Data processing
agreement

The Article 28 agreement your company needs before it puts worker data into any system. It applies automatically — you do not have to ask.

Data Processing Agreement (DPA)

Updated 14 July 2026 · Part of the Terms of service · privacy@labourix.com
You do not need to request this. This DPA applies automatically to every Labourix customer from the moment you create an account. If your own client or your accountant asks "do you have a processing agreement with your software supplier?", the answer is yes — send them this page. If you need it signed on paper, write to us and we will sign it.

1. Roles

Using the product's features is your instruction: when you file a LIMOSA declaration, you instruct us to transmit that data to the Belgian authority; when you send an hour report, you instruct us to disclose it to that client.

2. Subject matter and duration

We process the data for as long as your account exists, plus the retention periods described in the privacy policy. The subject matter is workforce administration and legal compliance for construction.

3. Categories of data subjects and data

4. Our obligations

5. Subprocessors

You give general authorisation for the subprocessors below. We will tell you at least 30 days before adding or replacing one, and you may object; if we cannot resolve your objection, you may cancel without penalty.

All subprocessors are bound by terms at least as strict as this DPA. Where any processing takes place outside the EEA, it is covered by the European Commission's Standard Contractual Clauses.

6. Security measures

7. Personal data breach

If a breach affects your data we will notify you without undue delay and in any case within 48 hours of becoming aware, with what we know: what happened, which data and roughly how many people are affected, the likely consequences, and what we are doing about it. You remain the one who notifies the supervisory authority — within your 72-hour window — and we will give you everything you need to do it.

8. Audits

You may verify our compliance once a year, and after any breach: by asking us a written set of questions, by reviewing documentation we provide, or — for larger customers — by an on-site or remote audit with reasonable notice, at your cost, subject to confidentiality and without disturbing other customers.

9. Deletion and return

When your contract ends you can export everything. We then delete or anonymise the data within 90 days, except where the law obliges us to keep it (invoices; compliance records still inside their statutory retention period). Backups roll off within 35 days.

10. Precedence

If this DPA and the Terms of service conflict on a data-protection point, this DPA wins.

Need this signed?

Some clients want a countersigned PDF for their file. Ask and you will have it the same day.

Request a signed DPA