DPA · Version 2.0 · 4/20/2026
Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service between Konsepto d.o.o. ("Processor") and the customer (the "Controller") that uses the Dopusto service. It is entered into in accordance with Article 28 of Regulation (EU) 2016/679 ("GDPR") and the Slovenian Personal Data Protection Act (ZVOP-2).
Last updated: 20 April 2026. Version 2.0. Effective upon acceptance of the Terms of Service.
1. Parties and roles
- Controller — the customer (employer) that creates a tenant on Dopusto and uploads employee records.
- Processor — Konsepto d.o.o., which provides Dopusto.
- Each party is independently responsible for complying with the obligations that fall upon it as a controller or processor under applicable data protection law.
2. Subject matter and duration
The Processor processes Personal Data on behalf of the Controller to provide the Dopusto service (leave management and related workflows) for the duration of the subscription, including any grace windows before full account closure.
3. Nature and purpose of processing
The Processor performs hosting, storage, retrieval, display, transmission to authorised Users, and deletion of Personal Data, solely for the purpose of operating Dopusto in accordance with the Controller's instructions provided through the application's configuration and through written instructions sent to dpo@dopusto.si.
4. Categories of data subjects and personal data
Data subjects: the Controller's employees, managers, administrators and other personnel whose data the Controller or its Users submit to Dopusto.
Categories of Personal Data:
- Identification data (first name, last name, e-mail, public ID).
- Contact data (phone, address, postal code, city, country).
- National identifiers (EMŠO, tax ID — encrypted at rest).
- Bank account number (IBAN — encrypted at rest).
- Demographic data relevant to ZDR-1 leave calculation (date of birth, gender, marital status, number of children, disability status, single-parent status).
- Employment data (job title, department, manager, hire date, contract type, weekly hours).
- Emergency contact details provided by the employee.
- Photo (if uploaded by the employee or administrator).
- Leave records (requested dates, type, working days, reason where provided, sickness certificate where required by the leave type).
- Authentication data (hashed password, TOTP secret — encrypted, session identifiers).
- Audit log (who did what, when, from which IP and user agent).
5. Obligations of the Controller
The Controller warrants that (a) it has a valid legal basis for the collection and processing of the Personal Data it uploads, (b) it has informed its employees about the processing in line with Articles 13 and 14 GDPR, (c) it restricts access within Dopusto to personnel who need it, and (d) it responds directly to data subject requests that it receives.
6. Obligations of the Processor (Article 28 GDPR)
The Processor shall:
- process Personal Data only on the Controller's documented instructions, including with regard to international transfers, unless required to do otherwise by EU or Member State law;
- ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under a statutory obligation of confidentiality;
- take all measures required pursuant to Article 32 GDPR (security of processing), as described in Annex II;
- respect the conditions for engaging sub-processors set out in Section 9;
- assist the Controller, taking into account the nature of the processing, by appropriate technical and organisational measures, in fulfilling its obligations to respond to data subject requests under Chapter III GDPR;
- assist the Controller in complying with Articles 32–36 GDPR (security, breach notification, data protection impact assessment and prior consultation);
- at the Controller's choice, delete or return all Personal Data to the Controller after the end of the services, and delete existing copies, unless EU or Member State law requires storage (see Section 14);
- make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for audits (Section 15).
7. Security measures (Annex II)
- Encryption in transit (TLS 1.2+).
- Encryption at rest of sensitive identifiers (EMŠO, tax ID, IBAN, TOTP secret, OAuth tokens) with AES-256-GCM.
- Argon2id hashing of passwords.
- Role-based access control; principle of least privilege.
- Mandatory two-factor authentication for administrators.
- Audit logging of security-relevant events; logs retained for five (5) years.
- Nightly backups of the database with off-site retention (30 days) and periodic restore tests.
- Content Security Policy, CSRF tokens, rate limiting and dependency monitoring.
- Background workers for automatic anonymisation after statutory retention ends.
- Staff training on data protection and secure development; confidentiality obligations in staff and contractor agreements.
- Annual review of the security posture and updates to these measures as appropriate.
8. Breach notification
The Processor will notify the Controller without undue delay, and in any case within seventy-two (72) hours of becoming aware of a Personal Data breach affecting Personal Data processed on behalf of the Controller. The notification will include, to the extent available, the nature of the breach, the categories and approximate number of data subjects and records affected, likely consequences, and the measures taken or proposed to mitigate the breach.
9. Sub-processors
The Controller provides general written authorisation for the engagement of sub-processors, subject to the Processor's obligation to (a) notify the Controller of any intended addition or replacement of sub-processors through in-app notification at least thirty (30) days in advance, giving the Controller the opportunity to object, and (b) impose on each sub-processor the same data protection obligations as set out in this DPA.
Current sub-processors:
- Hetzner Online GmbH (DE) — hosting of application servers, databases and backups, EU data centre.
- Paddle.com Market Limited (IE) — payment processing, invoice issuance, VAT collection.
- Google Ireland Limited — only for customers who opt in to Google Calendar synchronisation; scope limited to calendar events for approved leave.
- Postmark / transactional e-mail provider — outbound e-mail delivery (verification codes, notifications).
10. International transfers
All processing takes place in the EU/EEA. If a sub-processor's future parent company would fall outside the EU/EEA, the Processor will implement EU Standard Contractual Clauses and any supplementary measures required under applicable law, and will inform the Controller accordingly.
11. Assistance with data subject rights
The Controller is the primary point of contact for data subjects. If the Processor receives a request directly, it will forward it to the Controller and will not respond unless instructed. The Processor provides self-service tools (e.g. data export at /my/data, employee anonymisation) to help the Controller respond to data subject requests.
12. Data protection impact assessment (DPIA)
The Processor will provide reasonable assistance with DPIAs and prior consultations that involve processing carried out on the Controller's behalf.
13. Records of processing activities
The Processor maintains records of its processing activities as required by Article 30(2) GDPR and makes them available to the Controller or competent supervisory authority upon request.
14. Return or deletion of Personal Data
Upon the Controller's request, the Processor will make an export of the Controller's Personal Data available through the application. After the end of the service, or after a Company Closure grace window, the Processor will anonymise Personal Data as described in the Terms of Service, subject to statutory retention obligations (Slovenian Employment Records Act — ZEPDSV — ten years; tax records — ten years; audit logs — five years). Records retained after anonymisation do not allow re-identification of data subjects.
15. Audits and inspections
Once per calendar year, the Controller may request an audit of the Processor's compliance with this DPA, at its own cost, with at least thirty (30) days' written notice and during business hours. Audits must not disrupt the Processor's operations or compromise the confidentiality of other customers. The Processor may propose third-party audit reports or certifications (e.g. ISO 27001) as a substitute.
16. Liability
Each party is liable for damages caused by its own breach of this DPA as provided in Article 82 GDPR and the Terms of Service.
17. Term and termination
This DPA remains in force as long as the Processor processes Personal Data on behalf of the Controller. Sections addressing security, confidentiality, breach notification, return/deletion and records survive termination to the extent required by law.
18. Governing law
This DPA is governed by the laws of the Republic of Slovenia and must be read consistently with GDPR.
Annex — Data Protection Officer and contact
Konsepto, oblikovanje in kreativne rešitve, d.o.o. (Konsepto d.o.o.)
Dunajska cesta 136, 1000 Ljubljana, Slovenia
Registration number (matična številka): 7440405000 · VAT ID: SI90994299
Registered with the District Court in Ljubljana (Okrožno sodišče v Ljubljani), Srg 2026/4810.
Konsepto d.o.o. is not required to appoint a DPO under Article 37 GDPR but has designated a Data Protection Contact:
dpo@dopusto.si
Supervisor: Informacijski pooblaščenec RS — ip-rs.si.