FeelSafeHub
Why now For whom Our story Contact
Open the app
← Back to the website

Data Processing Agreement

Standard version, last updated: July 2026

This is FeelSafeHub's standard Data Processing Agreement under Article 28 of the GDPR. It applies automatically to every company that registers for FeelSafeHub and accepts it during setup, and it governs how FeelSafeHub processes personal data on your company's behalf inside the app. It does not cover commercial terms such as pricing, contract length, or what is included in your plan: those are set out separately in your service agreement with FeelSafeHub.
PARTIES

Who this agreement is between

This Data Processing Agreement ("DPA") is entered into between the company registering for FeelSafeHub, acting as the data controller ("Controller"), and FeelSafeHub, operated by Milica Krstić, based in Bratislava, Slovak Republic, acting as the data processor ("Processor"). It supplements and forms part of the service agreement between the Controller and the Processor.

1

Definitions

"GDPR" means Regulation (EU) 2016/679. "Personal Data", "Processing", "Controller", "Processor", "Data Subject" and "Supervisory Authority" have the meanings given in the GDPR. "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2

Subject matter and duration

The Processor provides the Controller with the FeelSafeHub workplace wellbeing platform, through which the Controller's employees complete a daily wellbeing protocol and the Controller's HR users view aggregated participation data. This DPA applies for as long as the Processor processes Personal Data on the Controller's behalf under the service agreement, and continues to apply to any Personal Data retained after termination until it is deleted in accordance with Clause 9.

3

Nature and purpose of processing

The Processor processes Personal Data to operate the FeelSafeHub platform: authenticating users, recording daily protocol completions and minutes, displaying resource content, scheduling group sessions, and generating aggregated, anonymized reporting for the Controller's HR users. The Processor does not use Personal Data for any purpose other than providing and improving the FeelSafeHub platform, and does not sell Personal Data or use it for advertising.

4

Categories of data subjects and personal data

Data subjectsEmployees, HR users, and administrators of the Controller who use FeelSafeHub
Personal dataName, email address, gender marker (used only for grammatical addressing in the interface), language preference, daily protocol completion timestamps and minutes earned, and resource view history
Restricted personal dataFree text reflections entered by employees (thought, sense of purpose, gratitude note). These are stored under technical access controls that make them inaccessible to the Controller's HR users, the Processor's personnel in the ordinary course of business, and any other employee
Special category dataNone is intentionally collected. The Controller must not instruct the Processor to collect health data, trade union membership, or other special category data through any field in the platform
5

Processor obligations

  • Process Personal Data only on the Controller's documented instructions, including with regard to international transfers, unless required to do otherwise by EU or member state law
  • Ensure that persons authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational measures under Article 32 GDPR, as described in Clause 7
  • Assist the Controller, taking into account the nature of the processing, in responding to requests from Data Subjects exercising their GDPR rights
  • Assist the Controller with its obligations relating to data protection impact assessments and prior consultation with supervisory authorities, where applicable
  • Notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach affecting the Controller's data
  • At the Controller's choice, delete or return all Personal Data at the end of the provision of services, and delete existing copies, except where EU or member state law requires storage
  • Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to reasonable audits, including inspections, conducted by the Controller or an auditor it appoints, on reasonable notice
6

Sub-processors

The Controller provides general authorization for the Processor to engage the following sub-processors, each limited to the function described:

Sub-processorFunctionLocation
SupabaseDatabase, authentication, and file storageFrankfurt, Germany (EU)
Vercel Inc.Application hosting and content deliveryGlobal CDN, application data processed in the EU region where available
Hetzner Online GmbHUnderlying server infrastructureGermany (EU)

The Processor will give the Controller at least 30 days' notice before adding or replacing a sub-processor, and the Controller may object on reasonable data protection grounds. Where a sub-processor is located outside the EU/EEA, the Processor ensures an appropriate transfer mechanism is in place, such as the European Commission's Standard Contractual Clauses, before any Personal Data is transferred.

7

Security measures

The Processor maintains technical and organizational measures appropriate to the risk, including:

  • Row level security at the database layer, so that individual employee entries and private notes are technically inaccessible to HR users, administrators, and the Processor's own personnel in the ordinary course of business
  • Encryption of data in transit and at rest
  • Access to administrative functions restricted to authenticated, authorized personnel only
  • Automatic deletion of Personal Data once the Controller's chosen retention period (6, 12, or 24 months) has elapsed
  • Regular review of access permissions and security advisories on the underlying infrastructure
8

Personal data breach notification

The Processor will notify the Controller without undue delay, and no later than 48 hours, after becoming aware of a breach affecting the Controller's Personal Data, and will provide the information reasonably needed for the Controller to meet its own notification obligations under Article 33 and 34 GDPR.

9

Deletion or return of data

Employees may delete their own data at any time from within the app. On termination of the underlying service agreement, the Processor will delete or return all remaining Personal Data within 30 days, except where retention is required by law.

10

Liability

Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the service agreement between the parties.

11

Governing law

This DPA is governed by the laws of the Slovak Republic and applicable European Union law. Any dispute arising from this DPA falls under the jurisdiction of the courts of Bratislava, Slovak Republic, without prejudice to a Data Subject's right to lodge a complaint with a supervisory authority.

12

Acceptance

By checking "I accept the Data Processing Agreement" during company registration, the Controller's authorized representative confirms they have read and agree to this DPA on behalf of the Controller. A countersigned copy is available on request by emailing milica@feelsafehub.com.

Controller
Company name, signatory, and date confirmed at registration
Processor
Milica Krstić, FeelSafeHub, Bratislava, Slovak Republic
FeelSafeHub

Prevention before the breaking point

Try the app Website privacy Terms DPA Contact
© 2026 FeelSafeHub. Made in Bratislava. EN · SR/HR · DE · SK