Skip to content
BusinessHRM

Data Processing Agreement

Last updated June 1, 2026

This Data Processing Agreement (“DPA”) describes how BusinessHRM processes personal data on behalf of customers and supports compliance with data protection laws including the GDPR. It supplements our Terms of Service and applies where we act as a processor for your organisation.

1. Roles

For personal data within your workspace, your organisation is the controller and BusinessHRM is the processor. You determine the purposes and means of processing, and we process the data on your documented instructions, which include using the Service as configured by you.

2. Scope of processing

We process personal data only to provide and support the Service, to comply with your instructions, and as required by law. The categories of data and data subjects depend on how you use the Service, and may include employees, contractors, clients and contacts.

3. Confidentiality

We ensure that personnel authorised to process personal data are bound by confidentiality obligations.

4. Security

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit and at rest, access controls, and monitoring, as described on our Security page.

5. Subprocessors

You authorise us to engage subprocessors to help provide the Service, such as hosting, payment processing, and email delivery. We impose data protection obligations on them consistent with this DPA, and we remain responsible for their performance. We will inform you of changes to subprocessors and give you the opportunity to object on reasonable grounds.

6. Data subject requests

Taking into account the nature of the processing, we provide tools and reasonable assistance to help you respond to requests from data subjects to exercise their rights, such as access, correction and deletion.

7. Personal data breaches

We will notify you without undue delay after becoming aware of a personal data breach affecting your data, and provide information reasonably needed for you to meet your own notification obligations.

8. International transfers

Where personal data is transferred across borders, we use appropriate safeguards as required by applicable law, such as standard contractual clauses.

9. Deletion and return

On termination of the Service, we will delete or return Customer Data in accordance with our Privacy Policy and applicable retention periods, unless retention is required by law.

10. Audits

We make available information reasonably necessary to demonstrate compliance with this DPA and will allow for audits in line with applicable law and reasonable confidentiality and security requirements.

Contact

For data protection questions or to request a signed DPA, email privacy@businesshrm.com.