Data Processing Addendum

Last updated: 25 Jan 2023

This DPA applies as set out in section 18.2 of the Terms of Service.

Introduction

Humaans Software UK LTD (“Humaans Software UK”, “Humaans”, “we”, “us”, “our”) has contracted to provide you (“you”, “your(s)”, “user”) with our cloud-based people management software as a service called Humaans through the humaans.io website (“Services”).

Humaans has agreed to provide Services to you in accordance with the terms of the Terms of Service. In providing these Services, we shall process Customer Personal Data (as defined below) on your behalf. From the date that you agree to the Terms of Service, we will process and protect such Customer Personal Data in accordance with the terms of this Data Protection Addendum for the duration of your subscription to the Services.

You acknowledge that we may process personal data provided by you as a controller to provide the Services. Information regarding our obligations as a controller and your rights as a data subject are set out in our Privacy Policy. For personal data that we process under your instructions, we are a processor, and you hereby confirm that you have all necessary appropriate consents and notices in place to enable lawful transfer of such personal data to us.

Interpretation

1. In this DPA, save where the context requires otherwise, the following words and expressions have the following meaning:

"Customer Personal Data" means any personal data that you make available to us in connection with the provision of the Services, including, the personal data identified in Annex A;

"DPA" or “Data Protection Addendum” means this data processing addendum;

"DPA 2018" means the Data Protection Act 2018;

"Data Protection Laws" means the GDPR, any national implementing or supplementary legislation and any other applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the processing of Customer Personal Data;

"European Economic Area" or "EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein;

"GDPR" means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (the "EU GDPR") and, where applicable, the "UK GDPR" as defined in The Data Protection, Privacy and Electronic Communications (Amendment Etc.) (EU Exit) Regulations 2019;

"ICO" means the UK Information Commissioner's Office;

"Objection" has the meaning given to it in paragraph 2.4;

"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer Personal Data;

"Sub-Processor" means any processor engaged by Humaans who agrees to receive from Customer Personal Data; and

The terms "controller", "processor", "data subject", "personal data", "process" and "supervisory authority" shall have the same meaning as set out in the GDPR.

1. Data Processing

1. 1.1. Humaans will only process Customer Personal Data in accordance with:
1. (a) the Terms of Service, to the extent necessary to provide the Services to you; and
2. (b) your written instructions,

unless processing is required by European Union, Member State or UK law to which Humaans  is subject, in which case Humaans shall, to the extent permitted by applicable law, inform you of that legal requirement before processing that Customer Personal Data.

1. 1.2. The Terms of Service (subject to any changes to the Services) and this DPA shall be your complete and final instructions to Humaans in relation to the processing of Customer Personal Data.
2. 1.3. Processing outside the scope of this DPA or the Terms of Service will require prior written agreement between you and Humaans on additional instructions for processing.
3. 1.4. You shall provide all applicable notices to Data Subjects required under applicable Data Protection Laws for the lawful processing of Customer Personal Data by Humaans in accordance with the Terms of Service.
4. 1.5. You will obtain any consents required under applicable Data Protection Laws for the lawful processing of Customer Personal Data by Humaans in accordance with the Terms of Service.

2. Sub-Processors

1. 2.1. You agree that Humaans may use the Sub-Processors set out in Annex A to process Customer Personal Data, provided it enters into a written agreement with the Sub-Processor which imposes the same obligations on the Sub-Processor with regard to their processing of Customer Personal Data as are imposed on Humaans under this DPA.
2. 2.2. Humaans shall provide you with fourteen (14) days' notice of any proposed changes to the Sub-Processors it uses to process Customer Personal Data (including any addition or replacement of any Sub-Processors).
3. 2.3. You may, on reasonable grounds, object to Humaans' use of a new Sub-Processor by providing Humaans with:
1. (a) written notice within seven (7) days after Humaans has provided notice to you as described in paragraph 2.2;
2. (b) documentary evidence that reasonably shows that the Sub-Processor does not or cannot comply with the requirements in this DPA,

(an "Objection").

1. 2.4. In the event of an Objection, Humaans will use reasonable endeavours to make available to you a commercially reasonable change to the Services to prevent the applicable Sub-Processor from processing the Customer Personal Data. If Humaans is unable to make available such a change within a reasonable period of time, which shall not exceed thirty (30) days, either party may terminate, without penalty, the Terms of Service by providing written notice to the other party.
2. 2.5. Humaans shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to you for the acts and omissions of any Sub-Processor as if they were the acts and omissions of Humaans.

3. International Transfers

1. 3.1. Humaans shall not transfer the Customer Personal Data to a recipient in a country or territory outside the UK or EEA unless:
1. (a) the recipient, or the country or territory in which it processes or accesses the Customer Personal Data, ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of Customer Personal Data as set out in the DPA 2018 or regulations made by the UK Secretary of State under the DPA 2018; or
2. (b) the transfer is based on:
1. (i) the Standard Contractual Clauses (processors) approved by European Commission Decision C(2010)593;
2. (ii) the appropriate module of the Standard Contractual Clauses annexed to the Commission Implementing Decision C/2021/3972,

in each case as amended and approved by the ICO for use in respect of transfers subject to the UK GDPR; or

1. (c) the transfer is:
1. (i) based on any other transfer mechanism approved by the ICO; or
2. (ii) otherwise lawful under the GDPR.

4. Data Security, Audits and Security Notifications

1. 4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Humaans shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures listed in Article 32(1) of the GDPR.
2. 4.2. You may, upon reasonable notice and at reasonable times, audit (either by itself or using independent third party auditors) Humaans' compliance with the security measures set out in this DPA, including by conducting audits of Humaans' data processing facilities. Humaans shall assist with, and contribute to any audits conducted in accordance with this paragraph 4.2, provided that:
1. (a) such audits are not, other than following a Security Incident, carried out more than once a year;
2. (b) you reimburses Humaans any costs or expenses charged to or incurred by Humaans in arranging access to its Sub-Processors' processing facilities.
3. 4.3. Upon your request, Humaans shall make available all information reasonably necessary to demonstrate compliance with this DPA.
4. 4.4. Where required under Article 28(3)(h) of the GDPR, Humaans shall immediately notify you in the event that Humaans believes your instructions conflict with the requirements of the GDPR or other EU, Member State or UK laws.
5. 4.5. If Humaans or any Sub-Processor becomes aware of a Security Incident, Humaans will:
1. (a) notify you of the Security Incident without undue delay;
2. (b) investigate the Security Incident and provide such reasonable assistance to you (and any law enforcement or regulatory official) as required to investigate the Security Incident; and
3. (c) take steps to remedy any non-compliance with this DPA.
6. 4.6. Humaans shall treat the Customer Personal Data as your confidential information, and shall ensure that any employees or other personnel that have access to the Customer Personal Data have agreed in writing to protect the confidentiality and security of the Customer Personal Data and do not process such Customer Personal Data other than in accordance with this DPA.

5. Access Requests and Data Subject Rights

1. 5.1. Save as required (or where prohibited) under applicable law, Humaans shall notify you of any request received by Humaans from a data subject, whether directly or through a Sub-Processor, in respect of their personal data included in the Customer Personal Data, and shall not respond to the Data Subject.
2. 5.2. Humaans shall:
1. (a) provide you with the ability to correct, delete, block, access or copy the Customer Personal Data in accordance with the functionality of the Services; or
2. (b) where requested by you, promptly correct, delete, block, access or copy Customer Personal Data within the Services.
3. 5.3. Humaans shall notify you of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.

6. Assistance

1. 6.1. Where applicable, taking into account the nature of the processing, and to the extent required under applicable Data Protection Laws, Humaans shall:
1. (a) use all reasonable endeavours to assist you by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising data subject rights laid down in the GDPR; and
2. (b) provide reasonable assistance to you with any data protection impact assessments and with any prior consultations to any Supervisory Authority of yours, in each case solely in relation to processing of Customer Personal Data and taking into account the information available to Humaans.

7. Duration and Termination

1. 7.1. Subject to paragraph 7.2 below, Humaans shall, within ninety (90) days of the date of cancellation of the Services:
1. (a) if requested to do so by you, return a complete copy of all Customer Personal Data by secure file transfer in such a format as notified by you to Humaans; and
2. (b) delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data processed by Humaans or any Sub-Processors.
2. 7.2. Humaans and its Sub-Processors may retain Customer Personal Data to the extent required by applicable law, or as Humaans may deem necessary to prosecute or defend any legal claim, provided that such Customer Personal Data is retained only to the extent and for such period as required by applicable laws or pending resolution of any issue, and always provided that Humaans shall ensure the confidentiality of all such Customer Personal Data.

ANNEX A

Personal Data Processing Purposes And Details:

Subject Matter: Provision of the Services

Duration of Processing: Duration of customer’s subscription to the Services

Data Processing Activities: Storing and managing employee records and documents, and facilitating HR processes.

Purposes:

• To enable users to use the Humaans application.
• To improve the functionality of the Humaans application.

Personal Data Categories:

To use the application, the user who signs up ​to the Services must​ provide the following information:

• First and last name
• Job role
• Email address
• Company name
• Company address

In addition to the above personal data categories, Humaans processes:

• IP address information

Once users have signed up, ​all further data collection is optional​, and the list of types of personal data collected​ can be customised and extended by the user​, and it is their responsibility to communicate their requirements on personal data to their employees.

The application ​encourages but does not require​ the user to use the service to collect various personal data on employees, including but not limited to:

• First and last name
• Home address
• Personal and professional email addresses
• Personal and professional telephone number
• Date of birth
• Nationality
• Gender
• Bank account details
• Scan of ID, Passport, Visa or other forms of identification
• Employment details, such as role and compensation
• Time off information, such as holiday or sick days taken
• Timesheets containing hours worked
• Personal documents, such as employment agreement and share options agreement
• Next of kin name, telephone number, and email address
• Any other personal data contained in the data provided by the user

Data Subject Types:

• Company executives and administrators
• Employees
• Contractors who the customer wishes to add to the service
• Third-party administrators who the customer consents to provide access to their account

Approved Sub-Processors

Sub-Processors used for application infrastructure:

Sub-Processors used for communication and customer support: