Data Processing Agreement

GDPR-compliant terms for how we process personal data on your behalf.

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Controller", "Customer") and Converge Software d.o.o. ("Processor", "we", "us") for the use of Workplace.hr ("the Service"), and supplements our Terms of Service and Privacy Policy.

1. Definitions

  • "Controller" means the Customer who determines the purposes and means of processing Personal Data through the Service.
  • "Processor" means Converge Software d.o.o., which processes Personal Data on behalf of the Controller.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
  • "Personal Data" means any information relating to a Data Subject, as defined in Article 4(1) of the GDPR.
  • "Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR.
  • "Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.

2. Subject Matter and Duration

This DPA governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Service. The DPA is effective for the duration of the Controller's use of the Service and continues until all Personal Data has been deleted or returned in accordance with this agreement.

3. Nature and Purpose of Processing

The Processor processes Personal Data solely for the purpose of providing the Service as described in the Terms of Service, including:

  • Storing and managing employee and contractor records
  • Processing payroll calculations and generating pay slips
  • Managing employment contracts and HR documents
  • Tracking time-off, attendance, and work schedules
  • Document processing and recognition (OCR)
  • Generating reports and analytics for the Controller

4. Types of Personal Data

The following types of Personal Data may be processed through the Service:

  • Name, date of birth, and contact details (email, phone, address)
  • National identification numbers (OIB in Croatia, or equivalent)
  • Employment details (job title, department, start/end dates, contract type)
  • Compensation data (salary, bonuses, deductions, bank account details)
  • Time-off and attendance records
  • Tax and social security information
  • Documents uploaded by the Controller (contracts, certificates, etc.)

5. Categories of Data Subjects

Personal Data processed under this DPA relates to the following categories of Data Subjects:

  • Employees of the Controller
  • Contractors and freelancers engaged by the Controller
  • Job applicants and candidates (if applicable)
  • Authorized users of the Controller's account

6. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by EU or member state law.
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR.
  • Respect the conditions for engaging Sub-processors as set out in Section 7.
  • Assist the Controller in responding to Data Subject requests.
  • Assist the Controller in ensuring compliance with obligations under Articles 32 to 36 of the GDPR.
  • At the Controller's choice, delete or return all Personal Data after the end of the provision of the Service, and delete existing copies unless EU or member state law requires storage.
  • Make available all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR.

7. Sub-processors

The Controller provides general written authorization for the Processor to engage Sub-processors, subject to the following conditions:

  • All Sub-processors are located within the European Union or European Economic Area.
  • The Processor shall impose the same data protection obligations as set out in this DPA on any Sub-processor.
  • The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object within 30 days.
  • The Processor remains fully liable to the Controller for the performance of any Sub-processor's obligations.

8. Data Transfers

All Personal Data is processed and stored exclusively within the European Union. The Processor does not transfer Personal Data to any country outside the EU/EEA. All infrastructure, hosting, and Sub-processors are located within the EU.

9. Security Measures

The Processor implements the following technical and organizational measures:

  • Encryption at rest — all data is encrypted at rest using industry-standard encryption algorithms.
  • Encryption in transit — all data in transit is protected using TLS 1.2 or higher.
  • Database isolation — each customer's data is stored in a separate, isolated database instance.
  • Zero-knowledge encryption — sensitive data is encrypted such that the Processor cannot access it in plaintext.
  • Access controls — role-based access controls with the principle of least privilege.
  • Authentication — multi-factor authentication support via IdPlace.hr (OAuth2/OIDC with PKCE).
  • Audit logging — all access to Personal Data is logged and monitored.
  • Regular updates — security patches and updates are applied promptly.
  • Backup and recovery — regular encrypted backups with tested recovery procedures.

10. Data Breach Notification

In the event of a personal data breach, the Processor shall:

  • Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.
  • Provide sufficient information to allow the Controller to meet its obligations under Articles 33 and 34 of the GDPR, including the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
  • Cooperate with the Controller and take reasonable steps to mitigate the effects of the breach.

11. Data Subject Requests

The Processor shall:

  • Promptly notify the Controller if it receives a request from a Data Subject regarding their rights under the GDPR (access, rectification, erasure, restriction, portability, or objection).
  • Not respond to such requests directly unless authorized by the Controller.
  • Assist the Controller in fulfilling Data Subject requests through appropriate technical and organizational measures.
  • Provide tools within the Service that enable the Controller to manage Data Subject requests directly where feasible.

12. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations under Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

Audits shall be conducted with reasonable prior notice (at least 30 days), during normal business hours, and shall not unreasonably interfere with the Processor's business operations. The Controller shall bear its own costs of any audit.

13. Return and Deletion of Data

Upon termination of the Service:

  • The Controller may request export of all Personal Data in a structured, commonly used, machine-readable format within 30 days of termination.
  • After the 30-day export period (or upon the Controller's earlier instruction), the Processor shall delete all Personal Data within 90 days, unless retention is required by applicable law.
  • The Processor shall provide written confirmation of deletion upon the Controller's request.

14. Governing Law

This DPA is governed by the laws of the Republic of Croatia and shall be subject to the jurisdiction of the competent courts in Zagreb, Croatia.

15. Contact

For questions about this DPA, contact us at:

Converge Software d.o.o.
Zagreb, Croatia
Email: privacy@workplace.hr