
Data Processing Addendum

Effective: 18 March 2026

You can find our previous DPA here.

Preamble

This Data Processing Addendum (“DPA”) forms part of the Terms of Service (the “Agreement”) between Humaans Software UK LTD (“Humaans”, “we”, “us”, “our”) and you (“Customer”, “you”, “your”). This DPA applies as set out in clause 17.2 of the Agreement.

1. Definitions and Interpretation

In this DPA, unless the context requires otherwise, the following terms have the following meanings:

“Applicable Data Protection Laws” means all laws and regulations relating to the processing of personal data that apply to Humaans’ processing of Customer Personal Data, including (a) the EU General Data Protection Regulation 2016/679 (the “EU GDPR”); (b) the UK GDPR as defined in The Data Protection, Privacy and Electronic Communications (Amendment Etc.) (EU Exit) Regulations 2019; (c) the Data Protection Act 2018 (“DPA 2018”); and (d) any applicable ePrivacy legislation, in each case as amended, superseded or replaced from time to time.

“Customer Personal Data” means any personal data that the Customer makes available to Humaans in connection with the provision of the Services, including the personal data described in Annex A.

“DPIA” means a data protection impact assessment as described in Article 35 of the EU GDPR.

“EEA” means the European Economic Area, being the Member States of the European Union together with Iceland, Norway and Liechtenstein.

“ICO” means the UK Information Commissioner’s Office.

“Restricted Transfer” means a transfer of Customer Personal Data to a country or territory outside the UK or EEA that is not subject to an adequacy decision by the European Commission or the UK Secretary of State (as applicable).

“SCCs” means (a) in respect of transfers subject to the EU GDPR, the standard contractual clauses annexed to the European Commission Implementing Decision (EU) 2021/914; and (b) in respect of transfers subject to the UK GDPR, the International Data Transfer Agreement issued by the ICO (the “UK IDTA”).

“Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.

“Sub-Processor” means any third-party processor engaged by Humaans to process Customer Personal Data on behalf of the Customer.

“TOMs” means the technical and organisational security measures described in Annex B.

The terms “controller”, “processor”, “data subject”, “personal data”, “process” (and its derivatives) and “supervisory authority” shall have the meanings given to them in the EU GDPR.

The Customer is the controller and Humaans is the processor in respect of Customer Personal Data processed under this DPA.

2. Scope and Processing Instructions

2.1. Humaans shall process Customer Personal Data only on the documented instructions of the Customer, unless processing is required by applicable law to which Humaans is subject, in which case Humaans shall (to the extent permitted by applicable law) inform the Customer of that legal requirement before carrying out the processing.

2.2. The Agreement (including this DPA), together with the Customer’s use and configuration of the Services, constitute the Customer’s complete and final instructions to Humaans for the processing of Customer Personal Data. Any processing outside the scope of these instructions shall require a prior written agreement between the parties.

2.3. Humaans shall immediately notify the Customer if, in Humaans’ opinion, an instruction from the Customer infringes Applicable Data Protection Laws.

2.4. Details of the subject matter, duration, nature and purpose of processing, the types of Customer Personal Data and the categories of data subjects are set out in Annex A.

2.5. The Customer shall ensure that it has all necessary rights, consents and lawful bases to enable the lawful transfer and processing of Customer Personal Data by Humaans in accordance with this DPA, and shall provide all applicable notices to data subjects required under Applicable Data Protection Laws.

3. Humaans as Controller

3.1. The parties acknowledge that Humaans independently determines the purposes and means of processing certain personal data in connection with the Services, including account registration data, usage analytics, and billing information. In respect of such processing, Humaans acts as an independent controller and such processing is governed by Humaans’ Privacy Policy, not this DPA.

3.2. For the avoidance of doubt, Humaans does not “sell” personal data (as that term is defined under the California Consumer Privacy Act or any similar legislation).

4. Confidentiality

4.1. Humaans shall ensure that any personnel authorised to process Customer Personal Data are bound by appropriate obligations of confidentiality, whether contractual or statutory.

4.2. Humaans shall limit access to Customer Personal Data to those personnel who require such access on a need-to-know basis for the performance of the Services.

4.3. Humaans shall ensure that personnel authorised to process Customer Personal Data receive appropriate data protection training.

5. Security

5.1. Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons, Humaans shall implement and maintain the TOMs set out in Annex B to ensure a level of security appropriate to the risk.

5.2. Humaans shall regularly test and evaluate the effectiveness of the TOMs to ensure the ongoing security of processing.

5.3. Humaans may update the TOMs from time to time, provided that any such update does not materially decrease the overall level of security of the Services.

6. Security Incidents

6.1. In the event of a Security Incident, Humaans shall notify the Customer without undue delay and in any event within seventy-two (72) hours of becoming aware of the Security Incident. For the purposes of this clause 6, Humaans shall be deemed to have become “aware” of a Security Incident when a senior member of Humaans’ security or privacy team with responsibility for incident management has confirmed that a Security Incident has occurred.

6.2. Such notification shall include, to the extent reasonably available at the time of notification:

(a) the nature of the Security Incident, including the categories and approximate numbers of data subjects and personal data records concerned;

(b) the name and contact details of Humaans’ data protection contact from whom more information may be obtained;

(c) the likely consequences of the Security Incident; and

(d) the measures taken or proposed to be taken to address the Security Incident, including measures to mitigate its possible adverse effects.

6.3. Where it is not possible to provide all of the above information at the same time, Humaans may provide it in phases without undue further delay.

6.4. Humaans shall promptly take all reasonable steps to contain, investigate and remediate any Security Incident.

6.5. Humaans shall cooperate with the Customer and provide reasonable assistance in relation to any notification the Customer is required to make to a supervisory authority or to affected data subjects under Applicable Data Protection Laws.

6.6. The notification of, or response to, a Security Incident by Humaans under this clause 6 shall not be construed as an acknowledgement by Humaans of any fault or liability with respect to the Security Incident.

7. Sub-Processors

7.1. The Customer provides a general written authorisation for Humaans to engage the Sub-Processors listed in Annex C as at the date of this DPA, and to engage further Sub-Processors in accordance with this section 7.

7.2. Humaans shall enter into a written agreement with each Sub-Processor imposing data protection obligations no less protective than those set out in this DPA.

7.3. Humaans shall remain fully liable to the Customer for the performance of each Sub-Processor’s obligations. Where a Sub-Processor fails to fulfil its data protection obligations, Humaans shall remain liable to the Customer for the acts and omissions of that Sub-Processor as if they were the acts and omissions of Humaans.

7.4. Humaans shall provide the Customer with at least fourteen (14) days’ prior written notice of any proposed addition or replacement of Sub-Processors (including the name and location of the proposed Sub-Processor and the activities it will perform).

7.5. The Customer may object to a new Sub-Processor by providing written notice to Humaans within fourteen (14) days of receiving notice under paragraph 7.4, together with documentary evidence that reasonably demonstrates that the proposed Sub-Processor does not or cannot comply with the requirements of this DPA. Humaans shall not engage the proposed Sub-Processor until the objection period under this paragraph 7.5 has expired without objection.

7.6. In the event of an objection under paragraph 7.5, Humaans shall use reasonable endeavours to make available to the Customer a commercially reasonable change to the Services to avoid the use of the objected-to Sub-Processor. If Humaans is unable to make available such a change within thirty (30) days of receiving the objection, either party may terminate the Agreement without penalty by providing written notice to the other party.

8. International Transfers

8.1. Humaans shall not make a Restricted Transfer of Customer Personal Data unless appropriate safeguards have been put in place in accordance with Applicable Data Protection Laws.

8.2. In respect of Restricted Transfers subject to the EU GDPR, the SCCs (Module 2: Controller to Processor) are hereby incorporated by reference into this DPA, with the Customer as data exporter and Humaans as data importer.

8.3. In respect of Restricted Transfers subject to the UK GDPR, the UK IDTA is hereby incorporated by reference into this DPA.

8.4. Humaans shall implement supplementary technical and organisational measures where necessary to ensure an essentially equivalent level of protection for Customer Personal Data transferred outside the UK or EEA.

8.5. Where required, Humaans shall cooperate with the Customer in carrying out a transfer impact assessment in relation to any Restricted Transfer.

8.6. Humaans shall promptly notify the Customer if it becomes aware that a Restricted Transfer can no longer be made in compliance with Applicable Data Protection Laws.

8.7. In the event that Humaans receives a request or order from a government authority or law enforcement body for access to or disclosure of Customer Personal Data, Humaans shall:

(a) promptly redirect the requesting authority to the Customer, unless prohibited by law;

(b) notify the Customer of such request prior to making any disclosure, to the extent legally permitted;

(c) challenge the request where there are reasonable grounds to consider it unlawful; and

(d) not make any voluntary disclosure of Customer Personal Data to any government authority.

9. Audits and Compliance

9.1. Humaans shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 of the EU GDPR and this DPA.

9.2. Humaans shall make its then-current SOC 2 Type II and ISO 27001 audit reports (or equivalent industry-standard certifications) available to the Customer upon written request, no more than once per year. Such reports shall be treated as Humaans’ confidential information. Up-to-date security and compliance information is also available at Humaans’ Trust Center.

9.3. Where the Customer can demonstrate a specific and justified need that cannot reasonably be satisfied by the audit report provided under paragraph 9.2, Humaans shall allow and contribute to audits carried out by the Customer or a third-party auditor mandated by the Customer, subject to the following conditions:

(a) the Customer shall provide Humaans with at least thirty (30) days’ prior written notice;

(b) such audits shall not be conducted more than once per year (except following a Security Incident);

(c) audits shall be conducted during normal business hours and in a manner that minimises disruption to Humaans’ operations;

(d) the Customer shall bear all costs associated with the audit; and

(e) any third-party auditor shall enter into a confidentiality agreement acceptable to Humaans before commencing the audit.

9.4. Humaans shall maintain records of processing activities carried out on behalf of the Customer in accordance with Article 30(2) of the EU GDPR.

10. Data Subject Rights

10.1. Humaans shall assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising data subject rights under Applicable Data Protection Laws.

10.2. Humaans shall notify the Customer within five (5) Business Days of receiving any request from a data subject in respect of their Customer Personal Data. Humaans shall not respond to any such request without the Customer’s prior written instructions, unless required to do so by applicable law.

10.3. The Services provide self-service functionality enabling the Customer to access, correct, delete, export and restrict processing of Customer Personal Data. Where a data subject right cannot be fulfilled through such self-service functionality, Humaans shall provide reasonable manual assistance upon request.

10.4. Humaans shall notify the Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any supervisory authority), unless otherwise prohibited by law.

11. Data Protection Impact Assessments

11.1. Humaans shall provide reasonable assistance to the Customer with any DPIA and any prior consultation with a supervisory authority that the Customer is required to undertake under Applicable Data Protection Laws, in each case solely in relation to the processing of Customer Personal Data and taking into account the nature of processing and the information available to Humaans.

12. Duration and Termination

12.1. This DPA shall come into effect on the date the Customer agrees to the Agreement and shall remain in effect for as long as Humaans processes Customer Personal Data on behalf of the Customer.

12.2. The Customer may request the return of Customer Personal Data within thirty (30) days of termination or expiry of the Agreement. Upon such request, Humaans shall return a complete copy of all Customer Personal Data to the Customer by secure file transfer in such format as the Customer reasonably requests.

12.3. Following such return (or the expiry of the thirty (30) day request window without a request from the Customer), Humaans shall delete Customer Personal Data from production systems. All remaining copies of Customer Personal Data will be purged within ninety (90) days of deletion from production systems.

12.4. Upon written request from the Customer, Humaans shall provide written certification of the deletion of Customer Personal Data in accordance with clause 12.3.

12.5. Humaans may retain Customer Personal Data to the extent and for the period required by applicable law, provided that such data is:

(a) retained only for the minimum period required;

(b) blocked from further processing and used only for the purpose for which retention is required; and

(c) deleted promptly once the legal requirement for retention has expired.

13. Cooperation

13.1. Humaans shall cooperate, on request, with any supervisory authority in the performance of its tasks in relation to the processing of Customer Personal Data under this DPA.

13.2. Humaans shall maintain a designated data protection contact to whom enquiries regarding the processing of Customer Personal Data may be directed.

14. Liability

14.1. The liability of each party under or in connection with this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement.

15. General

15.1. To the extent of any conflict or inconsistency between this DPA and the remainder of the Agreement with respect to the processing of Customer Personal Data, this DPA shall prevail.

15.2. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of that provision shall not affect the other provisions of this DPA, and all provisions not affected by such invalidity or unenforceability shall remain in full force and effect.

15.3. This DPA shall be governed by the law that governs the Agreement, unless otherwise required by Applicable Data Protection Laws.

ANNEX A — Processing Details

Personal Data Processing Purposes And Details:

Subject Matter: Provision of the Services

Duration of Processing: Duration of customer’s subscription to the Services

Data Processing Activities: Storing and managing employee records and documents, and facilitating HR processes.

Purposes:

  • To enable users to use the Humaans application.
  • To improve the functionality of the Humaans application.

Personal Data Categories:

To use the application, the user who signs up to the Services must provide the following information:

  • First and last name
  • Job role
  • Email address
  • Company name
  • Company address

Humaans also processes the following system-generated data:

  • IP address information
  • Usage and audit log data (actions taken within the platform)

Once users have signed up, all further data collection is optional, and the list of types of personal data collected can be customised and extended by the user, and it is their responsibility to communicate their requirements on personal data to their employees.

The application encourages but does not require the user to use the service to collect various personal data on employees, including but not limited to:

  • First and last name, middle name, preferred name, and pronouns
  • Home address
  • Remote work location (city, region, country, timezone)
  • Personal and professional email addresses
  • Personal and professional telephone number
  • Date of birth
  • Nationalities
  • Gender
  • Profile photo
  • Personal bio
  • Spoken languages
  • Social media identifiers (LinkedIn, Twitter/X, GitHub)
  • Employee identifier
  • Bank account details
  • Tax identifiers (e.g. Social Security Number, National Insurance Number) and tax codes
  • Scan of ID, Passport, Visa or other forms of identification
  • Employment details, such as role, compensation, contract type, probation dates, and working patterns
  • Offboarding details, including leaving reason and notes
  • Time off information, such as holiday or sick days taken
  • Timesheets containing hours worked
  • Performance review data, including ratings and peer feedback
  • Personal documents, such as employment agreement and share options agreement
  • Next of kin name, telephone number, email address, and relationship
  • Dietary preferences and food allergies
  • Diversity and equal opportunities data (e.g. ethnicity, disability status) — where voluntarily provided
  • Equipment assigned to the individual (type, serial number)
  • Any custom or profile fields configured by the customer
  • Any other personal data contained in the data provided by the user

Special Category Data: The Customer may configure the Services to collect personal data that constitutes special category data under Article 9 of the EU GDPR (such as data revealing racial or ethnic origin, health information, or religious beliefs). Where the Customer chooses to process such data using the Services, the Customer is responsible for ensuring that an appropriate legal basis under Article 9(2) of the EU GDPR is in place. Humaans shall apply the same technical and organisational measures set out in Annex B to protect any special category data.

Data Subject Types:

  • Company executives and administrators
  • Employees
  • Contractors who the customer wishes to add to the service
  • Third-party administrators who the customer consents to provide access to their account

ANNEX B — Technical and Organisational Measures

Humaans implements and maintains the following technical and organisational security measures to protect Customer Personal Data. These measures are reviewed and updated periodically to reflect current threats and industry best practices.

Encryption

  • Customer Personal Data is encrypted at rest using AES-256 encryption via the cloud infrastructure provider.
  • Application-level encryption (AES-256) applied to sensitive fields within the database, ensuring data remains protected during routine operations and maintenance.
  • All data in transit is protected using TLS 1.3 (with TLS 1.2 as a minimum).

Access Controls

  • Role-based access control (RBAC) enforced across all systems.
  • Principle of least privilege applied to all access grants.
  • Multi-factor authentication (MFA) required for access to production systems and administrative tools.
  • Single sign-on (SSO) supported for enterprise customers.
  • Unique credentials required for all personnel; shared accounts are prohibited.
  • Periodic access reviews conducted to ensure appropriateness of access rights.

Network Security

  • Firewalls and network access control lists to restrict unauthorised access.
  • Intrusion detection and prevention systems deployed.
  • DDoS protection mechanisms in place.
  • Network segmentation to isolate production environments.

Application Security

  • Secure software development lifecycle (SDLC) practices followed.
  • Mandatory code review for all production changes.
  • Automated test suites executed on each code change, including authentication and permission controls.
  • Automated dependency scanning for known vulnerabilities.
  • Annual penetration testing conducted by qualified third parties.
  • HTTP Strict Transport Security (HSTS) enforced and security headers (Content-Security-Policy, X-Frame-Options, X-XSS-Protection) applied to mitigate common web vulnerabilities.

Monitoring and Logging

  • Centralised logging of security-relevant events.
  • Comprehensive audit logs capturing user actions, data modifications, and access events with full metadata.
  • Security event monitoring and alerting.
  • Anomaly detection for unusual access patterns or behaviours.

Business Continuity

  • Daily backups of Customer Personal Data.
  • Geographic redundancy for backup storage.
  • Documented disaster recovery plan.
  • Periodic restore testing to verify backup integrity.

Physical Security

  • All Customer Personal Data is hosted on EU-based, SOC 2 and ISO 27001 certified cloud infrastructure (Google Cloud Platform).
  • Humaans does not operate on-premise data centres.

Personnel Security

  • Confidentiality agreements (NDAs) in place for all personnel.
  • Annual security awareness training provided to all personnel.
  • Access to Customer Personal Data requires stated justification and is logged through an audited access path.
  • Access to Customer Personal Data promptly revoked upon termination of employment or engagement.

Vendor Management

  • Due diligence conducted on all Sub-Processors prior to engagement.
  • Periodic security assessments of Sub-Processors.

Incident Response

  • Documented incident response plan with defined roles and responsibilities.
  • Post-incident reviews conducted to identify root causes and preventive measures.

Data Minimisation

  • Collection of personal data limited to what is necessary for the provision of the Services.
  • Retention policies applied to ensure data is not held longer than necessary.

Certifications

  • SOC 2 Type II certification maintained.
  • ISO 27001:2022 certification maintained.

ANNEX C — Approved Sub-Processors

Approved Sub-Processors

Sub-Processors used for application infrastructure:

Entity: Google Cloud EMEA Limited
Processing activity: Infrastructure, artificial intelligence, analytics
Entity location: Ireland, EU data center

Entity: Amazon Web Services, Inc.
Processing activity: Backups
Entity location: USA, EU data center

Entity: Anthropic Ireland, Limited
Processing activity: AI models
Entity location: Ireland, Global data center

Entity: Stripe Payments Europe, Ltd.
Processing activity: Payment processing
Entity location: Ireland

Entity: Postmark (ActiveCampaign, LLC; fka Wildbit, LLC)
Processing activity: Transactional emails
Entity location: USA

Entity: Evervault Limited
Processing activity: Encryption
Entity location: Ireland

Entity: Svix Inc.
Processing activity: Webhook infrastructure
Entity location: USA, EU data center

Entity: Honeycomb (Hound Technology Inc)
Processing activity: Application monitoring
Entity location: USA

Entity: Sentry (Functional Software, Inc.)
Processing activity: Error monitoring
Entity location: USA, EU data center

Entity: Duboce Labs, Inc. (pganalyze)
Processing activity: Database performance monitoring
Entity location: USA

Entity: Weld Technologies ApS
Processing activity: Data pipelines
Entity location: Denmark, EU data center

Entity: PostHog Inc.
Processing activity: Product analytics
Entity location: USA, EU data center

Entity: Equals Technologies, Inc.
Processing activity: Business analytics
Entity location: USA

Sub-Processors used for communication and customer support:

Entity: Google Workspace (Google Cloud EMEA Limited)
Processing activity: Email, file storage, video calls
Entity location: Ireland

Entity: Intercom R&D Unlimited Company
Processing activity: Customer support, email marketing
Entity location: Ireland

Entity: Slack Technologies, LLC
Processing activity: Internal and customer communication
Entity location: USA

Entity: Zoom Video Communications, Inc.
Processing activity: Video calls
Entity location: USA

Entity: Gong.io Inc.
Processing activity: Video call recording
Entity location: USA

Entity: HubSpot Inc
Processing activity: Customer relationship management
Entity location: USA

Entity: SendSafely Inc
Processing activity: Secure file sharing
Entity location: USA, EU data center

Entity: Linear Orbit Inc.
Processing activity: Support ticket management
Entity location: USA

Entity: Anthropic Ireland, Limited
Processing activity: Customer onboarding and support
Entity location: Ireland, Global data center

Sub-Processors engaged when the corresponding feature is enabled:

Entity: WorkOS, Inc.
Processing activity: Single sign-on (SAML)
Entity location: USA

Entity: StackOne Technologies Limited
Processing activity: Third-party integrations (HRIS, ATS)
Entity location: UK, EU data center

Entity: Ragie Corp
Processing activity: Document search and retrieval
Entity location: USA, EU data center
