Data Processing Agreement (DPA)
1. Roles
- Controller: your company. You decide which workers go into Labourix, which documents are uploaded, and why.
- Processor: Labourix. We process that data only to deliver the service, and only on your instructions.
Using the product's features is your instruction: when you file a LIMOSA declaration, you instruct us to transmit that data to the Belgian authority; when you send an hour report, you instruct us to disclose it to that client.
2. Subject matter and duration
We process the data for as long as your account exists, plus the retention periods described in the privacy policy. The subject matter is workforce administration and legal compliance for construction.
3. Categories of data subjects and data
- Data subjects: your workers and the workers of subcontractors you register; your own staff; contact persons at your clients.
- Data: identity data and national numbers; identity, A1 and LIMOSA documents and data extracted from them; clock-in/clock-out times and a GPS position at those two moments; hours, tasks and leave; wage or rate data; housing and vehicle assignments; documents you upload.
4. Our obligations
- Process only on your documented instructions, and tell you if we believe an instruction breaks the law.
- Bind everyone with access to confidentiality.
- Apply appropriate technical and organisational measures (clause 6).
- Assist you with data-subject requests, impact assessments and consultations with the authority.
- On your choice, delete or return the data when the service ends.
- Make available the information you need to show compliance, and allow audits (clause 8).
5. Subprocessors
You give general authorisation for the subprocessors below. We will tell you at least 30 days before adding or replacing one, and you may object; if we cannot resolve your objection, you may cancel without penalty.
- Cloud hosting & database — application and data storage — European Union.
- Transactional e-mail — sending notifications, approval links and password e-mails — European Union.
- Payment provider — subscription billing. Receives billing data only; never worker data.
- AI processing — used for document scanning and contract review. Data is sent for the single purpose of producing that result, is not retained by the provider for training, and is covered by a processing agreement with a zero-retention arrangement.
All subprocessors are bound by terms at least as strict as this DPA. Where any processing takes place outside the EEA, it is covered by the European Commission's Standard Contractual Clauses.
6. Security measures
- Encryption in transit (TLS) on every channel, across every Labourix application.
- Encryption at rest for the database and stored documents.
- Tenant isolation enforced on every API request — not merely hidden in the interface.
- Role-based access: owner, admin, coordinator, foreman, worker. Workers see only their own data. Clients see only what you send them.
- Least-privilege access for Labourix staff; production access is limited, logged, and used only to fix a problem you reported.
- Regular backups with tested restores.
- Data minimisation by design: GPS is captured only at clock-in and clock-out. There is no continuous or background location tracking, and we will not build it.
- Your data is never used to train AI models.
7. Personal data breach
If a breach affects your data we will notify you without undue delay and in any case within 48 hours of becoming aware, with what we know: what happened, which data and roughly how many people are affected, the likely consequences, and what we are doing about it. You remain the one who notifies the supervisory authority — within your 72-hour window — and we will give you everything you need to do it.
8. Audits
You may verify our compliance once a year, and after any breach: by asking us a written set of questions, by reviewing documentation we provide, or — for larger customers — by an on-site or remote audit with reasonable notice, at your cost, subject to confidentiality and without disturbing other customers.
9. Deletion and return
When your contract ends you can export everything. We then delete or anonymise the data within 90 days, except where the law obliges us to keep it (invoices; compliance records still inside their statutory retention period). Backups roll off within 35 days.
10. Precedence
If this DPA and the Terms of service conflict on a data-protection point, this DPA wins.
Need this signed?
Some clients want a countersigned PDF for their file. Ask and you will have it the same day.
Request a signed DPA