Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the service agreement between the Customer ("Controller") and IWDEurope OÜ, owner and operator of Brainy HR ("Processor"), registered at Harju maakond, Tallinn, Lasnamäe linnaosa, Sepapaja tn 6, 15551, Estonia, effective upon service activation.

1. Definitions

- "Personal Data": Information relating to an identifiable natural person, including HR data (e.g., employee names, emails, payroll details).

- "Processing": Any operation on Personal Data (e.g., collection, storage, retrieval).

- "GDPR": General Data Protection Regulation (EU) 2016/679.

- Other terms as defined in GDPR.

2. Scope of Processing

Processor processes Personal Data to deliver BrainyHR HR SaaS services. Details:

- Subject matter: HR management (e.g., employee records, performance tracking).

- Duration: Duration of the service agreement.

- Nature: Cloud-based storage and processing on AWS infrastructure.

- Purpose: As instructed by the Controller for HR operations.

- Data types: Employee identifiers, contact details, sensitive HR data.

- Data subjects: Employees, job applicants.

3. Processor Obligations

3.1 Process Personal Data only on Controller’s documented instructions, unless required by EU law.

3.2 Ensure personnel are bound by confidentiality agreements.

3.3 Implement technical and organizational measures per GDPR Art. 32, including:

- Encryption of data in transit and at rest.

- Access controls and authentication.

- Regular security audits and vulnerability scans via AWS tools.

3.4 Notify Controller of any Personal Data breach within 72 hours of awareness (GDPR Art. 33).

3.5 Assist Controller with data subject requests (GDPR Art. 15-22), Data Protection Impact Assessments (Art. 35), and supervisory authority consultations (Art. 36).

3.6 Delete or return Personal Data to Controller upon agreement termination, unless required by law (Art. 28(3)(g)).

3.7 Sub-processors:

- Engage sub-processors only with Controller’s prior written consent.

- Provide updated sub-processor list upon request.

- Ensure sub-processors comply with GDPR via contracts.

4. Controller Obligations

4.1 Ensure a lawful basis for Processing and provide clear instructions.

4.2 Reimburse Processor for reasonable costs of compliance assistance (e.g., audits, data subject requests).

5. Audits and Inspections

Processor permits Controller or its appointed auditor to conduct compliance audits (max once/year), at Controller’s expense, with reasonable notice.

6. International Data Transfers

Personal Data is not transferred outside the EEA without appropriate safeguards, namely the Standard Contractual Clauses (EU Commission Decision 2021/914, Annex).

7. Liability

Liability as per the terms and conditions. Processor is liable for GDPR breaches under Art. 82 where the breach is caused intentionally or by gross negligence.

8. Governing Law and Jurisdiction

Governed by EU law. Disputes resolved in courts of Estonia.

9. Termination

DPA terminates with the subscription. Personal Data deleted/returned per Clause 3.6.

10. Contact

Processor: IWDEurope OÜ, Harju maakond, Tallinn, Lasnamäe linnaosa, Sepapaja tn 6, 15551, Estonia, support@brainyhr.io.