Skip to content
Real time CLOUD Time and attendance solutions - making your life easier.
Real time CLOUD Time and attendance solutions - making your life easier.

Data Processing Agreement

Data Processing Agreement

Acceptance of Terms: By accessing or using the Services provided by Systime US Inc., with its principal place of business at 4920 W Cypress St. Ste 104, # 5087, Tampa FL 33607 ("The Supplier"), you (the “Client”) agrees to be bound by the terms of this Data Processing Agreement (“DPA” or “Agreement”). This Agreement is effective upon the Client's use of the Services and continues until termination of the Services or as stipulated herein.

Online Acceptance: The Client's agreement to the terms of this DPA will be indicated by checking a checkbox or clicking on an 'Accept' or similar button as part of the registration or client onboarding process on Supplier’s website.

Incorporation: WHEREAS, the Client, by using the Services provided by the Supplier as detailed on Supplier's Website SystimeUS.com or as otherwise agreed to between the parties in writing, agrees to the terms of this DPA, which governs the processing of Personal Data in connection with the Services. This DPA is incorporated by reference into the Supplier’s Terms and Conditions related to the Services (“Principal Agreement”), and by accepting the Principal Agreement, the Client also agrees to the terms of this DPA.

WHEREAS, Client is the Data Controller and Supplier is the Data Processor;

WHEREAS, Supplier agrees to process such personal data on behalf of Client in accordance with the terms of this Agreement;

NOW, THEREFORE, in consideration of the mutual covenants and agreements contained herein, the parties hereto agree as follows:

1. Definitions:

    • "Data Protection Laws" shall mean all applicable privacy and data protection laws and regulations, including, but not limited to, the laws and regulations of the United States and the United Kingdom, as well as any other jurisdiction where personal data may be processed under this Agreement.
    • "Data Processor" refers to an entity or organization that processes personal data on behalf of the Data Controller, following the Data Controller's instructions and for the purposes specified by the Data Controller.
    • "Data Controller" refers to the entity or organization that determines the purposes and means of the processing of personal data.
    • "Personal Data" means any personal data that the Supplier processes on behalf of the Client when the Client avails Services from the Supplier.
    • "Processing" means any operation performed on Personal Data, such as collection, storage, use, and transfer.
    • “Services” means the services that the Supplier provides to the Client under the Principal Agreement.
    2. Scope and Purpose of Processing:
      • The Client appoints the Supplier as its Data Processor concerning all Client Personal Data processed according to or about the performance of the Services under the Principal Agreement. The details of the scope, purpose and duration of the Personal Data and processing (including the type of Personal Data) covered by this DPA are set out in Exhibit A of this DPA.
      • The Supplier shall undertake the Processing of Personal Data if and to the extent such Processing is required in the performance of the Principal Agreement. The processing shall include the calculation of hours worked, creation of reports, and potential transfer of data for payroll purposes.
      • Supplier shall process Personal Data only as instructed by Client and in accordance with the terms of this DPA, ensuring compliance with Data Protection Laws. The Client hereby represents and warrants that any instructions provided by the Client do not violate any Data Protection Laws. The Supplier will act only on the documented instructions of the Client and process the Personal Data accordingly. Client will indemnify Supplier for all costs and expenses (including reasonable attorney fees) incurred or sustained by Supplier if Client’s instructions violate applicable Data Protection Laws.
      • In the event the Supplier is required by applicable law to process Client Personal Data, the Supplier will carry out such processing and notify Client of such legal requirement, unless such notification is prohibited by applicable law.  Supplier shall not make use of Personal Data for purposes other than for providing Services under the Principal Agreement.
      • Supplier shall without undue delay inform Client if,
        1. in its opinion, an instruction infringes applicable Data Protection Laws.
        2. it becomes aware of any circumstances which render its compliance with any applicable Data Protection Law impossible.
      • This DPA shall apply to all the Supplier’s current and future delivery of Services under the Principal Agreement. This DPA supplements the Principal Agreement.
      • Where permitted by applicable Data Protection Laws, the Supplier may aggregate, de-identify, or anonymize Personal Data, so it no longer meets the Personal Data definition under the relevant Data Protection Laws, and may process such aggregated, de-identified, or anonymized data for its purposes.
      3. EU Personal Data Processing Compliance and Responsibility:
        • The Client hereby represents and warrants that the Personal Data provided to or accessed by the Data Processor under this Agreement will not include any Personal Data pertaining to individuals located in the European Union (EU). The Client affirms that it has implemented appropriate measures to ensure that no EU Personal Data is transmitted, processed, or otherwise made available to the Data Processor under the terms of this Agreement. In the event that the Data Controller inadvertently transmits EU Personal Data, it shall immediately notify the Data Processor of such occurrence. The Data Controller shall then take all necessary steps to rectify such transmission, including but not limited to retrieving the data and ensuring its deletion from the Data Processor's systems.
        • The Supplier will employ reasonable measures to identify the geographic origin of Personal Data processed under this Agreement. However, the Supplier is not responsible for determining the precise origin of data provided by the Client. In cases where the Supplier becomes aware that the data includes EU Personal Data, the Supplier shall comply with the relevant provisions of the General Data Protection Regulation (GDPR) or equivalent legislation, to the extent applicable. The Client is responsible for informing the Supplier if the data subject to processing under this Agreement includes EU Personal Data. Upon such notification, both parties shall collaborate to ensure compliance with applicable EU data protection laws.
        • The Client shall indemnify and hold harmless the Supplier against any claims, liabilities, damages, losses, and expenses arising from a) the Client’s failure to disclose the presence of EU Personal Data or b) a breach of the Client’s warranty stated above.
        4. Security Measures:
          • Supplier shall implement and maintain appropriate technical and organizational security measures to protect Personal Data, including ISO 27001 certification, port blocking, antivirus software, and employee/contractor non-disclosure agreements. The Supplier may change the controls and safeguards set out in the preceding sentence from time to time provided that the Supplier will not materially decrease the overall security of the Personal Data. While the Supplier will use commercially acceptable means to protect the Personal Data of the Client, the Supplier does not guarantee its absolute security. While the Supplier does not guarantee absolute security, it commits to maintaining industry-standard measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. The Supplier shall have no liability for data breaches that result from the Client’s instructions or actions.
          • The Client shall have the right to conduct audits and inspections of the Supplier’s data processing activities to ensure compliance with this DPA and applicable Data Protection Laws, subject to reasonable notice and confidentiality obligations.
          5. Supplier Obligations:
          • Supplier shall ensure that its personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory or professional obligation of confidentiality.
          • Supplier shall assist Client in fulfilling its obligations to respond to Data Subject requests and requests related to the exercise of Data Subject rights under applicable Data Protection Laws (at the cost of the Client) but the Client shall be responsible for ensuring compliance with such requests. If the Supplier receives a request or a complaint from a Data Subject, including requests regarding the Data Subject’s rights under applicable Data Protection Laws, the Supplier will forward the request without undue delay to the Client unless the Supplier is required by law to address that request. “Data Subjects” means the employees whose information is entered into the system. They are the individuals whose personal data is being processed through the cloud-based software for the purpose of calculating their working hours.
          • Supplier shall (to the extent legally permissible) notify Client without undue delay in the event of Personal Data Breach, including providing information on the nature of the breach, the affected Personal Data, and any other information required to be provided under applicable Data Protection Laws save where such Personal Data  Breach is unlikely to result in a risk to the rights and freedoms of individuals. A 'Personal Data Breach' refers to a security incident in which there is unauthorized access to, disclosure, alteration, or destruction of Personal Data, potentially leading to the accidental or unlawful loss, misuse, or compromise of such data, requiring notification and remediation as per applicable Data Protection Laws. The Supplier shall have no liability for data breaches that result from the Client’s instructions or actions.
          6. Special Category Data:
          • Definition: For the purposes of this DPA, "Special Category Data" shall refer to any Personal Data that falls within the categories of special category data as defined by applicable Data Protection Laws.
          • The Client shall provide written instructions and a lawful basis for processing Special Category Data and shall be solely responsible for ensuring that the processing is lawful, including obtaining any necessary consents or meeting other lawful processing conditions.
          • The Supplier shall implement robust technical and organizational measures to ensure the security and protection of Special Category Data in accordance with the requirements of applicable Data Protection Laws.
          • The Supplier shall process Special Category Data only to the extent necessary to achieve the specific purposes identified by the Client or as otherwise necessary for the purposes of the Principal Agreement and shall not retain such data for longer than required for those purposes, unless otherwise instructed by the Client or required by law. The Supplier shall have no liability for data retention beyond the scope of the Data Controller's instructions.
          7. Sub-Processor:         
          • Data Processor may engage third-party sub-processors to assist in providing the Services to Data Controller.
          • The Data Controller provides a general authorization to the Data Processor to engage third-party sub-processors as necessary to assist in providing the Services. The Data Processor shall maintain a list of sub-processors and shall make it available to the Data Controller upon request.
          • The Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of sub-processors via email or may post it on the Supplier’s website. The Data Controller shall have the opportunity to object to new sub-processors within 30 days from the notification date.
          • If the Data Controller objects to a new sub-processor for reasonable data protection concerns, the Data Processor shall use reasonable efforts to make available a change in the Services or recommend a commercially reasonable change to the Data Controller’s configuration or use of the Services to avoid processing of Personal Data by the objected sub-processor.
          • Data Processor shall ensure that any sub-processor engaged to process personal data on behalf of Data Controller complies with the same data protection obligations as set out in this Agreement. Data Processor shall remain fully liable to Data Controller for the performance of the sub-processor's obligations as if they were the obligations of Data Processor itself.
          8. Liability and Indemnification:
          • Supplier shall not be liable for any claim arising from any action or omission by Client, to the extent permitted by law.
          • Client agrees to indemnify and hold harmless Supplier and its sub-processors from any claims, damages, liabilities, costs, and expenses (including any reasonable attorney's fees and expenses), arising from Client’s breach of this Agreement or the Client’s non-compliance with Data Protection Laws.
          • Supplier does not make any representation that entering into this Agreement will enable the Client to comply with its obligations under applicable Data Protection Laws.
          9. Termination:
          • This Agreement shall terminate automatically upon the termination of the Principal Agreement between the parties. Notwithstanding the termination of the Principal Agreement, this DPA shall survive and remain in force to the extent necessary to fulfill its purposes, including but not limited to the protection of the rights of Data Subjects and the performance of post-termination data processing, data security, and data retention obligations.
            10. Data Retention:
            • The Data Processor shall retain Personal Data processed on behalf of the Data Controller only for the duration necessary to fulfill the purposes for which it was collected, or as required by applicable law. Data Processor shall not retain Personal Data for longer than is necessary for the purposes of processing, unless otherwise instructed in writing by the Data Controller. In the absence of specific instructions, the Data Processor shall establish and adhere to its own data retention policies, which shall be in compliance with applicable Data Protection Laws.
            • Upon the termination of this Agreement or upon written instruction from the Data Controller, the Data Processor shall, at the choice of the Data Controller, securely delete or return all personal data to the Data Controller, unless applicable law requires further retention of such data.
            • Notwithstanding the above, Personal Data may continue to exist in backup copies for a reasonable period due to technical limitations of data backup and recovery systems. Such data shall not be actively processed and shall remain subject to the same data protection safeguards as the live data.
            11. International Transfer:
            • Data may be accessed by Supplier’s support technicians in the UK and USA for support purposes.
            • Supplier ensures that any transfer of Personal Data outside of the USA and UK will be conducted in compliance with Data Protection Laws. This includes implementing appropriate safeguards such as encryption, pseudonymization, and maintaining the confidentiality, integrity, availability, and resilience of processing systems and services. For the avoidance of doubt, Supplier may process Personal Data as necessary to provide the Services to Client and during such course, Client's Personal Data may be transferred to and processed by Supplier outside of Client’s state, province, country, or other governmental jurisdiction where the applicable Data Protection Laws may differ than those from Client's jurisdiction and Client expressly consents to such transfer provided that such transfers are conducted in compliance with the applicable Data Protection Laws. Client agrees that such transfers may be necessary for the performance of the Services or other purposes defined in the Principal Agreement. Supplier may transfer the Personal Data to other jurisdictions where its sub-processors have functions and Client expressly consents to such transfer provided that such transfers are conducted in compliance with the applicable Data Protection Laws.
            12. Miscellaneous:
            • This DPA is incorporated into and forms part of the Principal Agreement. In case of any conflict between this DPA and the Principal Agreement, this DPA will prevail to the extent of such conflict. The Exhibit of this DPA forms part of this DPA.
            • This Agreement constitutes the entire agreement between the parties concerning the subject matter hereof.
            • The Data Processor reserves the right to unilaterally amend the terms of this DPA as necessary to reflect changes in legal requirements, industry standards, or business practices. Any such amendments will be posted on Supplier’s website and will be effective immediately upon posting. Continued use of the Data Processor's services by the Data Controller after any such amendments will constitute acceptance of the revised Agreement.
            • In the event of any conflict or inconsistency between the provisions of this DPA and any external legal requirements (including but not limited to international data transfer regulations) or subsequent amendments made unilaterally by the Data Processor, the parties agree to collaborate in good faith to resolve the conflict. This collaboration aims to ensure compliance with applicable law while maintaining the original intent and protective measures of this Agreement to the greatest extent possible. Should modifications to this Agreement be necessary to achieve compliance or reconcile any unilateral amendments, such modifications will be made in a manner consistent with the original terms and intent of this Agreement, ensuring fairness and reasonableness to both parties.
            • The governing law and dispute provisions under the Principal Agreement shall apply mutatis mutandis to this DPA.
            • This DPA is a legally binding agreement between the Parties.
            • The Parties’ failure to enforce any right or provision of this DPA does not mean a waiver of those rights or provisions.

              Exhibit A - Details of Data Processing

              A) Specific Personal Data Processed:

              The specific Personal Data that will be processed by the Supplier on behalf of the Client includes the following:

              • Employee's Full Name
              • Date of Birth
              • Address
              • Phone Number
              • Social Security Number
              • Land Line Phone Number
              • Email Addresses
              • Mobile Number
              • Elected Emergency Contact's Full Name
              • Elected Emergency Contact's Landline Phone Number
              • Elected Emergency Contact's Mobile Number
              • Elected Emergency Contact's Address
              • Elected Emergency Contact's Email
              B) Description of Data Processing Activities:

              The Supplier will undertake the following data processing activities:

              • Collection of clocking data from time clocks of mobile devices.
              • Processing clocking information to calculate hours worked.
              • Creation of time-card and other reports (if internal payroll system).
              • Possibility to pass a file containing employee data (if external payroll system).

              Purpose of Processing:

              The purpose of processing is to enable the Client to:

              • Identify the specific employee records they wish to examine in the software.
              • Access certain personal details required for payroll and communication purposes.
              C) Categories of Personal Data Collected, Processed, or Stored:

              Categories of personal data that will be collected, processed, or stored by the Supplier on behalf of Clients include:

              • Employee's Full Name
              • Date of Birth
              • Address
              • Phone Number
              • Social Security Number
              • Land Line Phone Number
              • Email Addresses
              • Mobile Number
              • Elected Emergency Contact's Full Name
              • Elected Emergency Contact's Landline Phone Number
              • Elected Emergency Contact's Mobile Number
              • Elected Emergency Contact's Address
              • Elected Emergency Contact's Email
              D) Secondary Purposes or Additional Uses:

              If employee data is exported from the product to any party, it can be configured by the Client and may contain the following information:

              • Payroll Number
              • Employee ID Number
              • Employee's Full Name
              • Date of Birth
              • Address
              • Phone Number
              • Social Security Number
              • Land Line Phone Number
              • Mobile Number
              E) Data from EU Data Subjects:

              No Personal Data from individuals residing in the European Union (EU) will be obtained or processed as part of these data processing activities.

              Ver1.02 December 2023