Data Processing Agreement

Last updated: March 2026

This Data Processing Agreement is based on the Common Paper Data Processing Agreement Standard Terms Version 1.1, adapted for Timply's time tracking and scheduling platform.

License: The Common Paper Data Processing Agreement is licensed under CC BY 4.0. This document is a derivative work adapted for Timply. Original work © Common Paper.

Cover Page

To use this DPA, the parties must complete and sign or electronically accept this Cover Page. Capitalized words have the meanings given on this Cover Page or in the Standard Terms below.

Parties

Variable                    Meaning
Provider                    Walter Media AB, Kronetorpsgatan 64F, 212 26 Malmö, Sweden, org. no. 559318-9060
Customer                    The legal entity that accepts the Cloud Service Agreement and this DPA
Agreement                   The Cloud Service Agreement between Provider and Customer
Governing Member State      Sweden
Provider Security Contact   support@waltermedia.se
Security Policy             The security documentation at https://timply.se/security

Annex I(B) – Description of Processing

Subject matter of processing: Provision of the Timply platform including time tracking, scheduling, employee management, payment processing via Stripe for subscriptions, and related services.

Nature and purpose of processing: Processing of Customer Personal Data as necessary to provide and maintain the Service, including storing, displaying, and transmitting data for schedules, time entries, employee management, payments, and platform functionality.

Duration of processing: For the duration of the Agreement and until Customer instructs deletion, plus any retention period required by Applicable Law.

Categories of Data Subjects:

  • Customer's employees and authorized users
  • Other individuals whose data Customer submits to the Service

Categories of Personal Data:

  • Name, email, phone, addresses
  • Schedule and time entry data
  • Payment information (processed via Stripe for subscriptions)
  • Data stored in custom fields and notes
  • Other data Customer submits to the Service

Special Category Data: None (Customer will not submit special category data unless separately agreed).

Frequency of transfer: Continuous, as needed for Service provision.

Annex II – Technical and Organizational Measures

Provider implements the following measures (as described in the Security Policy):

  • Encryption: TLS 1.2+ for data in transit; encryption at rest in database
  • Access control: Row Level Security, role-based access control, secure authentication (bcrypt, magic links)
  • Network security: DDoS protection, WAF, rate limiting
  • Subprocessor oversight: Written agreements with subprocessors incorporating data protection obligations
  • Incident response: Procedures for Security Incident notification within 72 hours
  • Staff confidentiality: Contractual confidentiality obligations for personnel
  • Backups: Regular encrypted backups

Annex III – Approved Subprocessors

Subprocessor             Location                              Processing activities
Stripe                   Ireland (EU)                          Payment processing
Supabase                 AWS eu-north-1 (Stockholm, Sweden)    Database hosting
AWS                      eu-north-1 (Stockholm, Sweden)        Infrastructure hosting
Google Cloud Platform    eu-north1 (Stockholm, Sweden)         Infrastructure hosting
SendGrid                 EU                                    Email delivery
Vercel Analytics         Stockholm, Sweden / EU                Website analytics
Vercel (build)           Global                                Web deployment; may process source code and build logs
EAS (Expo)               Global                                Mobile builds; may process source code and build logs
Sentry                   EU                                    Error monitoring
Uptime monitoring        Global                                Service availability

An up-to-date list is available at https://timply.se/security or via support@waltermedia.se. Provider will notify Customer at least 10 business days before adding or replacing subprocessors.

---

DPA Standard Terms

These Standard Terms are based on the Common Paper Data Processing Agreement Standard Terms Version 1.1 (May 9, 2025). The original terms are available at https://commonpaper.com/standards/data-processing-agreement/1.1/

1. Processor and Subprocessor Relationships

1.1 Provider as Processor. Where Customer is a Controller of Customer Personal Data, Provider is a Processor processing Personal Data on behalf of Customer.

1.2 Provider as Subprocessor. Where Customer is a Processor of Customer Personal Data, Provider is a Subprocessor of that data.

2. Processing

2.1 Processing Details. Annex I(B) on the Cover Page describes the subject matter, nature, purpose, and duration of Processing, as well as the Categories of Personal Data and Categories of Data Subjects.

2.2 Processing Instructions. Customer instructs Provider to Process Customer Personal Data: (a) to provide and maintain the Service; (b) as specified through Customer's use of the Service; (c) as documented in the Agreement; and (d) as documented in other written instructions given by Customer and acknowledged by Provider. Provider will follow these instructions unless prohibited by Applicable Laws. Provider will immediately inform Customer if unable to follow instructions. Customer has given and will only give instructions that comply with Applicable Laws.

2.3 Processing by Provider. Provider will only Process Customer Personal Data in accordance with this DPA and the Cover Page. If Provider updates the Service, Provider may change the processing details by notifying Customer of updates and changes.

2.4 Customer Processing. Where Customer is a Processor and Provider is a Subprocessor, Customer will comply with all Applicable Laws and Subprocessor requirements in Customer's agreement with its Controller.

2.5 Consent to Processing. Customer has complied and will comply with all Applicable Data Protection Laws concerning its provision of Customer Personal Data to Provider, including disclosures, consents, and safeguards.

2.6 Subprocessors. (a) Provider will not provide Customer Personal Data to a Subprocessor unless Customer has approved the Subprocessor. The Approved Subprocessors are listed in Annex III. Provider will inform Customer at least 10 business days in advance in writing of any changes. Customer has 30 days after notice to object; otherwise Customer is deemed to accept. If Customer objects within 30 days, the parties will cooperate in good faith to resolve the objection. (b) Provider will have written agreements with Subprocessors ensuring they only access and use Customer Personal Data as required and consistent with the Agreement. (c) If GDPR applies, Provider's agreements with Subprocessors will incorporate the data protection obligations in this DPA. Provider will share copies of Subprocessor agreements at Customer's request (subject to redaction for confidential information). (d) Provider remains fully liable for Subprocessor obligations and will notify Customer of any Subprocessor failure to fulfill material obligations.

3. Restricted Transfers

3.1 Authorization. Customer agrees that Provider may transfer Customer Personal Data outside the EEA, UK, or other territory as necessary to provide the Service. Where no adequacy decision applies, Provider will implement appropriate safeguards consistent with Applicable Data Protection Laws.

3.2 Ex-EEA Transfers. If GDPR protects the transfer, the transfer is from Customer in the EEA to Provider outside the EEA, and no adequacy decision applies, then by entering this DPA the parties are deemed to have signed the EEA SCCs (Commission Implementing Decision 2021/914). The EEA SCCs are completed as follows: Module Two (Controller to Processor) applies when Customer is Controller; Module Three (Processor to Sub-Processor) applies when Customer is Processor. For each module: Clause 7 optional docking does not apply; Clause 9 Option 2 applies with 10 business days minimum notice; Clause 11 optional language does not apply; Clause 13 square brackets removed; Clause 17 Option 1 – laws of Sweden; Clause 18(b) – courts of Sweden. The Cover Page contains the information required in Annex I, II, and III of the EEA SCCs.

3.3 Ex-UK Transfers. If UK GDPR protects the transfer, the transfer is from Customer in the UK to Provider outside the UK, and no adequacy regulations apply, then by entering this DPA the parties are deemed to have signed the UK Addendum. Section 3.2 contains Table 2 information. Table 4 is modified: neither party may end the UK Addendum per Section 19; if ICO issues a revised Approved Addendum, the parties will work in good faith to revise this DPA. The Cover Page contains Annex 1A, 1B, II, and III information.

3.4 Other International Transfers. For Swiss law transfers, references to GDPR in the EEA SCCs are amended to refer to the Swiss Federal Data Protection Act where required.

4. Security Incident Response

Upon becoming aware of any Security Incident, Provider will: (a) notify Customer without undue delay when feasible, but no later than 72 hours after becoming aware; (b) provide timely information about the Security Incident as it becomes known or as reasonably requested by Customer; and (c) promptly take reasonable steps to contain and investigate. Provider's notification or response does not constitute an acknowledgment of fault or liability.

5. Audit & Reports

5.1 Audit Rights. Provider will give Customer all information reasonably necessary to demonstrate compliance with this DPA and will allow and contribute to audits. Provider may restrict access where it would negatively impact Provider's intellectual property, confidentiality, or other obligations. Customer will exercise audit rights by instructing Provider to comply with the reporting and due diligence requirements below. Provider will maintain compliance records for 3 years after the DPA ends.

5.2 Security Reports. Customer acknowledges that Provider may be audited against the Security Policy by independent auditors. Upon written request, Provider will give Customer, on a confidential basis, a summary of its then-current Report (if available) so Customer can verify compliance.

5.3 Security Due Diligence. Provider will respond to reasonable written requests from Customer to confirm compliance, including questionnaires. Requests must be made to support@waltermedia.se and may be made once per year.

6. Coordination & Cooperation

6.1 Response to Inquiries. If Provider receives any inquiry or request about Processing of Customer Personal Data, Provider will notify Customer and will not respond without Customer's prior consent. If allowed by Applicable Law, Provider will follow Customer's reasonable instructions. If a data subject makes a valid request to delete or opt out, Provider will assist Customer in fulfilling it. Provider will cooperate with Customer, at Customer's expense, in any legal response to third-party requests about Provider's Processing.

6.2 DPIAs and DTIAs. If required by Applicable Data Protection Laws, Provider will reasonably assist Customer in conducting data protection impact assessments or data transfer impact assessments and consultations with authorities.

7. Deletion of Customer Personal Data

7.1 Deletion by Customer. Provider will enable Customer to delete Customer Personal Data consistent with Service functionality. Provider will comply as soon as reasonably practicable except where further storage is required by Applicable Law.

7.2 Deletion at DPA Expiration. After the DPA expires, Provider will return or delete Customer Personal Data at Customer's instruction unless further storage is required or authorized by Applicable Law. If return or destruction is impracticable or prohibited, Provider will make reasonable efforts to prevent additional Processing and will continue to protect remaining data. If the parties have entered the EEA SCCs or UK Addendum, Provider will provide the certification of deletion in Clause 8.1(d) and 8.5 of the EEA SCCs only if Customer requests it.

8. Limitation of Liability

8.1 Liability Caps. To the maximum extent permitted under Applicable Data Protection Laws, each party's total cumulative liability arising out of or related to this DPA is subject to the waivers, exclusions, and limitations of liability in the Agreement.

8.2 Related-Party Claims. Claims against Provider or its Affiliates arising from this DPA may only be brought by the Customer entity that is a party to the Agreement.

8.3 Exceptions. This DPA does not limit liability to an individual for data protection rights under Applicable Data Protection Laws, or for violations of the EEA SCCs or UK Addendum.

9. Conflicts Between Documents

This DPA forms part of and supplements the Agreement. In case of inconsistency, the documents take precedence in the following order: (1) the EEA SCCs or UK Addendum, (2) this DPA, (3) the Agreement.

10. Term of Agreement

This DPA starts when Provider and Customer agree to this Cover Page and sign or electronically accept the Agreement, and continues until the Agreement expires or is terminated. The parties remain subject to obligations in this DPA and Applicable Data Protection Laws until Customer stops transferring Customer Personal Data to Provider and Provider stops Processing it.

11. Definitions

"Applicable Laws" – laws, rules, regulations, and binding requirements that apply to a party.

"Applicable Data Protection Laws" – Applicable Laws governing how the Service may process personal information.

"Controller" – as defined in Applicable Data Protection Laws.

"Customer Personal Data" – Personal Data that Customer uploads or provides to Provider as part of the Service and governed by this DPA.

"EEA" – EU member states, Norway, Iceland, Liechtenstein.

"EEA SCCs" – standard contractual clauses in Commission Implementing Decision 2021/914.

"GDPR" – EU Regulation 2016/679 as implemented in EEA member states.

"Personal Data" – as defined in Applicable Data Protection Laws.

"Processing" / "Process" – as defined in Applicable Data Protection Laws.

"Processor" – as defined in Applicable Data Protection Laws.

"Report" – audit reports prepared according to the Security Policy on behalf of Provider.

"Restricted Transfer" – (a) GDPR: transfer from EEA to a country outside EEA not subject to adequacy decision; (b) UK GDPR: transfer from UK to another country not subject to adequacy regulations.

"Security Incident" – Personal Data Breach as defined in Article 4 of the GDPR.

"Service" – the product and services described in the Agreement.

"Subprocessor" – as defined in Applicable Data Protection Laws.

"UK Addendum" – international data transfer addendum to the EEA SCCs issued by the ICO.

"UK GDPR" – EU Regulation 2016/679 as implemented by UK law.

---

Contact

Walter Media AB
Trading as Timply
Kronetorpsgatan 64F
212 26 Malmö
Sweden

Email: support@waltermedia.se
Organisationsnummer: 559318-9060