Data Processing Agreement

Dualtime · dualtime.app · [email protected]

Effective date: March 24, 2026


Preliminary Note — Dualtime's Roles in Data Protection

Dualtime may act as Data Controller or Data Processor depending on the type of data:

  • DATA CONTROLLER: with respect to the Client's (manager's) own data required for the contractual relationship (name, email, billing information). Governed by the Privacy Policy and Terms of Service, not by this Agreement.
  • DATA PROCESSOR: with respect to the Client's employees' data. The Client decides what data to collect and for what purpose. Dualtime processes it solely according to their instructions. This is the main subject matter of this Agreement.

1. Parties to the Agreement

This Data Processing Agreement ("Agreement" or "DPA") is entered into between:

THE CLIENT (Data Controller): The company, self-employed professional or business that contracts the Dualtime service and manages their employees' access to the Platform. Hereinafter: "the Client".
DUALTIME (Data Processor): Javier Castaño Candela, a self-employed professional based in Huelva, Spain, owner of dualtime.app. Contact: [email protected]. Hereinafter: "Dualtime".

2. Definitions

Term | Definition
GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of personal data.
Personal Data | Any information relating to an identified or identifiable natural person.
Processing | Any operation performed on personal data: collection, recording, storage, consultation, disclosure, erasure, etc.
Controller | The party that determines the purposes and means of processing. In this Agreement: the Client, with respect to their employees' data.
Processor | The party that processes data on behalf of the Controller. In this Agreement: Dualtime, with respect to the Client's employees' data.
Sub-processor | A third party engaged by Dualtime to provide part of the service that involves processing personal data.
End Users | Employees and collaborators of the Client added to the Platform by the Client.
Platform | The Dualtime SaaS service, accessible at dualtime.app and through the mobile clock-in app.
Security Breach | An incident resulting in the destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

3. Subject Matter and Legal Basis

This Agreement governs the processing of End Users' (employees') data that Dualtime performs on behalf of the Client, within the framework of the shift management and attendance tracking service.

This Agreement is binding pursuant to Article 28 of the GDPR and constitutes an integral part of the Dualtime Terms of Service. It is entered into when the Client accepts those Terms.

Dualtime will not process End Users' data for any purpose of its own or beyond those set out in this Agreement, except where required by law.


4. Processing Details

4.1 Purposes

Dualtime will process End Users' data exclusively for:

  • Authentication and management of employee accounts (access via Email OTP or Magic Link)
  • Recording clock-in and clock-out times (attendance tracking)
  • Display and assignment of shifts and schedules by the Client
  • Storage of attendance records for the Client's review
  • Sending transactional communications (access codes, shift notifications)

4.2 Categories of Data

Category | Specific Data
Identification data | First and last name
Contact data | Email address
Work activity data | Clock-in/clock-out date and time, assigned shift
Technical data | Internal identifier, Platform access timestamps

Dualtime will not process special categories of data (health, ethnic origin, beliefs, etc.) unless expressly instructed by the Client with an appropriate legal basis.

4.3 Data Subjects

The data subjects are the employees and collaborators that the Client adds to the Platform. The Client is solely responsible for ensuring they have a legal basis for processing their data and for informing them appropriately.

4.4 Duration

Processing lasts for as long as the contract remains in effect. After termination, Dualtime will retain the data for a maximum of 30 days for possible export, after which it will be permanently deleted.


5. Dualtime's Obligations (Processor)

5.1 Instruction Principle

Dualtime will process data only in accordance with the Client's documented instructions. If it considers that an instruction infringes the GDPR, it will notify the Client immediately.

5.2 Confidentiality

Persons with access to the data are subject to a duty of confidentiality.

5.3 Security Measures (TOMs)

  • Encryption in transit via TLS 1.2/1.3 (HTTPS)
  • Encryption at rest on Scaleway servers (France)
  • Passwordless authentication (Email OTP / Magic Link)
  • Role-based access control: employees see only their own data; managers see only their organization
  • Periodic backups (30-day retention)
  • Principle of least privilege for internal access

5.4 Assistance to the Controller

Dualtime will assist the Client in responding to data subject rights requests, notifications to the supervisory authority, and data protection impact assessments (DPIAs) where required.

5.5 Audit Rights

Dualtime will provide the Client with the information necessary to demonstrate compliance with this Agreement. The Client may request an audit with at least 30 days' notice and without disrupting the service. Audit costs shall be borne by the Client.

5.6 Return and Deletion

After cancellation, the Client may export their data for 30 days. After that period, Dualtime will permanently delete all data, including backups.


6. Client's Obligations (Controller)

  1. Inform their employees about the processing of their data before adding them to the Platform, in accordance with Art. 13 GDPR.
  2. Ensure they have an appropriate legal basis for processing their employees' data.
  3. Not instruct Dualtime to process data in a manner contrary to applicable regulations.
  4. Notify Dualtime of any changes to the processing instructions.
  5. Manage Platform access: invite, deactivate, and remove employees.
  6. Handle data subject rights requests from their employees directly, with assistance from Dualtime where necessary.

7. Sub-processors

The Client authorizes Dualtime to engage the following sub-processors:

Provider | Service | Purpose | Location
Scaleway | Cloud hosting | Storage and infrastructure | France (EU)
PostHog | Analytics | Anonymous Platform usage analysis | EU / EEA
Polar | Payments | Client (manager) subscriptions | International
Resend | Email delivery | Authentication OTPs and Magic Links | US

Dualtime will notify the Client of any changes to sub-processors with at least 10 days' notice, giving the Client the opportunity to object. Dualtime remains liable to the Client for its sub-processors' compliance.


8. International Transfers

Dualtime endeavors to ensure that processing takes place within the EEA. For transfers to third countries, it guarantees that they are governed by one of the mechanisms under Chapter V of the GDPR (adequacy decision, Standard Contractual Clauses, or another valid mechanism).


9. Security Breaches

  1. Dualtime will notify the Client within a maximum of 48 hours of becoming aware of the incident.
  2. The notification will include: description of the incident, categories and approximate number of affected individuals, possible consequences, and measures taken.
  3. Dualtime will assist the Client in fulfilling their obligation to notify the supervisory authority and, where applicable, the data subjects.

The Client, as Controller, is responsible for notifying the supervisory authority within the GDPR timeframe (72 hours).


10. Data Subject Rights

If an employee exercises their rights directly with Dualtime, it will notify the Client within a maximum of 5 business days. The Client is responsible for responding within the legal timeframe.

Contact: [email protected]


11. Liability

Each party is liable for its own GDPR violations. Dualtime shall only be liable for damages caused when it has breached its obligations as Processor or acted outside the Client's instructions. Dualtime's total liability shall not exceed the amount invoiced to the Client in the 6 months preceding the event giving rise to the claim.


12. Term and Termination

This Agreement remains in effect for as long as the service contract is in force. Termination of the contract entails termination of this Agreement, without prejudice to obligations that survive by their nature (confidentiality, data deletion).


13. Governing Law and Jurisdiction

This Agreement is governed by Spanish law and the GDPR. Any disputes shall be submitted to the courts of Huelva, Spain.


14. Amendments

Dualtime may update this Agreement to adapt it to regulatory or service changes, notifying the Client at least 30 days in advance. Continued use of the service constitutes acceptance of the changes.


15. Acceptance

The Client accepts this Agreement by accepting the Dualtime Terms of Service.