Data Processing Agreement
Version 1.0
Last updated: 3 June 2026
This Data Processing Agreement (the "Agreement") sets out how SaberTask processes personal data on behalf of the customer when the customer uses the SaberTask platform. The Agreement is entered into between:
The Data Controller
The customer using the SaberTask platform (the "Data Controller"). The customer's company details are completed on signing.
The Data Processor
SaberTask LDA, company reg. no. PT518467546, Rua Hermano Neves N.º 18, Piso 3, Escritório 7, V5098 1600-477 Lisbon, Portugal (the "Data Processor").
The Data Controller and the Data Processor are each referred to as a "Party" and together as the "Parties". The Parties have entered into this Agreement in order to comply with Regulation 2016/679 (the General Data Protection Regulation) and to safeguard privacy and the fundamental rights and freedoms of natural persons.
1. Preamble
- This Agreement sets out the Data Processor's rights and obligations when processing personal data on behalf of the Data Controller.
- This Agreement has been drawn up to ensure the Parties' compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council (the "General Data Protection Regulation").
- In connection with the provision of the SaberTask platform for managing the Data Controller's service operations (the "Main Agreement"), the Data Processor processes personal data on behalf of the Data Controller in accordance with this Agreement.
- This Agreement takes precedence over any similar provisions in other agreements between the Parties, including the Main Agreement.
- Two annexes form an integral part of this Agreement:
  - Annex A contains information about the purpose, nature, data types and duration of the processing.
  - Annex B contains a list of approved sub-processors.
2. The Data Controller's rights and obligations
- The Data Controller is responsible for ensuring that the processing of personal data takes place in accordance with the General Data Protection Regulation and this Agreement.
- The Data Controller has the right and obligation to decide the purposes and means of the processing of personal data.
- The Data Controller is responsible for ensuring that there is a legal basis for the processing the Data Processor is instructed to carry out.
3. The Data Processor acts on instructions
- The Data Processor may process personal data only on documented instructions from the Data Controller, cf. Annex A, unless required to do so by EU or national law.
- The Data Processor immediately informs the Data Controller if, in its opinion, an instruction infringes the General Data Protection Regulation.
4. Confidentiality
- The Data Processor grants access to personal data only to persons who are subject to a duty of confidentiality, and only to the extent necessary.
- Access lists are reviewed on an ongoing basis and revoked when access is no longer necessary.
5. Security of processing
- The Data Processor implements appropriate technical and organisational measures to ensure a level of protection appropriate to the risk of the processing, cf. Article 32 of the General Data Protection Regulation.
- SaberTask LDA is actively working towards ISO 27001 certification and continuously monitors its GDPR compliance via Sprinto (automated compliance monitoring). Relevant security measures include, among others:
  - Encryption of personal data in transit and at rest
  - Access control and role-based permissions
  - Continuous logging and monitoring of systems
  - Procedures for incident response and security events
- The Data Processor assists the Data Controller with information about implemented security measures where this is necessary for the Data Controller's compliance with Article 32.
6. Sub-processors
- The Data Processor operates under a general authorisation arrangement, cf. Article 28(2) of the General Data Protection Regulation. The Data Controller hereby gives general prior authorisation for the use of the sub-processors listed in Annex B.
- The Data Processor informs the Data Controller in writing of any intended changes concerning the addition or replacement of sub-processors at least 30 days before they take effect. The Data Controller has the right to object on reasonable grounds within this period. The Parties shall then discuss the objection in good faith. If the Parties cannot reach agreement within 14 days of the objection, the Data Controller may terminate the Agreement with 30 days' written notice.
- The Data Processor imposes on its sub-processors the same data protection obligations as those set out in this Agreement.
- The Data Processor remains fully liable to the Data Controller even if a sub-processor fails to fulfil its obligations.
7. Transfer to third countries
- Processing takes place primarily within the EU/EEA. Any transfer to third countries takes place only on the basis of documented instructions from the Data Controller and in accordance with Chapter V of the General Data Protection Regulation.
- Relevant transfer bases for approved sub-processors (cf. Annex B) are set out therein.
8. Assistance to the Data Controller
- The Data Processor assists the Data Controller, to the extent possible, in fulfilling data subjects' rights (access, rectification, erasure, data portability, etc.), cf. Chapter III of the General Data Protection Regulation.
- The Data Processor further assists the Data Controller with:
  - Notification of personal data breaches to the supervisory authority (within 72 hours)
  - Notification of data subjects in the event of a high-risk breach
  - Carrying out data protection impact assessments (DPIAs) where relevant
9. Notification of security breaches
- The Data Processor notifies the Data Controller without undue delay and no later than 48 hours after becoming aware of a personal data breach.
- The notification shall as a minimum include: the nature of the breach, the categories and number of data subjects affected, the likely consequences, and the remedial measures taken or planned.
10. Erasure and return of data
- On termination of the agreement, the Data Processor erases all personal data processed on behalf of the Data Controller and confirms in writing that erasure has been completed - unless legislation requires continued storage.
- Before termination, the Data Controller may request that data be handed over in a standard format (CSV, Excel or JSON).
11. Audit and inspection
- The Data Processor makes available to the Data Controller all information necessary to demonstrate compliance with Article 28 of the General Data Protection Regulation and this Agreement.
- The Data Processor allows for audits and inspections, including via the Data Processor's ongoing compliance reports from Sprinto, which can be provided on request.
12. Liability and limitation of liability
- The Data Processor's total liability to the Data Controller is limited to an amount equal to six months' subscription fees paid by the Data Controller under the Main Agreement in the six months preceding the event giving rise to the claim.
13. Entry into force and termination
- This Agreement enters into force upon signature by both Parties and remains in effect for as long as the Data Processor processes personal data on behalf of the Data Controller.
- The Agreement may be renegotiated if legislative changes or material changes to the nature of the processing give cause to do so.
- On termination of the Main Agreement, this Agreement terminates once the obligations in section 10 have been fulfilled.
14. Governing law and venue
- Any dispute in connection with this Agreement is settled by the Danish courts and is governed by Danish law.
15. Contact persons
For the Data Processor (SaberTask LDA)
Sebastian Reipuert Søe-Pedersen, Co-Founder & CTO. Email: sebastian@sabertask.com
For the Data Controller
Completed by the customer on signing.
16. Signatures
This Agreement is concluded electronically as part of the customer's onboarding and is countersigned by SaberTask LDA. A signed copy is available on request.
Annex A - Information about the processing
Purpose of the processing
Operation and administration of the SaberTask platform for managing the Data Controller's service operations, including task management, time tracking, absence management, piece-rate wage calculation and payroll export.
Nature of the processing
Collection, recording, organisation, storage, adaptation, retrieval, use and erasure of personal data.
Types of personal data
- Name and employee number
- Tasks and time registrations
- Absence and sick-leave data
- Wage data (piece-rate, supplements)
- GPS/route data in connection with task performance
- Any comments and images attached to tasks
Categories of data subjects
The Data Controller's employees and team leaders.
Duration of the processing
For as long as the Main Agreement is in force. On termination, data is erased in accordance with section 10.
Place of processing
Primarily within the EU/EEA via Microsoft Azure (see Annex B).
Annex B - Approved sub-processors
| Sub-processor | Purpose | Data transferred | Country | Transfer basis |
|---|---|---|---|---|
| Microsoft Azure (Microsoft Ireland Operations Ltd.) | Cloud hosting and data storage | All personal data in the platform, cf. Annex A | Ireland (EU) | Processing within the EU/EEA |
| Postmark (ActiveCampaign, LLC) | Transactional email delivery | Name and email address of the recipient | USA | EU-US Data Privacy Framework |
| Google Maps (Google Ireland Ltd.) | Map display and route optimisation | Addresses and geographic coordinates (not linked to a person or ID) | Ireland (EU) | Processing within the EU/EEA |
| Mapbox (Mapbox Inc.) | Map display and route optimisation | Addresses and geographic coordinates (not linked to a person or ID) | USA | EU-US Data Privacy Framework |
| inMobile ApS | Transactional SMS delivery | Mobile number and name of the recipient | Denmark (EU) | Processing within the EU/EEA (ISAE 3000 certified) |
| Anthropic, PBC | AI processing of uploaded documents (Claude) | Content of documents uploaded by users to the platform's AI features - not personal data from other system data | USA | EU-US Data Privacy Framework |
The Data Processor notifies the Data Controller in writing at least 30 days before adding new sub-processors.
