Data Processing Agreement
Last updated: June 9, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between Oliniuc Bogdan-Nicolae PFA (Persoană Fizică Autorizată; CUI 46976220; Reg. No. F2022004979409; Bd. Bucureștii Noi nr. 136, parter, ap. 5, Sector 1, Bucharest, Romania) ("Kronly", "we", "us", the "Processor") and the organisation that uses the Kronly application to process personal data of its workforce (the "Customer", "you", the "Controller").
It applies where, and to the extent that, Kronly processes personal data on the Controller's behalf in the course of providing the Kronly construction-workforce-management service (the "Service"), as described in our Privacy Policy. It reflects the parties' agreement with respect to such processing in accordance with Article 28 of Regulation (EU) 2016/679 ("GDPR") and Romanian Law no. 190/2018.
This page is the standard (pro-forma) DPA offered to all Customers using Kronly for workforce management. To request a counter-signed copy, or to put a negotiated DPA in place, contact privacy@kronly.eu.
How this DPA is concluded. This DPA is incorporated by reference into the Terms of Service (see the "User Roles & Employer Responsibilities" section of the Terms). It is concluded, in electronic form for the purposes of Art. 28(9) GDPR, when a person authorised to act on behalf of the Customer accepts the Terms of Service by creating or operating a Manager account for the Customer's organisation — that person represents and warrants that they have authority to bind the Customer — or, at the latest, when the Customer first uses the Service to process employee personal data. The version of this DPA in force at acceptance is identified by the "Last updated" date above, which is the same policy version recorded with the account's acceptance of the Terms.
Where the Customer itself acts as a processor on behalf of a third-party controller, references to the "Controller" are to be read accordingly and Kronly acts as a sub-processor on the same terms.
1. Definitions
Capitalised terms not defined here have the meaning given in the GDPR. In particular, "personal data", "processing", "controller", "processor", "data subject", "personal data breach", and "supervisory authority" have the meanings set out in Art. 4 GDPR; "sub-processor" means any processor engaged by Kronly to process personal data on the Controller's behalf. "Applicable Data Protection Law" means the GDPR, Romanian Law no. 190/2018, Law no. 506/2004, and any other data-protection law applicable to the processing.
2. Subject Matter, Duration, Nature and Purpose
The subject matter, duration, nature and purpose of the processing, the types of personal data, and the categories of data subjects are set out in Annex 1. In summary, Kronly processes employee-related personal data solely to provide the Service to the Controller — time and attendance tracking, on-device proximity verification results, task and material-request management, job-site photo documentation, and payroll/salary report generation (including the employee CNP where provided) — and for no other purpose.
The processing continues for the duration of the Agreement and for any limited period afterwards required to return or delete the data in accordance with Section 11.
3. Roles and Obligations of the Controller
For employee-related personal data processed through the Service, the Controller (the employer) determines the purposes and means of the processing. The Controller warrants that:
- it has a valid legal basis under Art. 6 GDPR — and, for the CNP, complies with Art. 87 GDPR and Art. 4 of Law no. 190/2018 — for the personal data it enters into the Service, or instructs Kronly to process, including any employee CNP;
- before entering employees' data, it has provided the notices required by Art. 13–14 GDPR and has informed employees and consulted employee representatives as required by Art. 5 of Law no. 190/2018;
- its processing instructions comply with Applicable Data Protection Law; and
- it is responsible, as controller, for the accuracy and lawfulness of the personal data and of the instructions it gives to Kronly.
4. Obligations of Kronly as Processor
In respect of personal data processed on the Controller's behalf, Kronly shall:
- (a) Documented instructions. Process the personal data only on documented instructions from the Controller, including with regard to transfers to a third country, unless required to do so by EU or Member State law; in that case Kronly will inform the Controller of the legal requirement before processing, unless the law prohibits this on important grounds of public interest. The Controller's instructions are set out in this DPA, the Agreement, and the Controller's configuration and use of the Service; further instructions must be agreed in writing. Kronly will inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law.
- (b) Confidentiality. Ensure that persons authorised to process the personal data are bound by an appropriate obligation of confidentiality.
- (c) Security. Take all measures required pursuant to Art. 32 GDPR, as described in Annex 2.
- (d) Sub-processors. Respect the conditions in Section 6 for engaging another processor.
- (e) Data-subject rights. Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling its obligation to respond to requests to exercise data-subject rights under Chapter III GDPR (see Section 8).
- (f) Assistance with compliance. Assist the Controller in ensuring compliance with its obligations under Art. 32–36 GDPR (security, breach notification, data-protection impact assessment, and prior consultation), taking into account the nature of the processing and the information available to Kronly (see Section 9 and Section 10).
- (g) Return or deletion. At the Controller's choice, delete or return all the personal data after the end of the provision of the Service, and delete existing copies, unless EU or Member State law requires storage (see Section 11).
- (h) Audits. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR, and allow for and contribute to audits, including inspections (see Section 12).
5. Security of Processing (Art. 32)
Kronly implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex 2. These include encryption of data in transit (TLS/HTTPS), EU-based hosting on access-restricted infrastructure, access controls limiting employee data to the Controller's managers/administrators and the data subject, and the privacy-by-design measures described in the Privacy Policy — for example, GPS coordinates are processed only on the worker's device and are never transmitted to Kronly. Kronly may update these measures from time to time, provided the overall level of security is not materially reduced.
6. Sub-processors
The Controller provides general authorisation for Kronly to engage the sub-processors listed in Annex 3 to process personal data on its behalf. Kronly shall:
- impose on each sub-processor, by contract, data-protection obligations equivalent to those set out in this DPA (Art. 28(4) GDPR), in particular sufficient guarantees to implement appropriate technical and organisational measures;
- remain fully liable to the Controller for the performance of each sub-processor's obligations; and
- inform the Controller (the Manager/administrator account holder) of any intended addition or replacement of a sub-processor that processes employee data — by email to the address associated with the Manager/administrator account and/or by in-app notice — giving at least 30 days' prior notice and an opportunity to object on reasonable data-protection grounds. If the Controller objects and the parties cannot resolve the objection, the Controller may terminate the affected part of the Service.
7. International Transfers
Kronly stores and processes personal data on servers located in the European Union. Personal data is processed outside the European Economic Area (EEA) only in the following limited cases: (i) delivery of push notifications through the Apple Push Notification service operated by Apple Inc. (USA) — device push token and notification content — under Apple's certification to the EU-US Data Privacy Framework; (ii) error monitoring by Sentry — technical error reports without personal identifiers, as described in Annex 3, stored in Sentry's EU data region (Frankfurt); any access from the United States by Sentry's operator, Functional Software, Inc., is covered by its certification to the EU-US Data Privacy Framework; and (iii) where the Controller's users choose optional social sign-in (Apple, Google, or Facebook), in which case the identity provider authenticates the user within its own infrastructure as an independent controller. Should any other sub-processor ever process personal data outside the EEA, Kronly will ensure that an appropriate transfer mechanism under Chapter V GDPR is in place — an adequacy decision, the European Commission's Standard Contractual Clauses, or another valid safeguard — and will update Annex 3 accordingly. Current sub-processor and transfer details are summarised in Annex 3 and in Section 15 of the Privacy Policy.
8. Assistance with Data-Subject Rights
Taking into account the nature of the processing, Kronly will assist the Controller, by appropriate technical and organisational measures and insofar as possible, in responding to requests from data subjects to exercise their rights of access, rectification, erasure, restriction, portability, and objection (Chapter III GDPR). The Service provides self-service tools that allow the Controller's managers/administrators (and, for their own account, individual users) to view, correct, export, and delete personal data. If Kronly receives a data-subject request relating to personal data processed on the Controller's behalf, it will, without undue delay, refer the data subject to the Controller and notify the Controller, and will not respond to the request itself except on the Controller's documented instructions or as required by law.
9. Personal Data Breach
Kronly will notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting personal data processed on the Controller's behalf, so that the Controller can meet its own 72-hour notification deadline under Art. 33(1) GDPR. The notification will, to the extent available, describe the nature of the breach, its likely consequences, the measures taken or proposed, and a contact point for further information. Kronly will provide reasonable assistance to the Controller in meeting its own obligations to notify the supervisory authority and affected data subjects under Art. 33–34 GDPR. Notification of a breach is not an acknowledgement of fault or liability.
10. Data-Protection Impact Assessment and Prior Consultation
Taking into account the nature of the processing and the information available to it, Kronly will provide reasonable assistance to the Controller with any data-protection impact assessment (Art. 35 GDPR) and any prior consultation of the supervisory authority (Art. 36 GDPR) that the Controller is required to carry out in relation to its use of the Service. A description of the Service's processing and safeguards, intended to support such an assessment, is provided in Annex 1, Annex 2, and the Privacy Policy.
11. Deletion or Return of Personal Data
On termination or expiry of the Agreement, Kronly will, at the Controller's choice, delete or return all personal data processed on the Controller's behalf and delete existing copies, unless EU or Member State law requires continued storage. In the absence of a contrary instruction, Kronly will delete the personal data within 30 days of the end of the Service, save for copies held in routine backups, which are overwritten on the ordinary backup cycle — at the latest within 6 months — and remain subject to this DPA until deleted. On the Controller's request, Kronly will certify the deletion in writing. The Controller is responsible for exporting, before deletion is completed under this Section and using the Service's export tools (or the post-termination export window described in the Terms of Service), any data it wishes to retain — for example, the payroll and time records the employer must keep under Art. 119 of the Codul Muncii.
12. Audits and Information
Kronly will make available to the Controller all information reasonably necessary to demonstrate compliance with Art. 28 GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller. To minimise disruption, the parties will agree the scope, timing, and conduct of any audit in advance; audits will take place during business hours, no more than once per year (unless required by a supervisory authority or following a personal data breach), and subject to confidentiality. Kronly may satisfy an audit request by providing existing documentation, certifications, or third-party audit reports where these reasonably address the Controller's request.
13. Liability, Precedence and Changes
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. In the event of a conflict between this DPA and the Terms of Service or Privacy Policy regarding the processing of personal data on the Controller's behalf, this DPA prevails. We may update this DPA to reflect changes in Applicable Data Protection Law, our sub-processors, or the Service; we will give notice of material changes in the manner described for sub-processor changes in Section 6 and update the "Last updated" date above.
14. Term, Governing Law and Contact
This DPA takes effect when the Controller first uses the Service to process employee personal data and remains in force for as long as Kronly processes personal data on the Controller's behalf. It is governed by Romanian law and the GDPR; disputes are subject to the jurisdiction provisions of the Agreement. For any question about this DPA, or to request a counter-signed copy, contact:
Oliniuc Bogdan-Nicolae PFA (Persoană Fizică Autorizată)
Bd. Bucureștii Noi nr. 136, parter, ap. 5, Sector 1, Bucharest, Romania
Tax ID (CUI): 46976220 · Reg. No.: F2022004979409
Email: privacy@kronly.eu
Annex 1 — Details of the Processing
- Subject matter: provision of the Kronly construction-workforce-management Service to the Controller.
- Duration: the term of the Agreement, plus the deletion/return period in Section 11.
- Nature and purpose: collection, storage, organisation, structuring, use, and erasure of employee-related personal data for the purpose of time and attendance tracking, on-device proximity verification, task and material-request management, job-site photo documentation, and generation of payroll/salary reports for the Controller's accountant.
- Categories of data subjects: the Controller's workers and managers (employees and, where applicable, contractors) who use or are managed through the Service.
- Categories of personal data: identification and contact data (name, email, phone number); account and authentication data, including device and session identifiers (device name, push token, session identifier and timestamps) and technical logs containing IP addresses; time and attendance records (clock-in/out times, durations); on-device proximity verification results (in-range / out-of-range — not GPS coordinates); task assignments and material requests; job-site photographs (with EXIF location metadata stripped before upload); and, where provided, the employee's CNP (Personal Numeric Code), processed solely for payroll/salary reporting.
- Special categories of data: none are intended to be processed. The CNP is a national identification number subject to the safeguards in Art. 87 GDPR and Art. 4 of Law no. 190/2018; it is not a special category of data under Art. 9 GDPR.
- Frequency of processing: continuous, for the duration of the Service.
Annex 2 — Technical and Organisational Measures (Art. 32)
- Encryption in transit and access-restricted storage: personal data is encrypted in transit (TLS/HTTPS); at rest, data is held on access-restricted EU servers and object storage on an internal network that is not exposed to the public internet, with administrative access limited and authenticated.
- Data minimisation by design: GPS coordinates are processed only on the worker's device and are never transmitted — only a boolean proximity result is sent; photo EXIF location metadata is stripped before upload; the CNP is optional and used only for the payroll export.
- Access control and tenant isolation: within the Controller's organisation, employee data is accessible only to the Controller's managers/administrators and to the data subject; multi-tenant isolation restricts access to the Controller's own organisation. Access to production systems by Kronly personnel is limited to those who require it and is subject to authentication and confidentiality obligations.
- Authentication: access tokens are short-lived and refresh tokens are revocable; sessions can be revoked per device.
- Hosting: data is hosted on servers located in the European Union (Hetzner data centres).
- Resilience and backup: routine backups, stored on access-restricted EU infrastructure, support availability and restoration and are subject to the deletion cycle in Section 11.
- Review: these measures are reviewed and updated as the Service evolves; the overall level of security will not be materially reduced.
Annex 3 — Approved Sub-processors
As at the "Last updated" date above, Kronly uses the following sub-processors to process personal data on the Controller's behalf. This list, and any changes to it, are also reflected in Section 9.3 of the Privacy Policy:
- Hetzner Online GmbH (Germany, EU) — cloud infrastructure hosting all core data and the self-hosted object storage for photos. Location: European Union.
- Apple Inc. — Apple Push Notification service (APNs) — delivery of push notifications to users' devices. Personal data: device push token and notification content. Location: United States; transfer mechanism: Apple Inc. is certified under the EU-US Data Privacy Framework.
- Brevo (Sendinblue SAS, France, EU) — (i) transactional email delivery (password reset, account-deletion confirmation): recipient email address and message content; (ii) live-chat widget on the Support page, loaded only when the visitor clicks "Start chat": chat messages, IP address, and browser/device information. Location: European Union.
- Sentry (Functional Software, Inc.) — error and crash monitoring. Personal data: none attached by design — error reports contain technical details only (error type, stack trace, request URL, user agent), never name, email, IP address, or account identifier; request URLs may incidentally contain resource identifiers. Location: European Union data region (Frankfurt, Germany); transfer mechanism: Functional Software, Inc. (USA) is certified under the EU-US Data Privacy Framework, covering any access from the United States.
- Apple, Google, and Meta (Facebook) — identity providers for optional social sign-in, where chosen by the user; they authenticate the user and return name, email, and a unique identifier. These providers act as independent controllers for their own authentication services.
Where a provider acts only as an independent controller for its own service (for example, the social sign-in identity providers), that is noted above; in all other cases Kronly remains responsible to the Controller for the sub-processor as set out in Section 6.