Data Processing Agreement

01 Definitions

For the purposes of this Data Processing Agreement, the following terms shall have the meanings set out below. Capitalized terms not defined herein shall have the meanings given to them in the Master Service Agreement.

"Controller"

The Customer who determines the purposes and means of processing Personal Data through the use of the Buesuite HCM Platform.

"Processor"

Buesuite Technologies Pvt. Ltd., which processes Personal Data on behalf of the Controller in connection with the provision of the HCM Platform services.

"Personal Data"

Any information relating to an identified or identifiable natural person processed by Buesuite on behalf of the Customer through the HCM Platform.

"Data Subject"

An identified or identifiable natural person whose Personal Data is processed, including Customer's employees, contractors, job applicants, and other workforce members.

"Sub-processor"

Any third party engaged by Buesuite to process Personal Data on behalf of the Customer in connection with the HCM Platform services.

"Data Protection Laws"

All applicable laws relating to data protection and privacy, including GDPR, CCPA, DPDP Act 2023, LGPD, and any other applicable regional or national data protection legislation.

"Personal Data Breach"

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

"Standard Contractual Clauses" (SCCs)

The contractual clauses adopted by the European Commission for the transfer of Personal Data to third countries, as may be amended or replaced from time to time.

02 Scope & Purpose of Processing

This DPA applies to all processing of Personal Data by Buesuite on behalf of the Customer in connection with the provision of the Buesuite HCM Platform and related services.

2.1 Subject Matter

The subject matter of the processing is the provision of cloud-based Human Capital Management services, including but not limited to: employee data management, recruitment, performance management, learning & development, time & attendance, payroll processing, and workforce analytics.

2.2 Duration of Processing

Processing will continue for the duration of the Master Service Agreement plus any retention period required by applicable law or as specified in the data retention schedule, after which data will be deleted or returned as specified in Section 10.

2.3 Nature and Purpose of Processing

Buesuite processes Personal Data for the following purposes:

Providing and maintaining the HCM Platform services
Authenticating and authorizing users
Processing employee lifecycle transactions
Generating reports and analytics
Providing customer support
Ensuring security and preventing fraud
Complying with legal obligations

2.4 Types of Personal Data

The following categories of Personal Data may be processed:

Identity Data: Name, employee ID, government IDs, photographs
Contact Data: Email, phone, address, emergency contacts
Employment Data: Job title, department, manager, employment dates, compensation
Performance Data: Goals, reviews, feedback, training records
Time & Attendance: Work hours, leave balances, attendance records
Financial Data: Bank details, tax information, payroll data
Special Categories (where applicable): Health data, biometric data (with explicit consent)

2.5 Categories of Data Subjects

Data Subjects include:

Employees (full-time, part-time, temporary)
Contractors and consultants
Job applicants and candidates
Interns and trainees
Former employees (alumni)
Employee dependents and beneficiaries

03 Processor Obligations

Buesuite, as Processor, agrees to comply with the following obligations when processing Personal Data on behalf of the Controller:

3.1 Processing Instructions

Buesuite shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries, unless required to do so by applicable law. In such case, Buesuite shall inform the Controller of that legal requirement before processing, unless prohibited by law.

3.2 Confidentiality

Buesuite shall ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. All employees undergo background checks and sign confidentiality agreements.

3.3 Technical and Organizational Measures

Buesuite shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 4 of this DPA.

3.4 Sub-processing

Buesuite shall not engage another processor without prior specific or general written authorization of the Controller. Where general authorization is given, Buesuite shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes. See Section 5 for the current list of sub-processors.

3.5 Assistance to Controller

Buesuite shall assist the Controller by appropriate technical and organizational measures:

In fulfilling the Controller's obligation to respond to Data Subject requests
In ensuring compliance with security, breach notification, and impact assessment obligations
In conducting data protection impact assessments where required

04 Security Measures

Buesuite implements comprehensive technical and organizational security measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction.

🔐

Encryption

AES-256 at rest, TLS 1.3 in transit

🔑

Access Control

RBAC, MFA, SSO integration

🛡️

Network Security

Firewalls, IDS/IPS, DDoS protection

📋

Audit Logging

Complete activity audit trail

💾

Backup & Recovery

Daily backups, geo-redundant

🔍

Monitoring

24/7 SOC, threat detection

4.1 Certifications

Buesuite maintains the following security certifications and attestations:

SOC 2 Type II: Annual audit of security, availability, and confidentiality controls
ISO 27001: Information Security Management System certification
ISO 27701: Privacy Information Management System certification
CSA STAR: Cloud Security Alliance certification

📄

Security Documentation

Detailed security documentation, including our SOC 2 report and security whitepaper, is available to customers under NDA. Please contact security@buesuite.com to request access.

05 Sub-processors

Buesuite uses certain sub-processors to assist in providing the HCM Platform services. The Controller provides general authorization for Buesuite to engage sub-processors, subject to the notification mechanism described below.

🔔

Sub-processor Change Notification

Buesuite will notify customers at least 30 days in advance of any changes to sub-processors via email and this page. Customers may object to changes within 14 days of notification.

Infrastructure & Hosting Global

Sub-processor	Purpose	Location	Data Processed
Amazon Web Services (AWS)	Cloud infrastructure hosting	🇺🇸 US 🇪🇺 EU 🇮🇳 IN	All customer data
Microsoft Azure	Cloud infrastructure (select regions)	🇪🇺 EU 🇦🇪 UAE	All customer data
Cloudflare	CDN, DDoS protection, WAF	🌐 Global	Network traffic metadata
MongoDB Atlas	Database services	🇺🇸 US 🇪🇺 EU 🇮🇳 IN	All customer data

Communication Services Global

Sub-processor	Purpose	Location	Data Processed
Twilio / SendGrid	Email delivery, SMS notifications	🇺🇸 US	Email addresses, phone numbers, message content
Firebase Cloud Messaging	Push notifications	🇺🇸 US	Device tokens, notification content
Freshdesk	Customer support	🇺🇸 US 🇪🇺 EU	Support ticket data

Analytics & AI Services Optional

Sub-processor	Purpose	Location	Data Processed
OpenAI	AI-powered features (opt-in)	🇺🇸 US	Query content (anonymized)
Anthropic	AI assistant features (opt-in)	🇺🇸 US	Query content (anonymized)
Mixpanel	Product analytics	🇺🇸 US	Usage data (anonymized)

Integration Partners Customer Enabled

Sub-processor	Purpose	Location	Data Processed
Google Workspace	Calendar, SSO integration	🇺🇸 US 🇪🇺 EU	Calendar events, user authentication
Microsoft 365	Calendar, SSO, Teams integration	🇺🇸 US 🇪🇺 EU	Calendar events, user authentication
Zoom	Video conferencing integration	🇺🇸 US	Meeting metadata
LinkedIn	Recruitment, talent sourcing	🇺🇸 US	Candidate profile data

06 International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions, Buesuite ensures that appropriate safeguards are in place.

6.1 Transfer Mechanisms

Buesuite relies on the following mechanisms for international data transfers:

Standard Contractual Clauses (SCCs): EU Commission-approved SCCs (Module 2: Controller to Processor) are incorporated into this DPA by reference.
UK International Data Transfer Agreement (IDTA): For transfers from the UK.
Adequacy Decisions: Where applicable, transfers to countries with EU adequacy decisions.
Binding Corporate Rules: For intra-group transfers where applicable.

6.2 Data Residency Options

Buesuite offers data residency options allowing customers to choose where their data is primarily stored:

United States: AWS US-East (Virginia), US-West (Oregon)
European Union: AWS EU (Frankfurt, Ireland), Azure (Netherlands)
India: AWS Asia Pacific (Mumbai)
Middle East: Azure (UAE North)
Asia Pacific: AWS (Singapore, Sydney)

⚠️

Supplementary Measures

In light of the Schrems II decision, Buesuite has implemented additional technical and organizational measures, including encryption, access controls, and transparency reporting. Details are available in our Transfer Impact Assessment (TIA) document.

07 Data Subject Rights

Buesuite shall assist the Controller in fulfilling its obligations to respond to Data Subject requests under applicable Data Protection Laws.

7.1 Supported Rights

The Buesuite platform provides tools to facilitate the following Data Subject rights:

Right of Access: Export complete data subject records
Right to Rectification: Update or correct personal data
Right to Erasure: Delete data subject records (subject to legal retention requirements)
Right to Restriction: Limit processing of specific data
Right to Data Portability: Export data in machine-readable format (JSON, CSV)
Right to Object: Configure processing preferences

7.2 Request Handling

If Buesuite receives a request directly from a Data Subject, Buesuite will promptly notify the Controller and will not respond to the request unless authorized by the Controller or required by applicable law.

08 Personal Data Breach Notification

Buesuite shall notify the Controller without undue delay upon becoming aware of a Personal Data Breach affecting the Controller's data.

8.1 Notification Timeline

Initial Notification: Within 24 hours of confirmed breach
Detailed Report: Within 72 hours with full incident details
Ongoing Updates: Regular updates until incident resolution

8.2 Notification Content

Breach notifications will include:

Description of the nature of the breach
Categories and approximate number of Data Subjects affected
Categories and approximate number of records affected
Likely consequences of the breach
Measures taken or proposed to address the breach
Contact details of Buesuite's Data Protection Officer

09 Audit Rights

Buesuite shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits.

9.1 Documentation

Upon request, Buesuite will provide:

SOC 2 Type II audit report (annually)
ISO 27001 and ISO 27701 certificates
Penetration test executive summaries
Security questionnaire responses
Data processing records

9.2 On-site Audits

The Controller may conduct on-site audits with reasonable advance notice (minimum 30 days), subject to confidentiality obligations and Buesuite's reasonable security requirements. Audit costs shall be borne by the Controller unless the audit reveals material non-compliance.

10 Term and Termination

This DPA shall remain in effect for the duration of the Master Service Agreement and shall automatically terminate upon termination or expiration of the MSA.

10.1 Data Return or Deletion

Upon termination of the MSA, Buesuite shall, at the Controller's election:

Return Data: Provide all Personal Data in a commonly used, machine-readable format within 30 days
Delete Data: Securely delete all Personal Data within 90 days and provide certification of deletion

10.2 Retention Exceptions

Buesuite may retain Personal Data to the extent required by applicable law, in which case Buesuite shall continue to protect such data in accordance with this DPA.

11 Liability

Each party's liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Master Service Agreement.

11.1 Indemnification

Each party shall indemnify the other against any claims, damages, or expenses arising from that party's breach of this DPA or applicable Data Protection Laws.

11.2 Data Protection Authority Fines

To the extent permitted by law, liability for regulatory fines shall be allocated based on each party's responsibility for the processing that gave rise to the fine.

12 Contact Information

For questions about this DPA, to exercise rights, or to report data protection concerns, please contact us through the following channels:

Data Protection Officer dpo@buesuite.com

Legal & Privacy Team legal@buesuite.com

Security Team security@buesuite.com

EU Representative

Buesuite EU B.V.
Herengracht 420
1017 BZ Amsterdam
Netherlands

UK Representative

Buesuite UK Ltd.
71-75 Shelton Street
Covent Garden, London
WC2H 9JQ, UK

Registered Office

Buesuite Technologies Pvt. Ltd.
Tower A, 15th Floor, Cyber City
Gurugram 122002
Haryana, India

Download the Full DPA