Skip to content

Data Processing Agreement

Between Controller and BuddyPro AB (Processor) Version 1.0 — Governed by Regulation (EU) 2016/679 (GDPR) Article 28

1. Parties

This Data Processing Agreement (DPA) is entered into between:

Controller: The company that has accepted BuddyPro's Terms of Service (the Controller).

Processor: BuddyPro AB, org. number 559516-1844, Karlavägen 41, 114 31 Stockholm, Sweden (BuddyPro or the Processor).

Together referred to as the Parties.

2. Background and Purpose

The Controller has engaged BuddyPro to provide software services including BuddyPro Admin, Workforce, and Customer Portal (collectively the Services), as described in the Terms of Service.

In the course of providing the Services, BuddyPro processes personal data on behalf of the Controller. This DPA sets out the rights and obligations of each party with respect to such processing, as required by Article 28 of the GDPR.

This DPA forms part of and supplements the Terms of Service between the Parties. In the event of conflict, this DPA takes precedence with respect to the processing of personal data.

3. Definitions

Terms used in this DPA have the meanings given in the GDPR (Regulation (EU) 2016/679) unless otherwise defined herein.

Personal Data means any information relating to an identified or identifiable natural person processed by BuddyPro on behalf of the Controller under this DPA.

Sub-processor means any third party engaged by BuddyPro to process Personal Data in connection with the Services.

Services means the BuddyPro Admin, Workforce, and Customer Portal products provided under the Terms of Service.

4. Subject Matter, Nature, and Purpose of Processing

BuddyPro processes Personal Data solely to provide, maintain, and improve the Services as described in the Terms of Service, and as further instructed by the Controller from time to time.

The nature of the processing includes: storage, retrieval, display, transmission, and deletion of personal data as part of platform operation, scheduling, time reporting, invoicing, customer communication, and field workforce management.

5. Categories of Personal Data and Data Subjects

5.1 Data subjects

  • Employees and field workers (Buddies) of the Controller
  • End customers of the Controller
  • Administrators and users of the Controller's BuddyPro account

5.2 Categories of personal data

  • Identity data: first and last name, personal identity number (personnummer) where provided for tax or invoicing purposes
  • Contact data: email address, phone number, home and work address
  • Authentication data: email and phone stored in the authentication layer (Keycloak)
  • Employment data: work schedule, time registrations, job assignments, performance data, payroll calculations, bank account details
  • Location data: GPS coordinates recorded at job start/end, geofencing data, travel time
  • Customer data: booked jobs, service history, preferences, notes
  • Communication: messages between workers, administrators, and end customers within the platform
  • Device and usage data: session data, error logs, usage patterns (via analytics sub-processors)

6. Controller's Instructions

BuddyPro shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries, unless required to do so by Union or Member State law.

The Controller's principal instructions are set out in the Terms of Service and the configuration of the Services. The Controller may issue further instructions in writing during the term of this DPA. BuddyPro shall inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.

BuddyPro shall promptly notify the Controller if it is required by law to process Personal Data in a manner other than as instructed, unless that law prohibits such notification.

7. BuddyPro's Obligations

7.1 Confidentiality

BuddyPro shall ensure that persons authorised to process Personal Data on its behalf are under an appropriate obligation of confidentiality, whether contractual or statutory.

7.2 Security

BuddyPro shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. These measures include at a minimum:

  • Encryption of Personal Data in transit (TLS) and at rest
  • Tenant isolation — each Controller's operational data is stored in a dedicated schema, isolated from other controllers
  • Secure authentication and role-based access controls via Keycloak
  • Regular security testing and vulnerability management
  • Backup and recovery procedures
  • Internal training on data protection for personnel with access to Personal Data
  • Data processing agreements with all sub-processors

7.3 Sub-processors

The Controller grants BuddyPro general authorisation to engage the sub-processors listed in Schedule 1 of this DPA. BuddyPro shall notify the Controller of any intended addition or replacement of sub-processors with at least 30 days' notice, giving the Controller the opportunity to object.

BuddyPro shall impose data protection obligations on sub-processors equivalent to those set out in this DPA by way of a written contract. BuddyPro remains liable to the Controller for the performance of sub-processors' obligations.

7.4 Data subject rights

BuddyPro shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures in fulfilling the Controller's obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR.

BuddyPro shall forward any data subject requests received directly to the Controller without undue delay, and shall not respond to such requests directly unless authorised to do so by the Controller.

7.5 Assistance with compliance

BuddyPro shall assist the Controller in ensuring compliance with the obligations set out in Articles 32 to 36 GDPR, including with regard to:

  • Security of processing (Article 32)
  • Notification of personal data breaches to the supervisory authority (Article 33)
  • Communication of personal data breaches to data subjects (Article 34)
  • Data protection impact assessments (Article 35)
  • Prior consultation with the supervisory authority (Article 36)

7.6 Personal data breaches

BuddyPro shall notify the Controller without undue delay — and in any case within 48 hours — after becoming aware of a personal data breach affecting Personal Data processed under this DPA. The notification shall include, to the extent available: the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.

7.7 Deletion and return

Upon termination of the Services, BuddyPro shall, at the Controller's choice, delete or return all Personal Data processed on the Controller's behalf, and delete existing copies, unless Union or Member State law requires storage of the Personal Data.

Specifically, upon termination of a company account:

  • Operational data (Person, Buddy, and related records in the Controller's isolated schema) is deleted within 30 days of account closure
  • Authentication data (email, phone in Keycloak) is retained until the user has had no activity across any BuddyPro service for 7 years, or until the user requests erasure, unless the user is active in another company account on the platform
  • Accounting and tax records are retained for 7 years per the Swedish Bookkeeping Act (bokföringslagen)

7.8 Audit rights

BuddyPro shall make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

The Controller shall give BuddyPro reasonable notice of any audit (at least 14 days), ensure that audits do not unreasonably disrupt BuddyPro's operations, and treat any information obtained as confidential. Audit costs are borne by the Controller unless the audit reveals a material breach by BuddyPro.

8. Controller's Obligations

The Controller warrants that it has a lawful basis for instructing BuddyPro to process Personal Data under this DPA, and that it has fulfilled its own obligations under the GDPR, including providing appropriate information to data subjects.

The Controller is responsible for the accuracy of the Personal Data it provides to BuddyPro and for ensuring that its use of the Services complies with applicable law.

9. International Transfers

BuddyPro stores and processes Personal Data within the EU/EEA. Where a sub-processor is located outside the EU/EEA or processes data in a third country, BuddyPro ensures that appropriate safeguards are in place as required by Chapter V of the GDPR, such as EU Standard Contractual Clauses or an adequacy decision.

Details of sub-processors and applicable transfer mechanisms are set out in Schedule 1. BuddyPro shall notify the Controller before engaging any sub-processor that involves a transfer to a third country.

10. Duration

This DPA remains in force for the duration of the Terms of Service and terminates automatically upon the termination of the Terms of Service. Obligations relating to confidentiality and data retention survive termination.

11. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service, to the extent permitted by applicable law.

Nothing in this DPA limits either party's liability for fraud, fraudulent misrepresentation, death or personal injury caused by negligence, or any liability that cannot be excluded or limited under mandatory law.

12. Governing Law and Disputes

This DPA is governed by Swedish law and applicable EU law. Disputes arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution provisions of the Terms of Service.

13. Amendments

BuddyPro may amend this DPA to reflect changes in applicable law, sub-processor arrangements, or material changes to the Services. BuddyPro will provide the Controller with at least 30 days' notice of material amendments. Continued use of the Services following the effective date of an amendment constitutes acceptance.

Schedule 1 — Sub-processors

The following sub-processors are authorised as of the date of this DPA. BuddyPro maintains an up-to-date version of this list at buddypro.io/legal/dpa.

Sub-processorPurposeLocation / Transfer safeguard
Amazon Web Services (AWS)Primary infrastructure: application hosting (EKS), databases (RDS MySQL & PostgreSQL), cache (ElastiCache/Redis), file storage (S3), frontend hosting (Amplify), message queuing (Amazon MQ/RabbitMQ), VPS (EC2)EU/EEA — AWS Standard Contractual Clauses
SupabaseDatabase and authentication for FixatEU (AWS eu-central-1)
Keycloak (self-hosted)Authentication for Admin, Workforce, Customer PortalEU/EEA — BuddyPro-managed on AWS
PostHogProduct analytics and usage trackingEU Cloud instance
SentryError logging and diagnosticsEU — Standard Contractual Clauses
Customer.ioTransactional and marketing emailUS — Standard Contractual Clauses
Expo.devMobile app publishingUS — no personal data transferred

BuddyPro will notify the Controller at least 30 days in advance of adding or replacing a sub-processor. The Controller may object in writing within 14 days. If the Parties cannot reach resolution, either party may terminate the relevant Services on reasonable notice.