Data Processing Agreement

Dupexi Group Oy · Business ID: 3630170-2 · Finland

Last updated: June 11, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Dupexi Group Oy (Business ID: 3630170-2) ("Processor", "Dupexi", "we", "us") and the customer organization using the Dupexi Service ("Controller", "Customer").

This DPA applies to personal data that Dupexi processes on behalf of a Customer in connection with the Service, including workforce scheduling, shift management, work logs, and related organization data entered or generated by the Customer and its authorized users.

1) Purpose

The purpose of this DPA is to establish the rights and obligations of the parties regarding the processing of personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR").

2) Roles and scope

For the purposes of GDPR:

  • The Customer acts as the Data Controller for personal data relating to its workforce, invited users, and organization that is processed through the Service.
  • Dupexi Group Oy acts as the Data Processor for that Customer personal data.

The Customer determines the purposes and means of processing workforce and organization data through the Service. Dupexi processes that personal data solely on behalf of and according to the documented instructions of the Customer.

Documented instructions include the Customer's use of the Service in accordance with the Terms of Service, configuration of organization settings and roles, and written instructions sent to support@dupexi.com.

This DPA does not cover personal data for which Dupexi acts as an independent Data Controller, such as direct marketing analytics on public website pages, Dupexi's own billing relationship with the Customer organization, or support communications initiated directly with Dupexi. That processing is described in our Privacy Policy.

3) Subject matter and duration

This DPA applies to personal data processed through the Dupexi web and mobile workforce scheduling platform, including shift planning, work logs, team coordination, notifications, and related reporting features.

Processing will continue for as long as the Customer maintains an active account or until the personal data is deleted or returned in accordance with this DPA and Dupexi's retention policies.

4) Nature and purpose of processing

Dupexi processes personal data for the purpose of providing the Service, including:

  • Workforce scheduling and shift assignment
  • Employee and worker coordination across locations
  • Work logs, attendance tracking, and approvals
  • Worker availability and scheduling preferences
  • Organization invites, onboarding, and role management
  • In-app and push notifications about shifts and work activity
  • Monthly work summaries and related exports
  • Profile photo storage and display
  • User authentication, account management, and access control
  • Service maintenance, security monitoring, fraud prevention, and support

5) Categories of personal data

Depending on how the Customer uses the Service, personal data may include:

  • Names and email addresses
  • User account and authentication information
  • Profile photos or avatars uploaded to the Service
  • Organization, location, and role or permission information
  • Employee and worker membership records
  • Shift assignments, schedules, and availability preferences
  • Worker notes submitted with availability or scheduling data
  • Work logs, attendance records, and related notes
  • Monthly work summaries and summary line items
  • Invite records for users who have not yet registered
  • Push notification device tokens
  • In-app feedback submissions
  • Language, timezone, and display preferences (such as time format)
  • Application, usage, and security logs (such as IP address, device or browser type, and authentication or security events)

Dupexi does not intentionally process special categories of personal data through the Service. The Customer is responsible for ensuring that only necessary personal data is submitted and that any sensitive information is not uploaded unless legally permitted and appropriately safeguarded.

6) Categories of data subjects

Personal data may relate to:

  • Organization owners
  • Managers and location managers
  • Supervisors
  • Employees and workers
  • Invited users who have not yet accepted an invitation
  • Other authorized users of the Service

7) Customer responsibilities

The Customer is responsible for:

  • Complying with applicable data protection laws.
  • Providing any required notices to data subjects.
  • Obtaining any necessary legal basis for processing personal data.
  • Ensuring that instructions provided to Dupexi comply with applicable law.
  • Managing invitations, roles, and access within its organization.
  • Responding to data subject requests, except where Dupexi is required to assist under this DPA.

8) Processor obligations

Dupexi shall:

  • Process personal data only on documented instructions from the Customer, unless required by applicable law (in which case Dupexi will inform the Customer of that legal requirement unless prohibited by law).
  • Inform the Customer without undue delay if Dupexi believes a Customer instruction infringes GDPR or other applicable data protection law.
  • Ensure that personnel authorized to process personal data are subject to confidentiality obligations.
  • Implement appropriate technical and organizational measures to protect personal data, as described in Section 9.
  • Not engage another processor (subprocessor) without authorization as described in Section 10.
  • Assist the Customer, taking into account the nature of processing, with data subject requests under Section 12.
  • Assist the Customer, upon reasonable request and taking into account the nature of processing, with data protection impact assessments and prior consultations with supervisory authorities, to the extent required by GDPR.
  • Notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data and, where feasible, within 72 hours of becoming aware.
  • Make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and allow audits as described in Section 14.
  • At the choice of the Customer, delete or return Customer personal data upon termination of the Service, as described in Section 13, unless retention is required by law.

9) Security measures

Dupexi implements technical and organizational security measures designed to protect personal data against unauthorized access, loss, misuse, disclosure, alteration, or destruction. Such measures include:

  • Authentication controls and secure session management
  • Organization-scoped access controls and row-level security for multi-tenant data isolation
  • Role-based permissions within Customer organizations (such as owner, manager, worker, and location manager)
  • Encryption of data in transit (TLS) and encryption at rest where supported by infrastructure providers
  • Secure cloud hosting and managed database infrastructure
  • Monitoring, logging, and security event recording
  • Automated backup and recovery procedures with defined retention limits
  • Access restrictions for Dupexi personnel and subprocessors on a need-to-know basis

Dupexi may update its security measures from time to time provided that such changes do not materially reduce the overall level of protection.

10) Subprocessors

The Customer provides general written authorization for Dupexi to engage subprocessors that process Customer personal data where necessary to provide the Service.

As of the date of this DPA, Dupexi uses the following subprocessors:

  • Supabase, Inc. — cloud database, authentication, file storage, and serverless backend functions
  • Vercel, Inc. — hosting of the web application and related API routes
  • Stripe, Inc. — subscription billing and payment processing for Customer accounts
  • Resend, Inc. — delivery of transactional emails (such as worker invitations and service notifications)
  • Functional Software, Inc. (Sentry) — application error monitoring and diagnostic logging
  • Expo (Expo Push Notification Service) — delivery of mobile push notifications to registered devices

Dupexi remains responsible to the Customer for the performance of subprocessors and ensures that subprocessors are subject to data protection obligations no less protective than those in this DPA.

Dupexi will provide at least 30 days' prior notice before engaging a new subprocessor that processes Customer personal data, or before replacing an existing subprocessor in a way that materially changes processing. The Customer may object on reasonable grounds relating to data protection by notifying Dupexi in writing within the notice period. If the parties cannot resolve the objection, the Customer may terminate the affected paid Service as its sole remedy.

An updated subprocessor list will be published on this page when material changes occur.

11) International data transfers

Dupexi configures production services to use EU/EEA hosting where available. Primary Customer workforce data is stored and processed through Supabase infrastructure selected for the production environment.

Some subprocessors may process limited personal data in the United States or other countries outside the European Economic Area (EEA), including for payment processing, email delivery, error monitoring, application hosting, and push notification delivery.

Where personal data is transferred outside the EEA, Dupexi will ensure appropriate safeguards are in place, such as the European Commission's Standard Contractual Clauses, adequacy decisions, or equivalent transfer mechanisms offered by subprocessors.

12) Data subject requests

To the extent reasonably possible and taking into account the nature of the processing, Dupexi will assist the Customer in responding to requests from data subjects concerning:

  • Access
  • Correction
  • Deletion
  • Restriction
  • Portability
  • Objection

The Customer remains responsible for responding to such requests. End users who cannot reach their organization administrator may contact Dupexi support as described in the Privacy Policy; Dupexi will coordinate with the Customer where appropriate.

13) Deletion and return of data

Upon verified request from an authorized Customer representative before account closure, Dupexi will use commercially reasonable efforts to provide an export of Customer personal data in a commonly used electronic format within 30 days, where technically feasible.

Upon termination of the Service or upon verified deletion request from an authorized Customer representative, Dupexi will delete or return Customer personal data, unless retention is required by applicable law or necessary for legitimate backup, security, fraud prevention, billing dispute resolution, or operational purposes.

Certain backup copies may remain temporarily until automatically deleted through standard retention processes. Organization records created for workforce operations (such as historical schedules or work logs) may remain subject to the Customer's retention choices and legal obligations until deleted through authorized organization administration or verified support requests.

14) Audit rights

Upon reasonable written request and no more than once per year, Dupexi will provide information reasonably necessary to demonstrate compliance with this DPA.

Dupexi may satisfy audit requests through documentation, security summaries, subprocessor information, certifications, or other appropriate evidence. On-site audits may be considered only where required by applicable law and subject to reasonable confidentiality, scheduling, and security constraints.

15) Liability

Liability relating to the processing of personal data shall be governed by the liability provisions set forth in the applicable Terms of Service between the parties.

16) Changes to this DPA

Dupexi may update this DPA from time to time to reflect changes in legal requirements, services, subprocessors, or processing activities.

Updated versions will be published with a revised "Last updated" date. Material changes to subprocessors will be handled in accordance with Section 10.

17) Contact

Questions regarding this DPA or data protection matters may be directed to: support@dupexi.com

Dupexi Group Oy
Business ID: 3630170-2
Finland