Data Processing Agreement
Last updated: 4 July 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Hexense Tech OÜ, registry code 17371031, registered address Gonsiori tn 29, Kesklinna linnaosa, 10147 Tallinn, Harju maakond, Estonia (the “Processor”) and the Customer (the “Controller”), and governs the Processor’s processing of personal data contained in Customer Data on behalf of the Controller, as required by Article 28(3) of the GDPR.
1. Details of processing
- Subject matter and duration — provision of the Hexense HR platform for the duration of the Controller’s subscription, plus the deletion period in clause 9.
- Nature and purpose — hosting, storage, and processing of HR records as directed by the Controller through the Service: leave management, policies and acknowledgements, directory and org chart, profiles and onboarding, documents and e-signatures, expenses, payroll records, announcements, surveys, and related notifications and reports.
- Categories of data subjects — the Controller’s current, former, and prospective employees and contractors, and other individuals whose data the Controller enters into the Service.
- Categories of personal data — identification and contact details; employment details (role, team, manager, start/end dates); leave and absence records; compensation and payroll records; expense records; documents and signatures; policy acknowledgements; survey responses; profile fields defined by the Controller.
- Special categories — the Service is not designed to require special-category data, but absence records may reveal health-related information (for example, sick leave). The Controller is responsible for ensuring it has a valid legal basis under Articles 6 and 9 GDPR for such data.
2. Instructions
The Processor processes Customer Data only on the Controller’s documented instructions — namely the Terms, this DPA, and the Controller’s configuration and use of the Service — unless required otherwise by EU or member state law, in which case the Processor informs the Controller before processing unless the law prohibits it. The Processor will inform the Controller if, in its opinion, an instruction infringes the GDPR.
3. Confidentiality
The Processor ensures that persons authorized to process Customer Data are bound by contractual or statutory confidentiality obligations, and that access is limited to what is necessary to operate and support the Service.
4. Security (Article 32)
The Processor implements and maintains appropriate technical and organizational measures, including:
- tenant isolation enforced at the database layer via row-level security on every table holding Customer Data, with org-scoped policies tested for cross-tenant isolation;
- encryption of data in transit (TLS) and at rest;
- role-based access control within the Service (employee / manager / admin) and support for multi-factor authentication and single sign-on;
- audit logging of administrative and security-relevant actions;
- least-privilege operational access; service credentials are never exposed to client applications;
- hosting in the European Union (AWS eu-west-1) with managed backups.
5. Subprocessors
The Controller grants general authorization to engage the subprocessors listed at /legal/subprocessors. The Processor will give at least 30 days’ notice of intended additions or replacements (via the Service or email), during which the Controller may object on reasonable data protection grounds; if the objection cannot be resolved, the Controller may terminate the affected subscription. The Processor imposes data protection obligations on subprocessors equivalent to those in this DPA and remains liable for their performance.
6. International transfers
Customer Data is stored in the European Union. Where a subprocessor processes personal data outside the EEA, the transfer is protected by an adequacy decision (including the EU–US Data Privacy Framework) or the European Commission’s Standard Contractual Clauses, with supplementary measures as appropriate.
7. Assistance to the Controller
- Data subject rights — taking into account the nature of the processing, the Processor assists the Controller with appropriate technical and organizational measures (including the Service’s built-in profile, export, and reporting features) in fulfilling requests under Articles 15–22 GDPR. Requests received directly from data subjects are forwarded to the Controller without undue delay.
- Articles 32–36 — the Processor assists the Controller, insofar as information is available to it, with security, breach notification, data protection impact assessments, and prior consultation obligations.
8. Personal data breaches
The Processor notifies the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting Customer Data, providing the information reasonably required for the Controller’s obligations under Articles 33 and 34 GDPR, supplemented as more information becomes available.
9. Deletion and return
During the subscription, the Controller’s admins can export Customer Data via the Service’s export and reporting features. After the end of the subscription and a 30-day grace period, the Processor deletes Customer Data, including from backups on the backup provider’s rotation schedule, unless EU or member state law requires continued storage.
10. Audit and information
The Processor makes available the information reasonably necessary to demonstrate compliance with Article 28 GDPR, and allows for and contributes to audits, including inspections, conducted by the Controller or its mandated auditor — no more than once per 12 months unless required by a supervisory authority or following a breach, on at least 30 days’ notice, during business hours, under confidentiality, and at the Controller’s cost. Third-party certifications and audit reports of the Processor’s infrastructure providers may be used to satisfy audit requests where adequate.
11. Liability and order of precedence
Liability under this DPA is subject to the limitations in the Terms of Service. In case of conflict between this DPA and the Terms regarding the processing of personal data, this DPA prevails.
12. Contact
Data protection inquiries: privacy@hex-tech.xyz