Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of and is incorporated into the agreement between you ("Client") and Peopl'd Limited, a company registered in England & Wales with company number 17212665 ("Peopl'd"), under which Peopl'd provides its HR Operating System service (the "Services").

This DPA reflects the parties' agreement on the processing of personal data in connection with the Service, in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

Last updated: 21 May 2026.

1. Definitions

In this DPA:

  • "Agreement" means the terms agreed between the parties in relation to the Services
  • "Applicable Data Protection Law" means UK GDPR, the Data Protection Act 2018 as amended and from time to time updated, and any other applicable data protection laws.
  • "Client Personal Data" is as set out in Annex 1
  • "Commissioner", "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", and "Special Categories of Personal Data" have the meanings given in UK GDPR.
  • "Sub-processor" means any third party engaged by a Processor (in this case Peopl'd) who has or will process Client Personal Data.
  • "Services" means the Peopl'd HR Operating System and related services provided under the parties' main agreement.

2. Scope and roles

2.1 This DPA applies to Peopl'd's processing of Client Personal Data on behalf of the Client in connection with the Services.

2.2 This DPA is incorporated into the Agreement by reference and forms part of the Agreement.

2.3 For the avoidance of doubt:

  • The Client is the Controller of Personal Data submitted to or generated through the Service relating to its employees, workers, candidates, and other natural persons.
  • Peopl'd is the Processor of that data and processes only on the Controller's documented instructions.
  • Peopl'd is separately a Controller of account-level data relating to the Controller's own representatives (account holders, billing contacts). That processing is explained in Peopl'd's Privacy Policy, not by this DPA.

3. Subject matter and duration

3.1 Subject matter: Processing of Personal Data submitted to the Service by the Client for the purposes of generating, managing, and storing HR documents.

3.2 Duration: This DPA applies for the duration of the Client's use of the Service plus any applicable retention period set out below.

3.3 Nature and purpose of processing, and categories of Data Subjects and Personal Data, are set out in Annex 1.

4. Controller obligations

4.1 The Client warrants that it has all necessary rights, has identified an appropriate lawful basis, has notified Data Subjects appropriately and, where required, has gathered valid consent to provide the Personal Data to Peopl'd for processing as contemplated by this DPA.

4.2 The Client's documented instructions to Peopl'd for the processing of Personal Data are set out in the Agreement, this DPA, and the instructions the Client gives Peopl'd during its reasonable use of the Service.

5. Peopl'd's obligations as Processor

Peopl'd will:

5.1 Documented instructions. Process Personal Data only on the Client's documented instructions, including with regard to international transfers, unless required to do otherwise by applicable law. Where required by law, Peopl'd will inform the Client of that requirement before processing, unless prohibited by law.

5.2 Confidentiality. Ensure that persons authorised to process Client Personal Data are appropriately trained and bound by confidentiality obligations no less strict than those in this DPA, and that such obligations survive the termination of their engagement with Peopl'd.

5.3 Security. Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Annex 2.

5.4 Sub-processors. Engage Sub-processors only in accordance with Section 7 below.

5.5 Assistance with Data Subject rights. To the extent the Client does not otherwise have access to the relevant information, and to the extent such information is available to Peopl'd, assist the Client in responding to requests from Data Subjects exercising their rights under UK GDPR. If Peopl'd receives a request from a Data Subject, it will notify the Client promptly so that the Client can manage the request.

5.6 Compliance assistance. To the extent Client does not otherwise have access to the relevant information, and to the extent such information is available to Peopl'd, assist the Client in ensuring compliance with its obligations under Articles 32 to 36 of UK GDPR (security, breach notification, DPIAs, prior consultation).

5.7 Return or deletion. At the choice of the Client, return or delete all Client Personal Data after the end of the provision of the Services, and delete existing copies, unless UK or EU law requires storage. See also Section 10.

5.8 Audits. Make available to the Client all information necessary to demonstrate compliance with this DPA and Article 28 UK GDPR. Audit terms are set out in Section 9.

5.9 Inform. Inform the Client if it thinks that an instruction from the Client would not comply with the Applicable Data Protection Law.

To the extent legally permitted, the Client will be responsible for any costs arising from Peopl'd's provision of the assistance described in this clause 5.

6. Personal Data Breach

6.1 Peopl'd will notify the Client without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting the Client Personal Data.

6.2 The notification will, to the extent known, include:

  • A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records affected.
  • The name and contact details of Peopl'd's contact point for further information.
  • The likely consequences of the Personal Data Breach.
  • The measures taken or proposed to address the Personal Data Breach, including mitigation.

6.3 Peopl'd will cooperate with the Client's investigation and any notifications to the Commissioner or affected Data Subjects.

6.4 The obligations in this clause 6 will not apply to incidents that are caused by Client, or by access to the Services in breach of the Agreement, unless and until the Client has notified Peopl'd that they constitute a Personal Data Breach in which case Peopl'd will provide the Client with reasonable assistance (at Client's reasonable cost) in investigating the information set out in clause 6.2 above.

7. Sub-processors

7.1 The Client provides general written authorisation for Peopl'd to engage Sub-processors. The current list of Sub-processors is published at peopld.com/subprocessors.

7.2 Peopl'd will:

  • Enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA.
  • Remain liable to the Client for the acts and omissions of its Sub-processors in relation to Client Personal Data in the same way that Peopl'd would be liable if performing the services of each sub-processor under this DPA.

7.3 Notification of changes. Peopl'd will notify the Client of any intended addition or replacement of Sub-processors at least 30 days in advance, giving the Client the opportunity to object. If the Client objects on reasonable data-protection grounds, the parties will work in good faith to find a solution; if no solution is reached, the Client may terminate the affected portion of the Services without penalty.

8. International transfers

8.1 The Client authorises Peopl'd to transfer Personal Data outside the United Kingdom to the Sub-processors identified at peopld.com/subprocessors and in Annex 3.

8.2 For any transfer of Personal Data from the United Kingdom to a country not covered by a UK adequacy decision, Peopl'd will put in place appropriate safeguards to comply with the Applicable Data Protection Law, including the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK addendum, as appropriate.

9. Audits

9.1 The Client may, on reasonable written notice and no more than once per calendar year, request information sufficient to demonstrate Peopl'd's compliance with this DPA.

9.2 Such information may include:

  • Up-to-date third-party audit reports (e.g. SOC 2) from Peopl'd or its Sub-processors, where available.
  • Responses to a reasonable security questionnaire.
  • A written statement of compliance.

9.3 Where the above information is insufficient to address the Client's specific compliance concerns, the parties will discuss in good faith whether an on-site audit is appropriate. Any on-site audit will take place during normal business hours, with reasonable notice, and in a manner that does not disrupt Peopl'd's normal business operations, and Peopl'd will charge reasonable expenses for any such audit.

10. Return or deletion of personal data

10.1 On termination of the Services, the Client may export its data via in-app tools (where available) or by written request to Peopl'd at hello@peopld.com.

10.2 Unless otherwise instructed within 30 days of termination of the Agreement Peopl'd will delete the Client Personal Data.

10.3 Peopl'd may retain Client Personal Data after termination only:

  • Where required to comply with UK statutory retention obligations (e.g. tax, billing records).
  • In backups, which are overwritten on the ordinary cycle (within 90 days).

11. Liability

11.1 Each party's liability under this DPA is governed by the liability provisions of the Agreement.

11.2 Nothing in this DPA limits either party's statutory liabilities to Data Subjects or to the Commissioner under UK GDPR.

12. Term and termination

12.1 This DPA takes effect on the date the parties enter into the Agreement and continues for the duration of the Services.

12.2 Termination of this DPA does not affect the parties' obligations relating to Client Personal Data retained after termination.

13. General provisions

13.1 Order of precedence. In the event of any conflict between this DPA and the Agreement on matters relating to the processing of Personal Data, this DPA prevails.

13.2 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in full force.

13.3 Governing law. This DPA is governed by the laws of England & Wales. The courts of England & Wales have exclusive jurisdiction.

14. Contact

Data protection queries: hello@peopld.com

Data protection lead: Michelle Zappala, Founder & CEO.

Annex 1 — Description of processing

Subject matter of processing

The provision of the Peopl'd HR Operating System, which generates, manages, and stores HR documents on behalf of the Client.

Duration of processing

For the duration of the Client's use of the Service, plus the retention periods set out in this DPA.

Nature and purpose of processing

  • Storage of Client-submitted Personal Data in encrypted databases.
  • AI-assisted generation of HR documents based on Controller inputs and Peopl'd templates.
  • Email-based authentication of authorised users.
  • Hosting and delivery of the Service.

Categories of Data Subjects

  • The Client's employees, workers, contractors, candidates, and former employees.
  • The Client's representatives (account holders, administrators).

Categories of Personal Data

  • Identifying information: name, work email, job title.
  • Employment data: start date, salary, terms, role, department.
  • Document content: any Personal Data the Client submits into Peopl'd-generated documents (e.g. employment contracts, handbooks, offer letters).
  • Account data: email address, authentication tokens, usage logs.

Special Categories of Personal Data

Peopl'd does not actively process special categories of Personal Data. However, the Client may inadvertently submit such data through document content (e.g. references to disability accommodations in a contract). The Client is responsible for minimising special-category data in submissions.

Annex 2 — Technical and organisational measures

Access control

  • Email + password sign-in with passwords hashed using industry-standard methods (Argon2 or bcrypt); magic-link sign-in available as a passwordless alternative.
  • Tenant-namespaced data storage (KV namespaced by tenant ID).
  • Server-side authorisation checks on every request.
  • Internal access on a need-to-know basis; access limited to the founder during the founding-member trial period.

Encryption

  • Data encrypted in transit via TLS 1.2+.
  • Data encrypted at rest in the primary database (Upstash, London region).

Hosting and infrastructure

  • Primary infrastructure hosted on UK and EU regions of Vercel and Upstash.
  • Sub-processors listed and updated at peopld.com/subprocessors.

Backup and resilience

  • Automated daily backups, retained for 30 days, overwritten on a rolling basis.
  • Service availability monitored via platform-provided tooling.

Data minimisation

  • Customer-provided fields are limited to those required for document generation.
  • AI processing of inputs uses Anthropic's no-training commercial terms; inputs are not retained by Anthropic.

Staff and confidentiality

  • All persons with access to Client Personal Data are bound by written confidentiality obligations.

Breach response

  • Breach notification within 48 hours, per Section 6.
  • Incident response process documented and reviewed annually.

Audit and logging

  • Authentication events logged.
  • Administrative actions logged.

Annex 3 — Sub-processors

The current list of Sub-processors is published at peopld.com/subprocessors.

Peopl'd Limited · Company number 17212665 · Registered in England & Wales · ICO registration: ZC154670