
Data Processing Agreement

Version: 1.0
Effective Date: January 9, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between the organization subscribing to StaffTraq ("Customer" or "Controller") and StaffTraq ("Processor") for the provision of employee scheduling services (the "Service").

This DPA applies to the extent that StaffTraq processes Personal Data on behalf of Customer in connection with providing the Service.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person processed by StaffTraq on behalf of Customer.

"Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.

"Data Subject" means the individual to whom the Personal Data relates (e.g., Customer's employees).

"Subprocessor" means any third party engaged by StaffTraq to process Personal Data on behalf of Customer.

"Data Breach" means any unauthorized access, acquisition, use, or disclosure of Personal Data.

"Applicable Data Protection Law" means all laws relating to data protection applicable to the processing of Personal Data, including Alberta PIPA, PIPEDA, and CCPA/CPRA.

2. Roles and Responsibilities

2.1 Customer as Controller

Customer is the Controller of the Personal Data and is responsible for:

  • Determining the purposes and means of processing Personal Data through the Service
  • Ensuring lawful basis for processing (e.g., employment relationship)
  • Providing appropriate notice to Data Subjects about data collection
  • Responding to Data Subject requests (with StaffTraq's assistance)
  • Ensuring accuracy of Personal Data provided to StaffTraq

2.2 StaffTraq as Processor

StaffTraq is the Processor and will:

  • Process Personal Data only on Customer's documented instructions
  • Maintain confidentiality of Personal Data
  • Implement appropriate security measures
  • Assist Customer in fulfilling Data Subject rights
  • Notify Customer of any Data Breach
  • Delete or return Personal Data upon termination

3. Scope of Processing

3.1 Categories of Data Subjects

  • Customer's employees
  • Customer's managers and administrators
  • Customer's contractors (if applicable)

3.2 Categories of Personal Data

  • Identification data: name, email, phone number, profile photo
  • Employment data: job title, department, employee ID, hire date
  • Scheduling data: shifts, availability, time-off requests
  • Time tracking data: clock in/out times, breaks, attendance
  • Communication data: messages, files shared within the platform
  • Payroll reference data: payslip documents (PDFs)

3.3 Purpose of Processing

  • Providing employee scheduling and time tracking services
  • Facilitating team communication
  • Generating reports for workforce management
  • Maintaining audit logs for compliance

3.4 Duration of Processing

Processing will continue for the duration of the service agreement. Upon termination, StaffTraq will delete or return Customer Data in accordance with Section 10.

4. Customer Obligations

Customer agrees to:

  • Provide Notice: Inform employees that their data will be processed through StaffTraq, including types of data collected and purposes
  • Ensure Lawfulness: Have a lawful basis for providing employee data to StaffTraq (typically the employment relationship)
  • Accuracy: Ensure Personal Data provided is accurate and up to date
  • Instructions: Provide documented, lawful processing instructions
  • Compliance: Comply with Applicable Data Protection Law

5. StaffTraq Obligations

5.1 Processing Instructions

StaffTraq will process Personal Data only in accordance with Customer's documented instructions, unless required by law. If legal obligations require processing beyond Customer's instructions, StaffTraq will notify Customer (unless prohibited by law).

5.2 Confidentiality

StaffTraq ensures that all personnel authorized to process Personal Data are bound by confidentiality obligations.

5.3 Security Measures

StaffTraq implements appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption of data in transit (TLS 1.3) and at rest
  • Access controls and authentication (via Clerk)
  • Role-based permissions within the Service
  • Regular security assessments and updates
  • Secure infrastructure hosting (Vercel, Convex)
  • Employee security training

6. Subprocessors

6.1 Authorized Subprocessors

Customer authorizes StaffTraq to engage the Subprocessors listed at /legal/subprocessors. StaffTraq maintains this list and will update it when Subprocessors are added or removed.

6.2 Subprocessor Agreements

StaffTraq ensures that each Subprocessor is bound by data protection obligations no less protective than those in this DPA.

6.3 Notification of Changes

StaffTraq will notify Customer at least 30 days before engaging a new Subprocessor. Customer may object within 14 days of notification. If Customer objects, the parties will work in good faith to resolve the concern. If no resolution is reached, Customer may terminate the affected services.

6.4 Liability

StaffTraq remains liable for the acts and omissions of its Subprocessors as if they were StaffTraq's own acts and omissions.

7. Data Subject Rights

7.1 Assistance

StaffTraq will assist Customer in responding to Data Subject requests to exercise their rights under Applicable Data Protection Law, including:

  • Access to Personal Data
  • Correction of inaccurate data
  • Deletion of data (subject to legal retention requirements)
  • Data portability
  • Restriction of processing
  • Objection to processing

7.2 Response Time

StaffTraq will respond to Customer's assistance requests within 10 business days.

7.3 Direct Requests

If a Data Subject contacts StaffTraq directly regarding their rights, StaffTraq will refer them to Customer unless otherwise instructed.

7.4 Self-Service

StaffTraq provides self-service tools within the platform that enable Data Subjects to export their data and submit deletion requests.

8. Data Breach Notification

8.1 Notification to Customer

StaffTraq will notify Customer of any confirmed Data Breach without undue delay, and in any event within 72 hours of becoming aware.

8.2 Information Provided

The notification will include:

  • Nature of the breach and categories of data affected
  • Approximate number of Data Subjects affected
  • Contact information for StaffTraq's point of contact
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

8.3 Cooperation

StaffTraq will cooperate with Customer in investigating the breach and fulfilling any legal notification obligations.

8.4 Regulatory Notification

Customer is responsible for notifying supervisory authorities and Data Subjects as required by law. StaffTraq will provide reasonable assistance.

9. Audit Rights

9.1 Information

Upon written request, StaffTraq will provide Customer with information necessary to demonstrate compliance with this DPA, including:

  • Security documentation
  • Subprocessor list and agreements
  • Relevant certifications or audit reports

9.2 Audits

Customer may conduct an audit of StaffTraq's processing activities, subject to:

  • 30 days' prior written notice
  • Reasonable scope and timing
  • Confidentiality obligations
  • Customer bearing audit costs

9.3 Third-Party Audits

In lieu of Customer audits, StaffTraq may provide third-party audit reports or certifications that address the relevant security and privacy controls.

10. Data Return and Deletion

10.1 Upon Termination

Upon termination or expiration of the service agreement:

  • Customer may export their data through the Service within 30 days
  • StaffTraq will delete Customer Data within 90 days, except as required by law
  • Payroll and time records will be archived for 6 years per legal retention requirements

10.2 Certification

Upon Customer's written request, StaffTraq will certify in writing that Customer Data has been deleted (except data retained for legal compliance).

11. International Transfers

11.1 Transfer Locations

Customer Data may be processed in the United States by StaffTraq and its Subprocessors.

11.2 Safeguards

For transfers outside Canada, StaffTraq ensures appropriate safeguards are in place, including:

  • Subprocessor agreements with data protection obligations
  • Security measures described in Section 5.3
  • Compliance with PIPEDA's accountability principle

12. Liability

Each party's liability under this DPA is subject to the limitations of liability in the main service agreement. This DPA does not increase either party's total liability beyond what is specified in the service agreement.

13. Term

This DPA remains in effect for the duration of the service agreement and continues until all Personal Data has been deleted or returned in accordance with Section 10.

14. Amendments

StaffTraq may update this DPA to reflect changes in Applicable Data Protection Law or processing activities. Material changes will be notified to Customer 30 days in advance.

15. Contact

For questions about this DPA, contact:

StaffTraq Data Protection
Email: dpa@stafftraq.com
Address: [Your Business Address]
Alberta, Canada