Data Processing Agreement (DPA)

• RATech Privacy Policy / Data Protection Notice
• RATech Terms and Conditions
• Applicable data protection laws

Personal Data, Processing, Controller, and Processor shall have the meanings given under applicable data protection laws.

• The Customer acts as the Data Controller.
• RATech acts as the Data Processor, processing Personal Data solely on behalf of and under the instructions of the Customer.

• Provide HR Technology platforms, SAP SuccessFactors services, AI-driven solutions, analytics, integrations, and add-on products
• Perform contractual obligations
• Provide support, maintenance, and service improvements
• Comply with legal and regulatory requirements

Processing shall be carried out strictly in accordance with the Customer’s documented instructions unless otherwise required by law.

• Names, job titles, business contact details
• HR, payroll, recruitment, and employee-related data (where applicable)
• User credentials and system identifiers
• Technical data such as IP address, device, and usage logs

4.2 Categories of Data Subjects

• Customer employees
• Contractors
• Job applicants
• Authorized users of RATech platforms

• All personnel processing Personal Data are bound by confidentiality obligations
• Personal Data is accessed strictly on a need-to-know basis

• Secure cloud infrastructure
• Encryption and access controls
• Role-based access management
• Regular security reviews and audits

These measures are designed to protect Personal Data against unauthorised access, loss, alteration, or disclosure.

• Sub-processors are contractually bound by equivalent data protection obligations
• Customer data remains protected at all times

• Access
• Rectification
• Erasure
• Restriction or objection to processing
• Data portability (where applicable)

• RATech shall notify the Customer without undue delay
• Provide reasonable assistance to support regulatory notifications and mitigation actions

• Retained only for as long as required for contractual or legal purposes
• Securely deleted or anonymised upon termination of services, unless retention is
  required by law

• RATech ensures adequate protection through contractual safeguards
• Transfers are compliant with applicable data protection laws

• Make available information necessary to demonstrate compliance
• Cooperate with audits conducted by the Customer or regulators, subject to confidentiality and security requirements