Go to My Account
Request a Demo
a-minimalist-corporate-wallpaper-featuri_i0qJjvmeQFuLSRT4791Zug_cs3t7RsFR7yXmtqjsurSQw

Data Processing Agreement (DPA)

CheckOP - SaaS Field Operations Management Platform

Last update: February 10, 2026

Introduction and Scope

This Data Processing Agreement (hereinafter, "DPA" or "Agreement") sets forth the terms and conditions under which Progresus S.A.S. (hereinafter, "Progresus", "CheckOP" or "Processor") processes personal data on behalf of its customers (hereinafter, "Customer" or "Data Controller") in connection with the provision of the CheckOP service.

This DPA forms an integral part of the service contract between Progresus and the Customer, and supplements CheckOP's Terms and Conditions of Service and Privacy Policy.

2. Definitions

"Personal Data": Any information relating to an identified or identifiable natural person.

"Processing": Any operation performed on personal data, whether by automated means or not, such as collection, recording, organization, storage, modification, consultation, use, communication, transfer or deletion.

"Data Controller": The Client, who determines the purposes and means of the processing of personal data of its end users and customers.

"Data Processor": Progresus S.A.S., who processes personal data on behalf of the Controller.

"Sub-processor": any third party hired by the Data Controller to perform specific processing activities on behalf of the Controller.

"Data Subject": Natural person whose personal data is the subject of processing.

"Personal Data Breach": Security breach resulting in destruction, loss, accidental or unlawful alteration, unauthorized communication or access to personal data.

3. Roles and Responsibilities

3.1 The Client as Data Controller

The Client acts as the Controller when using CheckOP to manage personal data of its employees, contractors and end customers. The Customer:

  • Determines the purposes and means of the processing of personal data.
  • Is responsible for the lawfulness of the processing and for obtaining the necessary legal bases
  • Must inform data subjects about the processing.
  • Must respond to requests from data subjects to exercise their rights.
  • Is responsible for the accuracy of the data provided.

3.2 Progresus as Data Processor

Progresus acts as a Processor when processing personal data on behalf of the Client. Progresus:

  • Processes personal data only in accordance with the Client's documented instructions.
  • Does not use the data for its own unauthorized purposes
  • Implements appropriate security measures
  • Assists the Customer in fulfilling its obligations
  • Notifies the Customer of personal data breaches

3.3 Progresus as Data Controller

Progresus acts as Data Controller when it processes data for its own legitimate purposes, such as:

  • Management of the contractual relationship with the Customer
  • Billing and account management
  • Service improvement through aggregated analysis
  • Fulfillment of its own legal obligations

4. Object and Purpose of the Processing

4.1 Purpose

This DPA regulates the processing of personal data that the Customer enters, uploads or generates through CheckOP.

4.2 Purpose

The processing is carried out solely for:

  • Provide the contracted Subscription Service.
  • Manage tasks and operations in the field
  • Store and process data captured through forms
  • Enable geolocation and tracking of personnel
  • Generate reports and analysis requested by the Customer
  • Provide technical support
  • Comply with the Client's documented instructions

4.3 Nature of Processing

Processing includes: collection, recording, organization, structuring, storage, adaptation, consultation, use by transmission, combination, restriction, deletion and destruction of personal data.

5. Types of Personal Data

The types of personal data processed depend on the Customer's configuration and may include:

5.1 Customer User Data

  • First and last names
  • E-mail addresses
  • Telephone numbers
  • Access credentials (encrypted passwords)
  • Geolocation data (GPS)
  • Device information
  • Platform activity logs

5.2 Client's End Customer Data

  • Names and contact details
  • Physical addresses
  • Contracted services information
  • Digital signatures
  • Photographs and videos captured in the field
  • Any other data captured through forms configured by the Client.

5.3 Categories of Data Subjects

  • Client's employees and contractors
  • Client's end customers
  • Other third parties whose data is entered by the Client

6. Obligations of the Data Processor

6.1 Processing according to Instructions

Progresus will process personal data only:

  • According to the Customer's documented instructions.
  • For the purposes set out in this DPA and the service contract.
  • In accordance with applicable law

If Progresus considers that an instruction infringes data protection regulations, it will inform the Customer without delay.

6.2 Confidentiality

Progresus guarantees that the persons authorized to process personal data:

  • Have undertaken to maintain confidentiality.
  • Are subject to appropriate legal obligations of confidentiality
  • Have received the necessary training in data protection

6.3 Security Measures

Progresus implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Technical Measures:

  • Encryption of data in transit (TLS 1.0-1.3, 2048-bit keys or higher).
  • Data-at-rest encryption (AES-256)
  • Role-based access control (RBAC)
  • Strong authentication with password complexity requirements
  • Web threat protection following OWASP
  • DDoS protection
  • Continuous security monitoring
  • Vulnerability scanning

Organizational measures:

  • Information security policies
  • Employee background checks
  • Security and privacy training
  • Incident management procedures
  • Business continuity plans

6.4 Assistance to the Responsible Party

Progresus will assist the Client, to the extent reasonable, to:

  • Handle requests for the exercise of rights of data subjects.
  • Conduct data protection impact assessments, when necessary
  • Notifying data breaches to authorities and data subjects, where appropriate
  • Demonstrate compliance with data protection obligations.

6.5 Data Breach Notification

In the event of a personal data breach, Progresus:

  • Notify the Customer without undue delay after becoming aware of the breach.
  • Provide information on the nature of the breach, categories and approximate number of data subjects affected
  • Describe the possible consequences of the breach
  • Describe the measures taken or proposed to be taken to remedy the breach

7. Sub-processors

7.1 General Authorization

The Client authorizes Progresus to engage sub-processors for the processing of personal data, subject to the conditions set forth in this DPA.

7.2 Current Sub-processors

The main sub-processors used by Progresus are:

Sub-processor Location Purpose
Amazon Web Services (AWS) United States Hosting and cloud infrastructure
Google Cloud Platform (GCP) United States Hosting and cloud infrastructure

7.3 Obligations to Subcontractors

Progresus:

  • Shall enter into written agreements with each sub-provider that impose data protection obligations equivalent to those in this DPA.
  • Remain accountable to Customer for the acts of its Sub-Processors
  • Notify the Client of any planned changes in Sub-Providers in reasonable advance

7.4 Objections to Sub-Assignees

Client may reasonably object to a new Sub-Clerk by notifying Progresus in writing within thirty (30) days of notification of the change. The parties will work in good faith to resolve the objection.

8. International Data Transfers

8.1 Location of Processing

Personal Data is primarily processed in data centers located in the United States, using AWS and GCP services.

8.2 Safeguards for Transfers

Progresus implements appropriate safeguards for international data transfers, which may include:

  • Approved standard contractual clauses.
  • Assessment of the legislation of the destination country
  • Additional technical and organizational measures

8.3 Regional Compliance

For customers located in jurisdictions with specific restrictions on international transfers, Progresus will work to implement additional safeguards as reasonably necessary.

9. Data Subject Rights

9.1 Customer's Responsibility

The Client, as Data Controller, is responsible for:

  • Dealing with requests from Data Subjects to exercise their rights.
  • Informing data subjects about their rights
  • Maintaining procedures for handling such requests

9.2 Assistance of the Controller

Progresus will assist the Client in the attention of requests for rights of data subjects, providing:

  • Functionalities on the platform to access, rectify or delete data.
  • Information necessary to respond to requests
  • Data export when requested

9.3 Direct Requests to the Processor

If a data subject contacts Progresus directly to exercise his or her rights, Progresus will:

  • Will inform the Data Subject that he/she should direct his/her request to the relevant Customer.
  • Notify the Customer of the request received, where identifiable.

10. Audits and Verification

10.1 Compliance Information

Progresus shall make available to the Customer reasonable information necessary to demonstrate compliance with the obligations set forth in this DPA.

10.2 Audits

The Customer has the right to conduct audits or inspections, directly or through an external auditor, subject to the following conditions:

  • At least thirty (30) days prior notice.
  • Audits shall be conducted during business hours and in a manner that does not interfere with normal operations.
  • The external auditor shall sign appropriate confidentiality agreements
  • The costs of the audit shall be borne by the Client
  • Audits shall be limited to what is strictly necessary to verify compliance.

10.3 Alternatives

Progresus may provide certifications, audit reports or third party assessments as an alternative to individual audits, when available.

11. Data Retention and Disposal

11.1 During the Contractual Relationship

Progresus will retain personal data for the period necessary to provide the Service and comply with the Customer's instructions.

11.2 Upon Termination of the Contract

Upon termination of the Service Contract:

  • Customer may export its data using the functionalities of the platform prior to termination.
  • Progresus will remove the personal data from the production databases within ninety (90) days after termination, upon written request from the Customer
  • Data in backups will be deleted according to the normal life cycle of the backups.

11.3 Exceptions

Progresus may retain personal data when:

  • It is required by applicable law
  • Is necessary to comply with legal or regulatory obligations
  • It is necessary to establish, exercise or defend legal claims.

12. Responsibility

12.1 Liability of the Processor

Progresus shall be liable to the Customer for damages caused by the processing when:

  • Has not fulfilled the obligations specifically addressed to processors.
  • Has acted outside or contrary to the Client's legal instructions.

12.2 Limitations

Progresus' liability shall be subject to the limitations set forth in the Terms and Conditions of Service.

12.3 Indemnification

Each party shall indemnify the other for any fines, penalties or damages resulting from the breach of their respective obligations under this DPA.

13. Term and Termination

13.1 Term

This DPA shall enter into force together with the Service Agreement and shall remain in force for as long as Progresus processes personal data on behalf of the Customer.

13.2 Survival

The provisions relating to confidentiality, limitation of liability and post-contractual obligations shall survive the termination of this DPA.

14. Modifications

Progresus may update this DPA to reflect changes in its data processing practices or legal requirements. Substantial changes will be notified to Customer upon reasonable notice.

15. Contact

For inquiries regarding this Data Processing Agreement:

Progresus S.A.S.

  • E-mail: soporte@checkop.co
  • Support Portal: https://support.checkop.co

This Data Processing Agreement forms an integral part of the service contract between Progresus S.A.S. and the Client, and is aligned with international good data protection practices.