Data Processing Agreement
Pursuant to Article 28 GDPR
⚠️ Limited Availability
BERLi is currently in development. Access is limited to authorized personnel for testing purposes. Full commercial availability will be announced separately.
Version: 1.0
Estimated Effective Date: July 1, 2025
Last Updated: February 27, 2025
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between BERLi Technologies OÜ (“Processor”, “BERLi”, “we”, “us”, “our”) and the Customer organization (“Controller”, “Customer”, “you”, “your”) and governs the processing of personal data on behalf of Customer.
1. Parties
1.1 Processor
BERLi Technologies OÜ, an Estonian company
- Registration: 12345678
- Address: Tallinn, Estonia
- DPO: dpo@berli.io
1.2 Controller
The Customer organization as identified in the Terms of Service and applicable Order.
2. Definitions
| Term | Definition |
|---|---|
| “GDPR” | General Data Protection Regulation (EU) 2016/679 |
| “Personal Data” | Any information relating to an identified or identifiable natural person |
| “Data Subject” | The individual whose Personal Data is processed |
| “Processing” | Any operation or set of operations performed on Personal Data |
| “Services” | The BERLi HR management platform |
| “Subprocessor” | Any third party engaged by BERLi to process Personal Data on Customer’s behalf |
| “SCCs” | Standard Contractual Clauses for international transfers approved by the European Commission |
| “TOMs” | Technical and Organizational Measures |
| “Personal Data Breach” | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data (Art. 4(12) GDPR) |
3. Scope and Duration
3.1 Subject Matter
Processing of Personal Data on behalf of Customer for the purpose of providing the Services, including:
- Employee data management
- Time tracking and attendance
- Payroll support
- Document management
- Communication features
3.2 Duration
This DPA applies for the duration of the Terms of Service agreement between BERLi and Customer, including any renewals.
3.3 Termination
Upon termination:
| Action | Timeline |
|---|---|
| Data export available | 30 days |
| Data deletion | Within 90 days |
| Deletion certificate | Upon request |
4. Nature and Purpose of Processing
4.1 Nature of Processing
| Operation | Description |
|---|---|
| Collection | Receiving Personal Data from Customer |
| Storage | Secure storage in databases and file systems |
| Organization | Structuring and indexing for retrieval |
| Analysis | Processing for reports and insights |
| Display | Rendering in user interface |
| Transmission | Secure data transfer between components |
| Restriction | Limiting processing when requested |
| Erasure | Secure deletion when required |
4.2 Purpose of Processing
| Purpose | Description |
|---|---|
| HR management | Employee records, contracts, documents |
| Time tracking | Timesheets, attendance, leave management |
| Payroll support | Salary data, tax information, reimbursements |
| Compliance | Audit trails, regulatory reporting |
| Communication | Notifications, messaging within platform |
| Document management | Storage, retrieval, sharing of employment documents |
| Analytics | Aggregated reporting for Customer |
5. Categories of Personal Data
5.1 Data Categories
| Category | Examples | Sensitivity |
|---|---|---|
| Identity | Name, date of birth, nationality, ID numbers, photo | Standard |
| Contact | Address, email, phone number, emergency contact | Standard |
| Financial | IBAN, salary, tax codes, bank details | High |
| Employment | Job title, department, contract details, work hours, supervisor | Standard |
| Performance | Reviews, goals, feedback, ratings | Standard |
| Leave | Vacation, sick leave, absence records, medical certificates | High |
| Documents | Contracts, certificates, uploaded files | Standard |
| Access | Login credentials, access logs, permissions | Standard |
5.2 Special Category Data
When processing special category data (e.g., health data for sick leave):
- Customer confirms lawful basis under Article 9(2)(b) GDPR
- BERLi implements additional safeguards
- Access is restricted and logged
- Data is segregated and encrypted
5.3 Data Minimization
Customer will only provide Personal Data necessary for the Services. BERLi will not process data beyond what is required.
6. Categories of Data Subjects
6.1 Primary Data Subjects
| Category | Description |
|---|---|
| Employees | Full-time and part-time employees |
| Contractors | Freelancers and consultants |
| Interns | Trainees and apprentices |
| Temporary workers | Agency staff and temps |
6.2 Secondary Data Subjects
| Category | Description |
|---|---|
| Job applicants | Candidates (if using recruitment features) |
| Former employees | As retained per legal requirements |
| Emergency contacts | Provided by employees |
6.3 Approximate Numbers
Customer is responsible for providing approximate numbers of Data Subjects upon request.
7. Controller’s Obligations
Customer (as Controller) warrants and undertakes that:
7.1 Lawful Basis
- Customer has and will maintain a valid legal basis for all processing activities
- Customer has provided appropriate notices to Data Subjects
- Customer has obtained necessary consents where required
7.2 Data Accuracy
- Customer will ensure Personal Data is accurate and kept up to date
- Customer will correct inaccuracies promptly
7.3 Data Minimization
- Customer will only provide Personal Data necessary for the Services
- Customer will not upload data unrelated to HR management
7.4 Instructions
- Customer will provide documented instructions to BERLi regarding processing
- Instructions will be in writing (email accepted)
- BERLi will promptly inform Customer if instructions infringe GDPR
7.5 Data Subject Rights
- Customer will handle Data Subject requests
- BERLi will assist where technically feasible (see Section 12)
- Customer will inform Data Subjects of their rights
7.6 Compliance
- Customer will comply with all applicable data protection laws
- Customer will notify BERLi of any compliance issues affecting the Services
7.7 Third-Party Data
- Customer warrants it has authority to share third-party Personal Data
- Customer will indemnify BERLi for claims arising from unauthorized sharing
8. Processor’s Obligations
BERLi (as Processor) undertakes that:
8.1 Documented Instructions
BERLi will only process Personal Data:
- On documented instructions from Customer
- For the purposes specified in this DPA
- As required by EU or Member State law (BERLi will inform Customer unless prohibited)
8.2 Confidentiality
BERLi will ensure all personnel authorized to process Personal Data:
- Are bound by confidentiality obligations
- Have received data protection training
- Process data only on a need-to-know basis
8.3 Security Measures
BERLi will implement and maintain appropriate TOMs as described in Section 10.
8.4 Subprocessors
BERLi will:
- Only engage Subprocessors with prior written authorization
- Ensure Subprocessors provide equivalent guarantees
- Remain liable for Subprocessor performance
- Notify Customer of changes (see Section 9)
8.5 Assistance
BERLi will assist Customer with:
| Obligation | Article | Support Provided |
|---|---|---|
| Data Subject requests | Art. 15-22 | Technical implementation, data export |
| Security obligations | Art. 32 | TOMs, security documentation |
| Breach notification | Art. 33-34 | Incident detection, information for notifications |
| Data Protection Impact Assessment | Art. 35 | Information on processing operations |
| Prior consultation | Art. 36 | Documentation and support |
8.6 Deletion or Return
Upon termination or at Customer’s request:
- BERLi will delete or return all Personal Data at Customer’s choice
- BERLi will provide written confirmation of deletion
- BERLi may retain data as required by law (with confidentiality)
8.7 Audit
BERLi will:
- Make available information necessary to demonstrate compliance
- Allow for and contribute to audits by Customer or mandated auditor
- Respond to audit requests within 30 days
8.8 Records
BERLi will maintain records of:
- Processing activities (Article 30)
- Categories of processing
- Data transfers
- Security measures
9. Subprocessors
9.1 Current Authorized Subprocessors
| Provider | Location | Purpose | Transfer |
|---|---|---|---|
| OVHCloud | Germany | Infrastructure hosting | No (EU) |
| Self-hosted MinIO | Italy | Object storage | No (EU) |
| Self-hosted Ollama | Italy | AI processing | No (EU) |
| Google Firebase | USA | Push notifications | Yes (SCCs) |
| Google Workspace | USA | Transactional email | Yes (SCCs) |
9.2 Subprocessor Updates
BERLi will notify Customer of additions or replacements:
- Notice period: At least 30 days before change
- Notification method: Email to registered address
- Information provided: Name, location, purpose, safeguards
9.3 Objection Process
Customer may object to a new Subprocessor:
- Within 30 days of notification
- On reasonable data protection grounds
- In writing to legal@berli.io
If objection is unresolved within 30 days:
- Customer may terminate affected Services without penalty
- No refund for unrelated Services
9.4 Subprocessor Agreements
BERLi ensures all Subprocessors:
- Are bound by written agreements
- Provide equivalent data protection
- Implement appropriate TOMs
- Allow audits by BERLi
10. Technical and Organizational Measures
10.1 Security of Processing
BERLi implements the following TOMs:
Physical Security
| Measure | Description |
|---|---|
| Data center security | OVHCloud managed (ISO 27001 certified) |
| 24/7 monitoring | Continuous monitoring and alerting |
| Access control | Badge access, biometrics where applicable |
| Environmental controls | Fire suppression, climate control |
Technical Security
| Category | Measures |
|---|---|
| Encryption at rest | AES-256 for databases, files, backups |
| Encryption in transit | TLS 1.3 for all connections |
| Authentication | Magic link + secure session tokens |
| Access control | Role-based, principle of least privilege |
| Network security | Firewall, VPN, DDoS protection |
| Audit logging | Comprehensive logging with integrity protection |
| Vulnerability management | Regular scanning and patching |
| Backup encryption | All backups encrypted |
Organizational Security
| Measure | Description |
|---|---|
| Security training | Mandatory for all personnel |
| Access reviews | Quarterly audits of access rights |
| Incident response | Documented procedures, tested regularly |
| Background checks | For personnel with data access |
| Vendor management | Due diligence and monitoring |
10.2 Availability and Resilience
| Measure | Description |
|---|---|
| Regular backups | Daily, 90-day retention |
| Disaster recovery | Documented procedures, tested annually |
| Uptime target | 99.5% availability |
| Redundancy | Geographic redundancy for critical systems |
| Monitoring | 24/7 system monitoring |
10.3 Data Separation
| Measure | Description |
|---|---|
| Logical separation | Customer data segregated by organization |
| Access isolation | Cross-customer access prevented |
| Database isolation | Schema-level separation |
10.4 TOMs Updates
BERLi may update TOMs to maintain or improve security. Any material reduction in the level of protection requires 30 days’ prior notice to Customer.
11. Data Breach Notification
11.1 Detection and Assessment
BERLi will:
- Implement measures to detect Personal Data Breaches
- Assess severity and impact promptly
- Document all breaches and near-misses
11.2 Notification to Customer
BERLi will notify Customer as follows:
| Item | Details |
|---|---|
| Timeline | Within 48 hours of becoming aware of the breach |
| Method | Email; email and phone for high-severity breaches |
| Contact | As specified in Terms of Service |
11.3 Information Provided
Notification will include:
- Nature of the breach
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of records affected
- Name and contact details of DPO
- Likely consequences
- Measures taken or proposed to address the breach
- Measures to mitigate potential adverse effects
11.4 Assistance
BERLi will assist Customer:
- In investigating the breach
- With information for supervisory authority notification
- With information for Data Subject notification
- In implementing remedial measures
11.5 Costs
Assistance is included in the Services. Extensive forensic investigations may incur reasonable fees with prior approval.
11.6 Documentation
BERLi will document all breaches, including:
- Facts relating to the breach
- Effects and remedial action taken
- Evidence of notification to Customer
12. Data Subject Rights
12.1 Assistance
BERLi will assist Customer in responding to Data Subject requests:
| Right | Assistance Provided |
|---|---|
| Access (Art. 15) | Data export in JSON/CSV format |
| Rectification (Art. 16) | Technical means to correct data |
| Erasure (Art. 17) | Secure deletion, confirmation |
| Restriction (Art. 18) | Processing flags, access suspension |
| Portability (Art. 20) | Machine-readable export |
| Object (Art. 21) | Processing controls, opt-out mechanisms |
12.2 Request Process
- Customer receives request from Data Subject
- Customer verifies identity and scope
- Customer submits request to BERLi (if technical assistance needed)
- BERLi responds within the timelines set out in Section 12.3
- Customer completes response to Data Subject
12.3 Timeline
| Request Type | BERLi Response Time |
|---|---|
| Data export | 5 business days |
| Data correction | 5 business days |
| Data deletion | 10 business days |
| Complex requests | 20 business days |
12.4 Costs
- Standard assistance: Included in Services
- Extensive requests (>10 hours): Reasonable fees with prior approval
13. Audit Rights
13.1 Information Requests
Customer may request:
- Evidence of TOMs implementation
- Processing records (Article 30)
- Subprocessor agreements (summary)
- Security certifications
BERLi will respond within 30 days.
13.2 Audits
Customer may conduct audits:
| Requirement | Details |
|---|---|
| Notice | 30 days written notice |
| Timing | During business hours |
| Scope | Relevant to this DPA |
| Conduct | Without disruption to Services |
| Frequency | Once per calendar year |
| Auditor | Qualified, independent auditor |
13.3 Audit Reports
BERLi may provide:
| Document | Availability |
|---|---|
| SOC 2 Type II | When available |
| ISO 27001 certificate | When available |
| Security questionnaire | Upon request |
| Penetration test summary | Upon request (redacted) |
13.4 Costs
- Customer bears own audit costs
- BERLi may charge for extensive audit support (>8 hours)
- Third-party certifications provided at no cost
14. Data Transfer
14.1 Within EU
Personal Data is primarily processed within the EU:
- Germany (OVHCloud): Primary infrastructure
- Italy (Self-hosted): Object storage, AI processing
14.2 Outside EU
Limited transfers to US Subprocessors:
| Transfer | Mechanism | Safeguards |
|---|---|---|
| Google Firebase (USA) | SCCs | Encryption, minimization |
| Google Workspace (USA) | SCCs | Encryption, minimization |
14.3 SCCs
Where SCCs apply to the transfers listed in Section 14.2:
- BERLi (established in the EU) is the data exporter
- The US Subprocessor is the data importer
- Module Three (Processor to Processor) of the SCCs (Commission Implementing Decision (EU) 2021/914) applies
- Supplementary measures (encryption, data minimization, as listed in Section 14.2) are implemented
14.4 Transfers on Instruction
Customer may instruct BERLi to transfer data:
- To Customer’s other processors
- To Customer’s other systems
- BERLi will implement appropriate safeguards
15. Term and Termination
15.1 Term
This DPA is effective:
- From the Terms of Service start date
- For the duration of the Terms of Service
- Including any renewals
15.2 Termination
Upon termination of the Services:
| Action | Timeline | Details |
|---|---|---|
| Data export | 30 days | Customer may export all data |
| Data deletion | 90 days | Secure deletion of all Customer data |
| Deletion certificate | Upon request | Written confirmation |
15.3 Legal Retention
BERLi may retain data:
- As required by EU or Member State law
- For up to 5 years for employment records
- For defense of legal claims
- Such data remains subject to confidentiality
16. Liability
16.1 Apportionment
Each party is liable for damages caused by its breach of this DPA or the GDPR.
16.2 Limitation
Liability is subject to the limitations in the Terms of Service, except:
- Where non-waivable under GDPR
- For gross negligence or willful misconduct
- For death or personal injury
16.3 Indemnification
| Party | Indemnifies For |
|---|---|
| Customer | Claims arising from Customer’s instructions, unlawful data |
| BERLi | Claims arising from BERLi’s breach of this DPA or GDPR |
17. Governing Law
This DPA is governed by Estonian law.
Disputes are subject to the jurisdiction of Harju County Court, Estonia.
18. Amendments
18.1 Process
Amendments require:
- Written agreement from both parties
- Signed amendment or email confirmation
18.2 Regulatory Changes
BERLi may update this DPA to reflect:
- Changes in data protection law
- New regulatory guidance
- New SCCs or transfer mechanisms
BERLi will provide 30 days’ notice of such updates; continued use of the Services after the notice period constitutes acceptance.
19. Contact
19.1 BERLi Contacts
| Role | Contact | Response Time |
|---|---|---|
| DPO | dpo@berli.io | 10 business days |
| Privacy | privacy@berli.io | 5 business days |
| Legal | legal@berli.io | 5 business days |
| Security | security@berli.io | 3 business days |
| Support | support@berli.io | 2 business days |
19.2 Customer Contacts
As specified in the Terms of Service.
20. Annexes
Annex I: Data Processing Details
| Item | Details |
|---|---|
| Subject matter | HR management SaaS platform |
| Duration | Duration of Terms of Service |
| Nature of processing | Collection, storage, organization, analysis, display, transmission |
| Purpose of processing | HR management, time tracking, payroll support, compliance |
| Data categories | Identity, contact, financial, employment, performance, leave |
| Data subjects | Employees, contractors, interns, applicants |
| Location | Germany, Italy (EU) |
Annex II: Subprocessor List
| Provider | Location | Purpose | DPA | SCCs |
|---|---|---|---|---|
| OVHCloud | Germany | Infrastructure | Yes | N/A (EU) |
| Self-hosted MinIO | Italy | Object storage | N/A | N/A (EU) |
| Self-hosted Ollama | Italy | AI processing | N/A | N/A (EU) |
| Google Firebase | USA | Push notifications | Yes | Yes |
| Google Workspace | USA | Transactional email | Yes | Yes |
DPA History
| Version | Effective Date | Changes |
|---|---|---|
| 1.0 | July 1, 2025 (est.) | Initial version |
This DPA is incorporated into and forms part of the BERLi Terms of Service.