Effective Date: 31 October 2025


Data Processing Addendum (DPA)

Introduction

This Data Processing Addendum (“DPA”) forms part of the HRSimplified Terms & Conditions and applies whenever HRSimplified processes Personal Information on behalf of a Customer.

This DPA describes the responsibilities of both parties regarding the processing of Personal Information in accordance with:

  • The Protection of Personal Information Act, 4 of 2013 (POPIA)
  • The General Data Protection Regulation (EU GDPR), where applicable
  • UK GDPR, where applicable
  • Any other applicable data protection legislation

This DPA forms part of the agreement between DataSimplified (Pty) Ltd, trading as HRSimplified, and the Customer.


1. Definitions

For the purposes of this DPA:

Customer means the organisation subscribing to HRSimplified.

Customer Data means all information uploaded, entered or stored within the HRSimplified platform by or on behalf of the Customer.

Personal Information has the meaning assigned under POPIA and includes Personal Data under GDPR where applicable.

Processing includes collecting, recording, storing, organising, retrieving, updating, using, transmitting, archiving and securely deleting Personal Information.


2. Roles and Responsibilities

For all Personal Information processed within HRSimplified:

The Customer acts as the:

  • Responsible Party (POPIA)
  • Data Controller (GDPR)

HRSimplified acts as the:

  • Operator (POPIA)
  • Data Processor (GDPR)

The Customer determines:

  • what information is collected;
  • the purpose for processing;
  • how long information should be retained (subject to legal obligations);
  • who may access the information.

HRSimplified processes Personal Information only on behalf of the Customer and in accordance with documented instructions.


3. Purpose of Processing

HRSimplified processes Customer Data solely for the purpose of delivering the subscribed HR services, including:

Customer Data is never processed for advertising purposes.


4. Types of Personal Information

Depending on how the Customer configures HRSimplified, Personal Information may include:

  • Employee names
  • Contact details
  • Identity numbers
  • Employment information
  • Payroll-related information
  • Leave records
  • Qualifications
  • Skills
  • Performance assessments
  • Emergency contacts
  • Uploaded employee documents
  • Time and Attendance records
  • Location data when Time & Attendance location tracking is enabled
  • User login activity

The Customer remains responsible for ensuring that the Personal Information collected is lawful and necessary.


5. Customer Responsibilities

The Customer agrees to:

  • comply with applicable data protection legislation;
  • ensure employees receive appropriate privacy notices;
  • obtain any required employee consent where necessary;
  • ensure data entered into HRSimplified is accurate;
  • manage user permissions appropriately;
  • remove users who should no longer have access;
  • securely store exported reports and downloaded information.

6. HRSimplified Responsibilities

HRSimplified agrees to:

  • process Personal Information only as instructed by the Customer;
  • implement appropriate technical and organisational security measures;
  • keep Customer Data confidential;
  • ensure staff with access to Customer Data are bound by confidentiality obligations;
  • notify Customers of qualifying security incidents without undue delay;
  • assist Customers with reasonable requests relating to Personal Information where legally permitted.

7. Security Measures

HRSimplified maintains commercially reasonable security controls including:

  • encrypted communications (HTTPS/TLS);
  • authentication and password policies;
  • role-based access controls;
  • audit logging;
  • secure cloud hosting;
  • regular backups;
  • disaster recovery procedures;
  • infrastructure monitoring;
  • vulnerability management.

Security measures are reviewed periodically and improved where appropriate.


8. Sub-processors

HRSimplified may engage carefully selected third-party service providers to support delivery of the Service.

Where sub-processors process Customer Data, HRSimplified ensures that appropriate contractual obligations are in place requiring those providers to protect Personal Information to standards consistent with this DPA.

A current list of significant sub-processors will be made available upon reasonable request.


9. International Data Transfers

Where Customer Data is transferred outside South Africa or the jurisdiction in which it was collected, HRSimplified will implement appropriate safeguards required under applicable data protection legislation.


10. Security Incidents

Should HRSimplified become aware of a Security Incident affecting Customer Data, HRSimplified will:

  • investigate the incident;
  • contain the incident where possible;
  • take reasonable corrective action;
  • notify the affected Customer without undue delay;
  • provide available information regarding the incident and remedial actions taken.

11. Customer Data Ownership

All Customer Data remains the exclusive property of the Customer.

HRSimplified does not acquire ownership of Customer Data by storing or processing it.

Customer Data is processed solely for the purpose of delivering the HRSimplified service.


12. Artificial Intelligence

HRSimplified will not use Customer Data or Personal Information to train artificial intelligence models, machine learning models or similar technologies without the Customer’s explicit written consent.

Where AI features are provided within HRSimplified, Customer Data is processed only to generate the requested output and not to improve or train underlying AI models unless expressly agreed.


13. Data Retention

Customer Data is retained in accordance with the Customer Data Ownership & Retention Policy.

Following subscription cancellation:

  • Customer Data is securely archived.
  • Data is retained for five (5) years unless legislation requires otherwise.
  • Customers may request temporary access to retrieve their information during this period.
  • Following expiry of the retention period, Customer Data is permanently deleted or anonymised.

14. Return or Deletion of Data

Customers may export their own information at any time while their subscription is active.

During the retention period Customers may request access to archived data in accordance with the Customer Data Ownership & Retention Policy.

Following permanent deletion, Customer Data cannot be recovered.


15. Data Subject Requests

Where legally required, HRSimplified will reasonably assist Customers in responding to requests relating to:

  • access;
  • correction;
  • deletion;
  • restriction;
  • objection;
  • portability,

to the extent such assistance is reasonably possible and permitted by law.


16. Audits

Upon reasonable written request, HRSimplified may provide information demonstrating compliance with this DPA.

Any audit or assessment must:

  • be reasonable in scope;
  • minimise operational disruption;
  • protect confidential information;
  • be subject to appropriate confidentiality obligations.

17. Changes to this DPA

HRSimplified may update this DPA from time to time to reflect changes in legislation, security practices or the Services.

The latest version will always be available on the HRSimplified website.


Contact

If you have any questions regarding this Data Processing Addendum or our processing of Personal Information, please contact:

DataSimplified (Pty) Ltd
Trading as HRSimplified

44 Fuchsia Street
Durbanville
Western Cape
South Africa
7550

Telephone: +27 87 378 1154

Email: [email protected]