Data Processing Agreement (DPA)

GDPR-Compliant Data Processing

This DPA governs how we process personal data on behalf of our customers.

Definitions

  • Controller: The customer (your organization)
  • Processor: Office 1 Solution
  • Personal Data: Employee and user information
  • Processing: Any operation performed on personal data
  • Data Subject: The individual whose data is processed

Scope and Purpose

Office 1 Solution processes personal data solely for the purpose of providing HRIS services as described in our Terms of Service.

Controller and Processor Obligations

Controller (Customer) Obligations

  • Ensure lawful basis for data collection
  • Provide data subject notices
  • Respond to data subject requests
  • Ensure data accuracy

Processor (Office 1 Solution) Obligations

  • Process data only on documented instructions
  • Ensure confidentiality of personnel
  • Implement appropriate security measures
  • Assist with data subject requests
  • Assist with data breach notifications
  • Delete or return data upon termination

Data Security Measures

Security MeasureImplementation
Encryption in TransitTLS 1.2 or higher
Encryption at RestAES-256
Access ControlRole-based access, MFA
Monitoring24/7 security monitoring
BackupsDaily encrypted backups

Sub-processors

We use the following categories of sub-processors:

  • Cloud infrastructure providers (Microsoft Azure, AWS)
  • Email service providers
  • Customer support tools
  • Analytics services

See our complete Sub-processor List for details.

Data Subject Rights

We will assist you in responding to data subject requests:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object

Data Breach Notification

In the event of a personal data breach:

  • We will notify you within 72 hours of discovery
  • Notification will include nature of breach and affected data
  • We will assist with your notification obligations

International Data Transfers

Data transfers outside the EEA are protected by:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions where applicable
  • Additional safeguards as required

Audits and Compliance

You may audit our compliance:

  • Annual SOC 2 reports provided
  • Security questionnaires upon request
  • On-site audits with reasonable notice (fees may apply)

Data Retention and Deletion

Upon termination of services:

  • We provide 30 days for data export
  • Data securely deleted within 90 days
  • Deletion certificates available upon request

Liability and Indemnification

Each party’s liability is limited as set forth in the main Terms of Service.

Term and Termination

This DPA remains in effect for the duration of the Terms of Service.

DPA Questions

📧 Email: [email protected]

📧 DPO: [email protected]

Privacy Policy Privacy Policy Service Level Agreement (SLA) Service Level Agreement (SLA)