Data Processing Agreement
Effective Date: April 24, 2026
Last Updated: April 24, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between UAB Backoffice Solutions, company code 307630360, registered at Švitrigailos g. 11K-109, LT-03228 Vilnius, Lithuania (“Backoffice”, “we”, “us”) and the customer identified in the Service Agreement (“Customer”, “you”) for the use of the Backoffice service (“Service”).
This DPA governs the processing of personal data by Backoffice on behalf of the Customer in connection with the Service, in accordance with Regulation (EU) 2016/679 (“GDPR”) and the Lithuanian Law on Legal Protection of Personal Data.
By executing the Service Agreement or by using the Service, the Customer accepts this DPA. A countersigned copy is available on request to privacy@backoffice.lt.
1. Definitions
Terms used in this DPA have the meanings given in the GDPR. In addition:
- Personal Data means personal data, as defined in Article 4(1) GDPR, that Backoffice processes on behalf of the Customer in the course of providing the Service.
- Sub-processor means any third party engaged by Backoffice to process Personal Data on behalf of the Customer.
- Service Agreement means the agreement between the Parties governing the Customer’s use of the Service, including any order form, terms of service, or master subscription agreement.
- Parties means the Customer and Backoffice, collectively; each individually a “Party”.
- Controller and Processor have the meanings given in Article 4 GDPR.
- Personal Data Breach has the meaning given in Article 4(12) GDPR.
- Standard Contractual Clauses means the standard contractual clauses for the transfer of personal data to third countries annexed to Commission Implementing Decision (EU) 2021/914.
2. Roles of the Parties
The Customer is the Controller of Personal Data. Backoffice is the Processor. Sub-processors engaged by Backoffice act as further Processors.
Where the Customer is itself a processor acting on behalf of a third-party controller, Backoffice acts as a sub-processor and the Customer warrants that it has the authority to instruct Backoffice on behalf of that controller.
3. Scope and Instructions
Backoffice processes Personal Data only:
(a) on documented instructions from the Customer, including those set out in this DPA, the Service Agreement, and the Customer’s use of the Service’s configuration controls; and
(b) as required by Union or Member State law to which Backoffice is subject; in such a case, Backoffice will inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
If Backoffice considers that an instruction infringes the GDPR or other applicable data protection law, it will inform the Customer without undue delay.
4. Subject Matter, Duration, Nature and Purpose
| Item | Details |
|---|---|
| Subject matter | Provision of workforce management software, including scheduling, time tracking, employee records, notifications, and related operational workflows. |
| Duration | The term of the Service Agreement, plus any post-termination return or deletion period set out in Section 14. |
| Nature | Storage, organization, retrieval, transmission, generation of reports and notifications, and related processing operations performed by automated means. |
| Purpose | To enable the Customer to manage its workforce and meet its operational and statutory recordkeeping obligations. |
5. Categories of Data and Data Subjects
Categories of Personal Data
- Identification data: first name, last name, contact details.
- Employment data: position, department, contract type, working hours, payroll inputs.
- Operational data: schedules, clock-in records, absence records, in-app messages.
- Technical data: authentication identifiers, device identifiers, IP addresses, log data.
Categories of Data Subjects
The Customer’s employees, managers, administrators, and other authorized users of the Service.
The Customer determines which Personal Data is provided to the Service and is responsible for ensuring it has a lawful basis for processing under Article 6 GDPR and, where applicable, Article 9 GDPR.
6. Customer Responsibilities
The Customer is responsible for:
(a) the lawfulness of its processing instructions and ensuring it has a valid legal basis under Article 6 GDPR (and, where applicable, Article 9 GDPR) for the Personal Data it provides to the Service;
(b) the accuracy, quality, and integrity of the Personal Data it provides;
(c) providing required notices to data subjects and obtaining required consents;
(d) configuring the Service consistently with its data protection obligations.
7. No Use for Backoffice’s Own Purposes
Backoffice will not:
(a) sell Personal Data;
(b) process Personal Data outside the Service Agreement and the Customer’s documented instructions;
(c) combine Personal Data with personal data from other sources for purposes other than providing the Service to the Customer;
(d) use Personal Data to train machine learning or artificial intelligence models, except where strictly necessary to provide the Service to the Customer and on Customer’s documented instructions.
8. Confidentiality
Backoffice ensures that persons authorized to process Personal Data are bound by appropriate obligations of confidentiality, whether by contract or statutory duty, and are trained on data protection requirements relevant to their role.
9. Security Measures
Backoffice implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, in accordance with Article 32 GDPR.
The measures currently include:
- Encryption. Personal Data is encrypted in transit using current industry standards (currently TLS 1.2 or higher, with TLS 1.3 supported) and at rest using AES-256 or equivalent.
- Pseudonymization. Pseudonymization or anonymization where compatible with the purpose of processing.
- Access control. Role-based access following the principle of least privilege; multi-factor authentication for administrative and infrastructure access.
- Network security. Logical separation between production and non-production environments; restricted ingress and egress on production networks.
- Logging and monitoring. Audit logs for access to and changes affecting Personal Data, retained for a defined period and monitored for anomalies.
- Resilience. Regular backups with periodic restore testing; documented business continuity arrangements.
- Personnel. Background checks where lawful; confidentiality undertakings; periodic security training.
- Vulnerability management. Regular patching, dependency scanning, and remediation tracking.
- Incident response. Documented procedures for detecting, containing, investigating, and notifying personal data breaches.
- Regular testing. Regular testing, assessment and evaluation of the effectiveness of these measures.
A current description of the technical and organizational measures is available to the Customer on request. Backoffice may update these measures from time to time, provided the level of security is not materially reduced.
10. Sub-processors
The Customer provides general written authorization for Backoffice to engage Sub-processors, subject to this Section 10.
The current list of Sub-processors, together with their location and processing purpose, is published in Section 6.1 of the Privacy Policy at https://backoffice.lt/en/legal/privacy-policy and is incorporated into this DPA by reference (the “Sub-processor List”). Backoffice will not modify the Sub-processor List except in accordance with Section 10(c).
Backoffice will:
(a) impose data protection obligations on each Sub-processor that are no less protective than those set out in this DPA;
(b) remain liable to the Customer for the performance of each Sub-processor’s obligations; and
(c) provide the Customer with at least 30 days’ prior notice of any intended addition or replacement of a Sub-processor, by email to the Customer’s account contact and additionally by in-product notification.
The Customer may object on reasonable data protection grounds within 14 days of the notice. If the objection cannot be resolved, the Customer may terminate the affected part of the Service Agreement without penalty in respect of the affected processing, and is entitled to a pro-rata refund of pre-paid fees for the affected portion of the Service from the date of termination.
11. International Transfers
Primary processing of Personal Data takes place within the European Union. Where Backoffice or a Sub-processor processes Personal Data outside the EU/EEA, the transfer is made on the basis of:
(a) an adequacy decision of the European Commission; or
(b) the European Commission’s Standard Contractual Clauses (Decision (EU) 2021/914), which the parties hereby incorporate into this DPA by reference, supplemented by additional technical, organizational and contractual measures where required by case law, including the Schrems II ruling.
The Parties agree that Module Two of the Standard Contractual Clauses applies, or Module Three where the scenario in Section 2 paragraph 2 is engaged (Customer acting as a processor). The Parties further agree that:
(i) Annexes I, II and III of the Standard Contractual Clauses are deemed populated by Sections 4, 5, 9 of this DPA and the Sub-processor List;
(ii) the optional docking clause (Clause 7) applies;
(iii) for Clause 9(a), Option 1 (general written authorization) applies, with the time period set in Section 10;
(iv) for Clauses 17 and 18, the law and forum are those set out in Section 18 of this DPA;
(v) Backoffice maintains a transfer impact assessment for transfers under the Standard Contractual Clauses and will make a summary available to the Customer on request within a reasonable period and in any case within 30 days.
Backoffice will provide the Customer with information on the transfer mechanism applicable to each Sub-processor on request.
12. Assistance to the Customer
Taking into account the nature of the processing and the information available to Backoffice, Backoffice will assist the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer’s obligations to:
(a) respond to requests from data subjects exercising their rights under Articles 15-22 GDPR (access, rectification, erasure, restriction, portability, objection);
(b) ensure security of processing (Article 32);
(c) notify personal data breaches to supervisory authorities and data subjects (Articles 33-34);
(d) carry out data protection impact assessments and prior consultation with supervisory authorities (Articles 35-36).
The Service includes self-service tools that enable the Customer to access, correct, export, and delete Personal Data of its data subjects. Where assistance beyond these tools is requested, Backoffice may charge a reasonable fee for time and materials, except where the request relates to a personal data breach for which Backoffice is responsible.
The primary contact for assistance requests is privacy@backoffice.lt.
If Backoffice receives a request directly from a data subject relating to Personal Data processed on behalf of the Customer, Backoffice will not respond substantively (except to acknowledge receipt and direct the data subject to the Customer) and will forward the request to the Customer without undue delay.
13. Personal Data Breach Notification
Backoffice will notify the Customer without undue delay, and in any case in sufficient time to allow the Customer to meet its own 72-hour notification obligation under Article 33 GDPR, after Backoffice confirms a Personal Data Breach affecting Personal Data processed on behalf of the Customer.
The notification will include, to the extent then known:
- the nature of the breach, including the categories and approximate number of data subjects and records affected;
- the likely consequences of the breach;
- the measures taken or proposed to address the breach and mitigate its effects;
- a contact point for further information.
Where information cannot be provided at once, it will be provided in phases without further undue delay.
Backoffice will document all Personal Data Breaches affecting Personal Data processed on behalf of the Customer, including the facts relating to the breach, its effects, and the remedial action taken, and will make this documentation available to the Customer on request.
14. Return and Deletion of Personal Data
On termination or expiry of the Service Agreement, Backoffice will, at the Customer’s choice, return all Personal Data to the Customer or delete it. The Customer may communicate this choice in writing (including by email to privacy@backoffice.lt) within 30 days following termination, during which period Personal Data remains exportable through the Service. If the Customer does not communicate a choice within this 30-day period, the Customer is deemed to instruct Backoffice to delete the Personal Data. Backoffice will complete the chosen action within 90 days following the end of the 30-day notice period, except where retention is required by Union or Member State law, in which case the Personal Data will continue to be protected in accordance with this DPA and processed only for the purpose of, and to the extent required by, that retention.
On request, Backoffice will provide written confirmation of deletion.
15. Audit
Backoffice will make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR and this DPA.
The Customer’s audit right is generally satisfied by Backoffice providing, on request and no more than once per calendar year:
(a) a copy of its most recent independent third-party security report (where available); and
(b) responses to a reasonable security questionnaire.
Where the above is insufficient to enable the Customer to comply with a specific regulatory obligation, the Customer may, on at least 30 days’ prior written notice and at its own cost, conduct an audit during normal business hours, subject to reasonable confidentiality undertakings and a scope agreed in advance with Backoffice. Audits must not unreasonably interfere with Backoffice’s operations or the security or confidentiality of other customers’ data.
The “no more than once per calendar year” limitation and the Customer-cost rule do not apply to (i) audits requested by a competent supervisory authority, or (ii) audits triggered by a confirmed Personal Data Breach for which Backoffice is responsible.
16. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Service Agreement, save for liability that cannot be excluded or limited under applicable law, including liability under Article 82 GDPR towards data subjects.
17. Term and Termination
This DPA takes effect on the Effective Date and continues for the duration of the Service Agreement and for any period thereafter during which Backoffice processes Personal Data on behalf of the Customer.
18. Governing Law and Jurisdiction
This DPA is governed by the laws of the Republic of Lithuania. Disputes arising out of or in connection with this DPA are subject to the exclusive jurisdiction of the competent courts of Vilnius, Lithuania, save where mandatory law provides otherwise.
19. Order of Precedence
In the event of a conflict between this DPA and the Service Agreement, this DPA prevails in respect of the processing of Personal Data. In the event of a conflict between this DPA and the Standard Contractual Clauses incorporated under Section 11, the Standard Contractual Clauses prevail. In the event of a conflict between this DPA and the Sub-processor List referenced in Section 10, this DPA prevails. In the event of a conflict between this DPA and the Backoffice Privacy Policy in respect of Personal Data processed on behalf of the Customer, this DPA prevails.
20. Contact
For all matters relating to this DPA, including data subject requests, Sub-processor objections, audit requests, and data breach inquiries:
- Email: privacy@backoffice.lt
- Postal address: UAB Backoffice Solutions, Švitrigailos g. 11K-109, LT-03228 Vilnius, Lithuania