Data Processing Addendum
Last updated: 27 Jan 2026
This Data Processing Addendum (DPA) applies when TimenBill processes personal data on behalf of a Customer under GDPR, UK GDPR, CCPA/CPRA, or similar privacy laws. It supplements our Terms of Service and Privacy Policy.
Roles and scope
- The Customer is the controller (or business) of personal data in Customer Content.
- TimenBill is the processor (or service provider) when handling Customer Content.
- This DPA applies to the extent TimenBill processes personal data on behalf of the Customer.
- For account administration and marketing activities, TimenBill acts as a controller.
Customer obligations
- The Customer will ensure it has a lawful basis to process personal data.
- The Customer will provide required notices and obtain required consents.
- The Customer will not submit special categories of data unless agreed in writing.
- The Customer is responsible for the accuracy, quality, and legality of Customer Content.
- The Customer will use the Service in compliance with applicable privacy laws.
Processing instructions
- We process personal data only on documented instructions from the Customer.
- Instructions include use of the Service and any written instructions provided by the Customer.
- We may process personal data to comply with legal obligations and to secure the Service.
- If we cannot comply with an instruction, we will inform the Customer where required by law.
Confidentiality
- Personnel who process personal data are bound by confidentiality obligations.
- We provide privacy and security training to relevant personnel.
- Confidentiality obligations survive termination of the DPA.
Security measures
- We maintain technical and organizational measures designed to protect personal data.
- Measures include access controls, least privilege, monitoring, and encryption in transit.
- We review and update safeguards in light of risk, technology changes, and industry practices.
Subprocessors
We engage the following subprocessors to help deliver the Service.
| Subprocessor | Purpose | Location/Region |
| --- | --- | --- |
| Microsoft Corporation (Azure App Service, Azure SQL Database, Azure Storage, Azure Key Vault, Application Insights) | Hosting, database, file storage, secrets management, and monitoring. | Australia Southeast |
| Microsoft Corporation (Azure Static Web Apps) | Web app hosting for customer-facing experiences. | East Asia |
| Microsoft Corporation (Azure Communication Services) | Transactional email delivery and communication services. | Global |
| Microsoft Corporation (Microsoft Entra External ID / Azure AD B2C) | Authentication, identity, and access management. | Global |
| Google LLC (Google Workspace APIs, Google Translate, AdSense) | Email/calendar integrations, translation services, and ad delivery/measurement for the free plan. | Global |
| Stripe, Inc. | Payment processing and subscription billing. | Global |
| ipapi.co | IP geolocation for login security and fraud signals. | Global |
| ExchangeRate.host | Foreign exchange rate data for currency conversion. | Global |
| Open Exchange Rates | Foreign exchange rate data for currency conversion. | Global |
| ForexRateAPI | Foreign exchange rate data for currency conversion. | Global |
Locations reflect our current Azure deployment regions and vendor-managed service footprints. Some subprocessors are optional and used only when Customers enable the related integration (for example, Google Workspace or Stripe).
- We remain responsible for subprocessors and require them to protect personal data.
- We will provide notice of material subprocessor changes where required by law.
- Customers may object to a new subprocessor on reasonable grounds related to data protection.
- If we cannot resolve an objection, the Customer may terminate the affected Services.
Data subject rights and assistance
- We assist Customers with responding to data subject requests, taking into account the nature of processing.
- We assist with privacy impact assessments and prior consultations where required by law.
- Requests must be submitted in writing and may be subject to reasonable verification.
- We may charge reasonable fees for excessive or repetitive requests where permitted by law.
Incident response
- We will notify Customers without undue delay after becoming aware of a personal data breach.
- We will provide information reasonably needed to meet breach notification obligations.
- The Customer is responsible for notifying regulators and data subjects where required.
International transfers
- We may process personal data in Australia and other regions where our providers operate.
- Where required, transfers are governed by appropriate safeguards, including the EU SCCs (Module 2) and the UK IDTA.
- Transfer mechanisms may be updated to reflect regulatory changes.
Return or deletion
- Upon termination, we will return or delete personal data in accordance with Customer instructions and applicable law.
- We may retain data as required for legal, accounting, or compliance obligations.
- Retention and export windows are described in our Privacy Policy.
CCPA/CPRA commitments
- TimenBill acts as a service provider and does not sell personal information.
- We do not share personal information for cross-context behavioral advertising.
- We will not retain, use, or disclose personal information outside of providing the Service, except as permitted by law.
- We will not combine personal information across customers except as permitted by law.
Audits and compliance
- Upon reasonable notice, Customers may request information necessary to demonstrate compliance with this DPA.
- Audits will be limited in frequency and scope to protect security and other customers.
- We may provide summaries, reports, or attestations in lieu of on-site audits.
- On-site audits require advance notice, a confidentiality agreement, and reasonable scope limits.
- Customers are responsible for audit costs, including our reasonable time and expenses.
Order of precedence
- If this DPA conflicts with the Terms of Service, this DPA controls for data protection matters only.
- All other terms remain in effect.
Exhibit A: Processing details
- Subject matter: Workspace administration, time tracking, billing, projects, and analytics.
- Duration: For the term of the Customer subscription and any retention period.
- Nature of processing: Hosting, storage, access controls, support, analytics, and compliance.
- Processing activities: Collection, storage, access, use, disclosure, deletion, and export.
- Data categories: User identity, contact details, workspace records, and billing metadata.
- Data subjects: Customer users, clients, vendors, and authorized payers.
Exhibit B: Security measures
- Access controls, role-based permissions, and least-privilege administration.
- Encryption in transit and secure key management practices.
- Logical segregation of customer data within shared infrastructure.
- Monitoring, logging, and alerting for security events.
- Regular backups and recovery procedures appropriate to risk.
- Vulnerability management, patching, and secure development practices.
- Incident response procedures and escalation processes.
Contact
Data protection inquiries: privacy@timenbill.com. See our Privacy Policy and Terms of Service.