Data Processing Agreement

GDPR & Data Protection Compliance

Last Updated: March 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Trackfaze ("Processor") and the subscribing entity ("Controller").

1. Definitions

  • "Personal Data": Any information relating to an identified or identifiable person
  • "Processing": Any operation performed on Personal Data
  • "Sub-processor": Third party engaged by Processor to process data
  • "Data Subject": Individual whose Personal Data is processed

2. Scope and Purpose

This DPA applies to all Personal Data processed by Trackfaze on behalf of the Controller in connection with the workforce management services provided.

3. Processor Obligations

Trackfaze agrees to:

  • Process data only on documented instructions from Controller
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist Controller with data subject requests
  • Delete or return data upon termination
  • Make available information necessary to demonstrate compliance

4. Security Measures

We implement and maintain:

  • Encryption of data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security testing and vulnerability assessments
  • Incident response and breach notification procedures
  • Employee security awareness training
  • Physical security for data center facilities

5. Sub-processors

Current sub-processors include:

  • Vercel - Hosting and infrastructure
  • Supabase - Database and authentication
  • Stripe - Payment processing
  • Resend - Email delivery

We will notify Controller of any sub-processor changes with 30 days' notice.

6. Data Transfers

For international data transfers, we rely on:

  • Standard Contractual Clauses (SCCs)
  • Data Processing Agreements with sub-processors
  • Compliance with applicable transfer mechanisms

7. Data Subject Rights

We will assist Controller in responding to requests from Data Subjects to exercise their rights under applicable law, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to data portability
  • Right to object

8. Breach Notification

In case of a Personal Data breach, we will:

  • Notify Controller without undue delay (within 72 hours)
  • Provide details of the breach and affected data
  • Assist with breach investigation and mitigation
  • Support required regulatory notifications

9. Audit Rights

Controller may audit our compliance with this DPA:

  • Upon reasonable notice (minimum 30 days)
  • During normal business hours
  • At Controller's expense
  • We may satisfy audit requests through third-party certifications

10. Duration and Termination

This DPA remains in effect for the duration of the Services agreement. Upon termination:

  • We will delete all Personal Data within 90 days
  • Controller may request data export before deletion
  • Certain data may be retained as required by law

11. Liability

Our liability under this DPA is subject to the limitations in the Terms of Service.

12. Governing Law

This DPA is governed by the laws of the State of Maryland.

Contact

Data Protection inquiries: support@trackfaze.com

Trackfaze
8 Market Pl Suite 339
Baltimore, MD 21202