Data Processing Agreement (DPA)
This Data Processing Agreement forms part of the agreement between the customer ("Controller") and Unidian SRL ("Cleira", "Processor") and applies where Cleira processes personal data on the Controller's behalf in connection with the paid Cleira services. It is designed to meet the requirements of Article 28 of the GDPR.
1. Roles
The Controller determines the purposes and means of processing the workforce/HR data it uploads. Cleira processes that data only as a Processor, on documented instructions from the Controller, including as set out in the agreement and this DPA.
2. Subject matter and details of processing
- Subject matter: provision of EU Pay Transparency Directive (2023/970) compliance analysis and reporting.
- Duration: the term of the agreement plus any wind-down period set out below.
- Nature and purpose: storing and analysing workforce data to compute gender pay-gap metrics and generate reports.
- Categories of data subjects: the Controller's workers / employees.
- Types of personal data: identifiers, job category/grade, seniority, location, base pay, variable pay, gender and FTE, as uploaded by the Controller.
3. Cleira's obligations
- Process personal data only on the Controller's documented instructions.
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (see Section 6).
- Assist the Controller, taking into account the nature of processing, with data-subject requests and with its obligations under Articles 32–36 GDPR.
- Notify the Controller without undue delay after becoming aware of a personal-data breach.
- Make available information necessary to demonstrate compliance and allow for audits as set out in the agreement.
4. Sub-processors
The Controller authorises Cleira to engage sub-processors (including its website hosting provider, Cloudflare, Inc., and the EU-based infrastructure provider used for the paid product services, to be identified in Cleira's sub-processor list once the product is live) under written terms imposing equivalent data-protection obligations. Cleira will inform the Controller of intended changes and give it the opportunity to object.
5. Data isolation
On paid plans, each Controller's data is held in its own dedicated, isolated database — never shared or co-mingled with another customer's data. The Controller's divisions / business units share that single isolated database, separated by role-based access controls.
6. Security measures
Cleira maintains measures appropriate to the risk, including EU-based hosting, encryption in transit and at rest, role-based access control, audit logging, and configurable data-retention controls. Detailed measures are described in the agreement's security schedule.
7. International transfers
Cleira processes personal data within the EU/EEA. Any transfer outside the EEA will be subject to an appropriate safeguard under Chapter V GDPR, such as Standard Contractual Clauses.
8. Return and deletion
On termination, Cleira will, at the Controller's choice, delete or return the personal data and delete existing copies, unless retention is required by law.
9. Contact
Data-protection contact: privacy@cleira.eu. Supervisory authority: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP), www.dataprotection.ro.