Skip to content

Data processing addendum (DPA) for teams

How Timemark processes data on behalf of teams. Our data processing addendum (DPA) for business customers.


In short: When your team uses Timemark, your team controls the photos and member data it collects, and Timemark only processes that data to run the service for you. This page is the legal Data Processing Addendum (DPA) for business customers. It is written for your legal, security, and procurement teams. Everyday users do not need to read it. For a plain explanation, see Who owns your photos.

This Data Processing Addendum is incorporated by reference into the agreement between Timemark and the customer (the “Customer”) that uses a Timemark team or Teamspace. It applies only to personal data that Timemark processes on the Customer’s behalf as Customer Data.

  • Controller, Processor, Data Subject, Personal Data, Processing have the meanings given in the GDPR.
  • Timemark means OCEAN GALAXY PTE. LTD. (UEN: 202305760Z).
  • Customer Data means the photos, visible watermark content, project docs, Checklist records, project addresses, Attendance records, member details, and other personal data that the Customer or its members put into a Timemark team.
  • Customer Representatives means Team Owners, Team Admins, or other authorized users who configure, manage, or instruct Timemark on behalf of the Customer.
  • Sub-processor means a third party engaged by Timemark to process Customer Data.

The Customer is the Controller of Customer Data. Timemark is the Processor. Where the Customer is itself acting as a processor for another controller, Timemark is a sub-processor.

For data where Timemark is the controller, such as account and billing data, the Privacy policy applies instead.

ItemDetail
Subject matterProvision of the Timemark team and Teamspace service
DurationFor the term of the agreement, plus any retention period
Nature and purposeCollecting, storing, organizing, syncing, and exporting work photos and related data
Types of personal dataPhotos, visible watermark content, project docs, Checklist records, project addresses, Attendance records, team feature records, member name, contact details, profile picture, device model
Categories of data subjectsThe Customer’s members, and individuals who appear in or are referenced by photos

Timemark will:

  • Process Customer Data only on the Customer’s documented instructions, including the agreement and this DPA.
  • Ensure people authorized to process Customer Data are bound by confidentiality.
  • Implement appropriate technical and organizational security measures, as described in the security and third-party service information we make available.
  • Assist the Customer in responding to data subject requests, taking into account the nature of the processing.
  • Assist the Customer with security, breach notification, and data protection impact assessments.
  • Delete Customer Data at the end of the agreement or applicable Teamspace retention period, except where law requires retention. The Customer is responsible for exporting data through Timemark’s export tools before deletion.

The Customer’s documented instructions include this DPA, the agreement, Teamspace settings, Team Owner or Team Admin configurations, support requests, product actions, integration settings, and other written or in-product instructions from Customer Representatives.

The Customer is responsible for ensuring those instructions are lawful, including instructions related to employee monitoring, location tracking, Attendance Mode, exports, share links, webhooks, and third-party sync destinations.

Integration settings that send Customer Data to a webhook endpoint, SharePoint, Google Drive, or another Customer-configured destination are documented instructions from the Customer.

Timemark does not monitor, review, or classify Customer Data to determine the Customer’s industry, project type, or use case, except where needed to provide the service, secure Timemark, enforce the agreement, or comply with law.

The Customer authorizes Timemark to engage Sub-processors to provide the team service. A current list of services is available in Third-party services. Sub-processors that may process Customer Data include hosting and infrastructure providers such as AWS and Alibaba Cloud in Singapore, storage, geocoding, weather, diagnostics, support, and connected sync or webhook infrastructure where needed for the features the Customer uses. Payment, account, analytics, and advertising services may process Timemark controller data as described in the Privacy policy, but they are not authorized to receive Customer Data for advertising.

Timemark will impose data protection obligations on each Sub-processor that are no less protective than this DPA, and remains responsible for their performance. The Customer gives Timemark general authorization to use Sub-processors. Timemark will maintain a current Sub-processor list in Third-party services and will notify the Team Owner by email of material additions or replacements that process Customer Data. The Customer may object within 30 days on reasonable data protection grounds. If the parties cannot resolve the objection, Timemark may disable the affected feature or the Customer may stop using the affected service.

International transfers and data residency

Section titled “International transfers and data residency”

Customer Data in Teamspace is hosted in the United States by default. If Timemark makes data residency available for an Enterprise Customer, Timemark will host in-scope Customer Data at rest in the selected data region.

Data residency applies only to the Customer Data and systems Timemark designates for that Enterprise data residency option. Operational data such as billing, support records, security logs, abuse-prevention records, email delivery, and user-directed third-party destinations may be processed outside the selected region.

When the Customer uses an Integration to send Customer Data to a webhook endpoint, SharePoint, Google Drive, or another destination it configures, that transfer is the Customer’s instruction to Timemark. The Customer is responsible for choosing the destination, confirming that the destination country and provider meet its data protection requirements, and satisfying any data export or transfer obligations that apply to the Customer. Timemark will transmit the data as instructed. After the destination receives it, Timemark does not control that destination’s processing.

Where Customer Data is transferred out of the EEA or UK, Timemark relies on approved transfer mechanisms, such as the Standard Contractual Clauses.

If Timemark receives a request from a data subject relating to Customer Data, it will not respond directly except on the Customer’s instruction or as legally required. Timemark will promptly inform the Customer and help the Customer respond.

Timemark will notify the Customer without undue delay and, where feasible, within 48 hours after becoming aware of a personal data breach affecting Customer Data. Timemark will provide available information about the nature of the breach, affected data, likely consequences, and measures taken or planned, and may provide details in phases as the investigation continues.

Timemark will make available information reasonably necessary to demonstrate compliance with this DPA, such as security summaries, Sub-processor information, and reasonable questionnaire responses. If an audit is legally required and the available information is not sufficient, the Customer may request an audit on at least 30 days’ notice, no more than once per year, during normal business hours, subject to confidentiality, security, and access restrictions. Audits must not access other customers’ data, Timemark source code, trade secrets, or production systems except where Timemark expressly agrees.

For personal information subject to the CCPA, Timemark acts as a Service Provider. Timemark will not sell or share such information, will not retain, use, or disclose it except to provide the service or as permitted by the CCPA, and will not combine it with information from other sources except as the CCPA allows. Timemark certifies that it understands and will comply with these restrictions.

On termination of the agreement, the Customer must export Customer Data through Timemark’s export tools before the Teamspace is deleted or before the applicable retention period expires. If a Free Teamspace is scheduled for automatic deletion, Timemark will email the Team Owner 1 month before deletion. Timemark will delete Customer Data after the applicable retention period or when the Customer deletes the Teamspace, except where retention is required by law.

This DPA governs Timemark’s processing of Customer Data as a processor. It does not restrict the Customer from using Customer Data, photos, project docs, Checklist records, exports, reports, Photo Codes, verification results, or other Timemark outputs for lawful business purposes under the Terms of service and applicable law.

If there is a conflict between this DPA and the Terms of service or Business and Teamspace terms, this DPA prevails only for Timemark’s processing of Customer Data as personal data. Other commercial, payment, intellectual property, acceptable-use, authenticity, disclaimer, liability, ownership, and service-access terms remain governed by the Terms of service and Business and Teamspace terms.