Data Processing Agreement — RotaFlux
RotaFlux DPA terms under Article 28 GDPR.
Last updated: May 1, 2026
This Data Processing Agreement (the “DPA”) is entered into between:
- The customer subscribing to the RotaFlux service (the “Controller”), and
- de Prados y Bodega Ingenieros S.L. (VAT/CIF: B86106705), with registered address at Ciudalcampo, 28707 San Sebastián de los Reyes, Madrid (Spain), as the service provider (the “Processor”).
It forms an integral part of the contractual relationship governing the use of RotaFlux. In case of conflict between this DPA and the terms of service, this DPA prevails on matters of personal data protection.
1. Object
The Processor will process, on behalf of the Controller, the personal data needed to deliver the shift-scheduling service through the RotaFlux platform (https://rotaflux.enredando.me).
2. Nature, purpose and duration of processing
- Nature: automated processing for the generation of shift schedules.
- Purpose: provide the contracted service to the Controller, under its documented instructions.
- Duration: for as long as the contractual relationship with RotaFlux lasts; after termination, as set out in Section 11 (“Return and deletion”).
3. Types of personal data and categories of data subjects
| Category | Description |
|---|---|
| Employee identifiers | Name, internal ID or equivalent |
| Work information | Role, contracted hours, professional category |
| Preferences and constraints | Shift preferences, desired days off, incompatibilities, planned holidays |
Categories of data subjects: employees of the Controller organization whose shifts are scheduled through the service.
Special categories (Article 9 GDPR): none. The service does not require health, religion, union, sexual orientation or other special-category data. The Controller commits not to upload data in those categories.
4. Processor obligations
The Processor commits to:
a. Process personal data only on documented instructions from the Controller, except where applicable law requires otherwise.
b. Ensure the confidentiality of personnel authorized to process the data.
c. Implement appropriate technical and organizational measures as described in Section 9.
d. Assist the Controller in responding to data subject requests, in carrying out impact assessments, and in prior consultations with supervisory authorities.
e. Notify without undue delay any personal data breach affecting the processing.
f. Return or delete personal data at the end of the service, as provided in Section 11.
g. Make available to the Controller the information necessary to demonstrate compliance.
5. Subprocessors
The Controller grants general authorization for the involvement of the subprocessors publicly listed on the Subprocessors page, under the terms described there.
The Processor:
- Will notify the Controller at least 15 days in advance of any addition or replacement of subprocessors.
- Will impose on each subprocessor, by contract, the same data protection obligations set out in this DPA.
- Remains liable to the Controller for compliance by the subprocessors.
The Controller may object to a new subprocessor on reasonable data protection grounds. In that case, the parties shall negotiate a solution in good faith; if none is possible, the Controller may terminate the contract without penalty.
6. International transfers
The main service infrastructure is located in the European Union. Some support operations (transactional email, monitoring, payments) involve subprocessors based outside the European Economic Area, mainly the United States. Those transfers rely on the Standard Contractual Clauses adopted by the European Commission (Implementing Decision (EU) 2021/914).
7. Assistance to the Controller
The Processor will assist the Controller, through appropriate technical and organizational measures and to the extent possible, in responding to:
- Data subject rights requests (access, rectification, erasure, objection, restriction, portability).
- Controller obligations under Articles 32 to 36 GDPR (security of processing, breach notification, impact assessments, prior consultation).
8. Breach notification
The Processor will notify the Controller of any personal data breach affecting the processing without undue delay, and no later than 72 hours after becoming aware of it. The notification will include, to the extent known at the time:
- Nature of the breach, categories and approximate number of affected data subjects.
- Likely consequences.
- Measures taken or proposed to mitigate effects.
- Point of contact for more information.
9. Technical and organizational measures
The Processor will maintain at least the following measures:
- Encryption in transit: TLS for all communications.
- Encryption at rest: database encrypted at disk level.
- Access control: enforced authentication, principle of least privilege for operational access, audit log of administrative access.
- Credential security: passwords stored as hashes with an appropriate function (never in plaintext).
- Backups: encrypted, with documented retention and rotation.
- Testing and audit: regular security and dependency reviews.
- Incident response plan: documented detection, containment, notification and resolution procedures.
- Personnel confidentiality: confidentiality agreements and periodic training.
10. Audit
The Controller may audit the Processor’s compliance once a year, upon prior written request with at least 30 days’ notice. Audits will be conducted in a way that does not impair service operation. The Controller bears the audit costs unless material non-compliance is found.
Alternatively, the Processor may provide the Controller with current third-party certifications or external audit reports covering the scope of the requested audit.
11. Return and deletion
Upon termination of the contract, at the Controller’s choice expressed in writing within 30 days of cancellation:
a. Return: the Processor will make the personal data available to the Controller in a structured, commonly used format. After delivery and verification, the data is deleted from the Processor’s systems.
b. Deletion: the Processor will delete the personal data from active systems within 30 days, and from backups according to the rotation cycle, unless legally required to retain it.
If the deadline lapses without an explicit instruction, option (b) applies.
12. Liability
The Processor’s liability for breaching this DPA is subject to the limits of liability set out in the terms of service, except where applicable law mandates a different regime.
13. Governing law
This DPA is governed by Spanish law and by Regulation (EU) 2016/679 (GDPR), as well as Spanish implementing law (LOPDGDD).
14. Acceptance
Accepting the terms of service at signup constitutes acceptance of this DPA, without need for a separate signature. Customers requiring a separately executed DPA as a standalone document can request it at [email protected].