Data Processing Agreement

Last updated: February 17, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between Artes Codex (operating as TimeLeaf), a sole proprietorship registered in the Province of Alberta, Canada ("Processor"), and the customer ("Controller") for the provision of the TimeLeaf platform services ("Services").

This DPA is entered into to ensure compliance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and any applicable national implementing legislation.

2. Definitions

  • Personal Data means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller through the Services.
  • Data Subject means the identified or identifiable natural person to whom the Personal Data relates.
  • Processing means any operation performed on Personal Data, including collection, storage, modification, retrieval, use, disclosure, or deletion.
  • Sub-processor means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

3. Scope and Purpose of Processing

The Processor shall process Personal Data solely for the purpose of providing the Services as described in the main agreement. The categories of Personal Data processed include:

  • Employee names, email addresses, and contact information
  • Employment details (job title, department, hire date, employment type)
  • Leave and time-off records (requests, approvals, balances)
  • Timekeeping records (clock-in/out, time entries, timesheets)
  • Organizational data (team membership, reporting hierarchy)
  • Authentication credentials (hashed passwords, SSO tokens)
  • Audit logs and system usage data

4. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption at rest and in transit, access controls, and regular security assessments.
  • Not engage another processor without prior specific or general written authorization of the Controller.
  • Assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR (access, rectification, erasure, portability, restriction, objection).
  • Assist the Controller in ensuring compliance with obligations related to security of processing, data breach notification, data protection impact assessments, and prior consultation.
  • At the choice of the Controller, delete or return all Personal Data after the end of the provision of Services, and delete existing copies unless storage is required by applicable law.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits.

5. Sub-processors

The Controller provides general authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object.

Current sub-processors include:

  • Stripe, Inc. — Payment processing (San Francisco, USA)
  • Infrastructure Provider — Cloud hosting and data storage (as specified in the service agreement)

6. Data Transfers

The Processor shall not transfer Personal Data to a country outside the European Economic Area (EEA) unless appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or the recipient country has been deemed adequate by the European Commission.

7. Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. The notification shall include the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.

8. Data Retention

Personal Data is retained for the duration of the service agreement. Upon termination, the Controller may request data export within 30 days. After this period, all Personal Data will be securely deleted. Audit logs may be retained for up to 12 months for compliance purposes, after which they are automatically purged.

9. Security Measures

The Processor implements the following technical and organizational measures:

  • Encryption of data at rest and in transit (TLS 1.2+)
  • Role-based access controls following the principle of least privilege
  • Multi-factor authentication for administrative access
  • Regular security assessments and vulnerability scanning
  • Automated data backup and disaster recovery procedures
  • Comprehensive audit logging of all data access and modifications
  • Rate limiting and CSRF protection on all API endpoints
  • Content Security Policy and security headers on all responses

10. Term and Termination

This DPA shall remain in effect for the duration of the main service agreement. Upon termination of the service agreement, this DPA shall automatically terminate, subject to the data retention and deletion obligations described herein.

11. Contact

For questions about this DPA or to request a signed copy, please contact us at [email protected].