Data Processing Addendum

Last updated: 30 March 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between Husu Ltd (“Husu” or “Processor”) and the client organisation identified in the relevant Order Form or other governing agreement (“Controller”). Together, Husu and the Controller are referred to as the “parties”.

This DPA sets out the terms on which Husu will process personal data on behalf of the Controller in the course of providing its HR and wellbeing platform and associated services (“Services”).

1. Definitions

1.1 In this DPA, the following terms have the meanings given below. Other capitalised terms not defined here have the meanings given in the main agreement between the parties.

  • “Data Protection Laws” means all applicable data protection and privacy legislation in force from time to time in the United Kingdom, including the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003, as amended or replaced from time to time.
  • “UK GDPR” means the retained EU law version of the General Data Protection Regulation (EU) 2016/679, as it forms part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended from time to time.
  • “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Special Category Data” each have the meanings given to them in the UK GDPR.
  • “Subprocessor” means any third party engaged by Husu to carry out processing activities in respect of Personal Data on behalf of the Controller.
  • “Instructions” means the written instructions given by the Controller to Husu regarding the processing of Personal Data, as set out in this DPA and the main agreement, and as updated from time to time in writing.

2. Roles of the Parties

2.1 The parties acknowledge that, in relation to the processing of Personal Data described in this DPA, the Controller is the data controller and Husu is the data processor within the meaning of Data Protection Laws.

2.2 Each party shall comply with its respective obligations under Data Protection Laws in its capacity as controller or processor (as applicable).

3. Scope and Processing Details

3.1 The subject matter, nature, and purpose of the processing, the types of Personal Data processed, and the categories of Data Subjects are set out in Schedule 1 to this DPA.

3.2 Husu shall process Personal Data only to the extent necessary to provide the Services and in accordance with the Instructions, except where otherwise required by applicable law.

4. Documented Instructions

4.1 Husu shall process Personal Data only on the documented Instructions of the Controller, which Instructions are set out in this DPA and the main agreement and may be supplemented or varied in writing from time to time.

4.2 If Husu is required by applicable law to process Personal Data otherwise than in accordance with the Instructions, it shall inform the Controller of that legal requirement before processing (unless that law prohibits such notification on grounds of public interest).

4.3 If Husu considers that any Instruction infringes Data Protection Laws, it shall promptly notify the Controller. Husu shall not be obliged to follow an Instruction that, in its reasonable opinion, would cause it to act in breach of Data Protection Laws.

5. Confidentiality

5.1 Husu shall ensure that persons authorised to process Personal Data on its behalf are subject to appropriate obligations of confidentiality (whether contractual or statutory) in respect of that Personal Data.

5.2 Husu shall limit access to Personal Data to those personnel who need access in order to provide the Services.

6. Security

6.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Husu shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the UK GDPR.

6.2 The technical and organisational measures implemented by Husu are described in Schedule 2 to this DPA. These measures include, where implemented:

  • access control and authentication;
  • session management;
  • encryption of data in transit;
  • logging and monitoring;
  • vulnerability and code quality management;
  • automated testing;
  • backup and recovery procedures;
  • vendor management; and
  • staff confidentiality obligations.

6.3 Husu may update or modify the security measures described in Schedule 2 from time to time, provided that any such changes do not materially reduce the overall level of security protection afforded to the Personal Data.

7. Subprocessors

7.1 The Controller provides general authorisation for Husu to engage Subprocessors to assist in the provision of the Services, subject to the requirements of this clause 7.

7.2 A current list of Subprocessors is maintained at https://husu.co.uk/legal/dpa (see Schedule 1 below). Husu will notify the Controller of any intended changes to its Subprocessors (whether by addition or replacement) by updating the list at the above address and, where reasonably practicable, by providing direct notice. The Controller may object to a new Subprocessor by notifying Husu in writing within 14 days of receiving notice.

7.3 Husu shall impose data protection obligations on each Subprocessor that are equivalent to those imposed on Husu under this DPA. Husu remains liable to the Controller for the performance of any Subprocessor’s obligations under this DPA to the extent that Husu would itself be liable.

8. Assistance with Data Subject Rights

8.1 Taking into account the nature of the processing, Husu shall assist the Controller by implementing appropriate technical and organisational measures, insofar as reasonably possible, to enable the Controller to fulfil its obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws.

8.2 Husu shall promptly notify the Controller if it receives a request from a Data Subject exercising any right under Data Protection Laws in respect of Personal Data processed under this DPA. Husu shall not respond to any such request without the prior written authorisation of the Controller, except as required by law.

8.3 Husu may charge a reasonable fee for assistance provided under this clause 8 where such assistance goes beyond what is reasonably necessary for standard operation of the Services.

9. Assistance with Compliance

9.1 Husu shall, taking into account the nature of the processing and the information available to it, provide reasonable assistance to the Controller with its obligations under Articles 32 to 36 of the UK GDPR (security of processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultation with the supervisory authority).

9.2 Husu may charge a reasonable fee for assistance provided under this clause 9 where such assistance goes beyond what is reasonably necessary for standard operation of the Services.

10. Personal Data Breaches

10.1 Husu shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.

10.2 Such notification shall include, to the extent available at the time: (a) a description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the approximate number of Personal Data records concerned; (b) the name and contact details of the relevant contact at Husu; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

10.3 Husu’s target contractual notification window is 48 hours from becoming aware of the breach.

10.4 Husu shall cooperate with the Controller and take such steps as may be reasonably required to assist the Controller in investigating, remediating, and notifying any Personal Data Breach to the relevant supervisory authority and affected Data Subjects, where required.

11. International Transfers

11.1 Husu shall not transfer Personal Data to a country or territory outside the United Kingdom except in accordance with Data Protection Laws and this clause 11.

11.2 Where Husu transfers Personal Data to a Subprocessor located outside the United Kingdom, it shall ensure that an appropriate safeguard is in place, including one or more of the following:

  • a UK adequacy regulation covering the destination country or territory;
  • UK International Data Transfer Agreements (IDTAs) or addenda to EU Standard Contractual Clauses (SCCs) approved for use under UK law; or
  • another lawful transfer mechanism recognised under UK GDPR.

11.3 Details of the transfer mechanisms applicable to each Subprocessor are set out in Schedule 1.

12. Audit and Information Rights

12.1 Husu shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and with the obligations imposed on Husu as a processor under Data Protection Laws.

12.2 Husu shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to: (a) reasonable advance written notice (not less than 30 days, except in the case of a suspected or confirmed breach); (b) the auditor being subject to appropriate confidentiality obligations; (c) the audit being conducted during normal business hours in a manner that minimises disruption to Husu’s operations; and (d) the Controller bearing the reasonable costs of any audit.

12.3 The Controller agrees to use reasonable efforts to avoid duplicative or unduly burdensome audit requests, and to rely on Husu’s security documentation, certifications, and attestations as a first step before requesting an on-site inspection.

13. Return and Deletion

13.1 At the choice of the Controller and upon written request, Husu shall delete or return all Personal Data to the Controller on termination or expiry of the main agreement, and shall delete existing copies unless retention is required by applicable law.

13.2 The process and timeline for return and deletion are set out in Schedule 3 to this DPA.

14. Special Category Data

14.1 The Controller acknowledges that the Services involve wellbeing surveys which may touch on matters that could indirectly relate to health or other sensitive topics. The Controller is responsible for ensuring that it has an appropriate condition under Article 9 of the UK GDPR (and, where applicable, Schedule 1 of the Data Protection Act 2018) for any Special Category Data processed through the Services, and for providing appropriate notices and obtaining any required consents from Data Subjects.

14.2 Husu implements a minimum reporting threshold of five (5) respondents before aggregated survey results are made available to the Controller’s administrators, as a technical safeguard to protect individual anonymity.

15. Liability

15.1 Each party’s liability under or in connection with this DPA is subject to the limitations and exclusions set out in the main agreement between the parties.

15.2 This DPA does not limit or exclude either party’s liability for obligations that cannot be limited or excluded under Data Protection Laws, including obligations directly imposed by the UK GDPR or the Data Protection Act 2018.

16. General

16.1 This DPA forms part of and is incorporated into the main agreement between the parties. In the event of any conflict between this DPA and the main agreement in relation to the processing of Personal Data, this DPA shall prevail to the extent of the inconsistency.

16.2 This DPA shall be governed by and construed in accordance with the law of Scotland and the parties submit to the exclusive jurisdiction of the Scottish courts.

Schedule 1 — Description of Processing

1. Subject matter of processing

The provision of an HR and employee wellbeing software-as-a-service platform, including survey tools, reporting and analytics, and related administrative functions.

2. Duration of processing

For the duration of the main agreement between the parties, and for any additional period required to fulfil the return and deletion obligations in Schedule 3.

3. Nature and purpose of processing

Processing is necessary for the following purposes:

  • creating and managing user accounts for employees and administrators of the Controller;
  • delivering, managing, and recording responses to employee wellbeing surveys;
  • generating aggregated and anonymised reports and analytics for the Controller;
  • administering access controls and user permissions;
  • storing and processing documents and files uploaded by the Controller or Authorised Users; and
  • providing customer support, security monitoring, and operational maintenance of the platform.

4. Types of personal data

The following categories of Personal Data may be processed:

  • identification data: name, employee identifier, job title, and department;
  • contact data: work email address;
  • authentication data: hashed credentials and session identifiers;
  • survey response data: responses to wellbeing survey questions (which may include free-text responses and data that indirectly relates to health or other sensitive matters, depending on survey configuration);
  • usage data: access logs, activity records, and technical information generated by use of the platform; and
  • document data: files and documents uploaded to the platform by or on behalf of the Controller.

5. Categories of data subjects

The following categories of Data Subject may be affected:

  • employees, workers, and contractors of the Controller;
  • administrators and nominated contacts of the Controller who manage the platform; and
  • any other individuals whose personal data the Controller uploads or submits to the platform.

6. Special category data

The Services may involve the processing of data that could indirectly relate to health or mental wellbeing, depending on the survey content configured by the Controller. The Controller is responsible for ensuring it has the appropriate legal basis for any Special Category Data processed through the platform.

7. Obligations and rights of the Controller

The Controller’s obligations and rights are as set out in this DPA and the main agreement.

8. Reporting and visibility controls

Aggregated survey results are only made available to the Controller’s administrators where the minimum response threshold of five (5) respondents has been met, in order to protect the anonymity of individual Data Subjects.
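The following is an added illustration of the minimum-respondent threshold described in clause 14.2 and in section 8 above; it is not Husu's code and does not form part of this DPA. The survey data, the grouping by department and the 1 to 5 score scale are constructed assumptions. The example counts distinct respondents rather than submissions, reports a group below the threshold as suppressed with no count or score, and also withholds the organisation-wide total when the respondents hidden in suppressed groups are themselves fewer than the threshold, since otherwise an administrator could recover that small remainder by subtracting the released groups from the total.

```python
from collections import defaultdict
from statistics import mean

# Minimum number of distinct respondents a group needs before its aggregate is
# released. Mirrors the five-respondent threshold in clause 14.2 / Schedule 1 s.8.
MIN_RESPONDENTS = 5

# Constructed sample data (not real survey results): (respondent_id, group, score 1-5).
# u12 submits three times to show that the threshold counts respondents, not responses.
SAMPLE_RESPONSES = [
    ("u01", "Engineering", 4), ("u02", "Engineering", 3), ("u03", "Engineering", 5),
    ("u04", "Engineering", 2), ("u05", "Engineering", 4), ("u06", "Engineering", 3),
    ("u07", "Finance", 2), ("u08", "Finance", 3), ("u09", "Finance", 4),
    ("u10", "Finance", 5), ("u11", "Finance", 1),
    ("u12", "Legal", 2), ("u12", "Legal", 2), ("u12", "Legal", 3), ("u13", "Legal", 1),
    ("u14", "Marketing", 4), ("u15", "Marketing", 5), ("u16", "Marketing", 3),
]


def scores_by_group(responses):
    """Collapse raw submissions to one score per distinct respondent per group
    (the latest submission wins), so repeat submissions cannot push a small
    group over the threshold. Assumes each respondent belongs to one group."""
    groups = defaultdict(dict)
    for respondent_id, group, score in responses:
        groups[group][respondent_id] = score
    return groups


def group_report(responses, min_respondents=MIN_RESPONDENTS):
    """Per-group aggregates. A group below the threshold is returned as
    suppressed with no count and no score, so an administrator cannot read a
    single employee's answer off a one- or two-person department."""
    report = {}
    for group, answers in scores_by_group(responses).items():
        if len(answers) < min_respondents:
            report[group] = {"suppressed": True}
        else:
            report[group] = {
                "suppressed": False,
                "respondents": len(answers),
                "mean_score": round(mean(answers.values()), 2),
            }
    return report


def organisation_report(responses, min_respondents=MIN_RESPONDENTS):
    """Organisation-wide aggregate plus the per-group breakdown, with
    complementary suppression: if fewer than min_respondents people sit inside
    suppressed groups, subtracting the released groups from the organisation
    total would expose that small remainder, so the total is withheld too."""
    groups = scores_by_group(responses)
    released = group_report(responses, min_respondents)
    hidden = sum(len(a) for g, a in groups.items() if released[g]["suppressed"])
    all_answers = {rid: s for answers in groups.values() for rid, s in answers.items()}
    total = None
    if len(all_answers) >= min_respondents and (hidden == 0 or hidden >= min_respondents):
        total = {
            "respondents": len(all_answers),
            "mean_score": round(mean(all_answers.values()), 2),
        }
    return {"organisation": total, "groups": released}


if __name__ == "__main__":
    import json
    print(json.dumps(organisation_report(SAMPLE_RESPONSES), indent=2))
```

With the sample data, Engineering (6 respondents) and Finance (5) are released, Legal (2 distinct respondents despite 4 submissions) and Marketing (3) are suppressed, and the organisation total is released only because the five people hidden in those two groups together meet the threshold; remove Marketing and the total is withheld as well.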

Current Subprocessors

The following Subprocessors are currently engaged by Husu in connection with the Services. Husu will notify the Controller of any changes in accordance with clause 7.2 of this DPA.

Provider       | Purpose                                   | Location              | Transfer Mechanism
---------------|-------------------------------------------|-----------------------|---------------------------------
Render         | Application hosting                       | Oregon, US            | UK IDTA / SCCs
MongoDB Atlas  | Primary database                          | EU (Ireland)          | UK adequacy (EU)
Supabase       | Authentication and user management        | EU (Ireland)          | UK adequacy (EU)
Cloudflare R2  | File and document storage                 | Auto (nearest region) | UK IDTA / SCCs
SigNoz Cloud   | Application monitoring and error tracing  | EU (Frankfurt)        | UK adequacy (EU)
LaunchDarkly   | Feature flag management                   | US                    | UK IDTA / SCCs
SiteGround     | Transactional email (SMTP)                | UK                    | N/A (UK domestic)
Stripe         | Payment processing (not yet active)       | US / EU               | UK IDTA / SCCs (when activated)

Schedule 2 — Technical and Organisational Measures

The following technical and organisational measures are implemented by Husu to ensure a level of security appropriate to the risk of processing personal data in connection with the Services.

1. Access control and authentication

Role-based access control with three distinct permission levels (platform administrator, organisation administrator, employee). Optional two-factor authentication via time-based one-time passwords (TOTP). Unique credentials per user; shared accounts are not permitted.

2. Session management

Authenticated sessions managed via secure, HttpOnly cookies with SameSite attributes. Sessions expire after seven days. Cookies are marked Secure in production environments.

3. Encryption in transit

All data transmitted between clients and the service is encrypted using HTTPS/TLS, terminated at the hosting provider’s load balancer.

4. Logging and monitoring

Application instrumented with OpenTelemetry, exporting traces and metrics to SigNoz Cloud (EU). Activity logs maintained for administrative and security events.

5. Vulnerability and code quality management

Automated container image scanning (Trivy) and static code quality analysis (SonarQube) integrated into the continuous integration pipeline.

6. Automated testing

Unit tests and end-to-end tests run as part of the development and deployment workflow.

7. Backup and recovery

Database backups managed by MongoDB Atlas according to the applicable tier policy. Current tier provides daily snapshots with retention of up to seven days.

8. Vendor management

Subprocessors are assessed for data protection adequacy. Contracts include data protection obligations. Subprocessor list maintained and available to controllers.

9. Staff confidentiality

Personnel with access to personal data are subject to appropriate confidentiality obligations.

Schedule 3 — End-of-Contract Return and Deletion

This Schedule sets out the process for return and deletion of personal data following the end of the agreement between the parties.

1. Export request

On written request during or within 30 days after the end of the agreement, Husu will provide the Controller with an export of its personal data in a commonly used, machine-readable format (such as CSV or JSON).

2. Deletion timing

Within 30 days after the end of the agreement (or after completion of an export, if later), Husu will securely delete personal data from its primary systems, unless retention is required by law.

3. Backup retention

Personal data may remain in encrypted backups for a limited period following deletion from primary systems. Backups are rotated and overwritten in the ordinary course according to the hosting provider’s retention cycle (currently up to seven days). Husu will not actively restore deleted data from backups except where required by law.

4. Confirmation

Where requested, Husu will confirm in writing that deletion has been completed, subject to any permitted exceptions.

5. Legal retention

Where Husu is required by law, regulation, or professional obligation to retain certain personal data beyond the end of the agreement, it will do so only for as long as required, with appropriate access controls and safeguards in place.