GDPR en ausencia

At absentify (BrainCore Solutions GmbH), protecting your data is our highest priority. We process personal data in full compliance with the General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), and the Swiss Federal Act on Data Protection (FADP/DSG). We operate a certified Information Security Management System (ISMS) according to ISO 27001.

Your rights under the GDPR and UK GDPR

You have the right to be informed, the right of access, rectification, erasure, restriction of processing, data portability, objection, and the right not to be subject to automated decision-making. absentify processes sensitive data such as employee and absence information on behalf of companies — with a strong focus on security and confidentiality.

Controller

BrainCore Solutions GmbH Panoramaweg 1, 8274 Tägerwilen, Switzerland

EU Representative (Art. 27 GDPR): Prighter Group GmbH Neustiftgasse 83/2A, 1070 Vienna, Austria Contact: https://app.prighter.com/portal/absentify

UK Representative (Art. 27 UK GDPR): Prighter Ltd 20 Primrose Street, London EC2A 2EW, United Kingdom Contact: https://app.prighter.com/portal/absentify

Data Protection Officer: privacy@absentify.com

General Contact: support@absentify.com

Supervisory Authorities

EU: You may lodge a complaint with any EU supervisory authority in your member state.

UK: Information Commissioner's Office (ICO) Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom https://ico.org.uk

Technical and Organizational Measures (TOM)

Encryption: TLS 1.2+/1.3 during transmission, AES-256 at rest for all databases, storage, and backups

Access control: Role-based permissions (RBAC), multi-factor authentication (MFA), least-privilege principle, regular access reviews

Network security: Private endpoints for all sensitive services, Web Application Firewall (WAF) with OWASP protection, DDoS mitigation

Monitoring & logging: Microsoft Defender for Cloud, continuous system monitoring, immutable audit trails (365 days retention)

Backups: Geo-redundant encrypted backups with 14-day retention and point-in-time recovery testing

Organizational security: Employee training, internal policies, regular audits, documented incident response procedures

Certification: Operation of an ISO 27001-certified Information Security Management System (ISMS)

The ISO 27001 certificate is included as an attachment in the Data Processing Agreement (DPA).

Data Processing Agreement (DPA)

absentify provides a standardized Data Processing Agreement in accordance with Art. 28 GDPR / UK GDPR. The DPA is accepted electronically within the application – no signature or postal exchange is required.

The DPA is presented when first accessing absentify or within the workspace settings and can be accepted with a single click.

Acceptance is logged in a tamper-proof manner (timestamp, workspace ID, IP address, version).

The current DPA can be downloaded at any time directly from within the app.

The DPA includes Standard Contractual Clauses (SCCs) for international transfers and the UK International Data Transfer Addendum where applicable.

absentify provides a standardized SaaS solution; therefore, individual contract adjustments are not possible. Any updates to the DPA apply equally to all customers and will be communicated in advance.

Data Processing Locations and International Transfers

Primary processing locations: Data is processed in Switzerland and within the European Union via Microsoft Azure (Ireland and Denmark).

EU-UK transfers: The European Commission has adopted an adequacy decision for the United Kingdom, valid until December 27, 2025. We monitor this status continuously.

Third-country transfers: Transfers to third countries are only carried out if the requirements of Articles 44 et seq. GDPR are fulfilled, including:

EU Standard Contractual Clauses (SCCs)

UK International Data Transfer Agreement (IDTA)

Adequacy decisions

Additional technical and organizational safeguards

Subprocessors

We work exclusively with subprocessors within the European Union (EU) and the United Kingdom (covered by an EU adequacy decision). All subprocessors operate under GDPR-compliant Data Processing Agreements.

Current subprocessor list: subprocessors

We notify customers of any new subprocessors at least 30 days before engagement.

Data Protection Incidents

In the rare event of a data protection or security incident, we act immediately to analyze and resolve the issue. Where required, we notify the competent supervisory authority (including the ICO for UK-related incidents) within 72 hours and, if necessary, the affected individuals.

Data Subject Requests

For requests related to access, correction, deletion, restriction, or data portability, please contact us at: 📧 privacy@absentify.com

Or via our EU/UK representative portal: 🔗 https://app.prighter.com/portal/absentify

We support our customers in processing such requests in accordance with Articles 12–23 GDPR / UK GDPR. We respond within one month, extendable by two months for complex requests.

Data Retention

Customer data: Deleted immediately upon account deletion

Backups: Maximum 14 days retention

Security audit logs: 365 days (immutable)

Application logs: 30 days

Financial records: Managed by Paddle per their GDPR-compliant policies

Certifications

ISO 27001 (Information Security Management System) – certificate included in the DPA ✅

Microsoft 365 App Certification – successfully completed ✅

Microsoft Azure Compliance – ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3 ✅

SOC 2 – currently not planned