Data Processing Agreement

1. About this page

This page contains the standard Data Processing Agreement (DPA) between HR Cluster AS (as data processor) and each customer (as data controller) who uses the HR Cluster platform. It forms part of the contract between us and supplements our Terms of Service and Privacy Policy.

This version is our pre-approved template. If you require a countersigned copy for your records, email privacy@hrcluster.com and we will return a signed PDF — typically within two business days.

2. Parties

Processor: HR Cluster AS, Norwegian org. no. 937 565 690.

Controller: the legal entity or organisation that has entered into an agreement with HR Cluster AS to use the platform.

3. Subject matter and duration

This DPA governs the processing of personal data that takes place when the controller uses the HR Cluster platform. It is effective from the start of the service and continues for as long as HR Cluster AS processes personal data on behalf of the controller, even if the main service agreement is amended or renewed.

4. Nature and purpose of processing

HR Cluster AS processes personal data solely to provide the HR Cluster workforce management platform, including time tracking, scheduling, incident reporting, documents and credentials, inventory, messaging, and related services, strictly following the controller's documented instructions.

This includes a limited number of automated security measures, such as Google reCAPTCHA Enterprise on selected public forms and security-sensitive requests, that are necessary to protect the platform from spam, fraud, and abuse. The current list of subprocessors involved in such measures is maintained on our Subprocessors page.

5. Categories of data subjects

• Employees, contractors, volunteers, and other workforce members of the controller
• Administrators and managers of the controller
• Other individuals whose personal data the controller uploads or enters into the platform

6. Categories of personal data

• Identity data (name, email, phone, date of birth, employee number)
• Account and access data (login credentials, PIN hashes, roles, permissions)
• Employment and scheduling data (role, group, hourly rate, shifts)
• Attendance data (clock-in/out records, geolocation where enabled)
• Documents and credentials (certifications, training, uploaded identity documents)
• Operational data (incidents, messages, inventory assignments)
• Sensitive identifiers (national ID or bank details, where entered — encrypted at rest)
• Technical data (IP address, browser/device metadata, audit log timestamps)

7. Obligations of the processor

HR Cluster AS undertakes to:

1. Process only on instruction. Process personal data only on documented instructions from the controller, as set out in the service agreement, this DPA, and applicable configuration of the platform. If HR Cluster AS is required by law to process data without such instruction, it will inform the controller before processing unless that law forbids such notice.
2. Confidentiality. Ensure that persons authorised to process personal data are bound by confidentiality obligations.
3. Security. Implement appropriate technical and organisational measures as described on our Security page, reflecting Article 32 of the GDPR.
4. Sub-processing. Engage subprocessors only under a written agreement that imposes data protection obligations equivalent to those in this DPA. The current list of approved subprocessors is published on our Subprocessors page. HR Cluster AS will notify the controller of any intended material change and give the controller a reasonable opportunity to object.
5. Assistance with data subject rights. Assist the controller, by appropriate technical and organisational measures, in responding to requests from data subjects exercising their rights under GDPR Chapter III.
6. Assistance with compliance. Assist the controller in meeting its obligations under GDPR Articles 32–36 regarding security, breach notification, impact assessments, and prior consultation, taking into account the nature of processing and the information available.
7. Breach notification. Notify the controller without undue delay after becoming aware of a personal data breach affecting the controller's data, and provide the information reasonably required for the controller to meet its own notification obligations.
8. Audit rights. Make available to the controller all information necessary to demonstrate compliance with this DPA, and allow for reasonable audits conducted at the controller's cost, on reasonable notice and under mutually agreed confidentiality terms.
9. Return or deletion. At the choice of the controller, delete or return all personal data at the end of the service, and delete existing copies unless retention is required by applicable law.

8. International transfers

HR Cluster AS's primary infrastructure is located in the European Union. Where a subprocessor processes personal data outside the EEA, the transfer is made under the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework, together with any supplementary measures indicated by the subprocessor.

9. Governing law

This DPA is governed by the laws of Norway and any disputes are subject to Norwegian courts, consistent with the main Terms of Service.

10. How to request a signed copy

Email privacy@hrcluster.com with your organisation name and registered address. We will return a countersigned PDF for your records, typically within two business days. No changes to the text are required — the version on this page is the same as the signed copy.

11. Contact

HR Cluster AS
Org. no.: 937 565 690
Email: privacy@hrcluster.com

Last updated: April 2026