
Data Processing Agreement


1. PURPOSE OF THE AGREEMENT AND LEGAL BASIS

1.1. Purpose:

This Data Processing Agreement (“DPA”) governs the processing of personal data by the Supplier (hereinafter, the “Data Processor” or “Processor”) on behalf of the Customer (hereinafter, the “Data Controller” or “Controller”) as a consequence of the execution of the Software License and Services Agreement (the “Agreement”).

1.2. Legal basis:

The provision of the Services involves the processing of personal data to achieve the agreed purpose (i.e., the provision of the Services) and for the duration necessary to fulfill the obligations established therein, with the legal basis for processing being the execution of the Agreement and compliance with any legal obligations arising therefrom.

In compliance with Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), the Supplier, as Data Processor, undertakes the following commitments in relation to the processing of personal data communicated by the Customer, as Data Controller, for the provision of the Services.

2. PROCESSING ACTIVITIES

The Data Processor shall process, on behalf of the Data Controller, the personal data necessary for the provision of the services under the Software License and Services Agreement, which may include the following processing activities: Access, collection, recording, organization, structuring, retention, storage, consultation, communication, interconnection of data between system modules or integrations, modification, updating, deletion, erasure, or blocking of data during the execution of the Agreement.

3. CATEGORIES OF DATA SUBJECTS AND PERSONAL DATA

The Processor may process the following categories of personal data on behalf of the Controller:

3.1 Categories of Data Subjects:

• Employees and/or authorized users of the Customer.

• Administrative or management personnel of the Customer with access rights to the platform.

3.2 Categories of Personal Data:

• Identification data: name, surname, email, employee number, job position, user identifier, and photograph, if applicable.

• Professional contact data: address, telephone, corporate email.

• Employment-related data: information regarding schedules, attendance, performance, training, evaluations, etc.

• System access and usage data (logs, IP, activity within the application).

Special categories of personal data shall not be processed unless expressly requested by the Customer and appropriate consents and guarantees required under the GDPR have been obtained.

4. PROCESSOR COMMITMENTS

4.1 General Commitments:

i) Use the personal data being processed only for the purpose of this Contract.

ii) Process the data in accordance with the instructions of the Data Controller. If the Data Processor considers that any of these instructions infringe any data protection regulations, it shall immediately inform the Data Controller.

iii) Maintain a record of processing activities carried out on behalf of the Data Controller, containing the information required by current data protection regulations.

iv) Not disclose the data to third parties, unless expressly authorised by the Data Controller or, where applicable, the data subject, in legally permissible circumstances.

v) Not subcontract other services that form part of the subject matter of this Contract and involve the processing of personal data, except for auxiliary services necessary for the normal operation of the Data Processor's Services. The subcontractor, who will also have the status of data processor (sub-processor), will likewise be obliged to comply with the obligations established in this Data Processing Agreement.

vi) Provide reasonable assistance to the Data Controller in conducting Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities where required.

vii) Maintain the duty of confidentiality with respect to the personal data to which it has had access by virtue of the Contract, even after its termination, and ensure that the persons authorized to process personal data undertake to respect confidentiality and to comply with the corresponding security measures, which must be duly communicated to them.

viii) Ensure that the persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, which must be duly communicated to them.

ix) Ensure that the persons authorized to process personal data are aware of their functions and obligations regarding the processing thereof, according to the requirements of the GDPR or, where applicable, have received specific training on the matter.

x) Notify the Data Controller in writing of the receipt of any request to exercise rights of access, rectification, erasure, restriction of processing, data portability, objection, the right not to be subject to decisions based solely on automated processing, or any other right established in Applicable Laws, within a period not exceeding three (3) business days from receipt of the request, along with the relevant information to resolve said request.

xi) Notify the Data Controller in writing of any personal data breach that constitutes a risk to the rights and freedoms of natural persons of which it becomes aware, without undue delay, and, in any event, within 48 (forty-eight) hours, along with relevant information and documentation of the incident.

xii) Provide the Data Controller with all the information necessary to demonstrate compliance with its obligations, including the performance of audits, reviews, and inspections carried out, upon written request to that effect from the Data Controller.

xiii) Implement the necessary security measures, based on the nature, scope, context, and purposes of the processing, which, considering the state of the art, ensure a level of security appropriate to the risk, including, among others:

a) Pseudonymization and encryption.

b) The ability to guarantee the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.

c) The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.

d) A process for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures to ensure the security of the processing. These measures are described in Appendix A.

xiv) Delete or return to the Data Controller all personal data held by the Data Controller (regardless of the medium) upon termination of the Contract, upon written request from the Data Controller. However, the Data Processor may retain them, duly blocked, for as long as liabilities may arise from the execution of the Contract.

4.2 Sub-processors:

The Supplier may subcontract the provision of the Service when necessary for its performance. When such subcontractors process the Customer Personal Data on behalf of the Supplier, the Supplier shall ensure that (i) a written agreement exists imposing confidentiality and data protection obligations with a level of protection no lower than that established in this Agreement, and (ii) the subcontractor acts solely on the Supplier’s documented instructions. The Supplier shall always be responsible for the performance of its subcontractors. Without prejudice to the information provided in this DPA, a list of the subcontractors currently involved in providing the Service shall be provided to the Customer upon request.

The Controller authorises the Processor to use the sub-processors listed below, exclusively for the provision of necessary ancillary services (e.g., data hosting, technical support, communications, or analytics). The Processor will maintain an up-to-date list of sub-processors, including their identity, location, and function.

The currently authorised sub-processors include, but are not limited to, the following:

• Microsoft Azure (hosting and storage services – EU or EEA).

• Hastee Europe S.L. (payroll advance services, subject to explicit Customer authorisation).

• Signaturit (signature management services).

• RoSPA, PREVINTEGRA, MINDTOOLS (training services).

• Amazon Web Services (AWS) (cloud infrastructure services – EU or EEA).

• Intellum Evolve (e-learning content authoring services).

• Zendesk (help desk services).

5. RETENTION AND DELETION OF TRAINING CERTIFICATES AND PERSONAL DATA

5.1 Role of the Supplier as Data Processor:

The Supplier will act at all times as the Data Processor, processing the personal data associated with the training, including certificates, results, and accreditations, only during the term of the Contract and in accordance with the Customer's documented instructions, pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR).

5.2 Data Retention and Export:

Upon termination of the Contract, the Processor will allow the Customer to export or download in a structured, commonly used, machine-readable format the certificates and associated personal data available on the Platform. Once the period authorized for such export has expired, and in the absence of further instructions from the Customer, the Processor will securely delete the data, except for data whose retention is legally required.

5.3 Retention Periods:

The Supplier shall not be responsible for determining or complying with the legal or contractual retention periods for training certificates as instructed by the Customer or third parties. This responsibility lies exclusively with the Customer or the corresponding issuing Supplier, unless sector-specific regulations require their retention.

5.4 Handling of Certificates Issued by Third-Party Suppliers:

- PREVINTEGRA: Will retain certificates for five (5) years from their issuance. The Supplier will not retain certificates issued by PREVINTEGRA after the termination of the Contract and may inform the Customer so that they can request them directly.

- RoSPA Qualifications: Will not be obligated to retain copies of certificates or students' personal data beyond what is strictly necessary to fulfill its own operational, contractual, or legal requirements. The Supplier, as the Data Processor, will not assume responsibility for the safekeeping, replacement, or retrieval of such certificates or data.

- INTELLUM EVOLVE: Will act as a sub-processor and will be solely responsible for the storage and availability of the certificates in accordance with its own policies.

- Mindtools: Will retain all training records, certificates, and learning progress for the duration of the Contract and for at least six (6) years after its termination, in accordance with applicable regulations. The Processor may export this data in commonly used electronic formats at no additional cost, without incurring any obligation to retain it beyond its own internal purposes.

5.5 General Limitation of Liability:

Upon termination of the contractual relationship, or when the certificates depend on third-party suppliers or sub-processors, the Processor will not assume any obligation to store, replace, or retrieve certificates or associated personal data, without prejudice to applicable legal obligations regarding data protection.

6. CUSTOMER COMMITMENTS

i. Declares the lawfulness of the personal data to which the Supplier has access in the provision of the Services covered by the Contract, especially data relating to employees and collaborators, guaranteeing that such data has been obtained in compliance with all the requirements established in the GDPR.

ii. Undertakes to comply with the regulations in force at all times regarding the Protection of Personal Data in relation to all personal data processed as a result of the provision of the Services.

iii. Undertakes to inform the Supplier of the rectification or erasure of the personal data to which the Supplier has access under the Contract, as well as the restriction of its processing, as soon as possible after the data subject's request and always within the legally established time limits.

iv. Will inform data subjects of the aspects related to the processing of their data in accordance with the provisions of Article 13 of the GDPR.

v. Will provide the Data Processor with the data necessary to provide the services covered by the Contract.

vi. It will carry out the necessary preliminary consultations.

vii. It will supervise the processing, including carrying out inspections and audits.

viii. Additionally, the Customer authorizes the Data Processor to contract hosting service suppliers for the servers necessary for the provision of the Services. These servers may only be located in countries of the European Economic Area (the countries of the European Union plus Liechtenstein, Iceland, and Norway) or, where applicable, in countries that have been declared as having an adequate level of protection by the European Commission. The Data Processor undertakes to enter into data processing agreements with these suppliers in accordance with Article 28 of the GDPR and under the same terms as this DPA.

ix. The Customer also authorizes the Data Processor to use or contract any other data processor that is considered an auxiliary service necessary for the normal operation of the Data Processor's services.

x. Likewise, the Customer authorizes the Data Processor to share the personal data provided by the Customer with companies within its group, solely for the purpose of providing the contracted Services. The Data Processor is also obligated to formalize data processing agreements, under the same terms as this DPA, with all group companies involved in providing the services, pursuant to Article 28 of the GDPR.

xi. By this clause, the Customer declares that, should they request and contract payroll advance services with Hastee Europe S.L., NIF B67374504, they will inform all their employees of the necessary transfer of their data to this supplier so that they can use the contracted payroll advance service, and that they have obtained the necessary consents for this purpose. Should any employee not wish to have their data transferred or not intend to use the payroll advance service, this must be communicated to the Supplier as soon as possible.

xii. If, in connection with a Service requested by the Customer, it is necessary for interested parties (e.g., Customer employees and/or collaborators) to access an application via their mobile phone, said application will contain its "Terms of Use" and "Privacy Policy" with respect to the interested party.

xiii. The platform is not configured to store data that may be considered special categories of personal data under the GDPR, and therefore the Customer agrees not to store this type of information on it.

The Customer shall be liable to the Supplier for compliance with all of the above and for any penalty or damage that may be imposed on or caused to the Supplier as a result of non-compliance. The Customer releases and assumes as its own any responsibility that may arise for the Supplier in relation to any infringement committed by the Customer, under the Personal Data Protection Regulations, especially in relation to the personal data that it stores on the Platform and/or in the Services.

7. INTERNATIONAL DATA TRANSFERS

The Customer expressly authorises the Data Processor to carry out international transfers of personal data to the countries in which the Data Processor and/or its suppliers provide services, when necessary for the provision of the Services covered by the Contract. These transfers will take place when it is necessary to use technological services provided by third parties (suppliers of infrastructure services, web analytics, marketing, or customer relationship management) whose servers or support equipment are located outside the European Economic Area (EEA), such as in the United States or other countries.

The Supplier, in its capacity as Data Processor and, in certain systems, Data Controller, guarantees that all international data transfers are carried out with appropriate safeguards, in accordance with Articles 44 to 49 of Regulation (EU) 2016/679 (GDPR). In particular, the Supplier may apply one or more of the following safeguards:

- The existence of an adequacy decision issued by the European Commission regarding the destination country.

- The formalisation of Standard Contractual Clauses approved by the European Commission with the receiving supplier.

- The supplier's adherence to the EU-U.S. Data Privacy Framework, where applicable.

- The implementation of additional technical and organisational measures, when required, to protect personal data.

The Supplier also acts as the Data Controller for data managed directly in its corporate and service systems, including, but not limited to:

- CRM / Dynamics

- Microsoft Azure

- MAPAL OS and its associated databases

- Corporate email and collaboration platforms (Microsoft 365, Teams, SharePoint)

- Other systems and services where data of Customers, employees, or collaborators of the Customer is stored.

The Supplier guarantees that all transfers will be made only to suppliers that comply with the obligations set forth in the GDPR and this DPA, and will assess and verify the suitability of the safeguards applied before making any transfer, in order to ensure a level of protection equivalent to that required by the GDPR.

For more information on international data transfers, the Customer can contact: dpo@mapal-os.com.

8. DATA PROCESSOR’S DECLARATION OF GDPR COMPLIANCE

In accordance with Article 28.1 of the GDPR, which requires the selection of only data processors that offer sufficient guarantees to implement appropriate technical and organizational measures, ensuring that the processing complies with the requirements of this Regulation and guarantees the protection of the data subject's rights, the Data Processor hereby declares that it complies with the following stipulations:

1) That it complies, based on its activities, with the obligations and principles imposed by the General Data Protection Regulation (EU 2016/679).

2) That it maintains a record of the data processing activities carried out under its responsibility.

3) That it has conducted the corresponding risk analysis, which determines the technical and organizational security measures it must implement to comply with the GDPR.

4) That it has adopted the necessary security measures to guarantee:

a) Physical control of its facilities where it processes the Controller's data.

b) That access to its computer systems is granted through individual usernames and passwords.

c) That it has limited access to the Data Controller's data only to those users who require it.

d) That it maintains backups, where applicable, of the personal data processed by the Data Controller.

e) In the event of managing media or documents containing the Data Controller's personal data, these are duly secured with locks or equivalent locking devices.

f) That it has perimeter protection and antivirus systems in place to protect its computer systems.

g) That it maintains a security incident log.

h) That it has established mechanisms and procedures for reporting security incidents.

5) That it undertakes to maintain confidentiality, even after the relationship ends, and to ensure that the persons authorized to process the data also commit to and comply with these security measures.

6) That it proactively carries out periodic audits to verify compliance with the technical and organizational security obligations and measures that guarantee compliance with the GDPR.

9. PROCESSING OF CONTACT DATA OF THE PARTIES

Regarding the personal data of the signatories to this contract, to which the parties may have access as a result of its execution, such data may only be processed, intended, and used for the purpose of formalizing and managing the contractual relationship, fulfilling and executing the obligations arising from it, and, where applicable, sending commercial information by electronic means.

The legal basis for processing the signatories' personal data and corporate contact information is the execution of this contract and compliance with the legal obligations arising from it, as well as the legitimate interest of staying informed about the products and/or services of both parties.

The Supplier acts as the Data Controller with respect to the aforementioned contact information and may carry out international transfers of personal data when necessary for the management of the contractual relationship, for example, through the use of corporate tools or technological systems provided by third parties whose servers or support equipment are located outside the European Economic Area. These transfers will always be carried out in accordance with Articles 44 to 49 of Regulation (EU) 2016/679 (GDPR), applying appropriate safeguards to ensure a level of protection equivalent to that required by European data protection law.

The parties may object to the sending of information and exercise their legally guaranteed rights of access, rectification, erasure, objection, data portability, restriction of processing, and agree to inform the other party of the content of this stipulation. Additionally, the parties acknowledge that data subjects have the right to lodge a complaint with the relevant supervisory authority.

Furthermore, the Supplier will appoint a Data Protection Officer to the Customer, who will not only oversee all data processing carried out by the Supplier but will also address any issues related to data processing. The contact details of the Supplier’s Data Protection Officer are: dpo@mapal-os.com.

10. INTEGRATIONS

The Supplier’s Software offers the possibility of integration, at the Customer's request, with other software provided by third parties (other Customer suppliers not party to this contract). If such integration is carried out at the Customer's request, and only if the processing of personal data is necessary for the execution of said software integration, the processing will consist of the communication of personal data between two data processors with a common data controller, based on the legal grounds of the performance of the service agreements formalized between the Customer and both suppliers. The Customer undertakes to confirm that said service agreement with the third-party supplier includes the clauses corresponding to the processing of data in accordance with Article 28 of the GDPR.

11. USE OF ARTIFICIAL INTELLIGENCE TOOLS (“AI TOOLS”)

The Parties acknowledge that the Services provided through the Platform may incorporate certain artificial intelligence functionalities (the “AI Tools”) designed to support operational management, data analysis, and user interactions. Such AI Tools are intended solely to assist in performing the Services under this Agreement and to provide decision-support, insights, and operational recommendations, without determining the purposes or means of processing personal data independently of the Data Controller.

The AI Tools used in our Platform may include, without limitation:

a) Conversational assistants enabling users to access, query, and synthesise information from the Platform.

b) Recommendation engines providing guidance on workflows, employee scheduling, and training.

c) Predictive analytics models offering forecasts and operational insights based on data available within the Platform.

d) Automated workflow functionalities that structure tasks, monitor progress, and highlight best practices in accordance with the Customer’s documented procedures.

The Processor shall ensure that Personal Data provided by the Customer and processed through the AI Tools shall not be used for training or improving external or third-party AI models, or for any purpose outside the provision of the Services under this Agreement, unless expressly authorised in writing by the Customer.

No automated processing is carried out that affects the rights of the data subjects. The Parties acknowledge that the AI Tools provided within the Services do not perform any fully automated decision-making that produces legal effects concerning, or similarly significantly affects, any data subject, in accordance with Article 22 of the GDPR. Any recommendations or insights generated by the AI Tools must be reviewed and acted upon by authorised personnel of the Customer, who retain full responsibility for decisions made regarding Personal Data.

The Processor shall ensure that all uses of AI Tools are:

i) Performed strictly in accordance with the documented instructions of the Controller.

ii) Used solely to provide, maintain, and enhance the Services under this Agreement; and

iii) Subject to the same technical and organizational safeguards applicable to all Personal Data processed under this DPA, including confidentiality, security, and access restrictions.

Any Personal Data processed by or through the AI Tools shall be:

i) Processed only within the scope of the Services and the instructions of the Data Controller.

ii) Subject to all applicable obligations under this DPA, including Articles 28 and 32 of the GDPR; and

iii) Accessible only to authorised users of the Services for the purpose of performing their functions.

The AI Tools are only intended to be used as decision-support mechanisms. The Parties acknowledge that they do not replace human decision-making, nor do they independently determine the purposes or means of processing Personal Data. The Customer remains the Data Controller of all Personal Data processed within the Platform, and the Processor remains bound to act solely on the Customer’s documented instructions.

The Data Controller shall have the right to review, upon request, the output generated by the AI Tools, including any logs, recommendations, and operational insights, for the purpose of verifying compliance with the instructions provided to the Processor and with applicable data protection legislation. The Processor shall provide such access in a timely manner, subject to reasonable operational constraints.

12. TERM

This Data Processing Agreement shall remain in effect only for the duration of the Contract between the parties, of which it forms an integral part. The termination, resolution, or expiration of the Contract shall automatically terminate this Data Processing Agreement without further notice, without prejudice to any obligations that may remain in effect after its termination, particularly those relating to confidentiality, return, or deletion of personal data.

13. PREVALENCE

In case of contradiction between this DPA and the Agreement, the provisions of this DPA shall prevail in all matters relating to the processing of personal data.

APPENDIX A: SECURITY MEASURES

This Appendix forms an integral part of the License Service Agreement entered into between the Supplier and the Customer and sets out the security measures that the Supplier, acting as Data Processor, shall comply with in relation to the information, systems, and resources provided or managed within the scope of the Services.

Pursuant to Section 4 of the Data Processing Agreement, the Data Processor declares that it has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature of the data processed.

Such measures include, without limitation:

• Training and Awareness

The Supplier shall ensure that all personnel assigned to the Service receive appropriate information security training and awareness, tailored to their roles and responsibilities.

• Confidentiality Measures

The Supplier shall implement contractual, organizational, and technical measures necessary to preserve the confidentiality of all information processed under the Service.

• Secure Operation of Computing Environments

The Supplier shall operate and manage secure computing environments—whether cloud based or hosted on premises—particularly those containing web applications and customer data storage. This shall include configuring the underlying infrastructure in accordance with recognized industry security standards, as well as monitoring such environments to detect suspicious or potentially malicious activity.

• Return and/or Secure Deletion of Customer Information

Upon termination of the Service, the Supplier shall return and/or securely delete Customer information using data erasure procedures aligned with industry standards, provided that such deletion has been expressly reviewed and authorized by the Supplier’s competent legal department.

• Maintenance of Information Security Policies

The Supplier shall maintain information security policies ensuring that all policies and associated measures are periodically reviewed and enhanced when necessary.

• Data Security Controls

The Supplier shall implement data security controls, including logical data segregation, restricted access (e.g., role based access), continuous monitoring, and the use of commercially available, industry standard encryption technologies, including encrypted backups.

• Logical Access Controls

The Supplier shall implement logical access controls governing electronic access to data and system functionalities according to authorization levels and job responsibilities. Such controls shall include granting access strictly on a need to know and least privilege basis, the use of unique user identifiers and passwords, periodic access reviews, and the immediate revocation or modification of access rights upon termination of employment or changes in job role.

• Password Controls

The Supplier shall enforce password controls designed to manage and regulate password strength and use, including prohibiting password sharing. All privileged user accounts shall require strong passwords, and multi factor authentication shall be mandatory.

• Operational Controls for Technology and Systems

The Supplier shall maintain operational procedures and controls for the configuration, monitoring, and maintenance of technology and information systems, in accordance with established internal standards and adopted industry standards. These controls shall include secure disposal of systems and media to ensure that all information or data contained therein becomes irretrievable or indecipherable prior to final disposal or removal from the Supplier’s possession.

• Change Management Procedures

The Supplier shall maintain change management procedures and tracking mechanisms designed to test, approve, and monitor all changes to technological and information assets.

• Incident and Problem Management

The Supplier shall implement incident and problem management procedures enabling the investigation, response, mitigation, and reporting of events related to technological and information assets.

• Vulnerability Management and Protective Technologies

The Supplier shall implement vulnerability assessments, patch management, threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.

• Security Reviews and Penetration Testing

The Supplier shall conduct security reviews and, where appropriate, penetration testing of applications and infrastructures at least annually. Such activities shall be performed exclusively by the Supplier or by third parties appointed and directly managed by the Supplier. All reports, results, and related documentation shall be strictly confidential and shall not be disclosed to third parties. Remediation of identified vulnerabilities shall be prioritized according to their criticality and managed in accordance with the Supplier’s internal security procedures.