logo

Data Processing Agreement

Version 1.2 · Last updated July 1, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between the customer identified in the applicable order, subscription, purchase, or written agreement ("Customer") and Finkit, informacijske rešitve d.o.o., Tacenska cesta 26, SI-1000 Ljubljana, Slovenia, VAT ID SI60718480, company ID 2210355 ("ManicTime", "Finkit", "we", "us", or "Processor") for the use of ManicTime Cloud or related hosted services ("Services").

This DPA applies where ManicTime processes Personal Data on behalf of Customer in the course of providing the Services.

1. Definitions

"Applicable Data Protection Laws" means all applicable data protection and privacy laws relating to the processing of Personal Data under this DPA, including, where applicable, Regulation (EU) 2016/679 ("GDPR") and the UK GDPR.

"Controller", "Processor", "Personal Data", "Personal Data Breach", "Processing", "Data Subject", and "Subprocessor" have the meanings given to them under Applicable Data Protection Laws.

"Customer Data" means data submitted to, stored in, or processed by the Services on behalf of Customer.

2. Roles of the Parties

For ManicTime Cloud, Customer is the Controller of Personal Data and ManicTime acts as Processor on behalf of Customer.

Customer determines the purposes and means of processing, including which users are added, what data is collected, which features are enabled, and how the data is used within Customer's organization.

ManicTime processes Personal Data only to provide, operate, maintain, secure, and support the Services in accordance with Customer's documented instructions and this DPA.

3. Subject Matter and Duration

The subject matter of processing is the provision of ManicTime Cloud and related support, maintenance, security, and account administration services.

Processing continues for the duration of Customer's use of the Services, plus any additional period required for deletion, backup retention, legal compliance, dispute resolution, fraud prevention, accounting, security, or legitimate business records.

4. Nature and Purpose of Processing

ManicTime processes Personal Data to:

  • provide ManicTime Cloud time-tracking functionality;
  • store and display user activity timelines;
  • enable reports, dashboards, tags, teams, and administrative features;
  • provide authentication, access control, and API access where enabled;
  • maintain, monitor, secure, and troubleshoot the Services;
  • provide customer support;
  • communicate with Customer regarding the Services;
  • comply with applicable legal obligations.

ManicTime does not sell Personal Data and does not use Customer's tracked activity data for advertising.

5. Categories of Data Subjects

Personal Data may relate to:

  • Customer's employees;
  • contractors;
  • consultants;
  • administrators;
  • end users of ManicTime;
  • support contacts and other Customer representatives.

6. Categories of Personal Data

Depending on Customer's configuration and use of the Services, Personal Data may include:

  • names, email addresses, usernames, user identifiers;
  • team, role, and permission information;
  • computer or device identifiers;
  • IP addresses;
  • login and authentication information;
  • application usage data;
  • window titles;
  • website URLs and domains;
  • document names or file paths, where tracked;
  • manually entered tags, projects, tasks, notes, comments, or time entries;
  • leave, attendance, start/end time, overtime, and related work-time information, where enabled;
  • screenshots, where enabled by Customer;
  • API access information;
  • audit logs and security logs;
  • support communications and diagnostic information.

Customer is responsible for configuring the Services according to its own privacy requirements and internal policies, including deciding whether to enable screenshots, document title tracking, website tracking, application tracking, or integrations.

7. Customer Instructions

Customer instructs ManicTime to process Personal Data as necessary to provide the Services and as otherwise documented in:

  • the applicable agreement or order;
  • this DPA;
  • Customer's configuration and use of the Services;
  • written instructions provided by Customer and accepted by ManicTime.

ManicTime will inform Customer if, in ManicTime's opinion, an instruction infringes Applicable Data Protection Laws, unless prohibited by law.

8. Confidentiality

ManicTime will ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations.

ManicTime personnel may access Personal Data only where necessary to provide, maintain, secure, or support the Services.

9. Security Measures

ManicTime will implement appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

Current measures include:

  • hosting ManicTime Cloud on Microsoft Azure;
  • storing ManicTime Cloud data in Microsoft Azure data centers in the United States (East US and East US 2 regions);
  • encryption in transit using HTTPS;
  • encryption at rest using Azure platform encryption (AES-256) for the PostgreSQL database and Azure Storage;
  • access controls for administrative systems;
  • separation of customer data;
  • authentication and authorization controls;
  • security and application logging;
  • backup and recovery procedures;
  • vulnerability management and security review processes;
  • periodic penetration testing;
  • two-factor authentication support where enabled;
  • least-privilege internal access.

Further details are in Annex II.

10. Subprocessors

Customer gives ManicTime general authorization to use Subprocessors to provide the Services.

ManicTime will use Subprocessors only where the Subprocessor is subject to contractual or other legally binding obligations designed to protect Personal Data, including obligations relating to confidentiality, security, and applicable data protection law.

Current Subprocessors are listed in Annex III. ManicTime will update the list when material Subprocessors are added or replaced. Customer may object to a new Subprocessor on reasonable data protection grounds. If the parties cannot resolve the objection, Customer may stop using the affected Services.

11. International Transfers

ManicTime Cloud data is stored in Microsoft Azure data centers in the United States (East US and East US 2 regions). Personal Data may therefore be transferred to, stored in, or accessed from countries outside the United Kingdom, European Economic Area, or Switzerland.

Where required by Applicable Data Protection Laws, ManicTime will rely on appropriate transfer mechanisms, including the European Commission Standard Contractual Clauses, the UK International Data Transfer Addendum, adequacy decisions, or other lawful transfer mechanisms.

Onward transfers of Personal Data to Subprocessors located in or accessed from countries outside the United Kingdom, EEA, or Switzerland, including Microsoft Azure, IPinfo, SendGrid (Twilio), Google, Groove, and FastSpring, are made by ManicTime, as data exporter, on the basis of the European Commission Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum (or another lawful transfer mechanism) incorporated into the relevant Subprocessor's agreement. Further detail is set out in Annex IV.

12. Assistance with Data Subject Rights

Taking into account the nature of the processing, ManicTime will provide reasonable assistance to Customer, insofar as possible, to help Customer respond to Data Subject requests.

Customer is responsible for responding to Data Subject requests. Where possible, Customer should use the administrative features of the Services to access, export, correct, or delete Personal Data.

If ManicTime receives a Data Subject request relating to Customer's Personal Data, ManicTime will, where legally permitted, direct the Data Subject to Customer or notify Customer.

13. Assistance with Compliance

Taking into account the nature of processing and information available to ManicTime, ManicTime will provide reasonable assistance with Customer's obligations relating to:

  • security of processing;
  • Personal Data Breach notifications;
  • data protection impact assessments;
  • prior consultation with supervisory authorities, where required.

ManicTime may charge reasonable fees for assistance that goes beyond standard support or requires significant effort, unless the assistance is required due to ManicTime's breach of this DPA.

14. Personal Data Breach

ManicTime will notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Customer's Personal Data.

The notification will include, to the extent known:

  • the nature of the breach;
  • categories and approximate number of affected Data Subjects, where known;
  • categories and approximate number of affected records, where known;
  • likely consequences, where known;
  • measures taken or proposed to address the breach;
  • contact point for further information.

Notification of a Personal Data Breach is not an acknowledgement of fault or liability. Customer is responsible for determining whether notification to regulators or Data Subjects is required.

15. Return and Deletion

Customer may export available Customer Data using the functionality provided by the Services or by contacting ManicTime support.

When Customer deletes a ManicTime Cloud account, Customer data is deleted immediately from the production database. Personal Data stored in backups may remain for up to 1 week until overwritten or deleted.

ManicTime may retain limited Personal Data where required by applicable law, backup retention, dispute resolution, fraud prevention, accounting, security, or legitimate business records.

16. Audit and Information Rights

ManicTime will make available information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws.

Where required by law, Customer may request an audit, subject to:

  • reasonable prior written notice;
  • normal business hours;
  • no unreasonable disruption to ManicTime's operations;
  • appropriate confidentiality obligations;
  • protection of other customers' data and system security;
  • first relying on available documentation, security reports, policies, and written responses where sufficient.

On-site audits require prior agreement and may be limited where equivalent information can be provided through documentation, third-party reports, or written responses.

17. API Access

Where Customer enables or uses ManicTime API access, Customer is responsible for managing credentials, tokens, integrations, and access permissions.

API authentication uses OpenID Connect / OAuth 2.0 (Authorization Code flow). Relevant API documentation is available at:

18. Customer Responsibilities

Customer is responsible for:

  • ensuring it has a lawful basis for processing Personal Data in ManicTime;
  • informing Data Subjects where required;
  • configuring tracking settings appropriately;
  • deciding whether to enable optional features such as screenshots, document title tracking, website tracking, or integrations;
  • managing users, permissions, teams, roles, and administrators;
  • securing Customer-managed devices, browsers, networks, and credentials;
  • reviewing exports, reports, and API integrations;
  • complying with employment, labor, privacy, monitoring, and workplace surveillance laws applicable to Customer.

19. On-Premise Deployments

Where Customer uses ManicTime Server on-premise instead of ManicTime Cloud, Customer hosts and controls the ManicTime Server environment.

For on-premise deployments:

  • Customer controls infrastructure, database, storage, backups, access controls, and encryption at rest;
  • Customer is responsible for server administration and security of the hosting environment;
  • ManicTime may process limited Personal Data only where Customer requests support, licensing, updates, or related services;
  • this DPA applies only to Personal Data processed by ManicTime on behalf of Customer.

20. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability in the applicable agreement, unless prohibited by Applicable Data Protection Laws.

21. Order of Precedence

If there is a conflict between this DPA and the main agreement, this DPA prevails with respect to processing of Personal Data.

If Standard Contractual Clauses or another mandatory transfer mechanism applies and conflicts with this DPA, that transfer mechanism prevails to the extent of the conflict.

22. Governing Law

This DPA is governed by the law specified in the applicable agreement. If no governing law is specified, this DPA is governed by the laws of Slovenia, unless Applicable Data Protection Laws require otherwise.


Annex I - Processing Details

A. Parties

Customer / Controller: The customer that subscribes to or uses ManicTime Cloud under the applicable order, subscription, or agreement. The Customer's identity and contact details are those provided in the Customer's order or account. Role: Controller (or Processor, where the Customer acts on behalf of a third-party Controller).

Processor: Finkit, informacijske rešitve d.o.o. / ManicTime, Tacenska cesta 26, SI-1000 Ljubljana, Slovenia. Contact: support@manictime.com. Role: Processor.

B. Description of Processing

ManicTime provides hosted time-tracking, reporting, dashboard, tagging, administration, API access, support, maintenance, and security services through ManicTime Cloud.

Processing includes collection, storage, organization, retrieval, display, reporting, export, deletion, and security monitoring of Personal Data submitted to or generated by the Services.

C. Purpose of Processing

The purpose is to provide ManicTime Cloud, including:

  • automatic time tracking;
  • user activity timelines;
  • productivity and work-time reporting;
  • team and administrative dashboards;
  • tagging and project/task reporting;
  • optional screenshots;
  • API access and integrations;
  • authentication and access management;
  • support, troubleshooting, security, and maintenance.

D. Categories of Data Subjects

Employees, contractors, consultants, administrators, Customer representatives, and other users authorized by Customer.

E. Categories of Personal Data

Name, email address, username, user ID, team and role information, computer/device identifiers, IP address, authentication and login data, application usage, website URLs/domains, window titles, document names/file paths where tracked, time entries and activity records, tags, projects, tasks, notes, comments, attendance/leave/overtime/work-time information where enabled, screenshots where enabled, API access information, audit/security logs, support and diagnostic data.

F. Sensitive Data

The Services are not designed for intentional processing of special categories of personal data.

Customer should not submit special category data unless Customer has determined that such processing is lawful and appropriate.

Because ManicTime can record window titles, website URLs, document names, notes, and screenshots depending on Customer configuration, Customer is responsible for configuring the Services to avoid unnecessary collection of sensitive or excessive data.

G. Frequency

Continuous during Customer's use of the Services.

H. Duration

For the duration of Customer's subscription or use of the Services, plus applicable deletion, backup, legal, accounting, security, and dispute-resolution periods.

I. Data Location

ManicTime Cloud data is stored in Microsoft Azure data centers in the United States (East US and East US 2 regions). Automated database backups are retained within the same United States regions (geo-redundant backup is not enabled).


Annex II - Technical and Organizational Measures

ManicTime applies technical and organizational measures designed to protect Personal Data processed through ManicTime Cloud.

1. Hosting and Infrastructure

  • ManicTime Cloud is hosted on Microsoft Azure.
  • ManicTime Cloud data is stored in Microsoft Azure data centers in the United States (East US and East US 2 regions).
  • Infrastructure access is restricted to authorized personnel.
  • Administrative access is limited based on business need.

2. Encryption

  • Data in transit is protected using HTTPS.
  • Data at rest is protected using Azure platform encryption (AES-256) applied to the PostgreSQL database, Azure Storage (including screenshots), and managed disks.
  • Customer-managed on-premise deployments rely on Customer's own database, disk, backup, and infrastructure encryption controls.

3. Access Control

  • Access to ManicTime systems is limited to authorized users.
  • Role-based permissions are available within ManicTime.
  • Customer administrators control user access within their ManicTime account.
  • Internal access follows least-privilege principles.
  • Two-factor authentication is supported where enabled.

4. Authentication

  • ManicTime Cloud uses authenticated access.
  • API authentication uses OpenID Connect / OAuth 2.0 Authorization Code flow.
  • API scopes are documented in ManicTime API documentation.
  • On-premise authentication options depend on Customer configuration and may include Windows authentication, Active Directory, or ManicTime user authentication.

5. Logging and Monitoring

  • Relevant system and security activity is logged.
  • ManicTime Cloud includes security and application logging for relevant activities.
  • Application performance and diagnostic telemetry is collected using Microsoft Azure Application Insights.
  • On-premise customers have direct access to server logs within their own infrastructure.
  • Logs are used for security, troubleshooting, support, and operational monitoring.

6. Data Separation

  • Customer data is logically separated.
  • Access to customer data is restricted.
  • ManicTime does not expose one customer's data to another customer.

7. Backups and Recovery

  • Backups are maintained for business continuity and disaster recovery.
  • Backup access is restricted.
  • Backups are retained for up to 1 week.

8. Vulnerability Management

  • ManicTime maintains and reviews product security.
  • Penetration tests are performed periodically.
  • Security issues are reviewed and remediated according to severity.
  • Responsible security disclosures can be sent to support@manictime.com.

9. Optional High-Risk Features

Some features may increase privacy sensitivity depending on Customer configuration, including screenshot capture, document title tracking, website URL tracking, application title tracking, notes, manually entered descriptions, and detailed employee activity reports.

Customer is responsible for enabling and configuring these features according to its legal obligations, employee notices, policies, and proportionality requirements.

10. Personnel Measures

  • Personnel with access to systems are subject to confidentiality obligations.
  • Access is granted based on business need.
  • Access may be revoked when no longer required.

Annex III - Subprocessors

Subprocessor Purpose Notes
Microsoft Azure (Microsoft Corporation) Cloud hosting, infrastructure, storage, networking, security, backups, and related cloud services, including Application Insights telemetry. ManicTime Cloud data stored in United States (East US and East US 2); backups retained up to 1 week.
IPinfo IP address geolocation for login security notifications, such as new sign-in location alerts. Receives end-user IP addresses.
SendGrid (Twilio) Transactional email delivery, including invitations, account notifications, and security notifications. Receives recipient email addresses and email content.
FastSpring Payment and subscription processing. Payment data is handled by FastSpring.
Groove Customer support communications. Support tickets and related support data.
Google Gmail / Google Workspace Email hosting and email communication. Includes support@manictime.com communications.

ManicTime will update this list when material Subprocessors are added or replaced.


Annex IV - International Transfer Terms

1. Position of the Parties

Finkit d.o.o. ("ManicTime") is established in Slovenia (EEA). Accordingly:

  • Where Customer is established in the EEA or the United Kingdom, the provision of Personal Data to ManicTime is not, by itself, a restricted international transfer.
  • Restricted international transfers arise where ManicTime, as Processor, transfers Personal Data to Subprocessors located in or accessed from countries outside the UK, EEA, or Switzerland, including Microsoft Azure, IPinfo, SendGrid (Twilio), Google, Groove, and FastSpring. These onward transfers are made on the basis of the transfer mechanisms incorporated into the relevant Subprocessor's agreement, with ManicTime acting as data exporter.

2. EU Standard Contractual Clauses

Where a transfer of Personal Data from the EEA requires an appropriate safeguard under Article 46 GDPR, the parties incorporate by reference the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 ("EU SCCs"), as follows:

  • Module Two (Controller to Processor) applies where Customer is a Controller and ManicTime is a Processor; Module Three (Processor to Processor) applies where Customer acts as a Processor on behalf of a third-party Controller;
  • Clause 7 (Docking Clause) applies;
  • Clause 9: Option 2 (general written authorization) applies, with the Subprocessor list and change-notification process set out in Section 10 and Annex III of this DPA;
  • Clause 11: the optional independent dispute-resolution language does not apply;
  • Clause 17 (Governing Law): the EU SCCs are governed by the law of Slovenia;
  • Clause 18 (Choice of Forum and Jurisdiction): disputes are resolved before the courts of Slovenia;
  • Annex I.A (List of Parties), Annex I.B (Description of Transfer), and Annex II (Technical and Organizational Measures) of the EU SCCs are populated by Annex I and Annex II of this DPA respectively; the list of Subprocessors in Annex III of this DPA serves as Annex III of the EU SCCs.

3. UK Transfers

Where a transfer is subject to the UK GDPR, the parties incorporate by reference the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner ("UK Addendum"). Tables 1 to 3 of the UK Addendum are populated by the information in this DPA and the EU SCCs above; for Table 4, the party that may end the UK Addendum when the approved version changes is the data importer.

4. Swiss Transfers

Where a transfer is subject to the Swiss Federal Act on Data Protection ("FADP"), the EU SCCs apply with the amendments necessary under Swiss law, including that references to the GDPR are read as references to the FADP, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC), and data subjects in Switzerland may enforce their rights in their place of habitual residence.

5. Alternative Mechanisms

Where a valid adequacy decision or framework certification, including any EU-US or UK extension of the Data Privacy Framework held by a Subprocessor, covers a transfer, the parties may rely on that mechanism in place of the clauses above.


Acceptance and Application

This DPA is published by Finkit d.o.o. ("ManicTime") and forms part of the agreement between ManicTime and each Customer that subscribes to or uses ManicTime Cloud. It applies automatically to every such Customer and does not require signature by either party to be effective.

This DPA takes effect on the earlier of (a) the Customer's acceptance of the applicable order, subscription, or agreement that references or incorporates this DPA, or (b) the Customer's use of the Services, and it remains in effect for as long as ManicTime processes Personal Data on the Customer's behalf.

Where a Customer requires a signed copy, ManicTime will, on request, provide this DPA executed on behalf of Finkit d.o.o. for the Customer's countersignature. A signed copy is not a condition of this DPA's effectiveness.

This version supersedes any prior version. ManicTime may update this DPA from time to time. Material changes will be notified in accordance with the applicable agreement.

Version 1.2 · July 1, 2026