Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Controller," "Customer") and Anthropon ("Processor," "we," "us") for the use of the Anthropon platform (the "Service"). This DPA sets out the terms under which we process personal data on your behalf in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
• "Processing" means any operation performed on Personal Data, including collection, recording, storage, alteration, retrieval, use, disclosure, erasure, or destruction.
• "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
• "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
• "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Scope and Purpose

This DPA applies to all Personal Data processed by Anthropon on behalf of the Customer in connection with the Service. The purpose of processing is to provide the Customer with human resources management functionality, including employee records management, leave management, workflow automation, document management, approvals, and reporting as described in the Service agreement.

3. Data Processing Details

The following details of processing apply:

• Subject matter: Provision of cloud-based HRIS services
• Duration: For the term of the Service agreement plus the data retention period
• Nature and purpose: Storage, retrieval, organization, and management of HR data as directed by the Controller
• Types of Personal Data: Employee names, contact details, employment information, compensation data, leave records, documents, identification numbers, and other HR-related data uploaded by the Controller
• Categories of Data Subjects: Employees, contractors, and other personnel of the Controller

4. Controller and Processor Obligations

4.1 Controller Obligations

The Controller shall:

• Ensure it has a lawful basis for processing Personal Data and for instructing the Processor to process such data
• Provide all necessary notices and obtain all necessary consents from Data Subjects as required by applicable law
• Ensure the accuracy and lawfulness of the Personal Data provided to the Processor
• Comply with applicable data protection laws in its use of the Service

4.2 Processor Obligations

The Processor shall:

• Process Personal Data only on documented instructions from the Controller, unless required by applicable law
• Ensure that persons authorized to process Personal Data are subject to confidentiality obligations
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
• Assist the Controller in responding to Data Subject requests, data protection impact assessments, and consultation with supervisory authorities
• Delete or return all Personal Data to the Controller upon termination of the Service, at the Controller's election
• Make available to the Controller all information necessary to demonstrate compliance with this DPA

5. Sub-processors

The Controller provides general authorization for the Processor to engage Sub-processors. The Processor shall maintain a current list of Sub-processors and notify the Controller of any intended changes at least 30 days in advance. The Controller may object to a new Sub-processor on reasonable grounds within 14 days of notification. The Processor shall ensure that Sub-processors are bound by data protection obligations no less protective than those in this DPA.

6. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under applicable data protection laws, including rights of access, rectification, erasure, restriction, portability, and objection. The Processor shall promptly notify the Controller of any Data Subject request received directly and shall not respond to such requests without the Controller's prior written authorization, except to direct the Data Subject to the Controller.

7. Security Measures

The Processor implements and maintains the following technical and organizational security measures:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Multi-factor authentication (TOTP) for all user accounts
• Role-based access control with principle of least privilege
• Multi-tenant data isolation with tenant-scoped database queries
• Immutable audit logging of all data access and modifications
• Regular security assessments and vulnerability testing
• Automated backup with encrypted storage and tested recovery procedures
• Rate limiting and brute-force protection on authentication endpoints
• Session management with concurrent session limits and automatic expiry
• Input validation, CSRF protection, and security header enforcement

8. Data Breach Notification

In the event of a Data Breach affecting Personal Data processed under this DPA, the Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.

9. Data Transfers

The Processor shall not transfer Personal Data to a country outside the European Economic Area (EEA) unless appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, an adequacy decision, or other legally recognized transfer mechanisms. The Processor shall inform the Controller of any intended transfers and the safeguards applied.

10. Audit Rights

The Controller shall have the right to audit the Processor's compliance with this DPA, either directly or through an independent third-party auditor, upon reasonable notice and during normal business hours. The Processor shall cooperate with and provide reasonable assistance to such audits. Audits shall not unreasonably interfere with the Processor's business operations and shall be conducted no more than once per year, unless a Data Breach or supervisory authority request necessitates an additional audit.

11. Term and Termination

This DPA shall remain in effect for the duration of the Service agreement. Upon termination of the Service agreement, the Processor shall, at the Controller's election, delete or return all Personal Data within 90 days and certify such deletion in writing, unless retention is required by applicable law. The obligations relating to confidentiality, data protection, and limitation of liability shall survive termination.

12. Contact

For questions or requests related to this DPA, please contact us:

• Data Protection: privacy@anthropon.com
• Security: security@anthropon.com
• Legal: legal@anthropon.com