Data Processing Agreement
Last updated: January 15, 2026
This Data Processing Agreement (“DPA”) is incorporated into the Terms of Service between you (“Controller”) and Converge Software d.o.o. (“Processor”). It satisfies Article 28 of Regulation (EU) 2016/679 (“GDPR”).
1. Subject and duration
The Processor processes personal data on behalf of the Controller in connection with the Workplace.hr service. Processing continues for the duration of the service subscription, plus a 90-day return-or-deletion window thereafter.
2. Nature and purpose of processing
The Processor processes the personal data the Controller submits to the service: employee records, contract details, contact information, document metadata, payroll inputs. Processing is for the sole purpose of operating the service the Controller has subscribed to.
3. Categories of data subjects
- The Controller’s employees, contractors, and applicants.
- The Controller’s customers, suppliers, and contacts, where uploaded.
4. Categories of personal data
- Identity data: names, dates of birth, ID/tax numbers.
- Contact data: addresses, phone numbers, email.
- Employment data: roles, salaries, leave balances, performance notes.
- Documents: contracts, payslips, certificates, invoices.
5. Processor obligations
The Processor:
- Only processes personal data on documented instructions from the Controller.
- Ensures personnel authorised to process the data are bound by confidentiality.
- Implements appropriate technical and organisational measures (Annex II).
- Does not engage sub-processors without prior written consent (general or specific). The current sub-processor list is at workplace.hr/legal/sub-processors.
- Assists the Controller in responding to data subject requests.
- Notifies the Controller of any personal data breach without undue delay (within 72 hours of awareness).
- Returns or deletes all personal data at the end of the agreement, at the Controller’s choice.
- Makes available all information necessary to demonstrate compliance with this DPA.
6. Sub-processors
The Processor uses the following sub-processors:
| Sub-processor | Service | Location |
|---|---|---|
| Hetzner Online GmbH | Server hosting | Falkenstein & Helsinki |
| Stalwart Labs | Mail server (self-hosted) | Same infrastructure |
The Processor will give the Controller 30 days’ notice of any change to this list, during which the Controller may object on reasonable grounds.
7. Data subject rights
Where the Processor receives a request from a data subject relating to data processed under this DPA, the Processor will forward the request to the Controller within 5 business days and not respond directly unless instructed.
8. Data transfers
The Processor will not transfer personal data outside the European Economic Area without the Controller’s prior written consent and appropriate safeguards (e.g., Standard Contractual Clauses).
9. Audits
The Controller, at its own cost and on 30 days’ written notice, may audit the Processor’s compliance with this DPA, no more than once per year (more frequently in case of a confirmed breach).
10. Liability and indemnity
Each party’s liability is governed by the Terms of Service. This DPA does not create independent indemnification obligations beyond those required by Article 82 of the GDPR.
11. Term and termination
This DPA terminates automatically when the underlying Terms of Service terminate. Clauses that by their nature should survive (confidentiality, audit rights for prior periods) survive termination.
12. Governing law and jurisdiction
Croatian law. Courts of Zagreb, Croatia.
Annex I — Description of processing
(See sections 2–4 above.)
Annex II — Technical and organisational measures
- TLS 1.3 for all data in transit.
- AES-256 at rest, with separate per-customer encryption keys.
- Role-based access control with least privilege.
- Comprehensive audit logging, 12-month retention.
- Daily encrypted backups, 30-day retention, recoverable to point-in-time within the last 7 days.
- Annual penetration testing.
- All staff bound by confidentiality and trained on GDPR.
Signing this DPA
This DPA is automatically incorporated into the Terms of Service when you subscribe to a paid tier. A countersigned copy is available on request from dpo@workplace.hr.