Data Processing Agreement

Last updated: June 2026 (revised)

This Data Processing Agreement ("DPA") is a general template that forms part of the agreement between the customer and Emplora. It is provided for transparency; a countersigned copy is available on request. Entity details in [brackets] are completed on the executed version. If your procurement process requires a negotiated DPA, please contact us.

1. Parties and roles

This DPA is entered into between the customer organisation (the "Controller") and CAPITAL MANAGEMENT 2000 LTD, a company incorporated in Bulgaria with registered address at 224 6th of September Boulevard, Central District, Plovdiv 4000, Bulgaria (the "Processor" or "Emplora"). It governs Emplora's processing of personal data on the Controller's behalf under the EU General Data Protection Regulation (GDPR), the UK GDPR, and applicable data protection law. For its employees' personal data the Controller is the data controller; Emplora is the data processor. These processor commitments apply to all customers worldwide, regardless of whether the GDPR applies to the Controller; where it does not, they serve as Emplora's baseline data-protection standard.

2. Subject matter, duration, nature and purpose

Emplora processes personal data for the purpose of providing the workforce scheduling Service: creating and managing schedules, shifts, time-off, and related workforce features, sending notification emails to employees who have not opted out, and - on plans that include it - computing descriptive sick-leave timing summaries (for example, clustered events or weekday concentration) surfaced to managers as patterns to review. Processing lasts for the term of the customer's subscription plus the retention periods described in our Privacy Policy.

Free trials and plan downgrades. A free trial of a paid plan is active processing for the purposes of Art. 28: throughout the trial Emplora processes the Controller's personal data on the same terms and for the same purpose as a paid subscription. When a trial ends, or a plan otherwise moves to lower limits, data above the new limit is not deleted: it is retained and locked, consistent with the retention and downgrade behaviour described in the Privacy Policy. Such data is archived (recoverable soft-deletion) only on the Controller's explicit instruction to switch to the Free plan, and is permanently erased only through the deletion route in Section 9.

Sick-leave pattern summaries. These summaries are descriptive tools with no automated consequence. The Controller is responsible for informing its employees that leave patterns are monitored (GDPR Arts. 13-14), for complying with any works-council or employee-representation requirements that apply to workforce monitoring under local law, and for independently verifying any pattern before relying on it in an employment decision.

3. Categories of data and data subjects

  • Data subjects: the Controller's managers and employees, and any emergency contact recorded for an employee. Emergency contacts are third parties whose details are entered by the Controller's managers; the Controller is responsible for informing those persons that their data is held (GDPR Art. 14) and for handling their requests to correct or remove it.
  • Personal data: names, optional email addresses and phone numbers, optional employment details (job title, employment type, internal staff number, pay rate), optional emergency contact details (name and phone number), per-employee notification preferences, work schedules, shifts, time-off and sick-leave records, and account identifiers. Some records (for example sickness-related leave) may relate to health. The Controller is responsible for ensuring it has a lawful basis under GDPR Art. 9 for any special-category data it inputs, and must not input special-category data beyond what the Service requires.
  • Minor workers: where the Controller lawfully engages minors, the Controller is responsible for the lawful basis under GDPR Art. 6 for processing their data and for any work permits or parental consent required by local law. The GDPR Art. 8 digital-consent thresholds apply to services offered directly to children, not to the Controller's processing of a worker's data.

4. Processor obligations (Art. 28(3))

  • Process personal data only on the Controller's documented instructions, including the instructions set out in these terms and in the Controller's use of the Service.
  • Ensure persons authorised to process the data are bound by confidentiality.
  • Implement appropriate technical and organisational security measures (Art. 32) as described in Section 7.
  • Respect the conditions for engaging sub-processors in Section 5.
  • Assist the Controller, taking into account the nature of processing, in responding to data-subject rights requests (access, rectification, erasure, restriction, portability, objection).
  • Assist the Controller with its obligations under Arts. 32-36 (security, breach notification, data protection impact assessments).
  • At the Controller's choice, delete or return all personal data at the end of the provision of services, and delete existing copies unless retention is required by law.
  • Make available the information necessary to demonstrate compliance with Art. 28 and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates. Audits are subject to reasonable prior written notice, take place no more than once in any 12-month period (unless required by a supervisory authority or following a personal data breach), occur during business hours, are subject to confidentiality, are at the Controller's cost, and must not compromise the security or confidentiality of other customers' data. Emplora may satisfy an audit request by providing relevant third-party reports, certifications, or completed security questionnaires where available.

5. Sub-processors

The Controller provides general authorisation for Emplora to engage the sub-processors listed on our Sub-processors page. Emplora imposes data-protection obligations on each sub-processor that are no less protective than this DPA, and remains liable for their performance, subject to the limitations of liability in the Terms of Service. We give at least 30 days' notice before adding or replacing a sub-processor, during which the Controller may object on reasonable data-protection grounds.

6. International transfers

Where personal data is transferred outside the EEA or the UK, the transfer is made under an appropriate safeguard: the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum (UK IDTA) for UK data, the EU-US Data Privacy Framework where a sub-processor is certified, or another lawful mechanism. Primary application data is held in the EU; the current location of each sub-processor is on the Sub-processors page.

7. Security measures (Art. 32)

  • Encryption of data in transit (TLS) and at rest.
  • Hashing of employee PINs and manager passwords (bcrypt; passwords handled by our authentication sub-processor).
  • Role-based access control and multi-tenant isolation where every database query is scoped by organisation.
  • Logging of high-value administrative actions and monitoring for security incidents.

8. Personal data breach

Emplora notifies the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, and provides the information and reasonable assistance the Controller needs to meet its own notification obligations, including any obligation to notify its supervisory authority within 72 hours.

9. Deletion and return

On termination, or on the Controller's instruction via Settings > Privacy, Emplora deletes the organisation's personal data in line with the retention periods in the Privacy Policy. A deletion request made via Settings > Privacy triggers permanent erasure 30 days after the request, separate from the up-to-90-day post-cancellation retention period.

10. Liability

Each party's liability arising out of or relating to this DPA is subject to, and counts towards, the aggregate limitation of liability and the exclusions set out in the Terms of Service. This DPA does not increase or expand either party's liability beyond that limit, except for any liability that cannot be limited under applicable data-protection law, including a data subject's right to compensation under GDPR Art. 82.

11. Contact

Data protection enquiries and DPA requests: contact us or email hello@emplora.io.
