Data Processing Terms
Data Processing Terms for GDPR and EU regulatory compliance.
Last updated:February 24, 2026
Company details (placeholders)
- Processor legal entity: [PLACEHOLDER: Full legal company name]
- Organization number: [PLACEHOLDER: Swedish organization number]
- Registered address: [PLACEHOLDER: Street, postal code, city, country]
- DPA contact: [PLACEHOLDER: dpa@company-domain.com]
These Data Processing Terms summarize Schedulyn's commitments when processing personal data on behalf of Customers under GDPR and other applicable EU/EEA data protection laws. A signed DPA may include additional commercial or technical annexes. In case of conflict regarding personal data processing, the signed DPA prevails.
1. Roles and scope
Customer acts as controller and Schedulyn acts as processor under GDPR Art. 28 for personal data submitted to the Service. Processing is limited to what is necessary to provide, maintain, secure, and support the Service.
2. Processing details (Art. 28(3))
- Subject matter: cloud workforce scheduling and related support services.
- Duration: for the term of the service agreement and agreed deletion/export window.
- Nature: collection, storage, structuring, retrieval, analysis, scheduling optimization, deletion.
- Purpose: deliver scheduling workflows, coverage planning, user administration, and auditability.
- Data subjects: employees, managers, admins, and authorized customer users.
- Data categories: identity/contact data, shift and availability data, access and audit metadata.
3. Documented instructions
Schedulyn processes personal data only on documented Customer instructions unless required otherwise by Union or Member State law. If such legal requirement applies, Schedulyn informs Customer unless legally prohibited.
4. Confidentiality and personnel controls
Personnel authorized to process personal data are subject to confidentiality obligations and trained on security and data protection responsibilities.
5. Security of processing (Art. 32)
- Access control and least-privilege enforcement.
- Encryption in transit and integrity protections for production environments.
- Logging, monitoring, and incident response processes.
- Backup and recovery controls designed for resilience and availability.
- Regular review of security practices based on risk and system changes.
6. Subprocessors
Customer provides general authorization for Schedulyn to use subprocessors that are necessary to provide the Service. Schedulyn imposes data protection obligations on subprocessors equivalent to those in this DPA and remains responsible for subprocessors' processing in accordance with GDPR requirements.
7. Assistance with data subject rights
Considering the nature of processing, Schedulyn provides reasonable assistance to help Customer respond to requests to exercise data subject rights under GDPR Chapter III.
8. Incident notification
Schedulyn notifies Customer without undue delay after becoming aware of a personal data breach affecting Customer data and provides available information reasonably required for Customer's legal assessment and notification obligations.
9. DPIA and supervisory support
Schedulyn provides reasonable support for data protection impact assessments and prior consultation duties where required and relevant to the processing performed by Schedulyn.
10. Audits and information rights
Schedulyn makes available information reasonably necessary to demonstrate compliance and, where agreed, supports audits conducted by Customer or an independent auditor under confidentiality and proportionality conditions.
11. International transfers
Transfers outside the EEA/UK are governed by valid transfer safeguards (such as SCCs) and supplementary measures where needed under GDPR Chapter V.
12. Return and deletion
At the end of the service relationship, Schedulyn deletes or returns personal data (including copies), unless Union or Member State law requires retention.
13. Contact
DPA and compliance requests: sales@schedulyn.com and [PLACEHOLDER: DPA/legal contact].