Data Processing Addendum
This Data Processing Addendum applies to all customers who have subscribed to our Services on or after May 12, 2025.
Overview
This Data Processing Addendum is current as of May 12, 2025 and explains our data processing activities carried out as a Data Processor on behalf of our Customers.
Background
This Data Processing Addendum (‘DPA’) forms part of the agreement between Humi by Employment Hero (‘us’, ‘we’, or ‘our’) and our Customers (‘you’ or ‘your’). It reflects our agreement with you regarding the processing of your Customer Personal Information and acts as an addendum to the Platform Terms and Conditions, and/or any other terms and conditions that you agree to when receiving Services from us (the ‘Agreement’).
1. Definition
In this DPA:
Affiliates means any corporation or other business entity controlling, controlled by or under common control with Humi Soft Inc. A current list of Affiliates is available here;
Applicable Law means all laws, regulations, orders, rules, judgments, directives, industry agreements or determinations in force from time to time applicable to a party and relevant to the Agreement or this DPA, including, without limitation, the Personal Information Protection and Electronic Documents Act (PIPEDA);
Customer means you, the specific party which has entered into the Agreement with us;
Customer Personal Information means Personal Information in respect of which you are the Data Controller, and we are the Data Processor; but which excludes Personal Information processed by us when acting as a Data Controller;
Data Breach means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Information;
Data Controller means the entity which alone or jointly with others determines the purposes and means of processing of Personal Information;
Data Processor means an entity which processes Personal Information on behalf of a Data Controller;
Data Protection Law means any privacy and data protection laws that may be applicable to the parties (including data privacy laws that are specific to the region in which you or our relevant Affiliate entity is based like Australia, Canada, the United Kingdom and New Zealand), and any amendments to or replacements of such laws and regulations;
Individual has the meaning given to it in the PIPEDA;
Personal Information means any information relating to an identified or identifiable natural person and an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processing means the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Information;
Services means the provision of cloud-based human resources and payroll software services where we act on behalf of our Customer, and/or other products and services provided by us and/or our Affiliates under the Agreement through our websites, platforms and apps where we act in the capacity of a Data Processor;
Sub-Processor means any entity which is engaged by us or by any other sub-processor of ours who may access or process Customer Personal Information;
User means individual users of the Services including employees of your organisation.
1.1 Clarifications for this DPA
1.1.1 any words following the terms “like”, “include”, “for example” or any similar expression will be construed as illustrative and will not limit the sense of the words, description, definition, phrase or term preceding those terms;
1.1.2 references to Clauses and Schedules are, unless otherwise stated, references to the clauses of, and schedules to, this DPA; and
1.1.3 references to this DPA or any other agreement or document are to this DPA or such other agreement or document as it may be varied, amended, supplemented, restated, renewed, novated, or replaced from time to time.
2. Data processing terms
2.1 General data processing terms
2.1.1 Roles of the parties: You are the Data Controller and we are the Data Processor of the Customer Personal Information. We require certain Personal Information to set up and manage your account on our platforms and apps and to provide Services under the Agreement. We may also provide specific services and support relating to individuals where we determine the purposes for which, and means in which, the Personal Information is processed, and in these cases, we will process Personal Information as a Data Controller.
2.1.2 Scope of this DPA: This DPA only applies to the processing of Customer Personal Information by us in connection with the Services under the Agreement. The categories of Individuals and types of Customer Personal Information processed are set out in Schedule 1 of this DPA. Customer Personal Information is processed for the purpose of providing the Services and other purposes as identified in Schedule 1 of this DPA. We may process Customer Personal Information for the duration of the Agreement (or longer to the extent permitted by Applicable Law).
2.1.3 Legal compliance obligation: Each party agrees that in relation to this DPA, it is compliant with, and will remain compliant with all Applicable Law. You will make sure that you have provided notice to individuals of the data processing activities carried out under this DPA.
2.1.4 Our rights and responsibilities: Other than for anything to the contrary in the Agreement, in relation to Customer Personal Information, we will:
a. process Customer Personal Information only in accordance with your instructions as established in the Agreement or as you have provided to us in writing from time to time, given that these instructions are reasonable and subject to our right to charge additional sums at our current rates should the scope of the agreed services be exceeded. In addition to this, we may:
i. process Customer Personal Information as required under Applicable Law and take reasonable steps to inform you of such a requirement before processing the data, unless the law prohibits this; and
ii. process Customer Personal Information when analysing and/or providing support in relation to the Services, and carrying out measures to further develop and improve the Services for our customer base as a part of the ongoing delivery of Services, provided that necessary safety measures are put in place as may be required by Applicable Law;
b. promptly notify you, if in our opinion, an instruction given to us by you infringes Data Protection Law;
c. where applicable, make sure that access to Customer Personal Information is given to our (or our Sub-Processors’) personnel who are contractually bound to respect the confidentiality of this type of Customer Personal Information;
d. implement appropriate technical and organisational measures to protect against unauthorised or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Information. These measures will be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage, or theft of Customer Personal Information, and having regard to the nature of the Customer Personal Information which is to be protected and is set forth in Schedule 1 of this DPA. You acknowledge that we may change the security measures through the adoption of new or enhanced security technologies, and you authorise us to make such changes provided that they do not materially diminish the level of protection. We make information about our most up-to-date security measures applicable to the Services available here;
e. at your reasonable request and at your cost, to the extent that this is possible, assist you with your obligations to respond to requests from individuals looking to exercise their rights under Data Protection Law (to the extent that the Customer Personal Information is not accessible to you through the Services provided under the Agreement);
f. at your reasonable request and at your cost, taking into account the nature of the processing and the information available to us, assist you with your obligations under Applicable Law; and
g. at your written request, delete or return to you any Customer Personal Information within the agreed period of time after the end of the provision of the Services as set out in the Agreement (or within a reasonable period of time if the Agreement is silent on this point), unless Applicable Law requires storage of the Customer Personal Information.
2.1.5 Data storage: Personal Information that we hold will be stored and managed on secure data centres by our third-party storage provider. You can find out more about locations in which we store your data in our Privacy Policy.
2.2 Sub-Processors
2.2.1 Appointment of Sub-Processors: You agree that we may transfer Customer Personal Information or give access to Customer Personal Information to Sub-Processors for the purposes of providing the Services or other purposes identified in Schedule 1 of this DPA, provided that we comply with our requirements under this section of the DPA. We will remain responsible for our Sub-Processor’s compliance with the obligations of this DPA. We will make sure that any Sub-Processors, to whom we transfer Customer Personal Information, enter into written agreements with us requiring them to agree to terms no less protective, in any material respect, than this DPA.
2.2.2 List of current Sub-Processors and notice of updates to the list: A current list of Sub-Processors is available here and is deemed to be pre-approved by you. We can at any time and without justification either appoint a new Sub-Processor, or remove or change an existing Sub-Processor. If you subscribe for updates in regard to the Sub-Processor list by emailing privacy@employmenthero.com, you will be given prior written notice of additions to the Sub-Processor list by email, or via the Services. We recommend that you occasionally check our website, platforms, or apps for communications concerning updates to the Sub-Processor list.
2.2.3 Objections to Sub-Processors: If you do not legitimately object to changes to the Sub-Processor list within 30 days of being notified of a new Sub-Processor, the Sub-Processor list update is considered to be approved by you. Legitimate objections to the Sub-Processor list update must contain reasonable and documented data protection grounds relating to a Sub-Processor’s non-compliance with applicable Data Protection Law. In the event that you reasonably object to a new Sub-Processor, we will use reasonable efforts to make available to you a change in the Services or recommend a commercially reasonable change to your use of the Services. This will be done to avoid processing of Personal Information by the new Sub-Processor to whom you object without unreasonably burdening you. If we are unable to make these types of changes available to you within a reasonable period of time, which will not exceed 60 days, you may, subject to the terms of the Agreement, terminate the applicable Services which cannot be provided by us without the use of the objected-to new Sub-Processor, by giving written notice to us.
2.2.4 Access to our agreements with Sub-Processors: We may, at our discretion, provide you with a copy of our agreements with Sub-Processors (subject to redaction of any confidential information and this being reasonable for us to do). These copies may be provided by us in a manner to be determined by us, only upon the written request by you via email to privacy@employmenthero.com, and at your sole expense.
2.3 International transfer mechanisms
2.3.1 You acknowledge that, in connection with providing the Services, Customer Personal Information may be transferred to, or accessed from a country outside of Canada. We will ensure that any international transfers or access to Customer Personal Information comply with applicable Canadian privacy laws, including the PIPEDA and any substantially similar provincial privacy legislation. Where required by Canadian law, we will implement appropriate contractual or other measures to ensure a comparable level of protection for Personal Information transferred outside Canada.
2.4 Data Breach
2.4.1 We will notify you in writing (including via email), without undue delay, if we become aware of a Data Breach that impacts you and requires notice to you under Applicable Law. We will take steps, within a reasonable timescale, to remedy the Data Breach and provide further information to you as may be reasonably required.
2.4.2 We will make reasonable efforts to identify the cause of any Data Breach and take steps as we deem necessary and reasonable to remediate the cause of the Data Breach to the extent the remediation is within our reasonable control.
2.4.3 Our assistance under this clause which exceeds any obligations set out by Applicable Law will be chargeable, as incurred, at our current rates unless you demonstrate that that type of assistance is required because of a failure by us to comply with our obligations under this DPA.
2.4.4 The obligations under this clause will not apply to Data Breaches that are caused by you or your personnel.
2.5 Audits and inspections
2.5.1 To the extent required by Applicable Law, and upon written request from you at reasonable intervals between each request and at your cost and expense, we will audit the security of the processes and computing environment that we use in handling Customer Personal Information. This audit will be performed no more than once annually and it may be performed by independent third-party security professionals chosen by us (in which case such choice is made at our expense). In the event that we have recently exercised such audit rights for another customer, or undergone any type of audit that would provide the relevant information needed by you, we will provide you with a summary of those recent audit results.
2.5.2 We will respond, no more frequently than annually, to any reasonable security questionnaire provided by you which seeks to assist your assessment of our compliance with the security obligations under this DPA and which may be applicable to the Services. The responses to these questionnaires and any supporting evidence provided by us will be considered confidential information.
2.5.3 You may change this instruction regarding the exercise of audit rights to the extent required to ensure compliance with Applicable Law. Any such change must be requested in writing via email to privacy@employmenthero.com, in which case we will have no obligation to provide commercially confidential information.
2.6 Return or deletion of Personal Information
2.6.1 At the end of the Services, at your written request, we must securely destroy Customer Personal Information, and delete existing copies unless Applicable Law requires storage of such Customer Personal Information.
2.6.2 We may provide a written certification of deletion of your Customer Personal Information if you request it in writing via email to privacy@employmenthero.com, and only provided that you have a right to receive a certification of deletion under Applicable Law.
2.7 Limitation on liability
2.7.1 The parties acknowledge and agree that our total cumulative liability, together with our Affiliates, arising out of or in relation to this DPA is subject to the liability sections of the Agreement (namely the applicable sections of the Platform Terms and Conditions and/or any other specified terms and conditions of an Agreement entered into between you and us).
2.7.2 Our and our Affiliates’ total liability for all claims from you and all of your affiliates arising out of or in relation to the Agreement and the DPA, will apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by you and your Affiliates, and will not be understood to apply individually and severally to you and/or to any of your affiliates that is a contractual party to any such DPA.
2.8 Other general terms
2.8.1 Changes to this DPA: We reserve the right to make any updates or changes to this DPA to reflect changes in our Services, information practices, operational requirements, or changes to laws and regulations. You should periodically review this DPA to see any amendments that have been made. If we make any significant changes to this DPA, we may provide notice to you via email or by other means of communication like in-platform or in-app notifications.
Schedule 1 – Data Processing Information
Nature and purpose of processing operations
The nature of processing is the collection, recording, organisation, storage, adaptation, use, disclosure, or transfer of Customer Personal Information.
The Customer Personal Information will be processed for the purpose of providing, and further improving the Services provided by us.
Categories of Individuals
You (the Customer), Users and other persons authorised by the Customer to use the Services provided by us and our Affiliates.
Categories of data
This data primarily includes data relevant for processing carried out in the provision of the Services including:
Categories of Personal Information
- Business account information including business name and details, logos and information relating to representatives of the business;
- Individual account information including name, date of birth, age, gender, sex, marital status, profile photo;
- Contact information including residential and/or postal address, email address, telephone number, and social media handles;
- Payroll information including information relating to payroll processing, salary and other compensation, timesheets and bank account information;
- General business information including information relating to employees’ and the business’s goals, accomplishments, training and development, awards and performance, feedback and reviews, onboarding and offboarding details, and implementation process information;
- Employment related information including occupation or job title, information relating to current and former employers, key dates relating to the current role and/or past roles, superannuation information, salary and/or pension details including documents such as payslips and payment summaries, timesheets, performance reviews and workplace engagement information, workplace issues and incident information, citizenship and visa status for work eligibility purposes, emergency contact information, and tax information;
- Recruitment related information including job vacancy details, profile photo, company details relevant to the job posting such as work location and contact emails, and the name and contact details of any personnel involved in the recruitment process; and
- Job application related information including name, contact email, job seeker profiles, CV, cover letter, profile photo, work preferences, salary expectations, education history, work history, qualifications, languages, and references.
Special Categories of Personal Information (or Sensitive Information)
- You or users of the Services may submit Special Category Personal Information to the platform or app at their discretion, or we may collect such data with prior consent for the purpose of providing the Services to you or relevant end-users.
- This data primarily includes:
- sensitive information provided in compliance documentation stored on the Services by you or end-users;
- ID documents and information provided within such documents that may include details about ethnicity or race, religious beliefs;
- health information such as disability information, health status relevant to administration of long-term disability or other medical benefit programs, vaccination history, medical reports, return to work/adjustment reports and workplace injury reports; and
- work eligibility information such as immigration status, visa status and details, and criminal history and background.
Duration of Processing
We will process Customer Personal Information for the duration of the Agreement (or longer to the extent permitted by Applicable Law).
Schedule 2 – Technical and Organisational Measures
The Technical and Organisational Measures are detailed in our Security Portal.
The measures identified in these pages may be updated by us from time to time in accordance with clause 2.1.4(d).