Data Processing Agreement
Version v1.0 · Last updated: 12 May 2026 · Between StafFixHR ("Processor") and the Client ("Controller").
This Data Processing Agreement ("DPA") forms part of the Terms of Service. It sets out the processor obligations of StafFixHR under the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, the Indian Digital Personal Data Protection Act 2023 ("DPDP Act"), and equivalent local data-protection laws.
1. Subject matter and duration
Processor processes Personal Data on behalf of Controller solely for the purpose of providing the Service. Processing continues for the Subscription Term plus the retention period set out in the Privacy Policy.
2. Nature and purpose of processing
- Hosting and serving HR records (employees, payslips, leaves, attendance, etc.)
- Performing payroll calculations and statutory reports requested by Controller
- Sending in-product, email, and (when enabled) WhatsApp/SMS notifications
- Generating audit logs, backups, and security telemetry
- Providing support, including time-limited access granted by Controller
3. Categories of Personal Data
Employee identity (name, contact, government IDs), employment terms (salary, designation, dates), payroll/tax data, attendance/leave records, documents uploaded by employees, and any custom fields configured by Controller.
Special-category data (Art. 9 GDPR) is processed only if Controller chooses to upload it; Controller alone is responsible for the lawful basis for such processing.
4. Categories of Data Subjects
- Controller's employees, contractors, interns, and former employees
- Controller's HR admins, payroll admins, managers, and board members (authorised users)
- Candidates who apply through Controller's public careers page
5. Controller obligations
- Have a lawful basis (Art. 6 GDPR / DPDP Act §7) for each processing activity it instructs Processor to perform.
- Provide privacy notices to its employees; obtain consent where required.
- Honour data-subject rights (access, rectification, erasure, portability) — Processor will assist as set out in §8.
- Configure access controls within the Service to enforce least-privilege among its own staff.
6. Processor obligations
- Process Personal Data only on Controller's documented instructions, including for international transfers, unless required otherwise by EU/Indian law (in which case Processor will notify Controller, unless prohibited).
- Ensure persons authorised to process Personal Data are bound by confidentiality.
- Implement appropriate technical and organisational measures (see Annex A).
- Not engage sub-processors without Controller's general written authorisation (granted by accepting this DPA). The current sub-processor list is in the Privacy Policy §4.
- Notify Controller within 72 hours of becoming aware of a Personal Data Breach affecting Controller's data.
- Assist Controller with DPIAs, prior consultations, and responses to supervisory authorities to a reasonable extent.
- Return or delete all Personal Data on termination, unless EU/Indian law requires retention.
- Make available all information necessary to demonstrate compliance with this DPA; submit to audits and inspections by Controller or a mandated auditor (with reasonable notice; subject to a confidentiality undertaking; not more than once per year unless a Breach occurs).
7. Sub-processors
Controller authorises Processor to engage the sub-processors listed in the Privacy Policy §4. Processor will give Controller at least 30 days' prior written notice of any new sub-processor. Controller may object on reasonable data-protection grounds; if a resolution cannot be agreed, Controller may terminate the affected portion of the Service for a pro-rated refund.
8. Data-subject rights
Processor will, taking into account the nature of the processing, assist Controller by appropriate technical and organisational measures to respond to requests from Data Subjects under Chapter III GDPR / DPDP Act Ch. III. Self-service export/erasure tools in the Service satisfy most requests directly.
9. International transfers
Transfers of Personal Data outside the EEA / UK rely on (a) the 2021 EU Standard Contractual Clauses (Module 2: controller → processor; Module 3: processor → sub-processor), and (b) the UK IDTA addendum where the UK GDPR applies. The SCCs/IDTA are incorporated by reference and prevail over conflicting clauses in this DPA for those transfers. A signed copy is available on request.
10. Liability
Each party's liability under this DPA is subject to the limitations and exclusions in the Terms of Service §15, except where mandatory law (including GDPR Art. 82) imposes non-excludable liability for damages to Data Subjects.
10A. Governing law & exclusive jurisdiction
This DPA is governed by the laws of India and any dispute arising out of or relating to it shall be subject to the exclusive jurisdiction of the courts at Vadodara, Gujarat, India. This exclusive forum applies regardless of the Controller's place of establishment, save where EU / UK GDPR vests non-derogable jurisdiction in a Data Subject's local courts for individual claims under GDPR Art. 79.
11. Termination of the DPA
This DPA terminates automatically when the underlying Service agreement terminates. On termination, Processor will, at Controller's option (made within 30 days of termination), return all Personal Data or delete it, except where Union or Indian law requires retention.
Annex A — Technical & Organisational Measures
- Access control: JWT-based access; role-based authorisation; least-privilege defaults; mandatory password complexity + bcrypt hashing; passkey/WebAuthn supported; sessions revocable.
- Encryption: TLS 1.2+ in transit; AES-256 at rest for object storage; database encryption-at-rest via provider (Railway).
- Network: firewalled production environment; no public DB exposure; Cloudflare DNS with DNSSEC; rate limits on auth endpoints.
- Operational: daily DB backups (365-day retention); audit logging of mutations; mutation logs include actor, timestamp, before/after.
- Data minimisation: only fields required for HR/payroll/statutory functions are collected; field-level deletion supported via APIs.
- Personnel: employees with production access sign confidentiality undertakings; access is granted on need-to-know and revoked promptly on role change/exit.
- Vendor management: sub-processors signed under DPAs at least as protective as this one.
- Incident response: documented playbook; security incidents materially affecting Client Data notified within 72 hours.
Annex B — Sub-processors
See Privacy Policy §4 for the current list.
Annex C — Standard Contractual Clauses
For EU/EEA transfers, Module 2 of the 2021 SCCs applies. For UK transfers, the UK IDTA addendum applies. Hard copy on request to legal@staffixhr.com.
Disclaimer: This DPA is a best-practice draft. Enterprise EU customers may require a signed counter-DPA on their template; we are happy to negotiate. Have this reviewed by qualified counsel before relying on it for large engagements.