Legal · Art. 28 GDPR

Data processing agreement (DPA)

In short

Your company is the controller of its employees’ data; Egalis is the processor and processes the data exclusively on your documented instructions, exclusively in the EU. The text below is the standard DPA, ready to be signed together with the service contract.

1. Roles of the parties and subject matter

The client acts as controller (Art. 4(7) GDPR) for the personal data of its employees and candidates; Egalis acts as processor (Art. 4(8)). Subject matter of the processing: providing the pay transparency compliance platform — import, calculations, job evaluation, reporting, information requests, remediation.

2. Nature and purpose of the processing; categories of data

  • Data subjects: the client’s employees and, in the recruitment module, its candidates.
  • Categories of data: internal identifier (the payroll ID), sex, job title, occupation code (e.g. ISCO-08), department, hire date, working-time fraction, remuneration elements, leave events, pay changes; optionally the name (stored separately, encrypted); the contact email for information requests. No national identification numbers are processed and no special category of data enters the calculation data.
  • Duration: for the term of the contract, plus the legal retention of reports required by the Directive and the applicable national law, unless the controller instructs otherwise.

3. Egalis' obligations (Art. 28(3) GDPR)

  • Processes the data only on the controller’s documented instructions (use of the application constitutes an instruction).
  • Ensures the confidentiality of the persons authorised to process the data.
  • Applies technical and organisational measures (Art. 32): EU-only hosting, pseudonymisation by design, encryption of nominal identities, role-based access control, an immutable audit log.
  • Engages no new sub-processors without prior information to the controller (Annex 1), with a 15-day right to object.
  • Supports the controller with data subjects’ requests and with impact assessments.
  • Notifies the controller without undue delay, and within 72 hours at the latest, of any personal data breach it becomes aware of.
  • On termination: returns the data (full export, structured format) and permanently deletes it, except for the audit log (legal evidence, without salary data) and legal retention obligations.
  • Makes available the information necessary to demonstrate compliance and allows audits, with reasonable notice.

4. Transfers

The data is processed and stored exclusively in the European Union. No transfers to third countries take place.

5. Annex 1 — authorised sub-processors

  • Hetzner Online GmbH, Germany — hosting infrastructure.
  • Transactional email: our own server, hosted in the EU — there is no third-party email provider.
  • Stripe Payments Europe, Ltd., Ireland — card payment processing (billing data only; payroll data never reaches Stripe).

6. The parties

Egalis: ADDO VISION SOLUTIONS SRL, registered office: Bucharest, Șos. Berceni 96, Monaco Towers, A9.06, Romania, trade register no. J2013010973404, EUID ROONRC.J2013010973404, VAT RO32203240 (contact: office@addovision.ro). The client: the entity identified in the service contract. The DPA forms an integral part of the contract. See also the privacy policy.

Updated: 10 July 2026. Figures reflect Directive (EU) 2023/970 as adopted. Member states had to transpose it by 7 June 2026 and may impose stricter national rules — check your country's implementing law (Egalis country editions track them).

Egalis does not provide legal advice; for specific situations, consult an employment lawyer.