Data Processing Agreement

GDPR Article 28 — Available to all paid customers

Under the EU General Data Protection Regulation (GDPR), when a Data Processor processes personal data on behalf of a Data Controller, a written Data Processing Agreement (DPA) is required (Article 28). VisitorPass provides a DPA to every paying customer.

Who signs the DPA?

The DPA is an agreement between:

What the DPA covers

  1. Scope and subject-matter — processing activities carried out by VisitorPass on your behalf: storage, retrieval, anonymisation, deletion and transmission of visitor and employee data.
  2. Duration — the DPA remains in force for the duration of your subscription and expires on account closure.
  3. Nature and purpose of processing — visitor management, employee time tracking, space reservations, fault reporting and related functionality as described in the service documentation.
  4. Type of personal data — visitor names, contact details, visit timestamps, signed documents, employee clock records, and any additional data you choose to collect.
  5. Processor obligations — process data only on your instructions; ensure that all personnel with data access are bound by confidentiality obligations; maintain appropriate technical and organisational security measures.
  6. Sub-processors — a list of authorised sub-processors is attached; we will notify you of any additions with 30 days' notice and you have the right to object.
  7. Data subject rights — we assist you in responding to access, rectification, erasure and portability requests within the timescales required by GDPR.
  8. Security measures — encrypted transmission (TLS), encrypted storage, access controls, regular backups, annual security reviews and staff data protection training.
  9. Breach notification — we will notify you without undue delay (and no later than 72 hours after becoming aware) of any personal data breach affecting your data.
  10. Audit rights — you may audit our processing activities relevant to this DPA on reasonable notice; we will provide all information necessary to demonstrate compliance.
  11. Data return and deletion — on termination, all your data can be exported in machine-readable format; data is deleted from our systems within 30 days of account closure.
  12. International transfers — data is stored within the European Economic Area. Any transfer outside the EEA is covered by Standard Contractual Clauses.

How to request your DPA

Email legal@visitorpass.eu with the subject line "DPA Request — [your company name]". We will send the DPA document within 2 business days for electronic signature.

Enterprise customers may negotiate custom DPA terms. Please indicate this in your email.

Request your DPA now

Required for GDPR compliance. Provided free of charge to all paying customers.
