Last updated: March 22, 2026
Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Plintio ("Processor") and the customer ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller.
1. Definitions
- Personal Data: any information relating to an identified or identifiable natural person
- Processing: any operation performed on personal data (collection, storage, retrieval, deletion)
- Controller: the customer who determines the purposes and means of processing
- Processor: Plintio, which processes personal data on behalf of the Controller
2. Scope of Processing
The Processor shall process personal data only:
- For the purpose of providing the Plintio HR management service
- In accordance with the Controller's documented instructions
- As required by applicable law
3. Categories of Data
| Category | Data Elements |
|---|---|
| Employee records | Name, email, phone, address, job title, hire date, status |
| Documents | Uploaded files (contracts, IDs, tax forms) |
| Time-off records | Request dates, type, status, approver |
| Account data | Admin name, email, company name |
| Usage logs | IP address, browser, actions performed |
4. Sub-Processors
The Processor engages the following sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure (via Supabase) | US-East-1 (Virginia) |
| Supabase | PostgreSQL database, authentication, file storage | USA |
| Vercel | Application hosting and CDN | Global (primary: USA) |
| Stripe | Payment processing | USA |
| Resend | Transactional email delivery | USA |
The Controller consents to the use of these sub-processors. The Processor will notify the Controller at least 30 days before adding new sub-processors.
5. Security Measures
The Processor implements appropriate technical and organizational measures including:
- Encryption of data in transit (TLS 1.2+) and at rest
- Role-based access control following the principle of least privilege
- Immutable audit logging of all data modifications
- Regular security assessments
- Incident response procedures
- Employee access limited to those with a business need
6. Data Breach Notification
In the event of a personal data breach, the Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, including:
- Nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences
- Measures taken or proposed to address the breach
7. Data Subject Rights
The Processor shall assist the Controller in responding to data subject requests (access, rectification, erasure, portability) through the Service's built-in features (CSV export, employee editing, account deletion).
8. Data Deletion
Upon termination of the Service or upon the Controller's request, the Processor shall delete all personal data within 30 days, unless retention is required by law.
9. Governing Law
This DPA is governed by the laws of the State of Delaware, USA, consistent with the Terms of Service.
10. Contact
For DPA-related inquiries: privacy@plintio.com