
GDPR & Data Processing Agreement

Last updated: April 2026

This page is a summary of our Data Processing Agreement (DPA) under GDPR Article 28. A full signed DPA is available on request — see section 8.

1. Parties

This DPA is between:

  • Data Controller: the company that has registered for and is using the OnboardZero platform (you).
  • Data Processor: [YOUR COMPANY NAME] B.V., operating OnboardZero, registered in the Netherlands (KVK [YOUR KVK NUMBER]).

By using OnboardZero to collect and store employee data, you (as controller) instruct us (as processor) to process personal data on your behalf under the terms set out below.

2. Subject Matter and Duration

The subject matter of this DPA is the processing of employee and contractor personal data using the OnboardZero onboarding platform. Processing commences when you send your first invite and continues for the duration of your active subscription.

Upon termination of the subscription, data is retained for a maximum of 30 days to allow export, after which it is permanently deleted.

3. Nature and Purpose of Processing

OnboardZero processes employee personal data on your behalf solely to:

  • Collect onboarding information submitted by employees via secure invite links
  • Store that data encrypted in an EU-based database
  • Display and manage submissions in your HR dashboard
  • Optionally transmit employee records to Personio if you have configured that integration
  • Send transactional emails (invite links, confirmation notices) via Resend

We do not use employee personal data for any purpose other than providing the Service to you.

4. Categories of Data and Data Subjects

Data subjects: Employees and contractors of the controller who are invited to complete the onboarding form.

Categories of personal data processed:

  • Identity data: full name, date of birth, nationality
  • Contact data: home address, phone number, personal email
  • Emergency contact: name and phone number of a nominated contact
  • Financial and tax data: BSN (burgerservicenummer, the Dutch citizen service number) and IBAN bank account number, both encrypted at rest using AES-256-GCM

5. Obligations of OnboardZero as Processor

OnboardZero commits to the following obligations under GDPR Article 28:

  • Process personal data only on your documented instructions and not for any other purpose
  • Ensure that all staff with access to personal data are bound by confidentiality obligations
  • Implement and maintain appropriate technical and organisational security measures (encryption at rest and in transit, access controls, rate limiting)
  • Assist you in responding to data subject rights requests (access, erasure, portability) within the timeframes required by GDPR
  • Notify you without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach (GDPR Article 33(2)), so that you can meet your own 72-hour reporting obligation to the Autoriteit Persoonsgegevens (AP, the Dutch data protection authority)
  • Delete or return all personal data upon termination of the subscription, at your choice
  • Make available all information necessary to demonstrate compliance with GDPR Article 28 upon reasonable request

6. Sub-processors

OnboardZero uses the following approved sub-processors. By using the Service, you consent to these sub-processors. We will notify you at least 14 days before adding or replacing a sub-processor.

  Sub-processor   Purpose                                                    Location
  Supabase        Database & authentication                                  EU (AWS eu-west-1)
  Stripe          Payment processing (billing data only)                     EU
  Resend          Transactional email (invite & confirmation)                EU (eu-west-1)
  Sentry          Error monitoring (no PII in error logs)                    EU
  Upstash         Rate limiting (IP addresses only, not retained)            EU
  Personio        HR system sync (only if you configure this integration)    EU

7. International Data Transfers

All processing by OnboardZero and our sub-processors takes place within the European Union / European Economic Area. We do not transfer personal data to third countries outside the EU/EEA.

If a future sub-processor requires a transfer outside the EU/EEA, we will put in place appropriate safeguards under GDPR Chapter V (for example, Standard Contractual Clauses under Article 46) and notify you in advance.

8. Full Signed DPA

This page provides an overview of our data processing commitments. For customers who require a formal signed Data Processing Agreement — for example for enterprise procurement, insurance purposes, or compliance audits — a full DPA document is available upon request.

To request a signed DPA, email hello@onboardzero.com with the subject line "DPA Request". We will respond within 5 business days.

Questions about data processing or GDPR compliance? Email hello@onboardzero.com.