Data Processing Agreement
Last updated: 5 June 2026
This Data Processing Agreement ("DPA") governs the processing of personal data carried out by Rekka on your behalf in the course of providing the Service. It implements Article 28 of the GDPR and forms an integral part of our Terms of Service.
1. Parties
- Processor: Happy Cloud Studio Sp. z o.o., Ul. Grzybowska 87, 00-844 Warsaw, Poland, NIP 5272786566 ("we" or "Rekka").
- Controller: the customer that has accepted Rekka's Terms of Service ("you" or "Controller").
2. Definitions
Capitalised terms have the meaning given to them in the GDPR (Regulation (EU) 2016/679). "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", "Data Subject" and "Personal Data Breach" are used as defined there. "Service" has the meaning given in the Terms of Service.
3. Subject matter and duration
This DPA covers the Processing that Rekka carries out on your behalf for the sole purpose of providing the Service. Processing continues for as long as you have an active workspace and ends when the workspace is closed, subject to the deletion and return obligations in section 12.
4. Nature, purpose and types of data
Details are set out in Annex 1 (Description of Processing).
5. Your instructions
We process Personal Data only on your documented instructions. Using the Service in its standard configuration constitutes a documented instruction. The Terms of Service, this DPA and any feature you enable within the Service together describe the scope of those instructions. You may give further instructions in writing; we will tell you if we believe an instruction infringes applicable data protection law before acting on it.
6. Confidentiality
We ensure that personnel authorised to process Personal Data are bound by written confidentiality obligations or appropriate statutory duties of confidentiality, and that access is limited to staff who need it to perform their role.
7. Security of processing
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art and the nature of the data we process. A description of the current measures is set out in Annex 3 (Technical and Organisational Measures).
8. Sub-processors
You give us general authorisation to engage Sub-processors to provide the Service. Each Sub-processor is bound by a written agreement imposing data protection obligations no less protective than those in this DPA.
The current list of Sub-processors is in Annex 2. We will give you at least 30 days' notice before adding or replacing a Sub-processor, by email to the workspace Owner or by an in-app notice. If you object to the change on reasonable data-protection grounds, you may terminate the subscription for the affected Service before the new Sub-processor starts processing. Termination on this ground during a paid plan entitles you to a pro-rata refund of prepaid amounts.
We remain responsible for the acts and omissions of our Sub-processors to the same extent we are responsible under this DPA.
9. International transfers
Personal Data is processed primarily within the European Economic Area. Where Personal Data is transferred to a country outside the EEA not recognised by the European Commission as providing an adequate level of protection, the transfer is governed by the European Commission's Standard Contractual Clauses (Module Three for processor-to-processor transfers, Module Two for controller-to-processor transfers, as relevant), with supplementary technical and organisational measures where appropriate. You authorise us to enter into Standard Contractual Clauses with Sub-processors on your behalf for this purpose.
10. Assistance with data subject rights
The Service includes features that let you, as Controller, fulfil Data Subject requests directly (access, rectification, erasure, restriction and export of data from the workspace settings). When we receive a request from a Data Subject relating to your workspace, without undue delay we will forward the request to you and will not respond directly except to confirm receipt and direct the Data Subject to you. We will assist you, at your expense where the assistance is substantial, in responding to such requests through appropriate technical and organisational measures.
11. Personal data breaches
We will notify you without undue delay, and in any case within 72 hours of becoming aware of a Personal Data Breach affecting your Personal Data. The notification will include, to the extent known: the nature of the breach, including the categories and approximate numbers of Data Subjects and records concerned; the likely consequences; the measures taken or proposed to address it and mitigate its effects; and the name and contact details of the point of contact for more information.
12. Return and deletion
On closure of your workspace, we soft-delete your Personal Data immediately and permanently erase it after a 30-day grace period, except where retention is required by law (for example invoices). Backups containing Personal Data are rotated within 30 days. On request before erasure, we will make Customer Data available for export.
13. Audits
We will make available to you the information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you. To minimise disruption, we may satisfy audit requests by providing our existing documentation and Sub-processor reports where these reasonably address your audit scope.
14. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service.
15. Order of precedence
In the event of a conflict between this DPA and the Terms of Service regarding the Processing of Personal Data, this DPA prevails.
Annex 1. Description of Processing
- Subject matter: provision of the Rekka workplace wellness Service.
- Duration: the term of the Terms of Service, for as long as the workspace is active.
- Nature and purpose: hosting, storing, transmitting and otherwise processing Personal Data as necessary to deliver the Service's wellness features to the Controller's team.
- Categories of Data Subjects: the Controller's workspace Owners and the employees they invite.
- Types of Personal Data: identity and contact data (name, email); profile data (profile picture, date of birth, sex, language); and wellbeing content recorded by individuals (personal projects, time-tracking sessions, journal reflections, optional mood snapshots, habit tracking and exercise history). Wellbeing content may include special categories of data voluntarily provided by the individual, who alone can view it within the Service.
Annex 2. Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | Frankfurt, Germany (EU) |
| Cloudflare, Inc. | Web hosting, CDN, edge application runtime, DDoS protection | Global edge network, EU data residency where supported |
| Brevo (Sendinblue SAS) | Transactional email delivery | France (EU) |
Annex 3. Technical and Organisational Measures
- Encryption: data encrypted in transit (TLS) and at rest.
- Access control: row-level security so each user can reach only their own data; the employer cannot see an employee's private wellbeing entries.
- Least privilege: administrative access limited to staff who need it, protected by strong authentication.
- Credentials: passwords stored only as salted hashes; private files served via short-lived signed URLs.
- Data residency: primary processing and storage hosted in the EU (Frankfurt).
- Resilience: regular backups with a 30-day rotation.
- Monitoring: server logging for security and abuse prevention, retained up to 90 days.
- Vendor management: written data processing agreements in place with every Sub-processor.
Contact
- Happy Cloud Studio Sp. z o.o., Ul. Grzybowska 87, 00-844 Warsaw, Poland
- Privacy contact: Franco Toccu
- Email: privacy@happycloudstudio.com