Stub for enterprise procurement. Use this DPA alongside the Terms of Service.
Have it reviewed by counsel for your specific compliance regime (DPDPA, GDPR, sector-specific
rules) before signing with regulated customers.
1. Roles
The Workspace Owner (“Customer”) is the Data Fiduciary under
India’s Digital Personal Data Protection Act, 2023 (DPDPA), and the equivalent
“Controller” under GDPR. HRMS (“Processor”) processes Personal Data
only on documented instructions from the Customer.
2. Subject matter & duration
Processing is carried out for the purpose of providing the HRMS Service, for the duration
of the underlying subscription, plus the retention periods set out in our Privacy Policy.
3. Nature & purpose of processing
- Storage and retrieval of employee records
- Calculation of payroll, attendance, leave and statutory deductions
- Generation and delivery of payslips, letters, and notifications
- Backup, restore, and disaster recovery
4. Categories of Data Principals
- The Customer’s employees, contractors, and applicable dependants
- The Customer’s HR administrators and managers using the Service
5. Categories of Personal Data
- Identity data (name, DOB, gender, photograph, contact details)
- Employment data (designation, salary, attendance, leave, performance)
- Statutory identifiers (PAN, Aadhaar, UAN, ESI, bank details) — encrypted at rest
- System logs (IP, browser, login times) for security purposes
6. Processor obligations
HRMS shall:
- Process Personal Data only on documented instructions from the Customer
- Ensure personnel authorized to process data are bound by confidentiality
- Implement the technical and organizational measures listed in Schedule A
- Assist the Customer in responding to Data Principal rights requests within statutory timelines
- Notify the Customer of any personal-data breach without undue delay, and in any event within 72 hours
- Delete or return all Personal Data on termination, subject to statutory retention
- Make available all information necessary to demonstrate compliance with this DPA
7. Sub-processors
The Customer authorizes HRMS to engage the following sub-processors:
- DigitalOcean (India) — cloud hosting, object storage (Bangalore region)
- Amazon Web Services (Mumbai) — transactional email via Amazon SES
- Sentry — error monitoring (stack traces only, no PII)
HRMS will notify the Customer of any addition or replacement of sub-processors at least
30 days in advance. The Customer may object on reasonable grounds related to data protection.
8. International transfers
Production data is stored within India. Where any sub-processor accesses data from outside
India, HRMS will ensure an appropriate transfer mechanism is in place (Standard Contractual
Clauses or other lawful basis).
9. Audit rights
HRMS will, upon reasonable prior written notice and no more than once per calendar year,
make available to the Customer documentation evidencing compliance with this DPA. On-site
audits require mutually agreed scope, scheduling and cost-sharing.
10. Liability
Liability under this DPA is subject to the limitations set out in the Terms of Service.
11. Schedule A — Technical & organizational measures
- Encryption in transit: TLS 1.2+ enforced for all client connections and inter-service traffic
- Encryption at rest: Fernet (AES-128) for PAN, Aadhaar, bank account numbers; full-disk encryption on production volumes
- Access control: tenant-level row isolation; role-based access control (RBAC); least-privilege admin access; SSO for internal staff
- Authentication hardening: password reset tokens expire after 24 hours; brute-force rate limiting on login and reset endpoints; sessions expire on browser close by default
- Audit logging: immutable log of sensitive operations (data export, role grant, salary change, PII access)
- Backups: daily encrypted database backups with 14-day retention; quarterly restore drills
- Monitoring: centralized error tracking; production alerting for security-relevant events
- Personnel: background checks for engineers with production access; annual security training
- Incident response: documented breach-notification workflow with 72-hour notification commitment
12. Schedule B — Sub-processor list
Current as of 8 June 2026:
- DigitalOcean LLC — Hosting (Bangalore, India)
- Amazon Web Services India Pvt Ltd — Transactional email (Mumbai, India)
- Functional Software Inc. (Sentry) — Error monitoring (United States)
13. Contact
Data Protection enquiries: dpo@yourbrand.com