Standard version, last updated: July 2026
This Data Processing Agreement ("DPA") is entered into between the company registering for FeelSafeHub, acting as the data controller ("Controller"), and FeelSafeHub, operated by Milica Krstić, based in Bratislava, Slovak Republic, acting as the data processor ("Processor"). It supplements and forms part of the service agreement between the Controller and the Processor.
"GDPR" means Regulation (EU) 2016/679. "Personal Data", "Processing", "Controller", "Processor", "Data Subject" and "Supervisory Authority" have the meanings given in the GDPR. "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
The Processor provides the Controller with the FeelSafeHub workplace wellbeing platform, through which the Controller's employees complete a daily wellbeing protocol and the Controller's HR users view aggregated participation data. This DPA applies for as long as the Processor processes Personal Data on the Controller's behalf under the service agreement, and continues to apply to any Personal Data retained after termination until it is deleted in accordance with Clause 9.
The Processor processes Personal Data to operate the FeelSafeHub platform: authenticating users, recording daily protocol completions and minutes, displaying resource content, scheduling group sessions, and generating aggregated, anonymized reporting for the Controller's HR users. The Processor does not use Personal Data for any purpose other than providing and improving the FeelSafeHub platform, and does not sell Personal Data or use it for advertising.
| Data subjects | Employees, HR users, and administrators of the Controller who use FeelSafeHub |
|---|---|
| Personal data | Name, email address, gender marker (used only for grammatical addressing in the interface), language preference, daily protocol completion timestamps and minutes earned, and resource view history |
| Restricted personal data | Free text reflections entered by employees (thought, sense of purpose, gratitude note). These are stored under technical access controls that make them inaccessible to the Controller's HR users, the Processor's personnel in the ordinary course of business, and any other employee |
| Special category data | None is intentionally collected. The Controller must not instruct the Processor to collect health data, trade union membership, or other special category data through any field in the platform |
The Controller provides general authorization for the Processor to engage the following sub-processors, each limited to the function described:
| Sub-processor | Function | Location |
|---|---|---|
| Supabase | Database, authentication, and file storage | Frankfurt, Germany (EU) |
| Vercel Inc. | Application hosting and content delivery | Global CDN, application data processed in the EU region where available |
| Hetzner Online GmbH | Underlying server infrastructure | Germany (EU) |
The Processor will give the Controller at least 30 days' notice before adding or replacing a sub-processor, and the Controller may object on reasonable data protection grounds. Where a sub-processor is located outside the EU/EEA, the Processor ensures an appropriate transfer mechanism is in place, such as the European Commission's Standard Contractual Clauses, before any Personal Data is transferred.
The Processor maintains technical and organizational measures appropriate to the risk, including:
The Processor will notify the Controller without undue delay, and no later than 48 hours, after becoming aware of a breach affecting the Controller's Personal Data, and will provide the information reasonably needed for the Controller to meet its own notification obligations under Article 33 and 34 GDPR.
Employees may delete their own data at any time from within the app. On termination of the underlying service agreement, the Processor will delete or return all remaining Personal Data within 30 days, except where retention is required by law.
Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the service agreement between the parties.
This DPA is governed by the laws of the Slovak Republic and applicable European Union law. Any dispute arising from this DPA falls under the jurisdiction of the courts of Bratislava, Slovak Republic, without prejudice to a Data Subject's right to lodge a complaint with a supervisory authority.
By checking "I accept the Data Processing Agreement" during company registration, the Controller's authorized representative confirms they have read and agree to this DPA on behalf of the Controller. A countersigned copy is available on request by emailing milica@feelsafehub.com.