Data Processing Agreement
policies-customer-facing/dpa-template.mdData Processing Agreement
Version: 1.0 | Last reviewed: 2026-06-17 | Effective date: 2026-06-17
Between Vezoft, a company registered in Bulgaria (EU) under company number (EIK) 202823109, with its registered office in Kardzhali, Bulgaria (see Imprint for the full registered address) ("Vezoft", "TimerOS", Processor)
and
Customer fills in: [CUSTOMER LEGAL NAME], registered at [CUSTOMER ADDRESS] ("Customer", Controller)
(each a "Party"; together the "Parties")
This Data Processing Agreement ("DPA") forms part of the Terms of Service and any Order Form between the Parties (together, the "Agreement"). It is entered into to satisfy Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), and equivalent provisions of the UK GDPR and the California Consumer Privacy Act as amended ("CCPA/CPRA"), in respect of TimerOS's processing of personal data on behalf of the Customer.
If you accepted the Terms of Service on behalf of an organisation and your jurisdiction recognises browse-wrap or click-wrap consent for B2B agreements, this DPA is in force automatically. For larger Customers preferring a wet-signed or e-signed copy, contact privacy@timeros.ai for a counter-signature.
1. Definitions
Capitalised terms not defined here have the meaning given in the GDPR or the Agreement.
- Customer Personal Data — personal data (as defined in GDPR Art. 4(1)) that TimerOS processes on behalf of the Customer under the Agreement.
- Data Subject — an individual whose personal data is processed, including the Customer's employees, contractors, agents, clients, and their representatives.
- Sub-processor — a third party engaged by TimerOS to process Customer Personal Data on its behalf.
- EU SCCs — the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914.
- UK Addendum — the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A of the UK Data Protection Act 2018.
- Annex 1 — Description of Processing (this DPA).
- Annex 2 — Technical and Organisational Measures (this DPA).
- Annex 3 — List of approved Sub-processors (current list at
subprocessors).
2. Roles
The Parties acknowledge that, in respect of Customer Personal Data processed under the Agreement:
(a) Customer is the Controller (or, where Customer is itself a processor for its own client, Customer acts as the relevant data exporter and TimerOS is the sub-processor down the chain).
(b) TimerOS is the Processor, processing Customer Personal Data only on documented instructions from the Customer.
For CCPA purposes, TimerOS acts as a Service Provider. TimerOS does not sell or share Customer Personal Data (as those terms are defined in the CCPA), and does not retain, use, or disclose Customer Personal Data outside the direct business relationship between the Parties or for any commercial purpose other than performing the Service.
3. Subject matter, duration, nature, purpose, and instructions
The subject matter, nature, purpose, types of data, and categories of data subject are set out in Annex 1. The Agreement (including this DPA, the Order Form, configuration choices the Customer makes in the Service, and any in-app or written instructions from a Customer-authorised user) constitutes the Customer's complete and final documented instructions. If TimerOS believes an instruction breaches data-protection law, it will notify the Customer without delay and may suspend performance until the instruction is corrected.
Duration: for as long as TimerOS processes Customer Personal Data under the Agreement, and for any post-termination period required by Section 12.
4. Confidentiality and personnel
TimerOS ensures that any person authorised to process Customer Personal Data is bound by a written confidentiality obligation or a statutory duty of confidence, and is trained on data-protection requirements. Access is on a need-to-know basis, with role-based access controls.
5. Security
TimerOS implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Annex 2 and as updated from time to time on this URL. The Customer is responsible for evaluating whether the measures in Annex 2 meet its risk profile. TimerOS may update Annex 2 from time to time, provided the level of protection is not materially reduced.
6. Sub-processors
(a) General authorisation. The Customer grants TimerOS general authorisation to engage Sub-processors. The current list is Annex 3 (the Sub-processors page).
(b) Notice of changes. TimerOS will give the Customer at least 30 days' prior notice of adding or replacing a Sub-processor that will process Customer Personal Data. Notice is delivered to the account-owner email and posted to the Sub-processors page.
(c) Right to object. The Customer may object on reasonable data-protection grounds within 30 days of notice. The Parties will work in good faith to find a resolution. If none can be found, the Customer may terminate the affected Order Form on written notice, and TimerOS will refund pre-paid fees for the unused period.
(d) Flow-down. TimerOS imposes on each Sub-processor written data-protection obligations no less protective than those in this DPA, including the EU SCCs where international transfers are involved.
(e) Liability. TimerOS remains liable to the Customer for the acts and omissions of its Sub-processors as if they were its own.
7. Data subject rights
(a) TimerOS will provide the Customer with reasonable assistance, by appropriate technical and organisational measures, to fulfil the Customer's obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR and equivalent rights under other applicable laws.
(b) The Service includes self-service tools for data export and account deletion. The Customer is responsible for using these tools to fulfil its own obligations to Data Subjects.
(c) If TimerOS receives a request from a Data Subject directly, TimerOS will, without undue delay, forward the request to the Customer and not respond except to confirm receipt and refer the Data Subject to the Customer, unless legally compelled to do otherwise.
8. Personal data breach
If TimerOS becomes aware of a personal data breach involving Customer Personal Data, TimerOS will:
(a) Notify the Customer without undue delay and in any event within 48 hours of becoming aware of the breach.
(b) Provide the Customer with information reasonably required for the Customer to comply with GDPR Art. 33 and 34, including: the nature of the breach, categories and approximate number of Data Subjects affected, categories and approximate number of records affected, likely consequences, and measures taken or proposed.
(c) Cooperate with the Customer's reasonable instructions to investigate, mitigate, and remediate.
TimerOS's notification under this Section is not an admission of fault or liability.
9. Data protection impact assessment and prior consultation
TimerOS will provide reasonable assistance to the Customer in carrying out a Data Protection Impact Assessment (DPIA) and any prior consultation with a supervisory authority under GDPR Art. 35 and 36, taking into account the information available to TimerOS. TimerOS provides Customers with a base DPIA package for the employee-monitoring features at internal/dpia-employee-monitoring.md, which Customers may adapt and rely on as a starting point.
10. International transfers
(a) TimerOS deploys EU-resident infrastructure for Customers whose tenant is provisioned in an EU region. For such Customers, no transfer of Customer Personal Data outside the EU/EEA occurs in the ordinary operation of the Service.
(b) Where a transfer to a third country occurs (including in the course of using Sub-processors), the Parties incorporate the EU SCCs Module 2 (controller-to-processor) into this DPA as follows:
- Clause 7 (docking clause) — not used.
- Module 2 applies.
- Clause 9 — Option 2 (general written authorisation), with 30 days' notice as per Section 6 above.
- Clause 11(a) — independent dispute resolution body — not selected.
- Clause 17 — governing law: the law of Bulgaria (an EU Member State).
- Clause 18(b) — courts: the courts of Kardzhali, Bulgaria.
- Annex I.A and I.B — see Annex 1 of this DPA.
- Annex II — see Annex 2 of this DPA.
- Annex III — see Annex 3 of this DPA.
(c) For UK GDPR transfers, the UK Addendum applies and is incorporated by reference, with Tables 1, 2 and 3 completed by reference to the SCCs above and Table 4 left to the data importer (TimerOS) at first instance.
(d) For Swiss FADP transfers, the EU SCCs as adapted by the Swiss Federal Data Protection and Information Commissioner apply.
11. Audits
(a) TimerOS makes available to the Customer all information necessary to demonstrate compliance with this DPA and GDPR Art. 28.
(b) Once per calendar year, on at least 30 days' prior written notice and at the Customer's own cost, the Customer may audit TimerOS's compliance with this DPA, by:
- reviewing a current SOC 2 or ISO 27001 report (when available), or
- a written audit questionnaire that TimerOS will answer within 30 days, or
- a remote audit (video call + document review) where the questionnaire is insufficient.
(c) On-site audits are reserved for cases where the Customer can show that the alternatives above are insufficient to address a specific, identified concern. The Customer must coordinate with TimerOS to avoid undue disruption to TimerOS's other customers and to maintain confidentiality.
(d) Where a supervisory authority requires an audit by law, that audit will proceed subject to applicable confidentiality and the protection of other customers' data.
12. Deletion and return of data
(a) On termination or expiry of the Agreement, the Customer may, within 30 days, export Customer Personal Data via the Service's self-service export, or request a one-off export from TimerOS in JSON format at no charge.
(b) After 30 days from termination (or earlier on Customer's written instruction), TimerOS will delete Customer Personal Data from its production systems within a further 30 days, except to the extent retention is required by applicable law (e.g. tax records, financial records) or by the Customer's request to hold for ongoing legal proceedings. Customer Personal Data persists in MongoDB Atlas backups under a 7-day point-in-time recovery window and 30-day snapshot retention; it is purged on the rolling snapshot cycle, no later than 30 days.
(c) At the Customer's written request, TimerOS will provide a certificate of deletion.
13. Liability
(a) Each Party's liability under this DPA is subject to the limitation of liability set out in the Agreement, with the exception of liabilities that cannot be limited under applicable law, including under GDPR Art. 82 to Data Subjects.
(b) Without prejudice to Art. 82, the Parties allocate liability between them in proportion to fault.
14. Order of precedence
In case of conflict between this DPA and the rest of the Agreement, this DPA prevails for matters concerning the processing of Customer Personal Data. The EU SCCs prevail in case of conflict with this DPA.
15. Governing law and jurisdiction
This DPA is governed by the laws of Bulgaria, with exclusive jurisdiction in the courts of Kardzhali, without prejudice to mandatory Data Subject rights to bring proceedings in the courts of their habitual residence.
16. Notices
To TimerOS: privacy@timeros.ai, with copy to our registered office in Kardzhali, Bulgaria (see Imprint for the full registered address). To the Customer: the account-owner email on file.
Acceptance. Acceptance of the Terms of Service constitutes acceptance of this DPA. For a counter-signed copy contact privacy@timeros.ai.