Data Processing Addendum (DPA)

Last updated: 2026-04-24

Parties

This DPA is between the customer ("Controller") and Custom Projects AS ("Processor"), and applies when Custom Hours processes personal data on behalf of the Controller.

Service

Custom Hours is a time tracking, project tracking, employee hour registration, approval, absence tracking, and reporting service operated by Custom Projects AS. Organisation number: 934561112. Country: Norway.

Subject matter and duration

Custom Hours processes personal data to provide the Service. Processing continues for the duration of the customer's use of the Service, unless a longer retention period is required by law or agreed with the customer.

Nature and purpose of processing

• Authentication and access control
• Company, employee, role, and membership administration
• Project tracking and hour entry submission
• Hour review, approval, rejection, reporting, and export workflows
• Absence tracking and related administrative review
• Audit logging for accountability and security
• Operational troubleshooting and security monitoring
• Subscription and billing status handling through payment providers

Types of personal data

• Employee identifiers: name, email, role, company membership
• Company data: company settings, employee access, subscription metadata
• Project data: assigned projects and related work entries
• Work data: dates, times, breaks, comments, status, rejection reason
• Absence data: absence type, dates, status, and related administrative notes
• Audit data: timestamps, actor, action, and changed values where applicable
• Security/technical data: session identifiers, timestamps, IP/user-agent if stored

Categories of data subjects

• Customer employees
• Customer administrators and owners

Processor obligations

• Process data only on documented instructions from the Controller.
• Ensure confidentiality for personnel with access to personal data.
• Implement appropriate technical and organizational security measures.
• Assist with data subject requests where applicable.
• Notify the Controller of personal data breaches without undue delay.
• Use subprocessors only as needed to provide, secure, and maintain the Service.

Subprocessors

Custom Projects AS may use subprocessors for hosting, database services, email, authentication, monitoring, and payment processing. Custom Projects AS remains responsible for subprocessors' performance of their obligations.

International transfers

The Service is intended for EU/EEA-oriented business use. If transfers outside the EU/EEA occur, appropriate safeguards will be used as required by law.

Security measures

• Tenant isolation enforced server-side
• Server-side sessions with HttpOnly cookies
• Access control by role
• Audit logging for key mutations
• Validation and authorization checks on protected routes
• Standardized error handling for public endpoints

Deletion and return of data

Upon termination, the Controller may request export and/or deletion of customer data within a reasonable time, unless retention is required by law.

Contact

For DPA requests, contact Custom Projects AS through the contact details provided during account setup or customer communication.