BuddiesHR

Data Processing Agreement (DPA) - Template

Last updated: October 2025

This DPA template is for informational purposes only. It is not automatically applicable to customers using BuddiesHR. A signed version can be provided upon request.

Note from the founders

We're a small, 2-person team. Our DPA is intentionally simple because we believe in clarity over legal jargon - and because our data processing activities are limited in scope and complexity. It still covers all mandatory GDPR requirements (Article 28), but we keep it lean to reflect how we actually operate as a small SaaS company.

This Data Processing Agreement ("DPA") forms part of the Terms of Service between The Jeffrey Company, doing business as BuddiesHR ("Processor", "we", "us"), and the customer using BuddiesHR services ("Controller", "you").

1. Purpose

This DPA governs the processing of personal data that we perform on your behalf while providing our SaaS products. Each party agrees to comply with its respective obligations under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").

2. Roles of the Parties

  • • You act as the data controller for the data you upload or generate in our apps.
  • • We act as the data processor, processing such data only to provide and improve the service.

3. Scope of Processing

We process customer data solely to:

  • • Provide, maintain, and secure the service.
  • • Prevent or address service or technical issues.
  • • Comply with applicable law.

We never sell, rent, or use customer data for marketing purposes.

4. Security

We maintain appropriate technical and organizational measures to protect data against loss, unauthorized access, or disclosure. These include (at minimum):

  • • Hosting on secure, GDPR-compliant infrastructure (for example, AWS and Hetzner in the EU).
  • • Encrypted data transmission (HTTPS/TLS).
  • • Access control limited to authorized personnel.
  • • Regular backups and monitoring.

5. Sub-processors

We use a limited number of trusted sub-processors to deliver our services (for example, hosting, email delivery, and analytics). Each sub-processor is bound by equivalent data protection obligations.
The current list of sub-processors is available here.

6. Data Subject Requests

If we receive a request directly from a data subject (for example, an employee) concerning their personal data, we will redirect the request to you unless otherwise required by law.

7. Data Breach Notification

In case of a confirmed data breach affecting personal data, we will notify you without undue delay and provide information to help you comply with your legal obligations.

8. Data Retention & Deletion

Upon termination of your account, customer data is deleted within a reasonable period (usually within 90 days), unless retention is required by law (for example, billing records). You may request earlier deletion through our support channel.

9. Limitation of Liability

Each party's liability under this DPA is subject to the limitation of liability set out in the main Terms of Service.

10. Governing Law

This DPA is governed by the same law and jurisdiction as the main Terms of Service.