Legal

Data Processing Agreement

Last updated: April 27, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between the customer organization ("Controller," "you") and Anima HR ("Processor," "we," "us"), located in New Jersey, United States.

This DPA applies when we process Personal Data on your behalf in connection with the Anima HR platform. It reflects the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss Federal Act on Data Protection (FADP), the Brazilian LGPD, the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws.

By using the Anima HR service, you accept this DPA. If you require a countersigned copy, contact us via our contact form.

2. Definitions

  • "Personal Data" — any information relating to an identified or identifiable natural person, as defined in applicable data protection law.
  • "Processing" — any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, erasure, or destruction.
  • "Controller" — the entity that determines the purposes and means of Processing Personal Data (you, the customer organization).
  • "Processor" — the entity that processes Personal Data on behalf of the Controller (Anima HR).
  • "Sub-processor" — a third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Subject" — the individual to whom Personal Data relates (your employees and workspace users).
  • "Data Breach" — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
  • "SCCs" — the Standard Contractual Clauses adopted by the European Commission for international data transfers (Commission Implementing Decision (EU) 2021/914).
  • "Service" — the Anima HR platform and related services provided under the Agreement.

3. Scope & Roles

You are the Controller. Anima HR is the Processor. We process Personal Data solely on your documented instructions to provide the Service.

This DPA does not apply to data we collect as a Controller in our own right (e.g., marketing site contact forms, billing data). Our Privacy Policy governs that processing.

Multi-tenant isolation

Each customer organization receives a dedicated, isolated database. Your data is never co-mingled with other customers' data. Tenant identity is cryptographically enforced on every API request.

4. Processing Details

The details of Processing are described in Annex A. In summary:

ElementDescription
Subject matterProvision of the Anima HR platform
DurationTerm of the Agreement plus the data deletion period (90 days)
Nature & purposeHR management — leave, reviews, feedback, salary, surveys, people analytics, 1:1 notes
Categories of Data SubjectsYour employees, contractors, and workspace users
Types of Personal DataName, email, job title, department, manager, employment dates, salary, leave records, performance data, feedback, survey responses, custom fields

5. Processor Obligations

Anima HR shall:

  • Process Personal Data only on your documented instructions, unless required by applicable law (in which case we will inform you before processing, unless prohibited by law).
  • Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement and maintain the technical and organizational security measures described in Annex B.
  • Respect the conditions for engaging Sub-processors set out in Section 6.
  • Assist you in responding to Data Subject requests as described in Section 10.
  • Assist you in ensuring compliance with your obligations regarding data breach notification, DPIAs, and prior consultation.
  • At your choice, delete or return all Personal Data upon termination of the Service, and delete existing copies unless applicable law requires retention.
  • Make available to you all information necessary to demonstrate compliance with this DPA and allow for audits as described in Section 13.
  • Immediately inform you if, in our opinion, an instruction from you infringes applicable data protection law.

6. Sub-processors

You provide general authorization for us to engage Sub-processors. The current list is in Annex C.

  • We will notify you at least 30 days before adding or replacing a Sub-processor by updating this page and, for Enterprise customers, by email notification.
  • You may object to a new Sub-processor within 14 days of notification. If we cannot reasonably accommodate your objection, you may terminate the affected Service.
  • We impose data protection obligations on each Sub-processor that are no less protective than those in this DPA.
  • We remain fully liable for the acts and omissions of our Sub-processors.

7. International Data Transfers

You choose your data region during signup. Your tenant database is created exclusively in that region.

  • EEA region selected — your data remains in the EEA. No international transfer occurs.
  • Non-EEA region selected — if you or your employees are in the EEA, transfers are governed by the EU Standard Contractual Clauses (SCCs), Module 2 (Controller to Processor), which are incorporated into this DPA by reference.
  • UK transfers — the UK International Data Transfer Addendum to the EU SCCs applies.
  • Swiss transfers — the SCCs apply as modified by the Swiss Federal Data Protection and Information Commissioner.

Our primary infrastructure provider participates in the EU-U.S. Data Privacy Framework, providing an additional adequacy mechanism for EU-to-US transfers.

8. Security Measures

We implement the technical and organizational measures described in Annex B. Key measures include:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Dedicated database per tenant — no shared data stores
  • Per-tenant cryptographic signing keys (RSA-2048, encrypted with AES-256-GCM)
  • Role-based access control enforced at the API layer
  • Audit logging of all write operations
  • Sliding-window rate limiting per authenticated user
  • Tenant identity validation on every API call
  • Sensitive field redaction based on user role

We regularly review and update these measures to reflect evolving threats and industry best practices. We will not materially reduce the overall level of security during the term of the Agreement.

9. Data Breach Notification

In the event of a Data Breach affecting your Personal Data, we will:

  • Notify you without undue delay and in any event within 48 hours of becoming aware of the breach.
  • Provide sufficient information to enable you to meet your obligations to notify supervisory authorities and Data Subjects, including:
    • Nature of the breach (categories and approximate number of Data Subjects and records affected)
    • Likely consequences of the breach
    • Measures taken or proposed to address the breach and mitigate its effects
    • Contact point for further information
  • Cooperate with you and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
  • Not notify any third party (including supervisory authorities or Data Subjects) on your behalf unless you explicitly instruct us to do so or we are required by law.

10. Data Subject Requests

If we receive a request from a Data Subject regarding their Personal Data processed on your behalf, we will:

  • Promptly redirect the Data Subject to you, unless prohibited by law.
  • Notify you of the request within 5 business days.
  • Assist you in fulfilling the request through the Service's built-in data export, correction, and deletion features.
  • Not independently respond to the Data Subject unless instructed by you or required by law.

The Service provides self-service tools for administrators to export, correct, and delete employee data without requiring our involvement.

11. Data Protection Impact Assessments

Where required by applicable law, we will provide reasonable assistance to you in conducting Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities, taking into account the nature of the Processing and the information available to us.

12. Data Retention & Deletion

  • During the term — we retain your Personal Data for the duration of the Agreement, as necessary to provide the Service.
  • Upon termination — at your choice, we will delete or return all Personal Data within 90 days of account closure. You may export your data at any time during the term using the Service's built-in export features.
  • Exceptions — we may retain Personal Data to the extent required by applicable law (e.g., billing records for tax compliance). Such data will remain subject to the protections of this DPA.
  • Deletion confirmation — upon request, we will provide written confirmation that Personal Data has been deleted.

13. Audit Rights

  • We will make available to you all information reasonably necessary to demonstrate compliance with this DPA.
  • You may conduct an audit (or appoint a qualified third-party auditor) no more than once per year, with at least 30 days' written notice, during normal business hours, and subject to reasonable confidentiality obligations.
  • We may satisfy audit requests by providing:
    • SOC 2 Type II reports (when available)
    • ISO 27001 certification (when available)
    • Completed security questionnaires (SIG, CAIQ, or custom)
    • Penetration test summaries
  • If a third-party audit report reasonably addresses your audit request, we may provide that report in lieu of an on-site audit.

14. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement. This DPA does not limit either party's liability for breaches of data protection law to the extent such limitation is prohibited by applicable law.

15. Term & Termination

This DPA takes effect when you accept the Agreement and remains in effect until all Personal Data has been deleted or returned in accordance with Section 12. The obligations in this DPA survive termination of the Agreement to the extent necessary to protect Personal Data.

16. Governing Law

  • If you are established in the EEA, this DPA is governed by the laws of the EU Member State in which you are established.
  • If you are established in the UK, this DPA is governed by the laws of England and Wales.
  • If you are established in Switzerland, this DPA is governed by Swiss law.
  • In all other cases, this DPA is governed by the laws of the State of New Jersey, United States.

Annex A — Details of Processing

A.1 Subject matter and duration

Processing of Personal Data as necessary to provide the Anima HR platform under the Agreement, for the duration of the Agreement plus the 90-day deletion period.

A.2 Nature and purpose of Processing

Anima HR processes Personal Data to provide the following HR management capabilities:

  • Employee directory and profile management
  • Leave management (requests, approvals, balance tracking, accrual)
  • Performance review cycles (questions, responses, ratings, history)
  • Continuous feedback, peer recognition (kudos), and upward feedback
  • Salary management (history, request and approval workflows)
  • Employee surveys (creation, distribution, response collection, analytics)
  • People analytics (GWC assessments, competency tracking)
  • 1:1 meeting notes (freeform and structured templates)
  • Organizational hierarchy and reporting structure
  • Authentication and access control

A.3 Categories of Data Subjects

  • Employees of the Controller
  • Contractors and temporary workers of the Controller
  • Workspace administrators

A.4 Types of Personal Data

CategoryData elements
IdentityFull name, work email address, employee ID
EmploymentJob title, department, manager, start date, employment status
CompensationSalary history, salary change requests and approvals
LeaveLeave requests, balances, accrual records, approval history
PerformanceReview cycle responses, ratings, competency scores, review history
FeedbackFeedback entries, feedback requests, kudos, recognition messages
SurveysSurvey responses, anonymized analytics
Meetings1:1 notes (freeform text, structured template responses)
AnalyticsGWC assessment scores, people analytics data
Custom fieldsAny additional fields configured by the Controller
TechnicalAuthentication credentials (hashed), session tokens, audit logs (user ID, timestamp, action)

A.5 Special categories of data

The Service is not designed to process special categories of Personal Data (Article 9 GDPR) such as health data, biometric data, or data revealing racial or ethnic origin. If you configure custom fields that contain such data, you are responsible for ensuring an appropriate legal basis and additional safeguards.

Annex B — Technical & Organizational Security Measures

B.1 Encryption

  • All data in transit encrypted with TLS 1.2 or higher
  • All data at rest encrypted with AES-256 (databases, file storage, backups)
  • Per-tenant signing keys encrypted with AES-256-GCM, stored in a secure secrets manager

B.2 Tenant isolation

  • Each customer organization receives a dedicated database — no shared data stores between tenants
  • Tenant identity is cryptographically validated on every API request
  • Cross-tenant token reuse is prevented by binding authentication tokens to the tenant identifier

B.3 Access control

  • Role-based access control (RBAC) enforced at the API layer on every request
  • Two roles: employee (own data + team data if manager) and admin (all data + configuration)
  • Sensitive fields redacted based on user role and tenant configuration
  • Manager status derived at runtime from organizational hierarchy — not stored as a role

B.4 Audit & monitoring

  • All write operations logged with user identity, timestamp, and changed values
  • Sliding-window rate limiting per authenticated user
  • Input sanitization on all API endpoints
  • Security headers applied to all responses

B.5 Infrastructure

  • Multi-account architecture — tenant data isolated at the cloud account level
  • Data residency enforced — tenant database created exclusively in the chosen region
  • No customer data stored on employee devices or local systems
  • Infrastructure provider certifications: SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, PCI DSS, HIPAA eligible, FedRAMP

B.6 Business continuity

  • Automated backups with point-in-time recovery
  • Multi-region replication available (Enterprise plan)
  • Infrastructure designed for high availability with automatic failover

Annex C — Authorized Sub-processors

The following Sub-processors are authorized to process Personal Data under this DPA:

Sub-processorPurposeLocationCertifications
Amazon Web Services (AWS) Cloud infrastructure, database, file storage, CDN, and compute Your chosen region(s) SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, PCI DSS, HIPAA eligible, FedRAMP
Stripe Payment processing United States PCI DSS Level 1, SOC 1/2, ISO 27001

This list was last updated on April 27, 2026. We will update this page and notify Enterprise customers at least 30 days before adding or replacing a Sub-processor.