Humaans is GDPR compliant
Humaans is fully committed to compliance with the EU General Data Protection Regulation (GDPR) and, for UK customers, the UK GDPR together with the Data Protection Act 2018. As an HRIS handling sensitive employee data, we take our responsibilities seriously - both as a data processor acting on behalf of our customers and in how we handle data across every layer of our platform.
Here you'll find details on how we approach data protection. If you have additional questions, reach out at privacy@humaans.io.
Our role as a data processor
Humaans acts as a data processor on behalf of our customers, who are the data controllers. We process personal data strictly in accordance with each customer's documented instructions and our Data Processing Agreement (DPA). We do not use customer data for any purpose beyond delivering, maintaining, and improving the Humaans service.
A copy of our DPA is available on request or can be found on our Data Processing Addendum page.
Lawful basis & purpose limitation
We only process personal data where there is a valid lawful basis to do so. For customer employee data, this is governed by the DPA and the controller's own lawful basis. For our own processing activities (e.g. account management, billing), we rely on contractual necessity and legitimate interests. We do not process personal data beyond what is necessary for the stated purpose.
Data subject rights
Humaans provides built-in tools to help organisations respond to data subject requests in accordance with GDPR Articles 15–22, including:
- Right of access - employees and administrators can view personal data held within Humaans
- Right to rectification - personal data can be updated directly within the platform
- Right to erasure - employee records and associated data can be deleted on request
- Right to data portability - employee data can be exported in standard formats at any time
- Right to restriction of processing - customers can restrict processing where applicable
- Right to object - customers can contact us to exercise objection rights on behalf of their employees
We support our customers in responding to data subject requests promptly and within the timeframes required by law.
Security
We implement strong technical and organisational measures to protect personal data. All infrastructure is hosted within the European Union on Google Cloud Platform, which maintains SOC 1, SOC 2, SOC 3, and ISO 27001 certifications. Data is encrypted both in transit (TLS 1.3) and at rest (AES-256).
Access controls, SSO enforcement (via Google Workspace, Microsoft Entra, and SAML 2.0), comprehensive audit logging, and automated security testing are all part of our security posture. For full details, visit our Security page.
International data transfers
Humaans infrastructure is hosted within the EU. Where sub-processors located outside the European Economic Area are involved in processing personal data, we ensure appropriate safeguards are in place in accordance with GDPR Chapter V. This includes the use of Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by transfer impact assessments where required.
Sub-processors
We maintain a list of sub-processors who process personal data on our behalf. All sub-processors are contractually bound to equivalent data protection obligations. We provide advance notice of any changes to our sub-processor list, giving customers the opportunity to object in accordance with Article 28 of the GDPR. Our current sub-processor list is available on our Sub-processors page.
Data retention & deletion
We retain customer data only for as long as it is needed to provide the service. When a customer terminates their account, all associated personal data is deleted within 90 days. Customers can also delete individual employee records at any time through the platform. We do not retain personal data beyond what is necessary for our contractual and legal obligations.
Breach notification
In the event of a personal data breach, we will notify the relevant supervisory authority without undue delay after becoming aware of the breach and, where feasible, within the 72-hour window set out in GDPR Article 33. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, we will also notify affected data subjects without undue delay in accordance with Article 34. Affected customers, as data controllers, will be informed without undue delay with details of the breach, its likely impact, and the measures taken in response, so that they can meet their own notification obligations.
Training & awareness
All Humaans staff receive data protection training as part of onboarding and on an ongoing annual basis. This includes GDPR principles, secure data handling practices, and incident response procedures. Staff with access to customer data receive additional role-specific training.
Data Protection Officer
We have appointed a Data Protection Officer (DPO). For any questions relating to data protection or to exercise your rights, you can reach our DPO at privacy@humaans.io.