Data Processing Agreement
Last Updated: February 23, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer" or "Data Controller") and PlanXpress ("Processor") for the use of PlanXpress workforce management services.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by PlanXpress on behalf of the Customer
- "Data Controller" means the Customer, who determines the purposes and means of processing Personal Data
- "Data Processor" means PlanXpress, who processes Personal Data on behalf of the Customer
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed
- "GDPR" means the General Data Protection Regulation (EU) 2016/679
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion
- "Sub-processor" means any third party engaged by PlanXpress to process Personal Data
2. Scope and Applicability
This DPA applies to all Personal Data processed by PlanXpress in connection with the provision of the Services described in the Terms of Service. PlanXpress acts as a Data Processor on behalf of the Customer, who acts as the Data Controller.
3. Data Processing Details
3.1 Nature and Purpose of Processing
PlanXpress processes Personal Data for the following purposes:
- Providing workforce management and forecasting services
- Generating staffing schedules and capacity plans
- Analyzing contact center performance metrics
- Delivering intraday monitoring and reporting
- Providing customer support and service delivery
3.2 Categories of Personal Data
The following categories of Personal Data may be processed:
- Contact Center Agent Data: Names, employee IDs, work schedules, shift assignments, performance metrics, attendance records
- Customer Account Data: Names, email addresses, job titles, company names, billing information
- Usage Data: IP addresses, browser information, access logs, feature usage patterns
- Business Metrics: Contact volumes, handle times, service levels, adherence statistics
3.3 Categories of Data Subjects
Personal Data may relate to the following categories of Data Subjects:
- Contact center agents and employees
- Workforce planners and managers
- Customer account administrators and users
3.4 Duration of Processing
PlanXpress will process Personal Data for the duration of the Service Agreement and for a period of 30 days following termination, unless otherwise required by law or requested by the Customer for data retrieval purposes.
4. Customer Obligations
The Customer warrants and represents that:
- It has all necessary rights and consents to provide Personal Data to PlanXpress for processing
- It complies with all applicable data protection laws in its role as Data Controller
- It has provided appropriate privacy notices to Data Subjects
- Processing instructions provided to PlanXpress comply with applicable laws
- It will notify PlanXpress immediately of any changes affecting the lawfulness of processing
5. Processor Obligations
PlanXpress shall:
- Process Personal Data only on documented instructions from the Customer (including those in this DPA and the Terms of Service)
- Ensure that personnel authorized to process Personal Data are subject to confidentiality obligations
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (as detailed in our Security Policy)
- Assist the Customer in responding to Data Subject requests (access, rectification, erasure, data portability, objection)
- Assist the Customer in ensuring compliance with data security, breach notification, and data protection impact assessment obligations
- Delete or return all Personal Data to the Customer after the end of the provision of services, unless required to retain it by law
- Make available to the Customer all information necessary to demonstrate compliance with this DPA
6. Security Measures
PlanXpress implements the following technical and organizational security measures:
- Encryption: AES-256-GCM encryption for data at rest, TLS 1.2+ for data in transit
- Access Controls: Role-based access control, row-level security, multi-factor authentication options
- Network Security: Firewalls, intrusion detection, DDoS protection
- Application Security: CSP headers, CSRF protection, input validation, rate limiting
- Monitoring: 24/7 security monitoring, automated vulnerability scanning, audit logging
- Incident Response: Dedicated incident response team and documented procedures
For detailed security measures, please refer to our Security Policy.
7. Sub-processors
7.1 Authorized Sub-processors
The Customer provides general authorization for PlanXpress to engage the following Sub-processors:
| Sub-processor |
Service |
Location |
| Render (Render Services, Inc.) |
Cloud hosting and infrastructure |
United States |
| Neon (Neon, Inc.) |
PostgreSQL database hosting |
United States |
| Stripe, Inc. |
Payment processing |
United States |
| Plausible Analytics |
Privacy-friendly analytics |
European Union |
7.2 Sub-processor Changes
PlanXpress will provide at least 30 days' notice before adding or replacing any Sub-processor. Customers may object to a new Sub-processor on reasonable grounds relating to data protection. If the Customer objects and PlanXpress cannot accommodate the objection, the Customer may terminate the affected services.
7.3 Sub-processor Obligations
PlanXpress ensures that:
- All Sub-processors are bound by written agreements imposing data protection obligations no less protective than this DPA
- Sub-processors implement appropriate technical and organizational security measures
- PlanXpress remains fully liable to the Customer for the performance of Sub-processors
8. Data Subject Rights
PlanXpress will, to the extent legally permitted, promptly notify the Customer if it receives a request from a Data Subject to exercise their rights under data protection law, including:
- Right of Access: Request a copy of their Personal Data
- Right to Rectification: Correct inaccurate or incomplete Personal Data
- Right to Erasure: Request deletion of Personal Data ("right to be forgotten")
- Right to Restriction: Restrict processing under certain circumstances
- Right to Data Portability: Receive Personal Data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or direct marketing
PlanXpress will provide reasonable assistance to enable the Customer to respond to Data Subject requests within the timeframes required by applicable law (typically 30 days).
9. Data Breach Notification
In the event of a Personal Data breach, PlanXpress will:
- Notify the Customer without undue delay and no later than 72 hours after becoming aware of the breach
- Provide the following information (to the extent available):
- Nature of the breach, including categories and approximate number of Data Subjects and data records affected
- Contact point for more information
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate adverse effects
- Provide reasonable assistance to help the Customer comply with its obligation to notify supervisory authorities and Data Subjects
- Investigate the breach and take appropriate remedial action
For detailed breach notification procedures, see our Breach Notification Policy.
10. Data Retention and Deletion
Upon termination or expiration of the Service Agreement, PlanXpress will:
- Provide the Customer with 30 days to retrieve their data via standard export mechanisms
- Delete or anonymize all Personal Data within 30 days of termination, unless:
- Required to retain the data by applicable law or regulation
- The Customer requests an extended data retrieval period (maximum 90 days, fees may apply)
- Provide written certification of data deletion upon Customer request
11. International Data Transfers
Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. For such transfers, PlanXpress relies on the following transfer mechanisms:
- Standard Contractual Clauses (SCCs): EU Commission-approved Standard Contractual Clauses for transfers to countries without adequacy decisions
- Data Privacy Framework: For transfers to the United States, reliance on certified Data Privacy Framework participants where applicable
- Additional Safeguards: Technical measures including encryption, access controls, and monitoring as detailed in our Security Policy
Upon request, PlanXpress will provide copies of executed Standard Contractual Clauses.
12. Audits and Inspections
PlanXpress will make available to the Customer information necessary to demonstrate compliance with this DPA. The Customer may:
- Request documentation of PlanXpress's security measures and compliance status
- Conduct audits (including inspections) no more than once per year, with 30 days' advance notice
- Request third-party audit reports (e.g., SOC 2) where available, subject to confidentiality restrictions
Audits must:
- Be conducted during business hours with minimal disruption to operations
- Be subject to reasonable confidentiality obligations
- Be at the Customer's expense unless the audit reveals material non-compliance
13. Liability and Indemnification
Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Terms of Service. PlanXpress shall be liable for any damages caused by processing that violates this DPA or applicable data protection law.
14. Term and Termination
This DPA will remain in effect for as long as PlanXpress processes Personal Data on behalf of the Customer. Upon termination of the Service Agreement, this DPA will terminate automatically, subject to the data retention and deletion obligations in Section 10.
15. Governing Law and Jurisdiction
This DPA shall be governed by the same law and jurisdiction provisions as the Terms of Service. For Customers subject to GDPR, disputes shall be resolved in accordance with GDPR Article 82 (Right to compensation and liability).
16. Order of Precedence
In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of Personal Data.
17. Amendments
PlanXpress may update this DPA from time to time to reflect changes in data protection laws or our data processing practices. Material changes will be communicated to Customers with at least 30 days' notice.
Questions about data processing?
Contact us at privacy@planxpress.com