockk will ensure that all subprocessors are bound by data protection obligations equivalent to those in this Agreement.
Data Subject Rights
Assistance with Requests: Clockk will assist the Controller in fulfilling Data Subject requests only to the extent that Clockk can provide necessary tools or information, based on the Controller’s documented instructions.
Limited Involvement: If Clockk receives a Data Subject request directly, Clockk will inform the Controller and will not take further action unless required by law.
Security Measures
Technical and Organizational Measures: Clockk shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data where appropriate,
- Regular backups of data,
- Access controls to limit personnel access to personal data,
- Regular security audits and assessments.
Confidentiality and Access: Clockk ensures that only authorized personnel with a need to know have access to personal data.
Data Breach Notification
Notification Obligation: In the event of a personal data breach affecting the Controller’s data, Clockk will notify the Controller without undue delay, but no later than 72 hours after becoming aware of the breach.
Details of the Breach: The notification will include sufficient information for the Controller to meet any reporting obligations, including the nature of the breach, the affected data, and any actions taken to mitigate the damage.
Data Retention and Deletion
Retention Period: Clockk will retain personal data in accordance with the retention period specified in Clockk’s Privacy Policy, or as required by applicable law.
Deletion of Data: Upon termination of the services, Clockk will delete all personal data, unless further retention is required by law.
Audit and Compliance
Audit Rights: The Controller may request, at reasonable intervals and with reasonable notice, information or documentation to demonstrate Clockk’s compliance with the obligations set forth in this Agreement.
Internal Reviews: Clockk will provide evidence of internal reviews or security practices, where appropriate, to demonstrate compliance.
Minimizing Disruption: Any audits shall be conducted in a manner that minimizes disruption to Clockk’s operations.
Liability and Indemnity
Limitation of Liability: Clockk’s total liability arising out of or related to this Agreement, whether in contract, tort, or otherwise, shall not exceed the total amount paid by the Controller to Clockk in the 12 months preceding the claim.
Indemnification: The Controller agrees to indemnify and hold harmless Clockk against any claims, damages, or legal actions arising from the Controller’s breach of this Agreement or applicable data protection laws.
Miscellaneous
Governing Law: This Agreement shall be governed by and construed in accordance with the laws of Nova Scotia, Canada.
Amendments: Clockk may amend this Agreement from time to time. Any substantial changes will be communicated to the Controller, and continued use of the services after such changes constitutes acceptance of the revised Agreement.
Severability: If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
Dispute Resolution: Any disputes arising out of this Agreement shall be resolved through arbitration or mediation before resorting to legal action.