Data Processing Agreement
Effective date: May 25, 2026
This Data Processing Agreement ("DPA") is entered into between the customer that uses the Service ("Customer") and Saadi Myftija, a sole proprietor operating Shiftkeeper ("Shiftkeeper", "Provider", "we", "us", or "our").
This DPA forms part of and supplements the agreement governing Customer's use of Shiftkeeper, including our Terms of Service and any applicable order form (together, the "Agreement"). It applies where Shiftkeeper processes Customer Personal Data on Customer's behalf. If there is a conflict concerning the processing of Customer Personal Data, this DPA controls solely to the extent of that conflict. The Agreement's payment terms, disclaimers, exclusions of damages, and aggregate limitation of liability continue to apply to this DPA.
By entering into the Agreement, Customer enters into this DPA for itself and, where applicable, its authorized affiliates that use the Service. Customer remains responsible for those affiliates and will act as the sole point of contact. Affiliates may exercise rights under this DPA only through Customer, and all claims by Customer and its affiliates are subject in aggregate to the Agreement's limitation of liability.
1. Definitions
"Applicable Data Protection Law" means data protection and privacy laws applicable to Shiftkeeper's processing of Customer Personal Data under the Agreement, including, where applicable, Regulation (EU) 2016/679 ("GDPR"), the GDPR as incorporated into United Kingdom law ("UK GDPR"), and the Swiss Federal Act on Data Protection.
"Customer Data" means data submitted to, stored in, sent to, or otherwise processed by the Service for Customer. "Customer Personal Data" means Personal Data contained in Customer Data.
"Security Incident" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by Shiftkeeper. It does not include unsuccessful attempts that do not compromise Customer Personal Data.
"Subprocessor" means a third party engaged by Shiftkeeper to process Customer Personal Data on Customer's behalf. Terms such as "Controller", "Processor", "Data Subject", "Personal Data", and "Processing" have the meanings given to them under Applicable Data Protection Law.
2. Roles and scope
As between the parties, Customer is the Controller of Customer Personal Data and Shiftkeeper is the Processor. If Customer acts as a Processor for another Controller, Shiftkeeper acts as Customer's Subprocessor. Customer is responsible for ensuring that it has all rights, notices, consents, and lawful bases needed to provide Customer Personal Data and instructions to Shiftkeeper.
Shiftkeeper is an independent Controller for Personal Data it processes for its own legitimate business purposes, such as account administration, direct billing, legal compliance, fraud prevention, and business communications. Such processing is governed by our Privacy Policy, not this DPA.
The subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects are described in Annex I.
3. Customer instructions
Shiftkeeper will process Customer Personal Data only on Customer's documented instructions, including to provide, maintain, secure, monitor, and support the Service; to prevent or address technical problems; and as otherwise described in the Agreement and this DPA. Customer's configuration and use of the Service, API requests, support requests, and use of Customer-selected integrations are documented instructions.
Shiftkeeper may process Customer Personal Data where required by applicable law. Unless the law prohibits notice, Shiftkeeper will inform Customer of that legal requirement before processing. Shiftkeeper will promptly inform Customer if, in our opinion, an instruction infringes Applicable Data Protection Law and may suspend the affected processing until the parties resolve the issue.
4. Confidentiality and personnel
Shiftkeeper will ensure that persons authorized to process Customer Personal Data are bound by an appropriate duty of confidentiality and access it only as needed to perform their responsibilities. Access is limited according to the principle of least privilege and is removed when no longer required.
5. Security
Taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the risk to Data Subjects, Shiftkeeper will maintain appropriate technical and organizational measures designed to protect Customer Personal Data. The measures currently in place are described in Annex II.
Customer is responsible for using the Service securely, managing its Authorized Users and permissions, protecting credentials and API keys, configuring Customer-selected integrations appropriately, and avoiding submission of categories of data that the Agreement prohibits.
6. Security incidents
Shiftkeeper will notify Customer without undue delay after becoming aware of a Security Incident. The notice will include, to the extent known and available, the nature of the incident, affected data and Data Subjects, likely consequences, mitigation taken or proposed, and a contact for further information. Information may be provided in phases as the investigation progresses.
Shiftkeeper will take reasonable steps to contain, investigate, and mitigate the Security Incident and will reasonably cooperate with Customer's legal notification obligations. Notification is not an acknowledgment of fault or liability. Customer is responsible for notifying regulators, Data Subjects, or other parties unless Applicable Data Protection Law requires Shiftkeeper to do so.
7. Data Subject requests
Taking into account the nature of the processing, Shiftkeeper will provide reasonable assistance, including through functionality available in the Service, so Customer can respond to requests to exercise Data Subject rights. If Shiftkeeper receives a request relating to Customer Personal Data directly from a Data Subject, we will not respond on Customer's behalf unless authorized or legally required and will direct the requester to Customer where reasonably possible.
8. Compliance assistance
Taking into account the nature of processing and information available to Shiftkeeper, we will provide reasonable assistance with Customer's obligations under Articles 32 through 36 of the GDPR, including security of processing, breach assessments and notifications, data protection impact assessments, and prior consultations with supervisory authorities.
Customer will reimburse Shiftkeeper's reasonable costs for assistance beyond standard Service functionality or documentation, except to the extent charging those costs is prohibited by Applicable Data Protection Law.
9. Subprocessors
Customer provides general written authorization for Shiftkeeper to use the Subprocessors listed in Annex III and to appoint replacement or additional Subprocessors. Shiftkeeper will enter into a written agreement with each Subprocessor that imposes data protection obligations no less protective, in all material respects, than those applicable to Shiftkeeper under this DPA. Shiftkeeper remains responsible for its Subprocessors' performance of those obligations.
Shiftkeeper will provide reasonable advance notice of a new Subprocessor where practicable. If an urgent change is reasonably necessary for security, legal compliance, service continuity, or to replace a Subprocessor that has ceased providing services, Shiftkeeper may make the change before providing notice and will notify Customer without undue delay afterward. Customer may object on reasonable, documented data protection grounds. If the parties cannot resolve the objection and no commercially reasonable alternative is available, Customer's sole remedy is to discontinue the affected part of the Service. Any termination and refund rights remain subject to the Agreement.
Providers that process Personal Data for their own purposes, including a payment provider acting as merchant of record, are not Subprocessors under this DPA. A third-party integration, such as Customer's Slack workspace, is Customer-directed and remains subject to Customer's agreement with that provider.
10. Data location
Shiftkeeper's standard production environment hosts core application processing and the primary database in Google Cloud's europe-west1 (Belgium) region. Production database backups are stored in europe-west3 (Frankfurt, Germany). These are the currently available standard Shiftkeeper hosting regions; Customer-specific region selection is not currently offered. These locations describe Shiftkeeper's standard configuration as of the effective date and do not create a data residency guarantee or service level commitment unless expressly stated in an applicable Order.
This regional configuration applies to core application workloads and data at rest. It does not mean that every processing operation occurs exclusively within the European Union. For example, static content and requests may pass through a global content delivery network; limited diagnostic or support data may be accessed from other locations; and data sent to a Customer-selected integration is processed according to that provider's terms and configuration.
11. International transfers
Shiftkeeper will not transfer Customer Personal Data from the European Economic Area, United Kingdom, or Switzerland to a country that is not recognized as providing an adequate level of protection unless an appropriate transfer mechanism and safeguards are in place. These may include the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, the Swiss adaptations to the Standard Contractual Clauses, or another mechanism permitted by Applicable Data Protection Law.
Where required, Shiftkeeper will assess relevant transfers and implement supplementary technical, contractual, or organizational measures appropriate to the risk. Information reasonably necessary for Customer's transfer assessment will be made available on request, subject to confidentiality and security restrictions.
12. Return and deletion
During the term, Customer may request an export of Customer Data where the Service supports export. Following termination or expiration of the Agreement, Shiftkeeper will, at Customer's choice, return or delete Customer Personal Data, unless applicable law requires retention. Customer should request return before deletion or account closure.
Customer Personal Data in backups will be isolated from further processing and deleted through the ordinary backup lifecycle, unless restoration is required for disaster recovery. If restored, the data will remain subject to this DPA and will be deleted again in accordance with the applicable deletion process. Shiftkeeper may retain de-identified data that can no longer be associated with Customer or a Data Subject.
13. Information and audits
Shiftkeeper will make available information reasonably necessary to demonstrate compliance with this DPA. Customer must first use information, questionnaires, certifications, and independent audit reports that Shiftkeeper makes generally available. If that information is not reasonably sufficient, Customer may request an audit no more than once in any 12-month period, unless Applicable Data Protection Law or a competent supervisory authority requires an additional audit.
Audits must be preceded by at least 30 days' written notice unless Applicable Data Protection Law or a competent supervisory authority requires shorter notice, occur during normal business hours, avoid unreasonable disruption, and be limited to systems and records relevant to Customer Personal Data. An auditor must be independent, qualified, bound by confidentiality, and not a competitor of Shiftkeeper. An audit will not include access to source code, penetration testing, data belonging to other customers, or information that would compromise security. Remote review will be used unless an on-site inspection is legally required and reasonably necessary. Customer bears its own costs and will reimburse Shiftkeeper's reasonable costs of any non-routine audit, except to the extent prohibited by Applicable Data Protection Law.
14. Term and legal effect
This DPA begins when Customer accepts the Agreement or first provides Customer Personal Data to Shiftkeeper and remains in effect until Shiftkeeper no longer processes Customer Personal Data. The governing law, dispute resolution, liability limitations, and other general terms of the Agreement also apply to this DPA, except to the extent prohibited by Applicable Data Protection Law.
If a change to Applicable Data Protection Law requires an amendment to this DPA, the parties will cooperate in good faith to make the required change. Shiftkeeper may update this DPA to reflect legal, regulatory, or Service changes, provided an update does not materially reduce the protection of Customer Personal Data during a current subscription term.
Annex I
Details of processing
- Subject matter: Providing the Shiftkeeper workforce scheduling, on-call management, coverage, notification, web application, Slack application, API, support, and related services.
- Duration: For the term of the Agreement and the limited period after it necessary to return or delete Customer Personal Data, subject to legal retention obligations and backup lifecycles.
- Nature and purpose: Collection, recording, organization, storage, retrieval, consultation, transmission, synchronization, display, support, troubleshooting, security monitoring, and deletion as needed to provide and protect the Service under Customer's instructions.
- Data Subjects: Customer's Authorized Users, personnel, contractors, workspace members, administrators, and other individuals whose Personal Data Customer submits to the Service.
- Personal Data: Names, business email addresses, profile images, time zones, workspace and user identifiers, roles and permissions; team, channel, and user-group information; schedule, rotation, on-call, availability, override, coverage request, and notification data; API and authentication metadata; IP addresses, device and browser information, logs, diagnostic data, and support content.
- Sensitive or special-category data: The Service is not intended for special categories of Personal Data under Article 9 GDPR, highly sensitive financial data, health data, government identifiers, or payment card data. Customer must not submit such data except where expressly agreed in writing.
- Processing frequency: Continuous or as initiated by Customer and its Authorized Users during the term of the Agreement.
Annex II
Technical and organizational measures
Shiftkeeper may update these measures as the Service evolves, provided the overall level of protection is not materially reduced.
Encryption and transmission
Encryption in transit using TLS; encrypted connections to the production database; encryption at rest through managed cloud provider controls; secrets kept in managed secret storage rather than application source code.
Access and authentication
Role-based access, least-privilege service accounts, scoped production access, credential protection, session controls, and separation of application responsibilities.
Tenant and environment separation
Logical organization identifiers and authorization checks separate customer records. Development and production environments use separate cloud projects, resources, and credentials.
Availability and recovery
Managed regional infrastructure, database deletion protection, automated production backups, point-in-time recovery, retained backup generations, and health monitoring.
Monitoring and incident response
Application and infrastructure logging, error and performance monitoring, uptime checks, and operational incident response.
Application security
Source control, automated validation, dependency management, input validation, credential hashing where applicable, and controlled production deployments.
Data minimization and retention
Collection limited to data needed for Service functions, customer-controlled content management where available, and backup expiry through scheduled lifecycle controls.
Organizational safeguards
Confidentiality obligations, access revocation, and contractual data protection requirements for Subprocessors.
Annex III
Subprocessors
Current as of May 25, 2026. Location describes the expected location of Customer Personal Data or the provider's principal processing location; provider personnel and their own subprocessors may operate in other countries subject to Section 11.
| Provider | Purpose | Data | Location |
|---|---|---|---|
| Google Cloud EMEA Limited and Google affiliates | Application hosting, managed database, backups, networking, task processing, secrets, logs, and infrastructure monitoring | Customer Personal Data and service metadata | Belgium (europe-west1); database backups in Frankfurt, Germany (europe-west3); global content delivery and support where applicable |
| Functional Software, Inc. (Sentry) | Error reporting, diagnostics, and application performance monitoring | User and organization identifiers, IP address, request and device metadata, error context, and technical logs | European Union region (Germany); limited access from other locations subject to transfer safeguards |
| Fastmail Pty Ltd | Business email and Customer-requested support communications | Sender details, email addresses, message content, headers, and technical delivery metadata | United States and Australia; other locations used by Fastmail subject to transfer safeguards |
Cloudflare hosts and secures the public Shiftkeeper website and processes limited visitor data such as IP addresses. Paddle acts as merchant of record for subscription payments. These providers are described in our Privacy Policy and generally do not process Customer Personal Data on Shiftkeeper's behalf in providing the core Service.
Contact
Questions about this DPA, data protection requests, and notices may be sent to [email protected].