Data Processing Agreement

Version: 1.1Effective: April 19, 2026

Last updated: April 19, 2026

Standard GDPR Article 28 compliant Data Processing Agreement for ENTERPRISE customers. This document governs the relationship between the data controller (you) and the data processor (Cadensa).

📄 ENTERPRISE Customers

This DPA template is designed for ENTERPRISE plan customers. If you are an ENTERPRISE customer and need a signed DPA, please contact us:

Email:

Response time: Within 5 business days

1. Definitions

Controller: The natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data. Your organization.

Processor: The natural or legal person which processes personal data on behalf of the controller. Cadensa / Axeri Labs Bt.

Personal Data: Any information relating to an identified or identifiable natural person (GDPR Article 4(1)).

Data Subject: The identified or identifiable natural person (e.g., your employees).

Sub-processor: A third-party service provider engaged by the processor to assist in processing activities.

2. Subject Matter and Duration

Subject Matter: Cadensa (processor) provides time tracking and project management services to the controller under the ENTERPRISE plan. The processor processes personal data on behalf of and according to the instructions of the controller.

Duration: This DPA remains in effect for the entire duration of the ENTERPRISE subscription and terminates automatically upon subscription termination. Data deletion follows the Terms of Service (30-day grace period + 8-year accounting retention).

3. Nature and Purpose of Processing

Processing Activities:

• Storage: Storage of user accounts, time entries, projects, tasks
• Processing: Report generation, analytics, billing data production
• Transfer: Data transmission to controller users (only within controller organization)
• Deletion: Data deletion upon controller request or expiration of legal retention period

Purpose of Processing:

• Time tracking and attendance management
• Project management support
• Billing data generation (billable hours)
• Productivity reporting
• Ensuring service availability

4. Categories of Data and Data Subjects

Data Categories:

• Identification data (name, email)
• Work-related data (time entries, projects)
• Technical data (IP address, browser info)
• Usage data (login history)
• Settings (language, timezone, avatar)

Data Subjects:

• Controller's employees
• Controller's contractors
• Controller's team members
• Administrators

5. Controller Obligations and Instructions

The controller shall ensure that:

1. It has a legal basis for processing personal data
2. Data subjects have been properly informed
3. Processing complies with GDPR and applicable national laws
4. Instructions given to the processor are lawful

Processing Instructions:

The processor shall process personal data only on written instructions from the controller. The following instructions apply:

• As specified in the ENTERPRISE subscription agreement
• As outlined in the Terms of Service
• As per written requests sent to by the controller

6. Processor Obligations

The processor (Cadensa) undertakes to:

a) Confidentiality (GDPR Article 28(3)(b))

Ensures that persons authorized to process personal data have committed themselves to confidentiality.

b) Technical and Organizational Measures (GDPR Article 32)

Implements appropriate technical and organizational measures to protect data:

• Encryption: TLS 1.3 (transit), AES-256 (storage)
• Access control: RBAC, optional 2FA
• Audit logging: 2-year retention
• Backups: Daily, encrypted
• System updates: Regular security patches

c) Data Deletion (GDPR Article 28(3)(g))

Deletes or returns all personal data after the end of the provision of services, except data subject to legal retention (8 years - Accounting Act).

d) Audit Rights (GDPR Article 28(3)(h))

Makes available all information necessary to demonstrate compliance with GDPR. ENTERPRISE customers may request 1 audit per year (with 30 days notice).

e) Data Breach Notification (GDPR Article 33)

Notifies the controller without undue delay, and in any event within 24 hours, of any personal data breach via .

7. Sub-processors

The controller grants general authorization to the processor to engage sub-processors. The processor shall notify the controller at least 30 days in advance of any new sub-processor engagement.

Current Sub-processors (2026-04-19):

1. Hetzner Online GmbH
Service: Server hosting + MongoDB database
Location: Germany (EU)
DPA: hetzner.com/legal/data-privacy-faq

2. Stripe Inc.
Service: Payment processing
Location: USA (EU Standard Contractual Clauses)
DPA: stripe.com/legal/dpa

3. Tarhely.eu / EZIT Kft.
Service: Email delivery (SMTP)
Location: Hungary (EU)
Terms: tarhely.eu/aszf

4. Vercel Inc.
Service: Landing page hosting + CDN
Location: Global (EU edge servers)
DPA: vercel.com/legal/dpa

5. Wasabi Technologies, LLC
Service: Invoice PDF archival (S3-compatible Object Storage, WORM Object Lock in COMPLIANCE mode — 8-year immutable retention per Hungarian Accounting Act §169)
Location: Germany (eu-central-2 / Frankfurt — EU)
DPA: wasabi.com/legal/data-processing-addendum

6. Billingo Technologies Zrt.
Service: Electronic invoice issuance + NAV Online Számla 3.0 reporting (subscription invoices)
Location: Hungary (EU)
Data transferred: customer name, billing address, tax / EU VAT number, email, invoice line items and amounts
DPA: billingo.hu/adatvedelem

7. Google LLC (Analytics)
Service: Analytics (consent-based only)
Location: USA (EU-US Data Privacy Framework)
DPA: privacy.google.com/businesses/processorterms

Right to object: The controller may object to any new sub-processor within 30 days via .

8. Data Subject Rights Assistance

The processor assists the controller, using appropriate technical and organizational measures, in fulfilling data subject rights (GDPR Articles 15-22):

Right to Access:
Profile → Export Data (JSON)

Right to Rectification:
Profile → Edit

Right to Erasure:
Settings → Delete Account (30-day grace period)

Data Portability:
JSON export

Response time: The processor fulfills controller requests within 5 business days ().

9. Data Breach Management

Notification Obligation:

The processor shall notify the controller without undue delay, and in any event within 24 hours, of any personal data breach.

Notification channel:

Contents:

• Nature of the breach
• Categories of data and number of data subjects affected
• Consequences of the breach
• Measures taken and planned

10. Term and Termination

Effective Date: This DPA becomes effective upon commencement of the ENTERPRISE subscription.

Termination: This DPA terminates automatically upon termination of the ENTERPRISE subscription.

Processing after termination:

• 30-day grace period: data can be exported
• After 30 days: all personal data deleted (except legal obligations)
• Billing records: 8-year retention (anonymized)
• Audit logs: 2-year retention (anonymized)

11. Liability and Indemnification

Liability allocation under GDPR Article 82:

Processor Liability:
The processor is liable only if it has not complied with GDPR obligations specifically directed to processors or has acted outside or contrary to lawful instructions of the controller.

Limitation of Liability:
Total aggregate liability of the processor is limited to 12 times the monthly subscription fee (subject to mandatory GDPR liability rules).

12. Governing Law and Jurisdiction

Governing Law: This DPA is governed by Hungarian law and EU GDPR.

Jurisdiction: Disputes shall fall under the jurisdiction of the Pest County Court (Hungary).

13. Signatures

This DPA becomes effective upon acceptance of the ENTERPRISE subscription. If you need a signed copy, please contact us:

Controller:

Name: __________________________

Address: __________________________

Date: __________________________

Signature: __________________________

Processor:

Name: Axeri Labs Bt. (CADENSA)

Address: 2120 Dunakeszi, Brassói utca 7., Hungary