CHRIS HR
Sign in

Data Processing Agreement (DPA) — summary

A summary of the key terms on personal-data processing in the CHRIS service, in line with Art. 28 GDPR. A signed copy of the DPA is available on request via hello@chris.hr.

Roles

Your organization is the data controller for its employees' personal data entered into CHRIS. Web rješenja d.o.o., Markuševečka cesta 115, 10040 Zagreb, Croatia, OIB (tax ID): 97669668809, is the data processor and processes the data solely on the organization's documented instructions.

Subject matter, duration and purpose

Processing is carried out to provide the CHRIS service — keeping employee records and managing leave — and lasts for the duration of the service contract.

Categories of data subjects and data

Data subjects are the organization's employees and members. The following categories of data are processed:

  • name and work email address,
  • employment details: start date, contract type and leave quotas,
  • leave requests, including the leave type (which may indicate health-related leave),
  • optionally: HR notes, an emergency contact and a CV.

Processor obligations

As the data processor, we commit to the following:

  • we process data only on the organization's instructions,
  • persons with access to the data are bound by confidentiality,
  • we apply appropriate technical and organizational security measures (role-based access control, two-factor sign-in, EU data storage),
  • we assist the organization with data-subject rights and security obligations,
  • we notify the organization of a personal-data breach without undue delay.

Sub-processors

The following sub-processors are engaged to provide the service, and all data is stored in the European Union:

We will notify organizations in advance of planned changes to sub-processors.

  • Supabase — database and authentication (EU region),
  • Stripe — payment processing,
  • Mailgun EU — email delivery,
  • Hetzner (via Nebion) — hosting in the EU.

Deletion and return of data

After the contract ends, we delete the data at the organization's request or no later than within 30 days. Before deletion, the organization can request an export of its data.

Signed DPA

This summary is for information and does not replace the agreement itself. Request the signed Data Processing Agreement at hello@chris.hr.

Version 1.0 — June 2026.