Data Processing Agreement

Last updated: February 2026

This Data Processing Agreement ("DPA") is entered into between the Customer ("Data Controller") and Cloud Timer ("Data Processor") in accordance with GDPR Article 28.

Roles

The Customer (employer/company) is the Data Controller. Cloud Timer acts as the Data Processor, processing personal data on behalf of the Controller.

Types of Data Processed

We process the following categories of personal data: names, email addresses, work hours, time entries, expense records, receipt files, vacation requests, and employment information.

Purpose of Processing

Data is processed solely to provide the Cloud Timer service: time tracking, expense management, project management, analytics, and team collaboration.

Security Measures

We implement appropriate technical and organizational measures including: encryption in transit (TLS), encryption at rest, access controls, regular security reviews, and secure sub-processor agreements.

Data Breach Notification

In the event of a personal data breach, we will notify the Data Controller without undue delay, and no later than 72 hours after becoming aware of the breach, in accordance with GDPR Article 33.

Data Deletion

Upon termination of the service agreement, we will delete or return all personal data within 30 days, except where retention is required by law (e.g., Bogføringsloven).

Audit Rights

The Data Controller has the right to audit our compliance with this DPA. We will provide reasonable assistance and access to relevant information upon written request.

International Transfers

Some sub-processors are located in the USA. Transfers are safeguarded under the EU-US Data Privacy Framework and Standard Contractual Clauses where applicable.

Sub-Processor List

Governing Law

These terms are governed by and construed in accordance with the laws of Denmark. Any disputes shall be resolved in Copenhagen City Court (Københavns Byret).