This Data Processing Agreement ("DPA") forms part of the agreement between HourSquare ("Processor", "we", "us") and the customer ("Controller", "you") who has subscribed to the HourSquare platform (the "Service"). It governs the processing of personal data that you make available to us — typically the personal data of your employees and contractors — when you use the Service. This DPA is required by Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the equivalent provisions of the Law of Georgia on Personal Data Protection (Document No. 3144).
By subscribing to the Service, the Controller accepts this DPA. If your organisation requires a countersigned copy on company letterhead, contact legal@hoursquare.com.
1. Definitions
Capitalised terms not defined here have the meaning given in the GDPR.
- "Personal Data" — any information relating to an identified or identifiable natural person processed under this DPA.
- "Data Subject" — the individual to whom Personal Data relates (typically your employees, contractors, candidates).
- "Processing" — any operation performed on Personal Data, including collection, storage, transmission, modification, deletion.
- "Sub-processor" — any third party engaged by the Processor to process Personal Data on the Controller's behalf.
- "Personal Data Breach" — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Scope and Roles
The Controller determines the purposes and means of processing Personal Data submitted to the Service. The Processor processes Personal Data only on documented instructions from the Controller, including those documented in this DPA, the Terms of Service, and any subsequent written instructions.
The subject matter, duration, nature, and purpose of processing, together with the categories of data subjects and types of Personal Data, are set out in Annex I.
3. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, except where required to do so by EU or Member State law.
- Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain the technical and organisational measures set out in Annex II.
- Assist the Controller in fulfilling its obligations under Articles 32–36 of the GDPR (security, breach notification, data protection impact assessments, prior consultation).
- At the Controller's choice, delete or return all Personal Data after termination of services, and delete existing copies unless storage is required by law (see Section 10).
- Make available all information necessary to demonstrate compliance with Article 28 GDPR and allow for audits as set out in Section 8.
- Inform the Controller without undue delay if, in its opinion, an instruction from the Controller infringes the GDPR or other applicable data protection provisions.
4. Security Measures
The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. The measures in force at the date of this DPA are described in Annex II.
The Processor may update these measures from time to time provided the level of security is not materially reduced.
5. Sub-processors
The Controller grants the Processor general written authorisation to engage Sub-processors, subject to the conditions in this section.
The current list of Sub-processors is set out in Annex III. The Processor shall notify the Controller of any intended changes (addition or replacement) at least thirty (30) days in advance, giving the Controller the opportunity to object on reasonable grounds.
The Processor shall enter into a written agreement with each Sub-processor imposing the same data protection obligations as set out in this DPA, and remains fully liable to the Controller for the performance of those obligations.
6. Data Subject Rights
The Service provides the Controller with self-service tools to respond to requests from Data Subjects to exercise their rights under the GDPR (including access, rectification, erasure, restriction, portability, and objection). Where these tools are insufficient, the Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible.
If a Data Subject contacts the Processor directly with a request under the GDPR, the Processor shall promptly forward that request to the Controller and shall not respond to the Data Subject directly unless authorised by the Controller.
7. Personal Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting the Controller's data. The notification shall include, to the extent then known:
- The nature of the breach, including categories and approximate number of Data Subjects and records concerned.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its possible adverse effects.
- The name and contact details of the data protection contact at the Processor.
The Processor shall reasonably cooperate with the Controller and provide further information as it becomes available.
8. Audits
The Processor shall make available to the Controller, on reasonable written request and no more than once per calendar year (except in the case of a Personal Data Breach or regulatory investigation), information necessary to demonstrate compliance with this DPA. Such information may include the Processor's most recent third-party audit reports, security questionnaires, or written summaries of the technical and organisational measures.
On-site audits are permitted only where remote means are insufficient, with at least thirty (30) days' notice, during normal business hours, in a manner that does not unreasonably disrupt the Processor's operations, and subject to confidentiality obligations.
9. International Data Transfers
Where the Processor transfers Personal Data outside the European Economic Area or the United Kingdom, the Processor ensures the transfer is subject to appropriate safeguards under Article 46 GDPR, including the European Commission's Standard Contractual Clauses (SCCs) where applicable. The Controller authorises the Processor to enter into the SCCs (Module Two: Controller-to-Processor) on the Controller's behalf with Sub-processors located outside the EEA where required.
10. Term and Termination
This DPA shall remain in force as long as the Processor processes Personal Data on behalf of the Controller. On termination of the underlying service agreement:
- The Processor shall cease processing Personal Data and, at the Controller's option, return or delete all Personal Data within ninety (90) days.
- The Controller may export its data via the self-service tools in the Service before termination.
- The Processor may retain Personal Data to the extent required by applicable law, in which case the Personal Data remains subject to the security obligations of this DPA.
Customer-initiated soft-deletion of a company account triggers a thirty (30)-day grace period, after which Personal Data is purged from production systems.
11. Liability
The liability of each party arising out of or in connection with this DPA is governed by the limitations of liability in the underlying service agreement (the Terms of Service). Nothing in this DPA limits or excludes liability where such limitation or exclusion is prohibited by applicable law.
Annex I — Description of Processing
Subject matter
Provision of human resources management software-as-a-service to the Controller, including features for employee records, leave, time tracking, payroll, onboarding/offboarding, equipment, surveys, whistleblowing, announcements, and reporting.
Duration
For the duration of the Controller's subscription to the Service, plus any post-termination retention period as set out in Section 10.
Nature and purpose
Storage, retrieval, transmission, modification, deletion, and analytical aggregation of employee personal data for the Controller's HR administration, in accordance with the Controller's instructions.
Categories of Data Subjects
- The Controller's current and former employees
- The Controller's contractors and freelancers (where managed in the Service)
- The Controller's HR administrators, managers, and authorised users
- Job candidates, where applicable
- Whistleblowing reporters (where pseudonymous or anonymous)
Categories of Personal Data
- Identity and contact data (name, email, phone, address)
- Employment data (job title, department, position, contracts, start/end dates, salary, employment status)
- Time and attendance data (work weeks, time entries, leave requests, balances)
- Payroll data (basic salary, components, gross, deductions, tax, net, payslips)
- Sensitive financial / identity data (bank account, tax ID, social security number) — encrypted at rest
- Emergency contact information
- Documents uploaded by the Controller (contracts, IDs, certificates)
- Audit and activity logs
- Free-text fields submitted via surveys, whistleblowing reports, profile change requests
Special Categories of Personal Data
The Service is not designed to process special categories of personal data (Article 9 GDPR) such as health, religious belief, or political opinion. The Controller agrees not to upload such data into free-text fields. Where unavoidable (e.g., medical certificates accompanying leave requests uploaded as documents), the Controller remains the sole determiner of the purpose of processing.
Annex II — Technical and Organisational Measures
The Processor maintains a layered set of technical and organisational measures appropriate to the risk, aligned with industry-recognised security practices and Article 32 of the GDPR. Specific configurations — including vendor and product names, software versions, network paths, schedules, and recovery-time targets — are treated as confidential security information and are not disclosed in this document. Enterprise customers may request additional detail under a separate confidentiality agreement. Measures may be updated provided the overall level of security is not materially reduced.
Network and perimeter security
- Public-facing endpoints sit behind an upstream protection layer providing DDoS mitigation, edge web application firewall, and rate limiting.
- Only the minimum set of network paths required to deliver the Service is exposed publicly; administrative pathways are not reachable from the public internet and require authenticated, multi-factor-protected private access.
Encryption
- Client–server traffic is encrypted in transit using industry-standard transport-layer security.
- Particularly sensitive personal-data fields are additionally protected with application-level encryption, with key material managed separately from the data store.
- Internal service-to-service connections use encrypted transport.
Access control
- Strict multi-tenant logical isolation: each Controller's data is scoped to its own tenant in every read and write path.
- Granular role-based access control; the Controller manages its own internal role assignments.
- Two-factor authentication is available to all end users and required for privileged accounts.
- Sessions and access tokens are revoked promptly on relevant lifecycle events (user disable, employment termination, account closure).
Logging and monitoring
- Structured application logging and request correlation across services.
- Audit logging of access to sensitive personal data and of significant employment-lifecycle events, made available to the Controller.
Resilience and backup
- Production is deployed in a configuration designed to mitigate single-point-of-failure outages.
- Regular backups of production data are taken and their integrity is periodically verified through restore testing on non-production environments.
Software security practices
- Input validation, parameterised queries, and ORM-mediated database access.
- Reliable inter-service messaging with idempotent consumers.
- Periodic dependency vulnerability scanning and remediation.
Organisational measures
- Personnel with access to Personal Data are bound by confidentiality obligations.
- Access to production systems is granted on a need-to-know basis and reviewed periodically.
- Defined incident response procedure including a breach notification path to the Controller.
Annex III — Approved Sub-processors
The current Sub-processors engaged by the Processor are:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | CDN, DDoS mitigation, WAF, edge TLS termination, private network access (Cloudconnexa) | Global edge network |
| Zoho Corporation (ZeptoMail) | Transactional email delivery (account confirmation, password reset, payslip delivery, notifications) | EU / US |
| Groq, Inc. | Large language model inference for AI-assisted reporting features (only when AI features are enabled by the Controller) | US |
An up-to-date list is maintained on this page. Material changes will be notified in accordance with Section 5.
Contact
Questions about this DPA, requests for a countersigned copy, or notifications under Section 5 (Sub-processors) and Section 7 (Personal Data Breach Notification) should be sent to:
HourSquare — Data Protection Contact
Email: legal@hoursquare.com
Postal: HourSquare, Tbilisi, Georgia
This document is a template provided for transparency and is suitable for small-business engagements. Customers with bespoke procurement, regulated industry, or enterprise compliance requirements may request a countersigned, negotiated DPA at the address above.