Data Processing Agreement (DPA)

Effective Date: 2026-05-11
Last Updated: 2026-05-11

This Data Processing Agreement (DPA) forms part of the Terms of Service (the Agreement) between FabWise, LLC (Processor, we, us, or our), a Georgia limited liability company with a mailing address of 990 Peachtree Industrial Blvd Unit #1233, Suwanee, GA 30024, and the customer entity agreeing to the Agreement (Controller or you).

This DPA applies when Processor Processes Personal Data on behalf of Controller while providing the timeclock software Service (the Service). All capitalized terms not defined in this DPA have the meanings given in the Agreement.

1. Definitions

  • Data Protection Laws means all applicable U.S. privacy laws, including CCPA/CPRA and other state privacy laws.
  • Personal Data means any information relating to an identified or identifiable natural person that Processor Processes on behalf of Controller.
  • Sub-processor means any third party engaged by Processor to Process Personal Data.

2. Territorial Restriction

The Service is intended solely for use within the United States of America. Controller shall not, and shall not permit any Authorized Users to, access or use the Service from outside the United States. Processor does not support or authorize international use of the Service.

3. Processing of Personal Data

3.1 Processor shall Process Personal Data only:

(i) to provide the Service; (ii) according to Controller's documented instructions (including in the Agreement); and (iii) as required by applicable law.

3.2 Controller's instructions include processing Personal Data for time/attendance tracking, reporting, payroll exports, geofencing (if enabled), and related workforce management features.

3.3 Processor shall not:

(i) sell Personal Data (as defined under CCPA); (ii) retain, use, or disclose Personal Data for any purpose other than Permitted Purposes or as permitted by law; or (iii) combine Personal Data with data from other sources except as instructed by Controller.

See Annex 1 for details of processing.

4. Controller Responsibilities

Controller represents and warrants that:

(i) it has all necessary rights and lawful bases to provide Personal Data to Processor; (ii) it will comply with all Data Protection Laws (including obtaining required consents for location tracking, biometrics, etc.); and (iii) its instructions to Processor comply with applicable law.

5. Security

5.1 Processor will implement and maintain commercially reasonable administrative, technical, and physical safeguards to protect Personal Data (including encryption in transit and at rest, access controls, and regular security testing).

5.2 No system is 100% secure. Processor does not guarantee absolute security.

5.3 Processor shall notify Controller as soon as reasonably practicable after becoming aware of a Security Incident affecting Controller's Personal Data.

6. Sub-processors

6.1 Controller grants general authorization for Processor to engage Sub-processors (including Stripe for payment processing and cloud hosting providers). A current list is maintained at https://fabwise.app/trust/subprocessors.

6.2 Processor shall impose data protection obligations on each Sub-processor at least as protective as this DPA and remains liable for their compliance.

6.3 Notification of new Sub-processors. Processor will notify Controller of new Sub-processors at least 14 days before engagement, providing Controller a reasonable opportunity to object.

7. Assistance with Controller Obligations

Processor shall assist Controller (at Controller's reasonable cost) with data subject rights requests, breach notifications, and other compliance obligations under Data Protection Laws.

8. Data Return or Deletion

Upon termination of the Agreement or at Controller's request, Processor shall delete or return all Personal Data, subject to legal holds and backups.

9. Audits

Controller may audit Processor's compliance upon reasonable advance notice and at Controller's expense (unless material non-compliance is found).

10. CCPA-Specific Terms

Processor acts as a service provider under CCPA. Processor will not retain, use, or disclose Personal Data except for the Permitted Purposes or as otherwise permitted by CCPA.

11. Term and Termination

This DPA survives termination of the Agreement for as long as Processor Processes Personal Data on behalf of Controller.

12. Governing Law

This DPA is governed by Georgia law, except where Data Protection Laws require otherwise.

Accepted by Controller via acceptance of the Terms of Service.


Annex 1: Details of Processing

  • Subject Matter: Provision of cloud-based timeclock SaaS Service for workforce time and attendance management.
  • Duration: Term of the Agreement + post-termination retention period as set forth in the Agreement.
  • Nature and Purpose: Collection, storage, processing, and reporting of time entries, attendance, location (if enabled), and related data per Controller's instructions.
  • Categories of Data Subjects: Controller's employees and Authorized Users.
  • Categories of Personal Data: Name, employee ID, contact info, time/attendance records, location/GPS data (if enabled), IP address, device data.
  • Sensitive Data: None intended. Controller must not upload special category data without prior written agreement.
  • Location of Processing: Primarily United States.

Annex 2: Technical and Organizational Security Measures (Summary)

  • Encryption of Personal Data in transit and at rest
  • Role-based access controls and Multi-Factor Authentication (MFA)
  • Regular vulnerability scanning and penetration testing
  • Incident response plan
  • Employee confidentiality agreements and security training
  • Use of SOC 2 / compliant cloud infrastructure (e.g., AWS)