Data Processing Agreement
Last updated: 7 July 2026 (version 2026-07-07)
Pre-launch reference: this DPA is not yet offered for unrestricted self-service sign-up. The processor's legal identity and registered office are being verified; an approved DPA is provided before any customer workspace is activated.
1. Parties
This Data Processing Agreement ("DPA") is between:
- the customer organisation whose administrator accepts this DPA during account creation, or that is identified in an order form or signed commercial agreement ("Customer"); and
- the HollyHR service provider identified in the Customer's approved order form, onboarding documents or signed commercial agreement ("HollyHR").
Customer is the controller for employee personal data entered into HollyHR. HollyHR is the processor for that employee personal data. HollyHR may be a controller for account, billing, website, support, and operational data as described in the Privacy Policy.
2. Relationship to other terms
This DPA forms part of the HollyHR Terms of Service or signed customer agreement. It is accepted when a customer administrator agrees to the Terms of Service and this DPA during account creation, or when it is executed as part of a signed agreement. If this DPA conflicts with the Terms of Service for processor obligations, this DPA controls for the relevant personal data.
3. Processing details
The processing is described in Schedule 1. HollyHR will process Customer Personal Data only to provide, secure, support, maintain, and improve the HollyHR service, and only for the duration of the customer relationship unless a shorter retention instruction or legal obligation applies.
4. Customer instructions
Customer instructs HollyHR to process Customer Personal Data:
- to provide the HollyHR application and related support;
- as configured by Customer administrators and authorised users;
- as described in this DPA, the Terms of Service, the Privacy Policy, and agreed order materials;
- to comply with applicable UK law where HollyHR is legally required to act.
HollyHR must not process Customer Personal Data for another purpose unless Customer gives documented instructions or UK law requires the processing. HollyHR will tell Customer if an instruction appears to infringe UK data protection law, unless UK law prohibits that notice.
5. Confidentiality
HollyHR will ensure that personnel authorised to process Customer Personal Data are under appropriate confidentiality obligations, whether by contract, employment terms, or statutory obligation.
6. Security measures
HollyHR will implement appropriate technical and organisational measures designed to protect Customer Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.
Current measures include:
- TLS for data in transit;
- provider encryption at rest for database, document storage, and backups;
- field-level encryption for selected banking, tax/government identifier, and compensation values where implemented in the application;
- organisation-level access controls and role-based authorisation;
- audit logging for sensitive actions;
- private document storage with signed download URLs;
- merge gates for lint, typecheck, tests, security guards, and secrets scanning;
- operational runbooks for incident response, DSAR, erasure, backup, and restore/rollback.
Security measures may evolve, provided HollyHR does not materially reduce the overall protection for Customer Personal Data.
7. Sub-processors
Customer gives HollyHR general written authorisation to use sub-processors for the service, subject to this section. The current sub-processor list is maintained at /legal/sub-processors.
HollyHR will:
- maintain a current list of sub-processors that may process Customer Personal Data;
- impose data protection obligations on sub-processors that provide an equivalent level of protection for Customer Personal Data;
- remain liable to Customer for sub-processor performance of those obligations;
- give Customer notice of intended additions or replacements where required by the signed agreement;
- give Customer a reasonable opportunity to object to material sub-processor changes where required by the signed agreement.
8. Data subject rights assistance
Taking account of the nature of processing, HollyHR will assist Customer with data subject requests relating to Customer Personal Data, including requests for access, rectification, erasure, restriction, objection, and portability.
Current assistance mechanisms include organisation export, per-subject export support, deletion/erasure workflows, and documented operational runbooks. Customer remains responsible for determining whether a request is valid and whether exemptions, retention duties, or legal holds apply.
9. Security incident assistance
HollyHR will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. The notice should include, where available:
- the nature of the incident;
- affected data categories and approximate record volumes;
- likely consequences;
- measures taken or proposed to address and mitigate the incident;
- a contact point for follow-up.
HollyHR will provide reasonable assistance for Customer's UK GDPR breach notification obligations, taking account of the nature of processing and the information available to HollyHR.
10. DPIA and consultation assistance
Taking account of the nature of processing and information available to HollyHR, HollyHR will provide reasonable assistance with data protection impact assessments and regulator consultation obligations where Customer's use of HollyHR requires that assistance.
11. Return, deletion, and retention
On termination or expiry of the services, Customer may export Customer Personal Data before account closure where the application provides export tools. At Customer's choice, HollyHR will delete or return Customer Personal Data after service termination, unless UK law requires continued storage.
Deletion from live systems is subject to the product's deletion workflows. Encrypted backups age out according to the documented backup retention window. Some records may be retained or anonymised where needed for legal obligation, audit evidence, security, billing, tax, accounting, legal claims, or compliance.
12. Audit and information
HollyHR will make available information reasonably necessary to demonstrate compliance with this DPA and Article 28 obligations. Customer may request audit information no more than once per calendar year unless a material incident or regulator request justifies a different cadence. Audits must be scoped to avoid compromising other customers, HollyHR security, or confidential provider information.
13. International transfers
Where Customer Personal Data is transferred outside the UK, HollyHR will rely on an appropriate transfer mechanism, such as UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another mechanism recognised under UK data protection law. The sub-processor list records current provider locations and transfer posture where known.
14. Processor records and compliance
HollyHR will maintain appropriate records of processing activities required for its processor role and will comply with its direct UK GDPR processor obligations. Nothing in this DPA relieves either party of responsibilities it has directly under UK data protection law.
15. Customer responsibilities
Customer is responsible for:
- having a lawful basis for employee personal data it enters into HollyHR;
- giving appropriate privacy information to employees and other data subjects;
- configuring user access appropriately;
- responding to employee data subject requests as controller;
- determining retention, deletion, legal hold, and employment-record preservation requirements;
- ensuring its instructions to HollyHR comply with UK data protection law.
Schedule 1 — Processing details
| Subject matter | Hosting and operation of the HollyHR HR management service for Customer. |
|---|---|
| Duration | Customer subscription term plus documented retention, backup ageing, and legal hold periods. |
| Nature and purpose | Store, organise, secure, display, export, delete, and support HR records and related service data. |
| Data subjects | Customer employees, contractors, administrators, managers, emergency contacts, and customer representatives. |
| Personal data | Identity, contact, employment, department, time-off, compensation, bank/payroll, emergency contact, document metadata, uploaded HR documents, account, authentication, support, billing, audit, and service metadata. |
| Special-category data | Not intentionally collected as a core field; Customer may upload documents or notes that contain special-category data, so Customer controls whether this is entered. |
| Controller obligations | Customer decides lawful basis, notices, data minimisation, retention, data subject response, and legal hold posture. |
| Processor obligations | HollyHR processes only on documented instructions and provides the safeguards and assistance described in this DPA. |
Questions
For questions about this DPA, or to execute it as a signed agreement instead of the click-through acceptance, contact us via the details on the contact page.