Data Protection Addendum (DPA)
HROne Data Processing Amendment v. 1.0 (as of Aug 2023).
Effective 1st Aug 2023
Uneecops Workplace Solutions Pvt LTD (“HROne”) is committed to protecting the privacy and security of the Personal Data that it processes for its customers. This Data Processing Addendum (the “DPA”) explains HROne’s privacy and security commitments and enables HROne to demonstrate compliance with applicable Privacy Laws.
This DPA relates to the processing by HROne of Personal Data provided by _________________ (“Customer”) under the applicable subscription or license agreement and ordering documentation between Customer and HROne (collectively, the “Agreement”). This DPA is incorporated into, forms part of, and is subject to the terms and conditions of the Agreement. If an Affiliate of Customer has executed an ordering document with HROne but is not the original signatory to the Agreement, this DPA is an addendum to and forms part of such ordering documentation. Any capitalized terms used in this DPA and not otherwise defined herein shall have the meanings ascribed to such terms in the Agreement.
1. Definitions :-
In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
- “Addendum Effective Date” has the meaning given to it in section 2.
- “Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with either Client or HROne (as the context allows), where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
- “Client Personal Data” means any Personal Data Processed by HROne (i) on behalf of Client (including for the sake of clarity, any Client Affiliate), or (ii) otherwise Processed by HROne, in each case under or in connection with instructions given by Client in writing, consistent with the Terms.
- “Controller to Processor SCCs” means the Standard Contractual Clauses (processors) for Article 26(2) of Directive 95/46/EC set out in Decision 2010/87/EC, as the same are revised or updated from time to time by the European Commission.
- “Data Protection Laws” means (i) Directive 95/46/EC and, from May 25, 2018, Regulation (EU) 2016/679 (“GDPR”) together with applicable legislation implementing or supplementing the same or otherwise relating to the processing of Personal Data of natural persons, and (ii) to the extent not included in sub-clause (i), the Data Protection Act 1998 of the United Kingdom, as amended from time to time, and including any substantially similar legislation that replaces the DPA 1998;
- “Privacy Shield” means the EU-US Privacy Shield Framework under the GDPR.
- “Services” means the services to be supplied by HROne to Client or Client Affiliates under the Terms.
The terms “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Process”, “Processor” and “Supervisory Authority” have the same meanings as described in applicable Data Protection Laws and cognate terms shall be construed accordingly.
Capitalized terms not otherwise defined in this Addendum shall have the meanings ascribed to them in the Terms.
2. Formation of this Addendum :-
This Addendum is deemed agreed by the Parties, and comes into effect, on the “Addendum Effective Date”, being the later of (i) the date that this Addendum is accepted by Client; and (ii) the date that this Addendum is accepted by HROne.
3. Roles of the Parties :-
The Parties acknowledge and agree that, with respect to the Processing of Client Personal Data, and as more fully described in Annex 1 hereto, Client acts as a Controller and Uneecops acts as a Processor (as defined in section 5.2.4 below).
The Parties expressly agree that Client shall be solely responsible for ensuring timely communications to Client’s Affiliates or the relevant Controller(s) who receive the Services, insofar as such communications may be required or useful in light of applicable Data Protection Laws to enable Client’s Affiliates or the relevant Controller(s) to comply with such Laws.
4. Description of Personal Data Processing :-
In Annex 1 to this Addendum, the Parties have mutually set out their understanding of the details of the Processing of the Client Personal Data to be Processed by HROne under this Addendum, as required by Article 28(3) of the GDPR. Either Party may make reasonable amendments to Annex 1 by written notice to the other Party and as reasonably necessary to meet those requirements. Annex 1 does not create any obligation or rights for any Party.
5. Data Processing Terms :-
5.1
Client shall comply with all applicable Data Protection Laws in connection with the performance of this Addendum. As between the Parties, Client shall be solely responsible for compliance with applicable Data Protection Laws regarding the collection of and transfer to Uneecops of Client Personal Data. Client agrees not to provide HROne with any data concerning a natural person’s health, religion, or any special categories of data as defined in Article 9 of the GDPR.
5.2
HROne shall comply with all applicable Data Protection Laws in the Processing of Client Personal Data and HROne shall:
5.2.1
process the Client Personal Data relating to the categories of Data Subjects for the Terms and for the specific purposes in each case as set out in Annex 1 to this Addendum, and otherwise solely on the documented instructions of Client, to provide the Services and as otherwise necessary to perform its obligations under the Terms, including with respect to transfers of Client Personal Data to a third country or to an international organization; Uneecops shall immediately inform Client if, in HROne’s opinion, an instruction infringes applicable Data Protection Laws;
5.2.2
ensure that persons authorized to process the Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.2.3
implement and maintain the technical and organizational measures set out in the Terms and, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement any further appropriate technical and organizational measures necessary to ensure a level of security appropriate to the risk of the Processing of Client Personal Data, including the following:
(a) pseudonymization and encryption of Client Personal Data.
(b) ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services that process Client Personal Data.
(c) restoring availability and access to Client Personal Data promptly in the event of a physical or technical incident; and
(d) regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of the Client’s Personal Data.
Any amendment to such agreed measures that is necessitated by Client shall be dealt with via an agreed change control process between Uneecops (HROne) and Client.
5.2.4
Client (on behalf of the relevant Controller(s), as applicable), hereby expressly and specifically authorizes HROne to engage another Processor to Process the Client Personal Data (“Other Processor”), and specifically the Other Processors listed in Annex 2 hereto, subject to HROne’s:
(a) notifying Client of any intended changes to its use of Other Processors listed in Annex 2 by emailing notice of the intended change to Client.
(b) including data protection obligations in its contract with each Other Processor that are materially the same as those set out in this Addendum; and
(c) remaining liable to the Client for any failure by each Other Processor to fulfill its obligations with respect to the Processing of the Client’s Personal Data.
In relation to any notice received under section 5.2.4(a), the Client shall have a period of 30 (thirty) days from the date of the notice to inform HROne in writing of any reasonable objection to the use of that Other Processor. The Parties will then, for a period of no more than 30 (thirty) days from the date of the Client’s objection, work together in good faith to attempt to find a commercially reasonable solution for the Client that avoids the use of the objected-to Other Processor. Where no such solution can be found, either Party may (notwithstanding anything to the contrary in the Terms) terminate the relevant Services immediately on written notice to the other Party, without damages, penalty or indemnification whatsoever.
5.2.5
to the extent legally permissible, promptly notify Client of any communication from a Data Subject regarding the Processing of Client Personal Data, or any other communication (including from a Supervisory Authority) relating to any obligation under the applicable Data Protection Laws in respect of the Client Personal Data and, taking into account the nature of the Processing, assist Client (or the relevant Controller) by appropriate technical and organizational measures, insofar as this is possible, in the fulfillment of Client’s, Client’s Affiliates’ or the relevant Controller(s)’ obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III GDPR; Client agrees to pay HROne for time and for out-of-pocket expenses incurred by Uneecops in connection with the performance of its obligations under this Section 5.2.5;
5.2.6
upon becoming aware of a Personal Data Breach involving Client Personal Data, notify Client of that Personal Data Breach without undue delay, such notice to include all information reasonably required by Client (or the relevant Controller) to comply with its obligations under the applicable Data Protection Laws;
5.2.7
to the extent required by the applicable Data Protection Laws, provide reasonable assistance to Client, Client’s Affiliates or the relevant Controller(s) with their obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the Processing and the information available to Uneecops; Client agrees to pay Uneecops for time and for out-of-pocket expenses incurred by Uneecops in connection with any assistance provided in connection with Articles 35 and 36 of the GDPR;
5.2.8
cease Processing the Client Personal Data upon the termination or expiry of the Terms and, at the option of Client, Client’s Affiliates or the relevant Controller(s), either return or delete (including by ensuring such data is in a non-readable format) all copies of the Client Personal Data Processed by HROne, unless (and solely to the extent and for such period as) Country law requires storage of the Personal Data. Notwithstanding the foregoing or anything to the contrary contained herein, HROne may retain Personal Data and shall have no obligation to return Personal Data to the extent required by applicable laws or regulatory obligations. Any such Personal Data retained shall remain subject to the obligations of confidentiality set forth in the Terms; and
5.2.9
make available to Client all information necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections, by Client or an auditor mandated by Client. For the purposes of demonstrating compliance with this Addendum under this section 5.2.9, the Parties agree that once per year during the term of the Terms, HROne will provide to Client, on reasonable notice, responses to cybersecurity and other assessments. Client agrees to pay HROne for time and for out-of-pocket expenses incurred by HROne in connection with assistance provided in connection with such audits, responses to cybersecurity assessments, and other assessments.
6. Data Transfers
HROne is certified in Information Security Management as per ISO 27001. HROne shall notify Client in writing without undue delay if it can no longer comply with its obligations under the Privacy compliance, and, in such a case, HROne will have the option of (i) promptly taking reasonable steps to remediate any non-compliance with applicable obligations under this Addendum, or (ii) engaging in a good faith dialogue with Client to determine a new data transfer mechanism to carry out the purposes of the Terms. HROne acts as a Processor with respect to Personal Data received pursuant to a data transfer.
In the event the Privacy Compliance is invalidated, Client and each Client Affiliate (on behalf of the relevant Controller(s), as the case may be), if applicable (as “data exporter”), and Uneecops (as “data importer”), with effect from the commencement of the relevant transfer, shall enter into the Controller to Processor SCCs (mutatis mutandis, as the case may be) in respect of any transfer (or onward transfer) from Client or Client Affiliate to Uneecops, where such transfer would otherwise be prohibited by applicable Data Protection Laws or by the terms of data transfer agreements put in place to address applicable Data Protection Laws. Appendix 1 to the Controller to Processor SCCs shall be deemed to be prepopulated with the relevant sections of Annex 1 to this Addendum, and the processing operations are deemed to be those described in the Terms. Appendix 2 to the Controller to Processor SCCs shall be deemed to be prepopulated with the following: “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood for the rights and freedoms of natural persons, Uneecops shall implement appropriate technical and organizational measures as set forth in the Addendum.”
7. Precedence:-
The provisions of this Addendum are supplemental to the provisions of the Terms. In the event of any inconsistency between the provisions of this Addendum and the provisions of the Terms, the provisions of this Addendum shall prevail.
8. Indemnity :-
To the extent permissible by law, Client shall indemnify and hold harmless HROne against all (i) losses, (ii) third-party claims, (iii) administrative fines, and (iv) costs and expenses (including, without limitation, reasonable legal, investigatory and consultancy fees and expenses) reasonably incurred in relation to (i), (ii) or (iii), suffered by HROne and that arise from any breach by Client of this Addendum or of its obligations under applicable Data Protection Laws.
9. Severability :-
The Parties agree that, if any section or sub-section of this Addendum is held by any court or competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other section of this Addendum.
Others
The organization ensures that the contract to process PII addresses the organization’s role in providing assistance with the customer’s obligations.
The Agreement takes into account and follows the following:
- Privacy by Design and Default
- Achieving Security of Processing
- Notification of breaches involving PII to a Supervisory Authority
- Notification of breaches involving PII to Customers and PII Principals
- Conducting Privacy Impact Assessment
- Assurance of Assistance by the PII Processors if prior consultations with relevant PII Protection authorities are needed.
- HROne shall inform the customer if in its opinion a processing instruction infringes applicable legislation or regulation.
- The organization does not use PII processed under a contract for the purposes of Marketing and Advertising.
- Coordination with Clients to help audit the systems. The organization provides the customer with the appropriate information so that it can demonstrate compliance with its obligations.
- HROne shall use Azure and Microsoft as subprocessors with Security and Privacy requirements fulfilled.
- The organization shall comply with all statutory and regulatory requirements, ISO 27001, and EU GDPR requirements.
- The Data shall be deleted or de-identified after the processing is complete (This is after the retention period selected is complete).
- HROne shall inform clients 24 hours in advance of any legally binding requests for disclosure of PII.
Access, Correction, and/or Erasure of PII of Data Subjects can be requested by contacting the Data Protection Officer (DPO) below. Concerns and/or complaints related to PII can also be raised by contacting the Data Protection Officer below:
Name: Gaurav Gupta
Email ID: DPO@hrone.cloud
Contact Number: 0120-6984700
| Uneecops Workplace Solutions Private Limited (HROne) | Customer: |
| --- | --- |
| By: | By: |
| Print Name: | Print Name: |
| Title: Data Protection Officer | Title: |
| Date: | Date: |
Annex 1: Description of Processing of Client Personal Data
This Annex includes certain details of the Processing of Client Personal Data as required by Article 28(3) GDPR and, as applicable, the Controller to Processor SCCs.
Subject matter and duration of the Processing of the Personal Data
The subject matter and duration of the Processing of the Client’s Personal Data are set out in Section 2 of the Terms.
The nature and purpose of the Processing of the Personal Data
Due diligence and Background Verification of Organizations and Individuals.
The categories of Data subjects to whom the Client’s Personal Data relates.
Employees and Contractors of Clients.
The types of Client Personal Data to be Processed.
Name, Address, Date of Birth, Age, Education, Email, Gender, Image, Job, Language, Phone, Related person, Related URL, User ID, Username
Special categories of data
(PII)
The obligations and rights of the Client
The obligations and rights of the Client are set out in the Terms and this Addendum.
Data exporter (as applicable)
The data exporter is a Client of HROne that uses the Services.
Data importer (as applicable)
The data importer is Uneecops Workplace Solutions Pvt LTD (HROne), a company that provides services to the client, which requires receiving the Client’s query data.
Processing operations (as applicable)
The personal data transferred will be subject to the following basic processing activities: The provision of HROne to Client for Due Diligence and Background Verification as per Client requirements.
Annex 2: Authorized Other Sub-Processors
Infrastructure Subprocessors
HROne may use the following Subprocessors to host or store Customer Data or provide other infrastructure that helps with the delivery of our Services:
Service Specific Subprocessors:
| Subprocessor | Service | Location |
| --- | --- | --- |
| Microsoft Azure | HROne.cloud web hosting | INDIA |
| Google LLC | Programmatic Services, Analytics / Cross-Party Reporting Services, analytics tools, Technology Service Provider | United States |
| Hubspot | Cloud-based Customer Service and Support | United States |
| Text Local | Cloud-based Mobile SMS Notification Service | INDIA |
| Brevo (Previously Sendinblue) | SendGrid powers the transactional and marketing emails | Belgium (European Union) |
| Microsoft Exchange | Cloud-based Email Communications | INDIA (Asia Pacific) |
Onboarding and annual due diligence
Following our supplier security policy, HROne performs mandatory due diligence of all sub-processors through information security, privacy, and legal reviews. Sub-processor due diligence is performed during onboarding and once annually, and includes a review of the following:
- SOC 2 Type 2, ISO 27001, GDPR, or similar industry-standard security or Audit reports
- Compliance with applicable data protection laws and regulations.
- Vulnerability assessment and penetration testing reports.
- Information security and privacy policy documents
- Supplier due diligence questionnaire
- Business continuity plans and disaster recovery reports.
Contractual Safeguards
HROne generally requires its sub-processors to satisfy obligations equivalent to those required of HROne (as a Processor or a Controller), as outlined in the applicable Data Protection Addendum (DPA) and in Data Protection laws such as the GDPR and other applicable Compliance requirements.
Process to Engage New Sub-processors
For all Customers who have executed HROne’s standard DPA, HROne will provide notice of updates to the list of sub-processors that are utilized, or which HROne proposes to utilize, to deliver its Services.
HROne undertakes to keep this list updated regularly to enable its customers to stay informed of the scope of sub-processing associated with HROne Application Services.
Under the DPA, a Customer may object in writing to the processing of its Personal Information by a new sub-processor within ten (10) days following the update of this policy, and such objection shall describe the Customer’s legitimate reason(s) for objection. If the Customer does not object during such a period, the new sub-processor(s) shall be deemed accepted.
Updates
HROne will keep this list updated by adding the names of new or replacement sub-processors.
If you have any questions or concerns regarding our Sub-processor or a processor, please send us a detailed message at privacy@hrone.cloud, and we will try to resolve your concerns.