Data Processing Agreement

(Article 28 GDPR)

Last updated: 14/02/2026

This Data Processing Agreement ("Agreement" or "DPA") forms part of the Terms of Service or Master Service Agreement (the "Principal Agreement") between:

  • Tech Art Ltd., a company registered in the Republic of Bulgaria, operating TimeMetrics.io ("Processor")
  • The Customer ("Controller")

This Agreement governs the processing of Personal Data under Regulation (EU) 2016/679 (General Data Protection Regulation – "GDPR").

1. Roles of the Parties

1.1 The Customer acts as the Data Controller.

1.2 Tech Art Ltd., operating TimeMetrics.io, acts as the Data Processor.

1.3 The Processor shall process Personal Data only on documented instructions from the Controller.

2. Subject Matter and Duration

2.1 Subject Matter

The processing concerns the provision of TimeMetrics.io workforce productivity and analytics services.

2.2 Duration

Processing shall continue for the duration of the Principal Agreement unless otherwise agreed or required by law.

3. Nature and Purpose of Processing

The Processor processes Personal Data for the following purposes:

  • Providing employee productivity monitoring services
  • Generating analytics and reports
  • System security and fraud prevention
  • Customer support
  • Service maintenance and improvement

Processing operations may include:

  • Collection
  • Recording
  • Organization
  • Storage
  • Retrieval
  • Analysis
  • Deletion

4. Categories of Data Subjects

Data Subjects may include:

  • Employees
  • Contractors
  • Consultants
  • Temporary staff
  • Other authorized End Users

5. Categories of Personal Data

Depending on Customer configuration, the Processor may process:

  • Name or user ID
  • Work email address
  • IP address
  • Device identifiers
  • Login timestamps
  • Application usage data
  • Productivity metrics
  • Activity timestamps
  • Technical logs

The Processor does not intentionally process special categories of data (Article 9 GDPR). If such data is captured inadvertently, it is processed solely under Customer instruction.

6. Obligations of the Processor

The Processor shall:

6.1 Process Personal Data only on documented instructions from the Controller.

6.2 Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.

6.3 Implement appropriate technical and organizational measures pursuant to Article 32 GDPR, including:

  • Encryption in transit (TLS/HTTPS)
  • Access controls
  • Secure hosting infrastructure
  • Data minimization practices
  • Logging and monitoring mechanisms

6.4 Assist the Controller in fulfilling obligations under Articles 32–36 GDPR, including:

  • Data breach notification
  • Data protection impact assessments (DPIA)
  • Prior consultations with supervisory authorities

6.5 Notify the Controller without undue delay after becoming aware of a Personal Data Breach.

6.6 Delete or return Personal Data upon termination of services, unless EU or Bulgarian law requires retention.

6.7 Make available all information necessary to demonstrate compliance with this Agreement.

7. Subprocessors

7.1 The Controller grants general authorization to the Processor to engage subprocessors.

7.2 The Processor shall ensure that subprocessors are bound by data protection obligations equivalent to those in this Agreement.

7.3 The Processor shall remain fully liable for subprocessors' compliance.

7.4 A current list of subprocessors shall be made available upon request.

8. International Data Transfers

8.1 Personal Data shall be processed within the European Economic Area (EEA) unless otherwise agreed.

8.2 Where transfers outside the EEA occur, the Processor shall ensure appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the European Commission

9. Data Subject Rights

9.1 The Processor shall assist the Controller in responding to requests for:

  • Access
  • Rectification
  • Erasure
  • Restriction
  • Portability
  • Objection

9.2 If the Processor receives a request directly from a Data Subject, it shall promptly forward the request to the Controller.

10. Security of Processing

The Processor implements measures including:

  • Encrypted communication channels
  • Role-based access control
  • Secure cloud hosting
  • Regular security monitoring
  • Backup and disaster recovery systems

Security measures shall be appropriate to the risk level of the processing.

11. Personal Data Breach

11.1 The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach.

11.2 The notification shall include:

  • Description of the breach
  • Categories and approximate number of affected data subjects
  • Likely consequences
  • Measures taken or proposed

12. Deletion and Return of Data

Upon termination of the Services:

  • The Processor shall delete or return all Personal Data at the Controller's choice.
  • Backups shall be securely deleted according to retention schedules.
  • Legal retention obligations under Bulgarian law shall apply where required.

13. Audit Rights

13.1 The Controller may request reasonable information demonstrating compliance.

13.2 Audits shall be conducted:

  • With reasonable notice
  • During business hours
  • At the Controller's expense
  • Without disrupting normal operations

14. Liability

Liability shall be governed by the Principal Agreement, subject to GDPR Article 82.

15. Governing Law

This Agreement shall be governed by:

  • The laws of the Republic of Bulgaria
  • Regulation (EU) 2016/679 (GDPR)

Disputes shall be subject to the competent Bulgarian courts.