Data Processing Agreement

Last updated: May 30, 2026

This DPA forms part of the Terms of Service between Lacspace Technologies (“CorperaHQ”, “we”, “us”) and the customer organisation that has agreed to those Terms (“Customer”, “you”). It governs the processing of personal data by CorperaHQ on behalf of the Customer when the Customer uses the platform.

By signing up for or continuing to use CorperaHQ, the Customer accepts this DPA. A signed copy is available on request — email hello@corperahq.com.

1. Roles of the parties

The Customer is the data controller of the personal data it (or its workforce members) uploads to or generates inside the platform (“Customer Personal Data”). CorperaHQ is the data processor of that data and processes it strictly on the Customer's documented instructions.

For data the Customer's representatives submit to the marketing website (corperahq.com) — e.g. demo requests, contact forms, newsletter signups — CorperaHQ is the controller, governed by our Privacy Policy.

2. Subject matter, duration, nature, and purpose

  • Subject matter: processing of Customer Personal Data to provide the platform.
  • Duration: for the duration of the Customer's subscription, plus a deletion window of up to 30 days after termination (see §10).
  • Nature: hosting, storing, transmitting, displaying, indexing, backing up, and (where the Customer has enabled them) generating notifications, exports, payroll runs, and AI-assisted summaries from Customer Personal Data.
  • Purpose: to provide and improve the platform in accordance with the Terms and the Customer's instructions.

3. Categories of data subjects and personal data

The Customer determines what personal data is processed. Typical categories include:

  • Workforce members — name, contact details, role, designation, hire/leave dates, salary components, attendance, leave balances, performance notes, documents uploaded by HR.
  • Leads & candidates — name, contact details, company, lifecycle stage, message bodies, attachments.
  • End users — name, contact details, application data, skill-test results.
  • Customer admins — login credentials (hashed), audit-log identifiers, session metadata.

CorperaHQ does not require, and the Customer is not authorised to submit, special-category data (race, religion, health, etc.) beyond what is needed for statutory employment record-keeping in the Customer's jurisdiction. The Customer is responsible for collecting any additional consents required for the data it chooses to process.

4. CorperaHQ's obligations

  • Process Customer Personal Data only on the Customer's documented instructions (including this DPA).
  • Ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations.
  • Implement and maintain the technical and organisational measures described in §6.
  • Assist the Customer in fulfilling its obligations to respond to data-subject requests under applicable law (see §8).
  • Notify the Customer without undue delay of any personal-data breach affecting Customer Personal Data (see §7).
  • Make available all information necessary to demonstrate compliance, and permit reasonable audits, subject to the conditions in §11.

5. Sub-processors

The Customer authorises CorperaHQ to engage the following sub-processors:

  • MongoDB Atlas (database hosting, primary region configurable on request)
  • Amazon Web Services (compute, object storage for uploaded documents; EC2 + S3)
  • Cloudflare (edge networking, CDN, DDoS mitigation)
  • Resend / SendGrid (transactional and product-update email delivery)
  • Twilio + WhatsApp Cloud (notification delivery, where enabled by the Customer)
  • Vercel (marketing-site hosting only — does not handle Customer Personal Data)
  • Anthropic / OpenAI (AI summarisation features, only invoked on data the Customer explicitly opts in to send)

We will provide at least 30 days' notice via email and the in-app changelog before adding or replacing a sub-processor that materially affects the processing of Customer Personal Data. The Customer may object to a new sub-processor in writing within that window; we will work in good faith to provide a commercially reasonable alternative, failing which the Customer may terminate the affected service on the effective date of the change.

6. Security measures

CorperaHQ maintains a defence-in-depth security program designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Key measures include:

  • Tenant isolation. Every database query carries the Customer's tenant identifier; cross-tenant access is blocked at the data-access layer and verified by automated checks.
  • Encryption. AES-256 at rest on the database and object storage; TLS 1.2+ in transit for every public surface.
  • Access control. Least-privilege role-based access for our personnel; production access is restricted to a named set of operators and is fully logged.
  • Authentication for Customer admins. Password hashing with bcrypt, optional TOTP / WebAuthn 2FA, force-logout via token-version invalidation, configurable per-tenant policies (force-2FA, session expiry).
  • Audit log. Every mutation in the platform is recorded with actor, tenant, timestamp, IP, and before/after values; 12-month retention by default, longer on request.
  • Backups. Daily encrypted backups with point-in-time restore; cross-region replication available on Growth and Enterprise plans.
  • Vulnerability management. Continuous dependency scanning, periodic penetration testing, and a responsible-disclosure inbox at security@corperahq.com.

7. Personal-data breach notification

We will notify the Customer in writing without undue delay, and in any event within 72 hours of becoming aware, of any personal-data breach affecting Customer Personal Data. The notification will include:

  • The nature of the breach, including categories and approximate numbers of data subjects and records affected, where known;
  • The likely consequences;
  • The measures taken or proposed to address the breach and mitigate its possible adverse effects.

Notifications go to the primary admin email on file for the Customer's account. The Customer is responsible for keeping that address current.

8. Data-subject rights

The platform provides tools that let the Customer access, rectify, export, and delete Customer Personal Data without our involvement (CSV exports on every module, per-record edit, account deletion under Settings → Danger zone). Where the Customer requires our assistance to respond to a data-subject request, we will provide reasonable assistance taking into account the nature of the processing and the information available to us.

9. International transfers

CorperaHQ may transfer Customer Personal Data outside the Customer's region for processing by CorperaHQ or its sub-processors. Where such transfers occur from the European Economic Area, the United Kingdom, or Switzerland to a country without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (Module 2: Controller-to-Processor and Module 3: Processor-to-Processor where applicable), incorporated into this DPA by reference. Data residency constraints can be configured per Customer on Growth and Enterprise plans.

10. Return or deletion at end of services

Upon termination of the Customer's subscription, the Customer may export Customer Personal Data through the platform within 30 days of the effective date of termination. After 30 days, CorperaHQ will delete or anonymise Customer Personal Data in active production systems within a further 30 days, and from encrypted backups within 90 days. CorperaHQ may retain Customer Personal Data where required by applicable law for the minimum period required.

11. Audits

CorperaHQ will make available, on written request and subject to reasonable confidentiality undertakings, summaries of its most recent independent security assessments and answers to a standard security questionnaire (e.g. SIG-Lite or CAIQ). Customers on the Enterprise plan may request an on-site or remote audit once per twelve-month period, conducted by a mutually agreed third-party auditor, at the Customer's expense, during normal business hours, and without disrupting the Service.

12. Liability and term

Liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. This DPA takes effect on the date the Customer first accepts the Terms of Service and remains in force for as long as CorperaHQ processes Customer Personal Data on the Customer's behalf.

13. Contact

Questions about this DPA, requests for a counter-signed copy, sub-processor objections, and audit requests should be sent to hello@corperahq.com. Security disclosures should go to security@corperahq.com.