Enterprise · GDPR

Data Processing Agreement

Our standard DPA template for enterprise customers. GDPR Article 28 compliant.

Version 1.0 · June 1, 2025 · GDPR Article 28 · SCCs included

Need a signed DPA?

Email legal@remotepool.jp with your organisation’s legal name and signatory details. We will countersign and return within 3 business days.

1. Scope & Purpose

This DPA forms part of the agreement between RemotePool Pte. Ltd. (Processor) and the enterprise customer (Controller). RemotePool processes personal data on behalf of the Controller solely to provide the platform services described in the applicable service agreement. RemotePool will not process Personal Data for any other purpose without prior written consent.

2. Nature of Processing

Subject matter: Engineer talent profiles, employment records, payroll data, communications
Duration: For the term of the service agreement plus the retention period in the Privacy Policy
Nature: Collection, storage, retrieval, structuring, use, disclosure, erasure
Categories of data: Identity, contact, professional, financial, communications
Categories of data subjects: Engineers, company employees and HR managers using the platform

3. Processor Obligations

RemotePool agrees to:

  1. Process Personal Data only on documented instructions from the Controller, unless required by applicable law
  2. Ensure that persons authorised to process Personal Data have committed to confidentiality
  3. Implement appropriate technical and organisational measures (Article 32 GDPR)
  4. Not engage a new Sub-processor without prior written notice of at least 14 days
  5. Assist the Controller with data subject rights requests, breach notifications, and DPIAs
  6. At the Controller's choice, delete or return all Personal Data after the service ends
  7. Make available all information necessary to demonstrate compliance and allow for audits

4. Approved Sub-processors

The Controller authorises the following sub-processors. RemotePool will give 14 days’ written notice before engaging new ones.

Sub-processor | Purpose | Location
AWS / Vercel | Infrastructure hosting | US, EU, AP
Stripe | Payment processing | US
SendGrid / Resend | Transactional email | US
OpenAI / Google AI | AI-powered matching features | US

5. International Transfers

Where Personal Data is transferred outside the EEA or UK, such transfers are protected by Standard Contractual Clauses (SCCs) as adopted by the European Commission, incorporated by reference into this DPA. RemotePool will not transfer Personal Data to any country without implementing appropriate safeguards.

6. Security Measures

  • TLS 1.2+ encryption in transit; AES-256 at rest for sensitive fields
  • Bcrypt hashing for passwords; tokenised storage for payment credentials
  • Role-based access control (RBAC) with least-privilege principle
  • Audit logging of all administrative and data access events
  • Automated vulnerability scanning and dependency updates
  • Incident response procedure with breach notification within 72 hours of discovery

7. Data Breach Notification

RemotePool will notify the Controller without undue delay — and in any event within 72 hours — after becoming aware of a Personal Data breach likely to result in a risk to data subjects’ rights. Notification will include:

  • Nature of the breach
  • Categories and approximate number of data subjects and records concerned
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

8. Term & Termination

This DPA is effective for the duration of the service agreement. Upon termination RemotePool will, at the Controller’s election, securely delete or return all Personal Data within 30 days, unless longer retention is required by law.
