Legal
Data Processing Agreement
Last updated July 2026 (version 1.0)
This Data Processing Agreement (“DPA”, verwerkersovereenkomst) forms part of the agreement between the customer organization (“Controller”) and ITProposal B.V. (Celtucom), Amsterdam, the Netherlands (“Processor”) for the use of the Celtucom platform, and implements Article 28 of the EU General Data Protection Regulation (GDPR / AVG). To receive a countersigned copy for your records, email info@celtucom.com.
1. Roles and scope
The Controller determines the purposes and means of processing the personal data of its employees and other users it invites to the platform. The Processor processes that personal data only to provide, maintain and support the Celtucomservice, and only on the Controller’s documented instructions, including with regard to transfers, unless required otherwise by EU or member state law (in which case the Processor informs the Controller before processing, unless that law prohibits this).
2. Duration
This DPA applies for as long as the Processor processes personal data on behalf of the Controller under the main agreement, and ends when all personal data has been deleted or returned in accordance with section 10.
3. Nature and purpose of processing
Hosting, storage and processing of workforce management data to deliver the Celtucom functionality the Controller enables: time tracking, scheduling, timesheets, time-off, tasks, forms, service desk, chat and announcements, notifications, reporting and payroll exports, and related support.
4. Categories of data subjects and personal data
Data subjects:the Controller’s employees, contractors and other users the Controller invites.
Personal data: account and profile data (name, email address, phone number, role, profile fields configured by the Controller); work data (shifts, clock-in and clock-out times, breaks, timesheets, time-off requests and balances, tasks, form submissions, service desk tickets); communication content (chat messages, announcements, comments, attachments); and, where the Controller enables location features, approximate location captured at clock-in for attendance verification. The platform is not intended for special categories of personal data; the Controller instructs its users accordingly.
5. Confidentiality
The Processor ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access is limited to what is necessary for their role.
6. Security (Article 32 GDPR)
Taking into account the state of the art and the nature of the data, the Processor implements appropriate technical and organisational measures, including: encryption of data in transit (TLS) and at rest; row-level security policies enforced at the database; granular role-based access control; two-factor authentication and biometric unlock options; audit logging of sensitive changes; per-account session management and revocation; segregated platform-operator tooling; and backups of production data. The Processor’s management systems are certified to ISO/IEC 27001:2022 (information security) and ISO 9001:2015 (quality). The current overview is published on the security page.
7. Sub-processors
The Controller grants a general written authorisation for the engagement of sub-processors. The current sub-processor list, with purposes and processing locations, is provided to the Controller at onboarding and at any time on request via info@celtucom.com. The Processor imposes data protection obligations on each sub-processor equivalent to those in this DPA and remains fully liable to the Controller for their performance. The Processor announces intended additions or replacements at least 30 days in advance by email to the Controller’s account owners; the Controller may object on reasonable data protection grounds, in which case the parties will seek a solution in good faith.
8. International transfers
Primary production infrastructure (database, authentication and file storage) is hosted in the European Union (Frankfurt, Germany). Where a sub-processor processes limited personal data outside the EEA (for example email addresses for transactional email or device tokens for push notifications), the transfer takes place under appropriate safeguards within the meaning of Chapter V GDPR, such as an adequacy decision (including the EU-US Data Privacy Framework where the provider is certified) or Standard Contractual Clauses.
9. Assistance, data subject rights and breaches
Taking into account the nature of the processing, the Processor assists the Controller with appropriate technical and organisational measures in fulfilling data subject requests (access, rectification, erasure, portability), and assists with data protection impact assessments and prior consultations where required. The platform provides data export and deletion capabilities for this purpose.
The Processor notifies the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s data, and provides the information reasonably required for the Controller to meet its own notification obligations under Articles 33 and 34 GDPR.
10. Return and deletion
Upon termination of the main agreement, the Processor deletes the personal data or returns it to the Controller (export in a common, machine-readable format), at the Controller’s choice, within 90 days, and deletes existing copies unless EU or member state law requires further storage. Data in backups is removed in line with the normal backup rotation cycle.
11. Audits
The Processor makes available the information necessary to demonstrate compliance with this DPA and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller: at most once per 12 months, with at least 30 days’ written notice, during business hours, without disrupting the service, and at the Controller’s expense, unless a personal data breach gives reasonable cause for an earlier audit.
12. Liability and governing law
Liability under this DPA is governed by the liability provisions of the main agreement between the parties. This DPA is governed by Dutch law; disputes are submitted to the competent court in Amsterdam, the Netherlands.
Contact
Questions about this DPA, requests for a countersigned copy, and privacy matters can be sent to info@celtucom.com.
