Data Processing Agreement

Last updated: 2 June 2026

This Data Processing Agreement (DPA) governs the processing of personal data that Timelista carries out on behalf of Customers using the Timelista service. It forms an integral part of the Terms of Service and applies whenever Timelista acts as a data processor.

1. Parties

  • Data controller: the Customer – the natural or legal person using the Timelista service.
  • Data processor: ALEKSANDER MARIANSKI (the Timelista / Timelista.no service), company reg. no. 926 341 979, Hanaveien 12A, 4327 SANDNES, Norway – email: kontakt@timelista.no.

2. Purpose of the processing

Timelista processes personal data solely to provide and improve the Timelista service, never for its own independent purposes. Typical purposes include:

  • registration and management of working time (time tracking);
  • keeping a personalliste in accordance with statutory requirements;
  • management of holidays, absences and shift plans;
  • invoicing and administration of the service subscription;
  • user support and service related to the platform.

3. Categories of data and data subjects

Data subjects: the Customer and its personnel using the service, the Customer's employees, and the owners and administrators of the Customer's business.

Data: first name, last name, email, phone, national ID / D-number, organisation number, company affiliation, registered working hours, breaks, absences and holidays, check-in and check-out times in the personalliste, system metadata and login data.

Processing of national ID numbers and other unique identifiers takes place in accordance with section 12 of personopplysningsloven – only where there is a legitimate need for secure identification, including the statutory keeping of a personalliste. As a rule, Timelista is not intended for the processing of special categories of personal data (Article 9 GDPR).

4. Sub-processors

To ensure a secure and scalable platform, Timelista uses reliable sub-processors that process personal data solely on behalf of Timelista and in accordance with this Agreement:

  • Cloud infrastructure provider (EEA): hosting of the application, databases and storage. Data is kept within the EEA and encrypted at rest and in transit.
  • Transactional email provider: sending notifications, reminders and account-related emails to users.
  • Payment provider: handling of payments and subscriptions.
  • Backup and monitoring provider (EEA): backups, availability monitoring and application error tracking.

All sub-processors are bound by agreements ensuring at least the same level of data protection as this Agreement. An up-to-date list of exact names and addresses is available on request at kontakt@timelista.no.

5. Place of processing and transfers

Timelista ensures that all processing, as a rule, takes place within the EU/EEA. If, in exceptional cases, data is transferred to a third country, legally binding transfer mechanisms are used, such as the EU Standard Contractual Clauses (SCC) or adequacy decisions.

6. Technical and organisational measures

Timelista implements technical and organisational measures that protect the confidentiality, integrity and availability of the data, including:

  • encrypted data transfer (TLS) and encryption of stored data and backups;
  • hashing of user passwords;
  • regular backups and procedures for recovery after incidents;
  • access control, event monitoring, logging and security alerts;
  • confidentiality obligations for all personnel;
  • regular security updates and system reviews;
  • physical security of data centres provided by the infrastructure providers.

7. Personal data breaches

In the event of a personal data breach, Timelista will notify the Customer without undue delay, no later than 48 hours after the breach is detected, with information about the nature of the breach, possible consequences and measures taken. The obligation to report the breach to the Norwegian Data Protection Authority and to the data subjects rests with the Customer as the data controller.

8. Assistance to the Customer

Timelista assists the Customer, to the extent possible and taking into account the nature of the service, in fulfilling data subjects' rights (Articles 15–22 GDPR) and the obligations under Articles 32–36 GDPR – through features in the service that enable access, export, modification and deletion of data.

9. Audit

The Customer has the right to verify that Timelista complies with its obligations under this Agreement. Timelista shall make available the necessary documentation and information. Audits may be carried out by agreement and with reasonable notice, in a manner that does not disrupt Timelista's ordinary operations. The Customer bears all costs associated with carrying out the audit, including costs for external auditors, organisational costs and any cost Timelista incurs in connection with preparation and participation. At Timelista's request, the Customer shall reimburse all reasonable costs incurred by Timelista before the audit begins.

10. Storage and deletion of data

Timelista stores personal data for as long as necessary to fulfil the agreed purposes, or for as long as the Customer has an active account. Upon termination of the Agreement, the data is deleted or returned to the Customer, except to the extent further storage is required under Norwegian law (including bokføringsforskriften for the personalliste and statutory retention obligations, up to five years).

11. Liability and governing law

The parties are liable for damage in accordance with Article 82 GDPR. Timelista's liability is limited to the fees paid in the 12-month period preceding the incident. The Agreement is governed by Norwegian law, in particular personopplysningsloven; disputes are settled at the venue where Timelista has its place of business.

12. Updates

Timelista may update this Agreement. The version in force at any given time is available at timelista.no.