Data Processing Agreement
Version: 2026-05-10 · GDPR Art. 28
This DPA forms part of the Terms of Service. The Customer is the controller; QBeat Technologies Ltd ("Metix") is the processor. By accepting the Terms at signup, the Customer accepts this DPA on behalf of itself and its affiliates that use the Service.
1. Scope and purpose
Metix processes personal data on the Customer's behalf solely to provide the Service set out in the Terms — operating the HR platform, supporting compliance with EU Directive 2023/970, running statutory reports the Customer requests, and providing support.
2. Subject matter, duration, nature, purpose
- Subject matter: personal data processed via the Service.
- Duration: term of the Terms plus the wind-down period in §10.
- Nature: hosting, retrieval, transmission, computation.
- Purpose: provision of the Service.
3. Categories of data subjects
- The Customer's employees, contractors, applicants, and prior employees.
- The Customer's account administrators and authenticated users.
- Workers' representatives where the Customer enables that role.
4. Categories of personal data
- Identification: name, email, phone, address, employee number, locale.
- Employment: job title, role grade, start date, manager, location.
- Compensation: base wage, variable components, total compensation. Stored under field-level envelope encryption.
- Demographics:gender, age band; special-category data only with the Customer's documented Art. 9 lawful basis.
- Authentication: magic-link tokens, TOTP secrets, recovery codes.
- Audit: append-only events covering security-significant actions.
5. Processor obligations (Art. 28(3))
- Process only on documented Customer instructions.
- Ensure persons processing data are bound by confidentiality.
- Implement Art. 32 measures: encryption at rest and in transit, access control, tenant-isolated storage with row-level security, audit-chain integrity verification, tested restorability.
- Engage sub-processors only with the Customer's authorisation (granted in §7).
- Assist the Customer with data-subject rights requests (Art. 12–22).
- Notify the Customer of personal-data breaches without undue delay and within seventy-two hours of becoming aware.
- Make information available to demonstrate compliance and allow audits.
6. International transfers
Where Metix or a sub-processor transfers personal data outside the EEA, the transfer is covered by Standard Contractual Clauses (Decision (EU) 2021/914) plus supplementary measures per the Schrems II analysis.
7. Sub-processors
The Customer authorises the following sub-processors. Changes are notified at least thirty days in advance with a right of reasonable objection.
| Sub-processor | Service | Region | Transfer |
|---|---|---|---|
| Hetzner Online GmbH | Compute, storage, network | Germany / Finland (EU) | Within EEA |
| Stripe Payments Europe Ltd | Billing | Ireland (with US affiliate) | SCCs (US transfers) |
| Resend | Transactional email | United States | SCCs |
| Sentry GmbH | Error monitoring | Germany (EU tier) | Within EEA |
8. Security
- TLS 1.3 in transit; HSTS enforced.
- Field-level envelope encryption (AES-256-GCM, per-tenant data keys) for compensation and sensitive PII.
- Per-tenant row-level security and per-module Postgres roles.
- Append-only audit chain with cryptographic prev/self hashing.
- Off-site encrypted Postgres backups.
- Defence-in-depth: WAF/edge rate limit, CSP, CSRF, security headers.
- Vulnerability scanning in CI; Dependabot for dependency updates.
9. Data subject rights
Where a data subject contacts Metix directly, Metix forwards the request to the Customer without undue delay. Self-serve tools for access, rectification, export, and erasure are available.
10. Return or deletion of data
On termination, Metix gives the Customer thirty days to export data, then deletes or anonymises within ninety days, save where retention is required by law.
11. Conflict
In the event of conflict between this DPA and the Terms, this DPA prevails for matters of personal-data processing.