Data Processing Agreement — Surveys
Effective Date: May 1, 2026
Version: 1.0
Data Processing Agreement — HR Punks Surveys
This Data Processing Agreement (“DPA”) forms part of the Master Service Agreement or Order Form between:
Processor: Produktų inžinerija, MB · Lithuanian company code 305570982 · Užupio g. 26-6, LT-01203 Vilnius, Lithuania · operating as “HR Punks”.
Controller: the customer organisation identified in the signature block.
Data protection contact: [email protected]. The Processor has not appointed a Data Protection Officer under Article 37 GDPR, that appointment not being mandatory for the Processor’s current processing activities.
Terms used in this DPA have the meanings given in Regulation (EU) 2016/679 (“GDPR”). “Services” means HR Punks Surveys as described in Annex 1.
1. Scope and Duration
The Processor processes Personal Data on the Controller’s behalf to deliver the Services for the duration of the Services and the retention periods in Section 6.
2. Processor Obligations (Article 28(3) GDPR)
The Processor shall:
a) process Personal Data only on the Controller’s documented instructions — comprising this DPA, the Master Service Agreement or Order Form, the configuration choices made by the Controller’s administrators in the HR Punks dashboard, and any further written instructions agreed by the Parties — unless required by EU or Member State law;
b) ensure persons authorised to process Personal Data are bound by confidentiality;
c) implement the technical and organisational measures set out in Annex 2 (Article 32 GDPR);
d) engage Sub-processors only on the terms in Section 4;
e) assist the Controller, by appropriate technical and organisational measures, in responding to data subject rights requests under Chapter III GDPR;
f) assist the Controller with Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, prior consultations);
g) at the Controller’s choice, delete or return all Personal Data on termination of the Services, in accordance with Section 6;
h) make available the information necessary to demonstrate compliance with this DPA and allow for, and contribute to, audits under Section 5;
i) maintain a record of processing activities under Article 30(2) GDPR and make it available to the Controller or a supervisory authority on request.
3. Personal Data Breach
The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data breach affecting the Controller’s Personal Data, providing the information required by Article 33(3) GDPR to the extent then known and supplementing as further information becomes available.
Breach contact: [email protected].
4. Sub-processors
The Controller authorises the Sub-processors listed in Annex 3. The Processor will (i) impose data protection obligations on each Sub-processor no less protective than those in this DPA, (ii) remain liable for any failure by a Sub-processor to fulfil its data protection obligations, and (iii) give the Controller at least 30 days’ prior notice of any addition or replacement of Sub-processors. The Controller may object on reasonable data protection grounds; if unresolved, the Controller may terminate the Services with respect to processing requiring the disputed Sub-processor.
Notice channel: changes published at hrpunks.com/legal/dpa-surveys (Annex 3) and emailed to the Controller’s designated contact.
5. Audits
Once per calendar year, on at least 30 days’ prior written notice, the Controller may audit the Processor’s compliance with this DPA. Audits may be satisfied by (i) written responses to a reasonable security questionnaire, (ii) then-current third-party audit reports where available, or (iii) an on-site audit by the Controller or its independent auditor, subject to reasonable confidentiality and operational constraints. Each Party bears its own audit costs unless the audit reveals material non-compliance by the Processor.
6. Return or Deletion of Data
On termination of the Services, the Controller may, within 30 days of termination, request return of all Personal Data in a commonly used machine-readable format. After that window (or sooner if the Controller waives it in writing), the Processor will delete all Personal Data within a further 60 days, except where retention is required by law. Maximum window from termination to confirmed deletion of primary copies: 90 days. Routine backup copies roll out under the Processor’s backup retention policy (Annex 2) within a further 7 days. The Processor will provide written confirmation of deletion on request.
7. International Transfers
Where Personal Data is transferred outside the European Economic Area to a country not deemed adequate by the European Commission, the Parties incorporate the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module Two — controller to processor) by reference, with the parameters set out in Annex 4. The Processor warrants that no transfer is made unless an appropriate safeguard under Chapter V GDPR is in place.
8. Governing Law, Jurisdiction, and Order of Precedence
This DPA is governed by the laws of the Republic of Lithuania. The courts of Vilnius, Lithuania have exclusive jurisdiction over disputes arising under this DPA. The Parties may agree alternative governing law and jurisdiction in writing. On matters of data protection this DPA prevails over the Master Service Agreement or Order Form; the Standard Contractual Clauses, where incorporated, prevail over both on international-transfer matters. Each Party’s liability under this DPA is subject to the limits of liability set out in the Master Service Agreement or Order Form; nothing in this DPA limits liability that cannot be limited by applicable law.
Annex 1 — Details of Processing
Subject matter: Delivery and operation of HR Punks Surveys (employee engagement, eNPS, manager feedback, pulse, and similar survey types) via the Controller’s existing Slack workspace and the HR Punks web dashboard.
Duration: Term of the Services plus the retention periods in Section 6.
Nature and purpose of processing:
- Authenticate the Controller’s authorised administrators via Slack OAuth 2.0.
- Synchronise the Controller’s employee directory (name, email) from Slack.
- Deliver survey invitations and reminders to data subjects via Slack direct message (bot-to-user DM only).
- Collect survey responses through Slack interactive components (buttons, dropdowns, modal text inputs). The Processor does not subscribe to or read direct-message history or message content; responses are received as structured Slack action payloads.
- Aggregate and present survey results to the Controller’s authorised administrators, applying anonymity rules so managers see aggregated statistics and team-attributed text responses unless a data subject explicitly chooses to reveal identity on a per-response basis.
- Provide error monitoring and operational telemetry necessary to operate the Services.
Slack as a channel, not a Sub-processor: the Controller maintains its own subscription to Slack and a direct relationship with Slack Technologies under the Controller’s Slack agreement and Slack’s data processing terms. Slack is not engaged by the Processor as a Sub-processor. The Processor’s Slack app operates inside the Controller’s Slack workspace under the Controller’s authority, using only the minimum scopes set out below.
Slack OAuth scopes requested (minimum necessary):
| Scope | Purpose |
|---|---|
chat:write |
Send survey questions and reminders via direct message to data subjects. |
im:read |
Detect that a DM channel with the bot exists in order to send to it. Does not grant access to DM message content (which would require im:history, not requested). |
users:read |
Read the workspace employee directory to populate the administrator’s audience-selection list. |
users:read.email |
Match Slack users to dashboard accounts. |
Slack event subscriptions: team_join (include new employees in the survey roster) and app_home_opened (render the HR Punks home tab). The bot does not subscribe to message, channel, or file events, and has no access to public channels, private channels, or group DMs.
Categories of data subjects: the Controller’s employees, contractors, and other workforce members invited to participate in surveys; the Controller’s administrative users of the HR Punks dashboard.
Categories of Personal Data:
| Data | Source | Purpose |
|---|---|---|
| Slack user ID, display name, real name, email, profile picture | Slack users:read, users:read.email |
Identify survey recipients; render in dashboard. |
| Workspace ID and name | Slack OAuth installation | Tenant isolation. |
| Team / department membership | Configured by Controller administrator | Result segmentation. |
| Survey responses: numeric scores, text answers, response timestamps | Data subject input via Slack interactive components | Aggregate analytics; manager dashboards. |
| Identity-reveal flag on free-text responses | Data subject’s per-response choice | Anonymity control. |
| Authentication tokens (Slack OAuth bot/user tokens, dashboard sessions) | Slack OAuth flow; dashboard login | Service operation. |
| Operational logs (IP, request metadata, error stack traces) | Service runtime | Security; debugging. |
Special categories of Personal Data: none processed by default. Free-text responses are not solicited to contain special-category data; if a data subject volunteers such data it is stored alongside other free-text responses and subject to the same access controls.
Retention: active workspace data — for the duration of the Services; Personal Data after termination — deleted within 90 days (Section 6); application logs — 30 days; database backups — rolling 7-day window via AWS RDS automated backups.
Annex 2 — Technical and Organisational Measures
Hosting and infrastructure. Backend API, database, cache, and queue transport on AWS in region eu-west-1 (Dublin, Ireland) — ECS Fargate for compute, RDS PostgreSQL 15 for storage, ElastiCache (Redis) for cache and queue transport, all within a private AWS VPC. Marketing site and customer dashboard frontend on DigitalOcean App Platform in region FRA1 (Frankfurt, Germany). All Personal Data is stored within the European Economic Area.
Encryption. TLS terminated at the AWS Application Load Balancer using an AWS Certificate Manager (ACM) certificate; HTTP on port 80 redirected to HTTPS on port 443 (permanent 301 redirect). Internal traffic between the load balancer and ECS tasks runs over private subnets within the AWS VPC. AES-256 encryption at rest at the storage layer using RDS-managed KMS keys is scheduled to be enabled on the production RDS PostgreSQL instance by Q4 2026; until then, Personal Data at rest is protected by AWS VPC network isolation, restrictive RDS security groups (ingress permitted only from the API ECS service security group), IAM-credential-based database access, encrypted RDS automated backups, and deletion protection on the RDS instance. Secrets (database credentials, JWT signing secret, Sentry DSN, third-party integration credentials, Slack OAuth tokens issued by the Controller during installation) are stored in AWS Secrets Manager or in the Processor’s database secured by the controls above.
Access control and tenant isolation. Role-based access in the dashboard (User, Admin); multi-tenant logical isolation enforced at the query layer, with every database query scoped to the requesting tenant’s tenantId; the production RDS database is not directly internet-accessible, accepting ingress only from the API’s ECS service security group; AWS console and CLI access via individual IAM credentials with multi-factor authentication enabled; the Processor’s personnel access Personal Data only as strictly necessary to diagnose an active incident or fulfil a Controller request, and not for marketing or analytics purposes.
Survey anonymity and data minimisation. Responses are anonymous to managers by default; manager-facing views present aggregated statistics and free-text responses labelled “Member of [Team]”. A data subject’s identity is associated with a specific free-text response only where the data subject explicitly toggles identity reveal on that response. The Processor collects only the categories of Personal Data set out in Annex 1 (data minimisation, Article 5(1)© GDPR).
Software development and vulnerability management. Source code in private repositories with access restricted to the Processor’s personnel; continuous-integration gates (type checking, unit tests, linting) before merge to the production branch; dependency vulnerability scanning via GitHub Dependabot (weekly npm, monthly GitHub Actions and Docker base images); critical and high-severity dependency vulnerabilities triaged within 7 days and patched within 30 days of an upstream fix; production deployments exclusively via GitHub Actions to AWS ECS, with no direct write access to production runtime resources outside the deployment pipeline; OS-level patching on managed AWS services (RDS, ECS Fargate, ElastiCache) provided by AWS under the shared responsibility model. The first independent penetration test of the Services is scheduled for Q4 2026 and on a recurring annual cadence thereafter; under Section 5 the Controller may commission its own penetration test on a mutually agreed scope and timing.
Logging and monitoring. Application logs (ECS task stdout/stderr) to AWS CloudWatch with 30-day retention; AWS administrative actions captured by AWS CloudTrail; Sentry error monitoring configured with sendDefaultPii: false and a beforeSend hook that recursively redacts known Personal Data fields (email addresses, employee names, Slack identifiers, free-text survey response values, and authentication tokens) before transmission. Application audit-event log (administrator actions in the dashboard) scheduled for Q4 2026.
Incident response and personnel. Sentry alerting on production exceptions; 72-hour breach notification commitment to the Controller (Section 3); documented internal incident response procedure covering detection, containment, notification, and post-incident review; first tabletop testing of that procedure scheduled to commence Q4 2026 on a recurring annual cadence thereafter. All of the Processor’s personnel are bound by confidentiality obligations through their employment, founder, or contractor agreement; the offboarding procedure revokes credentials (AWS IAM, GitHub, Slack admin, Google Workspace) within 24 hours of notice of departure. Incident contact: [email protected].
Business continuity. AWS RDS automated daily backups with a 7-day retention window and a documented restore procedure; first restore-drill exercise scheduled for Q4 2026 on a recurring annual cadence thereafter.
Annex 3 — Approved Sub-processors
| Sub-processor | Contracting entity | Role | Location of processing | Safeguard |
|---|---|---|---|---|
| Amazon Web Services | Amazon Web Services EMEA SARL (Luxembourg) | Cloud hosting: compute, database, cache, queue transport. | EU (eu-west-1, Dublin, Ireland) |
AWS GDPR Data Processing Addendum incorporating SCCs Module 2 and Module 3 for onward transfers. |
| DigitalOcean | DigitalOcean LLC (United States) | Hosting of the marketing site and the customer dashboard frontend. | EU (FRA1, Frankfurt, Germany) |
DigitalOcean Data Processing Agreement incorporating SCCs Module 2. |
| Sentry | Functional Software Inc., operating as Sentry | Error monitoring. Personal Data is redacted at the Processor’s SDK level (Annex 2 — Logging and monitoring) before transmission. | EU (Germany, *.de.sentry.io) |
Sentry Data Processing Addendum. Storage in the EEA; SCCs Module 2 incorporated as a safeguard. |
The Controller’s existing Slack workspace is used as the survey delivery channel under the Controller’s direct relationship with Slack Technologies (Salesforce, Inc.) and is not engaged by the Processor as a Sub-processor (Annex 1).
The Processor warrants that each Sub-processor is bound by data protection obligations no less protective than those in this DPA (Article 28(4) GDPR), including onward-transfer safeguards where the Sub-processor in turn engages its own sub-processors.
Annex 4 — Standard Contractual Clauses (Module Two)
Where Personal Data is transferred outside the European Economic Area to a Sub-processor in a country not deemed adequate by the European Commission, the Parties incorporate the Standard Contractual Clauses (Module Two — controller to processor), Commission Implementing Decision (EU) 2021/914 of 4 June 2021, in full as if set out herein, with the following parameters:
- Data exporter: the Controller. Data importer: the Processor.
- Clause 7 (docking clause): not used.
- Clause 9(a): OPTION 2 — general written authorisation, with at least 30 days’ prior notice of new or replacement Sub-processors (Section 4).
- Clause 11(a) (optional independent dispute resolution body): not adopted.
- Clause 13 (supervisory authority): the State Data Protection Inspectorate of the Republic of Lithuania (Valstybinė duomenų apsaugos inspekcija).
- Clauses 17 and 18 (governing law, forum and jurisdiction): the laws and courts of Lithuania, as set out in Section 8.
- Annex I.A (parties): the signature block of this DPA.
- Annex I.B (description of transfer): Annex 1 of this DPA.
- Annex I.C (competent supervisory authority): per Clause 13 above.
- Annex II (technical and organisational measures): Annex 2 of this DPA.
- Annex III (sub-processors): Annex 3 of this DPA.
Signature Block
DPA version signed: __________ (e.g. v1.3, as published at hrpunks.com/legal/dpa-surveys on the effective date above)
For the Processor — Produktų inžinerija, MB
Name: ______________________
Title: ______________________
Date: ______________________
Signature: ______________________
For the Controller — [Customer legal entity]
Company name: ______________________
Registered address: ______________________
Registration number: ______________________
Name: ______________________
Title: ______________________
Date: ______________________
Signature: ______________________
