Data Processing Agreement (DPA)
Last updated: November 2025
This Data Protection Addendum together with its Schedules (“DPA”) is part of CastHR’s terms and conditions, or other written or electronic agreement between CastHR and the Customer, as amended or supplemented from time to time, all together forming the “Agreement”.
In this DPA, references to “Services” shall have the same meaning as set out in the terms and conditions.
Where there is any conflict between the terms of this DPA and any other part of the Agreement, the following order of precedence shall apply: (1) SCCs/UK Addendum/UK IDTA (as applicable); (2) this DPA; and (3) any other part of the Agreement.
1. Definitions & Interpretation
Capitalised terms in this DPA have the meanings given to them below:
- “Adequacy Decision” — a finding by the European Commission, or a government or body authorised to make a finding, in accordance with Data Protection Laws, that a Recipient Country ensures an adequate level of protection of personal data.
- “Affiliate” — an entity that directly or indirectly controls, or is controlled by, or under common control with, the subject entity. “Control” means the ownership or control of at least 50% of the voting rights in the entity.
- “Applicable Law” — any law, enactment, regulation, or rule applicable to the Parties, including but not limited to the Data Protection Laws.
- “Controller” — the party that determines the purposes and means of the Processing of Personal Data, including as applicable any “business” as defined by Data Protection Laws.
- “Customer” — the Customer entity that has entered into the Agreement.
- “Customer Affiliate” — an Affiliate of the Customer.
- “Data Protection Laws” — local, national or international laws and regulations which relate to the protection or Processing of Personal Data, including but not limited to:
  - (a) the General Data Protection Regulation (EU) 2016/679 (“GDPR”); European Union (“EU”) member state data protection laws; and the Privacy and Electronic Communications Directive 2002/58/EC;
  - (b) the UK Data Protection Act 2018 and UK GDPR;
  - (c) the Privacy and Electronic Communications (EC Directive) Regulations 2003; HIPAA; California Consumer Privacy Act; California Privacy Rights Act; Canada PIPEDA; Swiss Federal Act on Data Protection; Australian Privacy Act 1988;
  in each case as amended, supplemented or replaced from time to time.
- “Data Subject” — an identified or identifiable natural person, including as applicable a “consumer” as that term is defined by Data Protection Laws.
- “Non-Adequate Country” — a country that is not considered by the European Commission to ensure an adequate level of personal data protection.
- “Parties” — the parties to this DPA, specifically CastHR and: (a) Customer; or (b) a Customer Affiliate, each a “Party”.
- “Personal Data” — any information relating to a Data Subject that is included in the data, information or material provided, inputted, or submitted by the Customer, Customer Affiliates, Users, or others into the Services.
- “Personal Data Breach” — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- “Processing” — any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure or destruction.
- “Processor” — a party that Processes Personal Data on behalf of a Controller, including as applicable any “service provider” or “contractor” as defined by applicable Data Protection Laws.
- “Restricted Transfer” — a transfer of Personal Data outside the EEA or the UK which requires further steps to be taken under Data Protection Laws.
- “CastHR” — the CastHR entity which has executed the Agreement.
- “CastHR Affiliate” — an Affiliate of CastHR.
- “Supervisory Authority” — a public regulatory or supervisory authority established in accordance with Data Protection Laws, for instance the UK Information Commissioner’s Office (“ICO”) for the UK, or relevant EU data protection authorities for EU member states.
- “Sub-Processor” — another party engaged by a Party to assist with that Party’s Processing of Personal Data.
- “User” — an individual who is authorised to use the Services (employees, consultants, contractors, agents or other third parties of the Customer or Customer Affiliate).
2. Application of this DPA
2.1 For the purposes of this DPA only, and to the extent necessary under the Data Protection Laws, the Customer enters into this DPA on behalf of itself and any Customer Affiliate(s) who may be involved in the Processing of Personal Data.
2.2 A Customer Affiliate is not a party to the other parts of the Agreement by virtue of this clause, but only a party to this DPA.
2.3 Each Customer Affiliate agrees to be bound by the obligations of this DPA to the extent that such obligations apply to its involvement in Processing Personal Data.
2.4 Where CastHR Affiliates are involved in the Processing of Personal Data, CastHR shall ensure that those CastHR Affiliates are bound by equivalent obligations to those contained in this DPA.
3. Processing Roles
3.1 The Parties agree that where the EU or UK Data Protection Laws apply to the Processing of Personal Data, the Customer is the Controller, and CastHR is the Processor, in relation to the Processing described in Schedule 1.
3.2 CastHR will act in accordance with the Customer’s documented instructions and in accordance with the Data Protection Laws.
3.3 The Customer may alternatively be acting as a Processor under the EU or UK Data Protection Laws, in which case CastHR will be the Customer’s Sub-Processor, and the obligations in this DPA will apply to CastHR as a Sub-Processor.
4. Customer’s Obligations
4.1 The Customer shall:
- (a) comply with the Data Protection Laws in Processing Personal Data; and
- (b) procure the compliance of Customer Affiliates, Users, or third parties who use the Services with the Data Protection Laws.
4.2 The Customer warrants on an ongoing basis that:
- (a) it has an appropriate lawful basis under the Data Protection Laws to share Personal Data with CastHR in connection with the Services; and
- (b) where acting as a Processor, the relevant Controller has authorised: (i) the Customer’s Personal Data Processing instructions to CastHR; (ii) the Customer’s appointment of CastHR as a Sub-Processor; and (iii) CastHR’s use of further Sub-Processors as described in Section 5.
5. Use of Sub-Processors
5.1 The Customer acknowledges and agrees that CastHR may engage Sub-Processors to Process Personal Data on the Customer’s behalf.
5.2 CastHR maintains a list of Sub-Processors at https://casthr.co/legal/subprocessors which is updated from time to time.
5.3 CastHR shall:
- (a) enter into a written agreement with each Sub-Processor imposing data protection terms substantially similar to those in this DPA;
- (b) remain responsible for the Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of the Sub-Processor; and
- (c) provide the Customer with at least 30 days’ prior notice of the addition or replacement of any Sub-Processor by updating the list at the URL specified above or by email notification.
5.4 The Customer may object to CastHR’s use of a new Sub-Processor by notifying CastHR in writing within 30 days of receiving notice. If the Customer objects, the Parties will work together in good faith to find a commercially reasonable solution. If no solution can be found, the Customer may terminate the affected Services.
6. Personal Data Breach
6.1 CastHR shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting the Customer’s Personal Data.
6.2 CastHR shall provide the Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
6.3 CastHR shall cooperate with the Customer and take reasonable commercial steps as directed by the Customer to help investigate, mitigate and remediate each such Personal Data Breach.
Breach Notification Timeline
In the event of a Personal Data Breach, CastHR shall:
- (a) notify the Customer without undue delay and in any event within seventy-two (72) hours of becoming aware of the Personal Data Breach;
- (b) provide the Customer with sufficient information including:
- The nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned
- The likely consequences of the Personal Data Breach
- The measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects
7. Data Subject Rights
7.1 CastHR shall, taking into account the nature of the Processing, provide reasonable assistance to the Customer to enable the Customer to respond to requests from Data Subjects exercising their rights under Data Protection Laws.
7.2 To the extent that the Customer is unable to independently access the relevant Personal Data within the Services, CastHR shall, at the Customer’s request, provide the Customer with commercially reasonable cooperation and assistance to respond to any such Data Subject request.
7.3 The Customer shall be responsible for any costs arising from CastHR’s provision of such assistance.
8. Return and Deletion of Personal Data
8.1 Upon termination or expiry of the Agreement, CastHR shall, at the Customer’s election, delete or return all Personal Data to the Customer, and delete existing copies unless applicable law requires storage of the Personal Data.
8.2 The Customer may request return or deletion of Personal Data at any time during the term of the Agreement by providing written notice to CastHR.
Data Deletion Process
Upon termination or expiry of the Agreement, CastHR shall:
- (a) Within thirty (30) days of the effective date of cessation of any Services involving the Processing of Personal Data, delete and procure the deletion of all copies of the Personal Data, unless applicable law requires continued storage;
- (b) Provide written certification to the Customer that such deletion has been completed;
- (c) Delete all Personal Data from backup systems in accordance with CastHR’s standard backup retention and deletion procedures.
The Customer may request earlier deletion of Personal Data by providing written notice to CastHR at [email protected].
9. Security Measures
9.1 CastHR shall implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.
9.2 Such measures shall include:
- (a) encryption of Personal Data in transit and at rest;
- (b) measures to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- (c) measures to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- (d) regular testing, assessment and evaluation of the effectiveness of technical and organisational measures.
9.3 Details of CastHR’s security measures are available at https://casthr.co/legal/security.
10. Audits
10.1 CastHR shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA.
10.2 CastHR shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to:
- (a) the Customer providing reasonable prior written notice of at least 30 days;
- (b) such audits being conducted no more than once per year unless required by a Supervisory Authority or in response to a Personal Data Breach;
- (c) the Customer and its auditor executing CastHR’s standard confidentiality agreement; and
- (d) the Customer reimbursing CastHR for time and resources expended in connection with such audits.
11. Restricted Transfers
11.1 The Customer acknowledges that CastHR may transfer and Process Personal Data outside the EEA or the UK in connection with the provision of the Services.
11.2 Where such transfers constitute Restricted Transfers, CastHR shall ensure that appropriate safeguards are in place, including through the use of Standard Contractual Clauses as set out in Schedule 2.
11.3 CastHR shall provide reasonable assistance to the Customer to facilitate the implementation of appropriate transfer mechanisms.
12. General Provisions
12.1 This DPA shall be governed by the same law that governs the Agreement.
12.2 This DPA shall remain in effect for as long as CastHR Processes Personal Data on behalf of the Customer.
12.3 Any disputes arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution provisions of the Agreement.
12.4 If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
Schedule 1: Details of Processing
Subject matter of Processing
CastHR will Process Personal Data as necessary to provide the Services in accordance with the Agreement.
Duration of Processing
CastHR will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing or until deletion of Personal Data in accordance with Section 8.
Nature and purpose of Processing
CastHR will Process Personal Data for the purposes of:
- Providing the HR management platform and related services
- Maintaining and supporting the Services
- Complying with applicable laws
- As otherwise instructed by the Customer through use of the Services
Types of Personal Data
The Personal Data may include:
- Identity data (name, title, employee ID)
- Contact data (email, phone number, address)
- Employment data (job title, department, manager, start date, employment status)
- Compensation data (salary, bonuses, benefits)
- Performance data (reviews, goals, feedback)
- Time-off data (leave requests, balances, approvals)
- Documents (contracts, policies, certifications)
- Any other data uploaded or submitted by the Customer or Users
Categories of Data Subjects
- Employees
- Contractors
- Job applicants
- Former employees
- Employee dependents and emergency contacts
Schedule 2: Standard Contractual Clauses
Where Restricted Transfers occur, the Parties agree to be bound by the Standard Contractual Clauses (Controller to Processor) as approved by the European Commission.
The following details apply:
- Data exporter: The Customer (as Controller)
- Data importer: CastHR (as Processor)
- Data subjects, categories of data, special categories of data, processing operations, and purposes: As described in Schedule 1
Contact details
- Customer: As specified in the Agreement
- CastHR: [email protected]
Technical and organisational security measures: As described in Section 9 and at https://casthr.co/legal/security.
For transfers subject to UK Data Protection Laws, the Parties agree to be bound by the UK Addendum to the Standard Contractual Clauses as issued by the UK Information Commissioner’s Office.
Contact
For any questions regarding this DPA or to exercise any rights under this DPA, please contact: [email protected]