Data Processing Agreement (DPA)
1. Parties and Roles
1.1 Controller ("Customer"): the legal entity entering into the Agreement or Proposal or Terms and Conditions of Faqtic (and, if applicable, on behalf of its Group companies) that determines the purposes and means of processing.
1.2 Processor ("Faqtic"): Marvin Molijn, acting as a sole proprietor under the trading name "Faqtic", registered in Spain with tax identification number ESY8201689H and professional address at Calle Llobregos 259 01 02, 08032, Barcelona ("we", "us", "our" or "Faqtic"), which processes personal data on behalf of the Controller to deliver the Services (onboarding, configuration, troubleshooting, support, training).
1.3 Sub-processor ("Factorial"): Everyday Software, S.L., engaged by Faqtic to provide/operate the Factorial HR Platform on Faqtic's instructions.
1.4 The Controller and the Processor are each a "Party" and together the "Parties."
2. Background and Objective
2.1 The Parties have entered into a contractual relationship (the "Agreement"). Within the scope of its assignment, the Processor may access and process personal data for which the Controller is the data controller under applicable data protection legislation ("Data Protection Legislation").
2.2 The objective of this DPA is to comply with the requirements of the Data Protection Legislation for a written agreement between controller and processor.
2.3 The Processor shall process personal data only in accordance with this DPA and for the limited purpose of performing the obligations set out under the Agreement.
2.4 Processing by the Processor includes the actions specified in the Agreement and this DPA.
3. Definitions
3.1 Personal data: any information relating to an identified or identifiable natural person.
3.2 Processing: any operation performed on personal data (e.g., collection, recording, organisation, storage, adaptation, retrieval, use, disclosure, alignment, restriction, erasure, destruction), automated or not.
3.3 Data controller: the natural or legal person which determines the purposes and means of processing personal data.
3.4 Data processor: the natural or legal person which processes personal data on behalf of the controller.
3.5 Sub-processor: a subcontractor engaged by the Processor that processes personal data on behalf of the Controller for the Processor's service.
3.6 Standard contractual clauses: the European Commission's standard data protection clauses for transfers to third countries, as updated from time to time.
3.7 Data Protection Legislation: GDPR (Regulation (EU) 2016/679) and applicable Spanish data-protection laws implementing or supplementing the GDPR.
4. Undertaking and Instructions
4.1 The Processor shall process personal data on behalf of the Controller only to fulfil the Agreement and only during its term.
4.2 The Processor shall process personal data in accordance with Data Protection Legislation, this DPA, the Agreement, and any documented instructions from the Controller (including via ticket/email).
4.3 Where EU or Spanish law requires processing without Controller instruction, the Processor may do so but shall inform the Controller in advance where legally permitted.
4.4 The Processor shall not use personal data for its own purposes.
4.5 The Processor shall ensure persons authorised to process personal data are subject to confidentiality (contractual or statutory).
5. Subject Matter, Duration, Nature and Purpose
5.1 Subject & purpose: processing strictly to deliver onboarding, configuration, troubleshooting, support and training under the Agreement.
5.2 Duration: for the term of the Agreement and any legally required retention.
5.3 Nature: access, storage, viewing, structured queries, ticket handling, configuration assistance, and related operations necessary to render the Services.
6. Categories of Data and Data Subjects
6.1 Data subjects: Customer employees, workers, contractors, candidates, and Platform users designated by the Controller.
6.2 Personal data: identification/contact details; employment/HR data; limited financial identifiers contained in HR records; logs/ticket metadata; and any data the Controller uploads or provides to Faqtic during the Services.
6.3 Special categories: not intended; any such processing is incidental and only under the Controller's configuration/instructions.
7. Transfer of Personal Data
7.1 The Processor shall not transfer personal data to third countries (outside the EU/EEA) unless the Controller has specifically requested or approved such transfer in writing and appropriate GDPR safeguards are in place (e.g., SCCs or adequacy).
7.2 Any approval shall specify the receiving entity and purpose of the transfer.
8. Information Security
8.1 The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 GDPR).
8.2 The Processor shall inform the Controller of the security measures implemented and notify the Controller well in advance of material changes that could affect the protection of personal data.
9. Personal Data Breach
9.1 In the event of a personal data breach involving Customer personal data, the Processor shall notify the Controller without undue delay and no later than 48 hours after becoming aware of it, providing: (a) the nature of the breach, categories of data subjects and an estimate of affected persons; (b) information necessary for the Controller's statutory obligations; and (c) measures taken or proposed to address the breach and prevent recurrence.
9.2 The Processor shall provide updates as further information becomes available and cooperate reasonably with the Controller, including with the AEPD if required.
10. Assistance to the Controller
10.1 Taking into account the nature of processing and information available, the Processor shall assist the Controller in: (a) responding to data-subject requests under Chapter III GDPR; and (b) ensuring compliance with Articles 32–36 GDPR (security, breach management, DPIAs, and prior consultations).
10.2 The Processor shall redirect end-user (employee/worker) requests to the Controller unless expressly authorised in writing to respond.
11. Sub-processors
11.1 Authorised core Sub-processor: Factorial (Everyday Software, S.L.) to operate the Platform on Faqtic's instructions.
11.2 Factorial's own sub-processors: the Controller acknowledges and accepts Factorial's published sub-processor list and change-notification process.
11.3 Ancillary sub-processors: the Processor may use ancillary providers (e.g. ticketing, email, CRM) to process limited support metadata.
11.4 The Processor shall impose on all sub-processors data-protection terms no less protective than this DPA and remains responsible for their performance.
12. Audit and Compliance
12.1 The Processor shall make available to the Controller the information necessary to demonstrate compliance with this DPA and the GDPR, and shall facilitate audits (including inspections) by the Controller or a mandated independent auditor (not a competitor, and bound by confidentiality).
12.2 Audits require reasonable prior notice, shall occur during business hours, be proportionate in scope, and avoid undue disruption. Costs are borne by the Controller unless a material non-compliance by the Processor is established.
13. Return and Deletion
13.1 Upon expiry or termination of the Agreement, and at the Controller's choice, the Processor shall return or delete Customer personal data in its possession—save for minimal retention required by law or presence in backups subject to secure, time-bound deletion.
13.2 Platform-resident data must be exported by the Controller from the Platform prior to deprovisioning.
14. Damages and Compensation
14.1 The Processor shall hold harmless and indemnify the Controller for damages attributable to the Processor's processing in breach of this DPA or Data Protection Legislation. Administrative fines are imposed on the Party that breaches its own obligations; neither Party shall bear the other Party's administrative fines.
14.2 Unless otherwise agreed in writing, the Processor's compensation under the Agreement includes compensation for the Processor's undertakings under this DPA.
15. Order of Validity
15.1 This DPA is an integral part of the Agreement. If the terms of the Agreement and this DPA diverge or conflict on data-protection matters, this DPA prevails.
16. Term and Termination
16.1 This DPA is effective from signature and remains in force as long as the Processor processes personal data on the Controller's behalf.
16.2 If the Processor breaches the DPA or Data Protection Legislation and fails to remedy within thirty (30) days of notice (or such other period agreed by the Parties), the Controller may terminate the Agreement with immediate effect (or on longer notice specified by the Controller).
16.3 Upon termination/expiry, the Processor shall act per Clause 13 (return/deletion) and promptly seek the Controller's instructions where needed.
17. Governing Law and Dispute Resolution
17.1 This DPA shall be governed by and construed in accordance with Spanish law, excluding conflict-of-law rules.
17.2 Disputes shall be resolved per the Agreement; absent such provision, disputes shall be submitted to the courts of Barcelona, Spain.
