Data Processing Agreement

Last updated: 18th March 2026

1. Definitions

For the purposes of this Data Processing Agreement ("DPA"):

  • "Controller" means the organization or entity (Customer) that determines the purposes and means of the processing of Personal Data and has entered into the Terms of Service with the Processor.
  • "Processor" means Monkaru, which processes Personal Data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") as defined in Article 4(1) GDPR.
  • "Processing" means any operation or set of operations performed on Personal Data, as defined in Article 4(2) GDPR.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.
  • "Applicable Data Protection Law" means GDPR, the Austrian Data Protection Act (DSG), and any other applicable EU/EEA data protection legislation.

2. Scope and Purpose of Processing

2.1 Subject Matter

This DPA governs the processing of Personal Data by Monkaru (Processor) on behalf of the Customer (Controller) in connection with the provision of the Monkaru employee shift scheduling service ("the Service") as described in the Terms of Service.

2.2 Purpose of Processing

The Processor processes Personal Data solely for the following purposes:

  • Providing and maintaining the shift scheduling service
  • Managing employee records, schedules, and assignments
  • Tracking absences, vacation entitlements, and working hours
  • Generating reports and analytics for the Controller
  • Sending notifications and communications on behalf of the Controller
  • Providing technical support and resolving issues

2.3 Duration of Processing

Processing shall commence on the date the Controller creates an account and shall continue for the duration of the Service agreement. Upon termination, the Processor shall delete or return all Personal Data in accordance with Section 11 of this DPA.

3. Types of Personal Data Processed

The following categories of Personal Data are processed under this DPA:

  • Identity data: Employee names, employee identifiers
  • Contact data: Email addresses, phone numbers
  • Employment data: Department, team, employment type, employment dates, contractual working hours
  • Schedule data: Shift assignments, working hours, overtime records, schedule versions
  • Absence data: Vacation requests, sick leave records, time-off entitlements
  • Skills and qualifications: Professional skills, certifications, station assignments
  • Preference data: Shift preferences, availability, working pattern preferences
  • Account data: Email address, authentication credentials (encrypted), account creation date

Note: The Processor does not process special categories of personal data (Article 9 GDPR) unless explicitly provided by the Controller. Sick leave records are limited to dates and do not include medical diagnoses or health details.

4. Categories of Data Subjects

The following categories of Data Subjects are affected by processing under this DPA:

  • Employees: Individuals whose scheduling and employment data is managed in the Service
  • Managers / Administrators: Individuals with organizational management access to the Service
  • Account holders: Individuals who have created an account to use the Service

5. Obligations of the Processor

5.1 Documented Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by EU or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Controller's instructions are documented in this DPA and the Terms of Service.

5.2 Confidentiality

The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3 Security of Processing

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 7 of this DPA, in accordance with Article 32 GDPR.

5.4 Sub-processor Management

The Processor shall not engage another processor (Sub-processor) without prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes. The current list of Sub-processors is provided in Section 6 of this DPA.

5.5 Assistance with Data Subject Rights

The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the Data Subject's rights as laid down in Chapter III of the GDPR (Articles 15–22).

5.6 Assistance with Compliance Obligations

The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor.

5.7 Deletion and Return of Data

At the choice of the Controller, the Processor shall delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage of the Personal Data. See Section 11 for details.

5.8 Audit and Inspection

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other EU or Member State data protection provisions.

6. Sub-processors

The Controller hereby grants the Processor general authorization to engage Sub-processors. The Processor currently uses the following Sub-processors:

Sub-processor | Purpose | Data Processed | Location
Supabase, Inc. | Database hosting, authentication, file storage | All application data, authentication credentials | EU
IONOS SE | Virtual Private Server (VPS) hosting | Application processing, temporary request data | EU (Germany)
Stripe, Inc. | Payment processing, subscription management | Billing data, subscription status | US (EU-US DPF certified, SCCs)
Brevo SAS | Transactional email delivery | Email addresses, email content | EU (France)
Functional Software, Inc. (Sentry) | Error monitoring and performance tracing | Error events, stack traces, performance metrics (no PII by configuration) | EU (Germany/Frankfurt)
Better Stack, s.r.o. | Uptime monitoring | HTTP response codes, latency metrics (no personal data) | EU (Czech Republic)
Rybbit | Website analytics (cookieless) | Page views, referrers, device type, country-level location (no personal data, no cookies) | EU (Germany)

The Processor shall impose the same data protection obligations as set out in this DPA on each Sub-processor by way of a contract. Where a Sub-processor fails to fulfill its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of that Sub-processor's obligations.

Change Notification: The Processor will notify the Controller at least 30 days in advance of any intended changes to the Sub-processor list. If the Controller objects to a new Sub-processor within 14 days of notification, the parties shall discuss the concern in good faith. If no resolution is reached, the Controller may terminate the Service agreement.

7. Technical and Organizational Measures

The Processor implements the following measures pursuant to Article 32 GDPR to ensure the security of processing:

7.1 Encryption

  • All data in transit is encrypted using TLS 1.2 or higher
  • Data at rest is encrypted using AES-256 encryption
  • Passwords are hashed using industry-standard algorithms (bcrypt)
  • Authentication tokens are stored in cookies with the Secure flag (production only) and SameSite=Lax attributes

7.2 Access Control

  • Role-based access control (RBAC) with organization-level isolation
  • Row-Level Security (RLS) policies enforced at the database level
  • Multi-factor authentication (MFA) available for all users
  • Session management with automatic expiration
  • Principle of least privilege for all access levels

7.3 Availability and Resilience

  • Daily automated database backups
  • Health monitoring with automated alerts
  • Rate limiting to prevent abuse and ensure service availability

7.4 Data Protection and Recovery

  • Soft delete mechanism with 30-day recovery window for accidental deletions
  • Automated daily purge of expired soft-deleted records (30+ days)
  • Activity log archival with 90-day hot storage and 2-year cold archive
  • Automated weekly archive rotation and purge of expired archive records
  • Trash UI for administrators to review and restore deleted items

7.5 Incident Detection and Response

  • Security event logging and monitoring
  • Documented incident response procedures
  • Breach detection mechanisms for unauthorized access patterns
  • 72-hour notification process aligned with GDPR Article 33

7.6 Regular Testing

  • Regular security audits and vulnerability assessments
  • Input validation and output encoding to prevent injection attacks
  • Content Security Policy (CSP) and security headers

8. Data Subject Rights Assistance

The Processor shall assist the Controller in responding to Data Subject requests under GDPR Articles 15–22:

  • Right of Access (Art. 15): The Processor provides a data export feature that allows the Controller to generate a complete copy of all Personal Data associated with their organization.
  • Right to Rectification (Art. 16): The Controller can directly edit employee records and other Personal Data through the Service interface.
  • Right to Erasure (Art. 17): The Controller can delete individual employee records. Full account deletion is available through the data rights management interface and removes all associated Personal Data.
  • Right to Restriction (Art. 18): The Processor will implement processing restrictions upon documented request from the Controller.
  • Right to Data Portability (Art. 20): The data export feature provides Personal Data in a structured, commonly used, machine-readable format (JSON).
  • Right to Object (Art. 21): The Processor will cease processing upon documented objection from the Controller, except where processing is required for the provision of the Service.

The Processor shall notify the Controller without undue delay if it receives a request from a Data Subject directly. The Processor shall not respond to such requests without the Controller's prior authorization, unless legally required to do so.

9. Data Breach Notification

In the event of a Data Breach, the Processor shall:

  • Notify the Controller without undue delay and in any event within 48 hours after becoming aware of a Data Breach, to enable the Controller to comply with the 72-hour notification obligation under Article 33 GDPR.
  • Provide the following information in the notification (as available):
    • Nature of the breach, including categories and approximate number of Data Subjects and records affected
    • Name and contact details of the Processor's data protection contact
    • Likely consequences of the breach
    • Measures taken or proposed to address the breach, including mitigation measures
  • Cooperate with the Controller in investigating and remediating the breach, including providing all necessary information and assistance for the Controller to fulfill its notification obligations to supervisory authorities and Data Subjects.
  • Document the breach including facts, effects, and remedial actions taken, in accordance with Article 33(5) GDPR.

10. International Data Transfers

The Processor ensures that all international transfers of Personal Data comply with Chapter V of the GDPR:

  • Primary data storage: The database and authentication infrastructure (Supabase) and application server (IONOS) are hosted within the EU/EEA. All scheduling, absence, and employee data is stored and processed exclusively within the EU.
  • US-based Sub-processors: Stripe, Inc. is based in the United States. Only billing metadata (email address, customer ID, subscription status) is shared with Stripe — no scheduling, absence, or employee data is transferred. Transfers to this Sub-processor are protected by:
    • EU-US Data Privacy Framework (DPF) certification where applicable
    • Standard Contractual Clauses (SCCs) pursuant to Commission Decision 2021/914
    • Transfer Impact Assessments (TIAs) where required
  • No other transfers: The Processor shall not transfer Personal Data to any third country or international organization without the prior written consent of the Controller, unless required by EU or Member State law.

11. Term, Termination, and Data Deletion

11.1 Term

This DPA is effective from the date the Controller creates an account and remains in effect for the duration of the Service agreement. This DPA is automatically incorporated into the Terms of Service.

11.2 Data Return

Upon termination of the Service agreement, the Controller may export all Personal Data using the data export feature before account deletion. The export is provided in a structured, machine-readable format (JSON).

11.3 Data Deletion

Upon termination of the Service agreement, account deletion, or upon formal request, the following data lifecycle applies:

  1. Soft deletion: All active data is immediately soft-deleted (hidden from all users and inaccessible through the Service)
  2. 30-day grace period: Data remains recoverable by the account administrator during this window
  3. Permanent deletion: After 30 days, all data is permanently hard-deleted with CASCADE, removing all associated records
  4. Activity logs: Moved to a secure archive after 90 days, retained for up to 2 years, then permanently deleted
  5. Audit logs: Retained for 2 years for security and compliance purposes, then permanently deleted
  6. Working time records: Retained for 2 years by default for technical reasons and then permanently deleted. It is the Controller's responsibility to export this data in time to meet their individual statutory retention and record-keeping obligations (e.g. under applicable labor or tax law).

Automated purge jobs run daily. No manual intervention is required for data lifecycle management. The data types permanently deleted include:

  • All employee records and associated Personal Data
  • All schedule, shift, and absence data
  • All organization settings and configurations
  • Account credentials and authentication data

11.4 Controller's Responsibility

Important: The Controller is responsible for ensuring compliance with applicable labor law requirements regarding data retention before initiating account deletion. The Controller should export any data required for labor law compliance before the 30-day recovery window expires. The Processor provides data export tools but does not determine retention periods on behalf of the Controller.

12. Liability

Liability under this DPA is governed by the provisions of the Terms of Service and applicable law, in particular:

  • Each party shall be liable for damage caused by processing that infringes the GDPR, in accordance with Article 82 GDPR.
  • The Processor shall be liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside of or contrary to lawful instructions of the Controller.
  • A party shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage, in accordance with Article 82(3) GDPR.

13. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of Austria, without regard to its conflict of law provisions. Any disputes arising from or in connection with this DPA shall be subject to the exclusive jurisdiction of the competent courts of Vienna, Austria.

Where provisions of this DPA conflict with the Terms of Service regarding data protection matters, this DPA shall prevail.

14. Contact Information

For any questions regarding this DPA or data protection matters, please contact:

Data Protection Contact

Monkaru

Name: Manuel Istratoaie

Email: support@monkaru.at

Location: Vienna, Austria

The Controller may also contact the competent supervisory authority:

Austrian Data Protection Authority

Österreichische Datenschutzbehörde

Barichgasse 40–42, 1030 Vienna, Austria

Email: dsb@dsb.gv.at

Phone: +43 1 52 152-0