GDPR · Data Protection

Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between the Customer (Employer) and Timenox and governs the processing of personal data in connection with the Timenox attendance management platform.

GDPR Article 28 Compliant · Globally Applicable · SMB & Enterprise Ready
Version 1.0 — Effective: April 27, 2026

How this DPA works: This DPA is incorporated by reference into the Timenox Terms of Service. By agreeing to the Terms of Service, the Customer also agrees to this DPA. Customers requiring a countersigned DPA for enterprise procurement may contact support@timenox.com.

Parties

Data Controller

The Customer

The organization or individual that has entered into the Timenox Terms of Service and uses the platform to manage employee attendance. The Customer determines the purposes and means of processing personal data.

Data Processor

Vyqda Technologies Pvt. Ltd. (Timenox)

A company incorporated in India, operating the Timenox platform. Timenox processes personal data solely on behalf of and under the documented instructions of the Customer.

This DPA is entered into as of the date the Customer first accepts the Timenox Terms of Service, and remains in effect for the duration of that agreement.

1. Definitions

The following terms have the meanings given below. Capitalized terms not defined here have the meaning given in the Timenox Terms of Service or applicable data protection law.

Personal Data

Any information relating to an identified or identifiable natural person. In the context of this DPA, this includes employee names, identifiers, device data, location data, attendance logs, and photographs collected through the Timenox platform.

Processing

Any operation or set of operations performed on Personal Data, whether by automated means or otherwise — including collection, storage, retrieval, use, disclosure, erasure, or destruction.

Controller

The natural or legal person that determines the purposes and means of Processing Personal Data. Under this DPA, the Customer is the Controller.

Processor

A natural or legal person that processes Personal Data on behalf of the Controller. Under this DPA, Timenox is the Processor.

Sub-processor

Any third party engaged by Timenox to carry out specific processing activities on Personal Data on behalf of the Controller.

Data Subject

An identified or identifiable individual whose Personal Data is processed. In this context, primarily employees of the Customer.

GDPR

The General Data Protection Regulation (EU) 2016/679, including its application under UK law via the UK GDPR, and any successor legislation.

EEA

The European Economic Area, comprising EU member states, Norway, Iceland, and Liechtenstein.

Security Incident

A confirmed or reasonably suspected breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

2. Scope and Details of Processing

The following describes the processing activities carried out by Timenox on behalf of the Customer:

Subject Matter: Employee attendance management — recording, storing, and reporting employee check-in and check-out events.
Duration: For the duration of the Customer's active Timenox subscription. Post-termination handling is governed by Section 9.
Nature: Collection, storage, structuring, retrieval, use, and erasure of employee attendance data via web browser, secure link, and QR code interactions.
Purpose: To enable the Customer to track, verify, and report on employee attendance for workforce management, payroll support, and compliance purposes.
Data Subjects: Employees and contractors of the Customer whose attendance is tracked through the platform.
Categories of Data:
  • Employee profile data: name, employee ID, role, department, email address
  • Attendance records: check-in/check-out timestamps, work mode (office/WFH/field), attendance logs
  • Device data: WebAuthn credential identifiers, device fingerprint signals (browser type, OS, screen resolution, timezone)
  • Location data: GPS coordinates and geofence compliance results at check-in/out (if enabled by Customer)
  • Photographs: selfie images captured at check-in/out (if photo verification is enabled by Customer)

3. Roles and Responsibilities

3.1 Customer (Controller)

The Customer is solely responsible for:

  • Determining the lawful purpose and legal basis for processing employee Personal Data
  • Informing employees that Timenox is being used and what data is collected
  • Obtaining consent or ensuring another valid legal basis where required by applicable law
  • Configuring the platform in a manner consistent with applicable data protection law
  • Responding to data subject requests from employees and directing them appropriately
  • Ensuring that the use of optional features (location, photo verification) complies with applicable employment and privacy law in the Customer's jurisdiction

3.2 Timenox (Processor)

Timenox will:

  • Process Personal Data only in accordance with the Customer's documented instructions, unless required to do otherwise by applicable law
  • Promptly inform the Customer if Timenox believes any instruction violates applicable data protection law, without being obligated to follow such instruction
  • Not process Personal Data for any purpose beyond what is necessary to deliver the Timenox service
  • Not sell, share, or otherwise disclose Personal Data to third parties for their own commercial purposes

4. Processor Obligations

4.1 Confidentiality

Timenox ensures that all personnel authorized to process Personal Data are subject to a binding confidentiality obligation. Access to Personal Data is limited to those who need it to perform their job functions in delivering the Service.

4.2 Compliance Assistance

Timenox will provide reasonable assistance to help the Customer comply with its obligations as Controller, including:

  • Responding to data subject rights requests (see Section 7)
  • Supporting data protection impact assessments (DPIAs) where Timenox's processing activities are involved
  • Providing information reasonably necessary for the Customer to demonstrate compliance with Article 28 GDPR obligations

4.3 Instruction Compliance

The Customer's instructions are set out in the Timenox Terms of Service and this DPA. Any additional written instructions must be agreed upon by Timenox in advance. Timenox may charge reasonable fees for implementing instructions that require material additional effort.

5. Sub-processors

The Customer provides general written authorization for Timenox to engage sub-processors for the delivery of the Service. Timenox currently uses sub-processors in the following categories:

Category | Purpose | Location
Cloud infrastructure provider | Hosting, database storage, and compute | India / Global
Content delivery network (CDN) | Static asset delivery and performance | Global
Email delivery provider | Transactional and notification emails | Global
Analytics provider | Aggregated platform usage analytics | Global

Timenox will:

  • Ensure all sub-processors are bound by data protection obligations no less protective than those in this DPA
  • Remain fully liable to the Customer for any failure by a sub-processor to fulfill its data protection obligations
  • Provide notice of intended changes to sub-processors (additions or replacements) by updating this DPA or notifying the Customer

The Customer may object to a new sub-processor by notifying Timenox in writing within 14 days of receiving notice. If the parties cannot resolve the objection within a reasonable period, the Customer may terminate the affected portion of the Service without penalty.

6. Technical and Organisational Security Measures

Timenox implements appropriate technical and organisational measures to protect Personal Data against unauthorized access, loss, alteration, or disclosure, taking into account the nature, scope, and purposes of processing and the risks to data subjects.

Encryption in Transit

All data transmitted between users and Timenox servers is encrypted using TLS (HTTPS).

Encryption at Rest

Data stored on Timenox infrastructure is encrypted at rest using industry-standard algorithms.

Access Controls

Access to Personal Data is restricted to authorized personnel on a strict need-to-know basis, with role-based permissions enforced.

Authentication Security

Administrator accounts are secured with strong authentication. WebAuthn is used for device-bound employee check-ins.

Logging and Monitoring

Access and activity logs are maintained to detect and respond to unauthorized access attempts.

Incident Response

Timenox maintains a documented incident response procedure to identify, contain, and remediate Security Incidents.

These measures are reviewed and updated periodically to reflect evolving threats and best practices. Timenox will provide the Customer with reasonable information about its security measures upon written request.

7. Data Subject Rights

The Customer, as Controller, is responsible for responding to data subject rights requests from employees. Timenox will assist the Customer in fulfilling these obligations to the extent technically feasible and reasonable, given its role as Processor.

Timenox's assistance covers the following rights:

Right | Timenox's Assistance
Access (Art. 15) | Export of attendance records and associated data for a specified employee upon Customer request
Rectification (Art. 16) | Correction of employee profile data; attendance log corrections via admin override tools
Erasure (Art. 17) | Deletion of an employee record and associated data upon Customer instruction, subject to legal retention obligations
Restriction (Art. 18) | Ability to deactivate an employee record to stop further processing while retaining historical data
Portability (Art. 20) | Export of attendance data in CSV or structured format for transfer to another system

Deletion requests: The Processor shall assist the Controller in responding to data subject requests, including requests for deletion of personal data. Where a deletion request is received directly by the Processor, it shall, where appropriate, direct the data subject to the Controller and notify the Controller of the request without undue delay.

If an employee contacts Timenox directly with any data rights request, Timenox will forward the request to the Customer's registered administrator without undue delay. Timenox will not fulfill data subject requests independently without the Customer's authorization, except where required by applicable law.

8. Security Incident and Breach Notification

In the event that Timenox becomes aware of a confirmed Security Incident affecting Personal Data processed under this DPA, Timenox will:

  • Notify the Customer without undue delay, and where feasible, within 72 hours of becoming aware of the incident
  • Provide sufficient information to allow the Customer to meet its own notification obligations to supervisory authorities and affected data subjects
  • Include in the notification, to the extent then known: nature of the incident, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the incident
  • Cooperate with the Customer's investigation and take reasonable steps to mitigate the effects of the incident

Notification by Timenox is not an acknowledgment of fault or liability. The Customer is responsible for determining whether supervisory authority notification or data subject notification is required under applicable law.

9. Data Retention and Deletion

Timenox retains Personal Data for as long as the Customer's account is active and as necessary to provide the Service.

Upon termination or expiry of the Customer's subscription:

  • The Customer may request an export of their data within 30 days of the termination date by contacting support@timenox.com
  • After the 30-day window, Timenox will delete or render inaccessible all Personal Data associated with the Customer's account, unless retention is required by applicable law
  • Backups and technical logs may be retained for a limited further period consistent with Timenox's internal data lifecycle policies, after which they are securely purged

Upon Customer request, and at no additional cost, Timenox will provide written confirmation that deletion has been completed.

10. International Data Transfers

Timenox is based in India and uses cloud infrastructure that may involve data processing in jurisdictions outside the EEA, UK, or the Customer's home country.

Where Personal Data is transferred outside the EEA or UK to a country not recognized as providing adequate protection, Timenox will ensure that appropriate safeguards are in place, which may include:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission, incorporated into agreements with sub-processors where required
  • Adequacy decisions, where applicable
  • Other transfer mechanisms recognized as lawful under applicable data protection law

Customers in the EEA or UK who require executed SCCs or additional transfer documentation may request them at support@timenox.com.

11. Audit Rights

The Customer has the right to assess Timenox's compliance with this DPA through the following mechanisms:

  • Documentation review: Timenox will provide written answers to reasonable security and compliance questionnaires submitted by the Customer
  • Certification sharing: Where available, Timenox will share relevant security certifications or third-party audit summaries
  • On-site audit: The Customer may, at its own expense and with at least 30 days' prior written notice, conduct or commission a third-party audit of Timenox's processing activities — limited in scope to data processing under this DPA, and subject to reasonable confidentiality obligations

Audits must be conducted during normal business hours, in a manner that does not unreasonably interfere with Timenox's operations. Timenox reserves the right to charge a reasonable fee for time spent supporting extensive audit requests.

12. Liability

The liability of each party under this DPA is subject to the exclusions and limitations of liability set out in the Timenox Terms of Service, which are incorporated into this DPA by reference.

As between the parties:

  • Timenox is liable for damages caused by processing that is not in compliance with its Processor obligations under this DPA and applicable law
  • The Customer is liable for damages caused by instructions given to Timenox that do not comply with applicable data protection law, or by the Customer's failure to fulfill its Controller obligations
  • Timenox's aggregate liability under this DPA shall not exceed the cap set out in the Terms of Service (fees paid in the 12 months preceding the event giving rise to the claim)

Nothing in this DPA limits either party's liability for fraud, wilful misconduct, or any liability that cannot be excluded under applicable law.

13. Governing Law

This DPA is governed by and construed in accordance with the laws of India, without regard to conflict of law provisions, consistent with the governing law provisions in the Timenox Terms of Service.

Notwithstanding the foregoing, where the Customer is established in the EEA or UK and processing is subject to GDPR or UK GDPR, the DPA shall be interpreted and applied in a manner consistent with those regulations, and any Standard Contractual Clauses executed between the parties shall be governed by the applicable EU or UK law specified therein.

Any disputes arising under this DPA shall be resolved in accordance with the dispute resolution mechanism set out in the Terms of Service.

14. General Provisions

  • Order of precedence: In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the subject matter of data processing.
  • Entire agreement: This DPA, together with the Terms of Service, constitutes the entire agreement between the parties regarding data processing and supersedes all prior discussions on the subject.
  • Severability: If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force.
  • Updates: Timenox may update this DPA from time to time to reflect changes in applicable law, technology, or processing activities. Material updates will be communicated to the Customer with reasonable notice. Continued use of the Service constitutes acceptance of the updated DPA.
  • Countersignature: Customers who require a formally countersigned DPA (e.g., for enterprise procurement or regulatory purposes) may request one by contacting support@timenox.com. This DPA is otherwise effective upon acceptance of the Terms of Service.

Contact for Data Protection Matters

For questions regarding this DPA, data subject rights requests forwarded through the Customer, or to request a countersigned DPA:

Data Protection Contact

support@timenox.com

Company

Vyqda Technologies Pvt. Ltd.

Location

Agra, Uttar Pradesh 282007

India