Data Processing Agreement

Last updated: December 2, 2025

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Clerkcat ("Processor") and the organization using our services ("Controller"). This DPA reflects our commitment to process personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Definitions

For the purposes of this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data
  • "Data Subject" means the individual to whom the Personal Data relates
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data
  • "Data Breach" means any unauthorized access to, or destruction, loss, or alteration of Personal Data

3. Scope and Purpose

This DPA applies to all Personal Data processed by the Processor on behalf of the Controller in connection with the visitor management services. The purpose of processing is to enable the Controller to manage visitor check-ins, track visitor activity, and maintain records as configured by the Controller.

4. Types of Personal Data

The categories of Personal Data processed may include:

  • Visitor names and contact information
  • Photographs and signatures
  • Check-in and check-out timestamps
  • Purpose of visit and host information
  • Custom fields as configured by the Controller
  • Device and browser information

5. Processor Obligations

The Processor agrees to:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to Data Subject requests
  • Notify the Controller of any Data Breach without undue delay
  • Delete or return all Personal Data upon termination of services
  • Make available information necessary to demonstrate compliance with this DPA

6. Controller Obligations

The Controller agrees to:

  • Ensure there is a lawful basis for processing visitor Personal Data
  • Provide appropriate privacy notices to Data Subjects
  • Obtain necessary consents where required
  • Ensure instructions to the Processor comply with applicable laws
  • Maintain records of processing activities as required by law

7. Security Measures

The Processor implements the following security measures:

  • Encryption of data in transit (TLS 1.2 or higher) and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and vulnerability testing
  • Incident response and disaster recovery procedures
  • Employee security training and awareness programs
  • Physical security measures for data centers

8. Sub-processors

The Controller authorizes the Processor to engage Sub-processors to assist in providing the services. The Processor will maintain a list of current Sub-processors and notify the Controller of any changes. Sub-processors are bound by data protection obligations substantially similar to those in this DPA.

9. International Transfers

Where Personal Data is transferred outside the European Economic Area, the Processor ensures appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, or transfers to countries with adequate data protection as determined by the European Commission.

10. Data Subject Rights

The Processor will assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws, including rights of access, rectification, erasure, restriction, portability, and objection. The Controller can fulfill most requests directly through the Service's administrative features.

11. Data Breach Notification

In the event of a Data Breach affecting the Controller's Personal Data, the Processor will notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach. The notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken to address it.

12. Audits

The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Such audits will be conducted with reasonable notice and during normal business hours.

13. Term and Termination

This DPA remains in effect for the duration of the processing of Personal Data under the Terms of Service. Upon termination, the Processor will, at the Controller's choice, delete or return all Personal Data and delete existing copies unless required by law to retain the data.

14. Contact Us

For questions about this Data Processing Agreement or to exercise your rights, please contact us at [email protected].