---
title: Data Processing Agreement
description: Governs how Proxhr processes, stores, and protects Customer Data across all services. Covers CCPA service provider obligations, sub-processor management, security measures, breach notification, audit rights, and data retention. Service-specific regulatory requirements (e.g., FCRA, HIPAA) are addressed in the applicable Order Form.
date: 2026-05-24
lastmod: 2026-05-24
url: https://proxhr.com/policies/dpa/
---

Last Revised: May 24, 2026

---
# DATA PROCESSING AGREEMENT

**Proxhr, Inc.**

---

This Data Processing Agreement ("DPA") is incorporated into and forms part of the Master Services Agreement ("Agreement") between **Proxhr, Inc.** ("Provider") and the entity identified on the applicable Order Form ("Customer"). By executing an Order Form that references the Agreement, Customer acknowledges that it has read, understands, and agrees to be bound by the terms of this DPA.

This DPA is available at **https://proxhr.com/policies** and may be updated by Provider from time to time in accordance with the change notification provisions of the Agreement.

---

## 1. SCOPE AND PURPOSE

**1.1 Applicability.** This DPA governs the processing of Customer Data across all Services provided under the Agreement, except where an Order Form establishes service-specific regulatory terms that expressly supersede provisions of this DPA.

**1.2 Roles.** For the general HR platform services described in the Agreement, Customer is the "Business" (the entity that determines the purposes and means of processing personal information) and Provider is the "Service Provider" under the California Consumer Privacy Act ("CCPA") and applicable US state privacy laws.

**1.3 Purpose Limitation.** Provider shall process Customer Data solely for the purpose of performing the Services under the Agreement and applicable Order Form(s), and for no other commercial purpose.

---

## 2. CCPA SERVICE PROVIDER OBLIGATIONS

Provider shall not:

(a) **Sell or share** Customer Data as those terms are defined under the CCPA.

(b) **Retain, use, or disclose** Customer Data for any purpose other than providing the Services specified in the Agreement, including not using Customer Data for targeted advertising.

(c) **Retain, use, or disclose** Customer Data outside of the direct business relationship between Provider and Customer.

(d) **Combine** Customer Data with personal information received from other sources except as permitted by the CCPA for service provider purposes.

Provider certifies that it understands the restrictions in this Section 2 and will comply with them.

---

## 3. DATA SUBJECT RIGHTS

**3.1 Cooperation.** To the extent applicable and not preempted by federal law, Provider shall reasonably assist Customer in responding to verifiable consumer requests under the CCPA or equivalent state privacy laws, including requests to access, delete, or correct personal information.

**3.2 Federal Preemption.** Where Customer Data processed under a specific Order Form is governed by a federal regulatory regime (e.g., FCRA, HIPAA, FERPA) that preempts state privacy law consumer rights, the applicable Order Form will identify the exemption. Provider is not obligated to honor state-law deletion or access requests for data subject to such federal preemption.

---

## 4. SUB-PROCESSORS

**4.1 Authorized Sub-processors.** Customer authorizes Provider to engage the sub-processors listed at **https://proxhr.com/policies/privacy** to process Customer Data. The initial authorized sub-processors include Amazon Web Services, Inc. (AWS) for cloud infrastructure and hosting, and Stripe for payment services.

**4.2 New Sub-processors.** Provider shall notify Customer at least **thirty (30) days** in advance before engaging any new sub-processor. Notification shall be via email to Customer's designated contact or via a publicly accessible changelog at **https://proxhr.com/policies/privacy**.

**4.3 Objection Right.** Customer may object to a new sub-processor by providing written notice within fifteen (15) days of notification. If the Parties cannot resolve the objection within thirty (30) days, Customer may terminate the affected Order Form(s) without penalty.

**4.4 Sub-processor Obligations.** Provider shall impose data protection obligations on each sub-processor no less protective than those in this DPA. Provider remains fully liable for the acts and omissions of its sub-processors.

---

## 5. DATA RESIDENCY AND TRANSFERS

**5.1 Data Residency.** Provider shall host and process all Customer Data exclusively on servers located within the United States.

**5.2 No International Transfers.** Provider shall not transfer Customer Data outside the United States without Customer's prior written consent.

---

## 6. SECURITY INCIDENT NOTIFICATION

**6.1 Notification.** If Provider becomes aware of a confirmed Security Incident involving unauthorized access to, or acquisition, disclosure, or use of, Customer Data, Provider shall notify Customer without undue delay and no later than **seventy-two (72) hours** after confirmation.

**6.2 Content.** The notification shall include, to the extent reasonably available: (a) the nature of the incident and categories and approximate volume of data affected; (b) likely consequences; (c) measures taken or proposed to address and mitigate the incident; and (d) a designated point of contact.

**6.3 Updates.** Provider shall provide timely updates as additional information becomes available and cooperate with Customer's reasonable investigation and remediation requests.

**6.4 No Admission.** Notification shall not be construed as an acknowledgment of fault or liability.

---

## 7. TECHNICAL AND ORGANIZATIONAL MEASURES

**7.1 Security Program.** Provider maintains a comprehensive information security program designed to protect Customer Data, including:

(a) **Access Controls:** IAM with Role-Based Access Control (RBAC), enforced on a least-privilege basis.

(b) **Authentication:** Multi-factor authentication (MFA) for all Provider personnel and systems accessing Customer Data.

(c) **Encryption:** AES-256 for data at rest; TLS 1.2 or higher for data in transit.

(d) **Monitoring:** Continuous monitoring, audit logging, and intrusion detection for systems processing Customer Data.

(e) **Personnel:** Background checks for personnel with access to Customer Data; mandatory security awareness training.

**7.2 Certifications.** Provider maintains an information security program aligned with SOC 2 Type II standards and is actively pursuing formal certification, which Provider anticipates obtaining within twelve (12) months of the date this DPA is first published. Upon achieving certification, Provider shall maintain such certification and make audit reports or summary findings available to Customer upon reasonable written request, subject to appropriate confidentiality protections. Prior to certification, Provider shall make available upon request a written summary of its current security controls and their alignment to SOC 2 criteria.

---

## 8. AUDIT RIGHTS

**8.1 Audit.** Customer may, at its own expense and upon at least **thirty (30) days' prior written notice**, audit Provider's compliance with this DPA no more than once per twelve (12) month period, during normal business hours and in a manner that minimizes disruption.

**8.2 Third-Party Auditor.** Customer may use a qualified, independent third-party auditor subject to confidentiality obligations.

**8.3 Reports as Alternative.** Provider may satisfy audit requests by providing current SOC 2 Type II reports, penetration test summaries, or equivalent certifications.

---

## 9. DATA RETENTION AND DELETION

**9.1 During Term.** Provider shall retain Customer Data only for so long as necessary to perform the Services and comply with applicable legal obligations.

**9.2 Post-Termination.** Upon termination or expiration of the Agreement, Provider shall, at Customer's election, securely delete or return all Customer Data within **thirty (30) days**, except:

(a) Data Provider is required to retain by applicable law, regulation, or legal process (including any service-specific retention requirements set forth in an Order Form).

(b) Data in automated backups, which shall be deleted per Provider's standard rotation schedule (not to exceed **ninety (90) days**).

**9.3 Certification.** Upon request, Provider shall certify in writing that deletion has been completed in accordance with this Section.

---

## 10. SERVICE-SPECIFIC REGULATORY OVERRIDES

**10.1 Mechanism.** Where a Service is governed by a federal or state regulatory framework that imposes data handling requirements different from this DPA, the applicable Order Form shall contain a regulatory addendum specifying: (a) the governing regulation; (b) the roles and obligations of each Party under that regulation; (c) any preemption of state privacy law rights; and (d) any modified retention, deletion, or consumer rights procedures.

**10.2 Precedence.** The regulatory addendum in an Order Form shall supersede conflicting provisions of this DPA with respect to the data processed under that Order Form.

---

## 11. GENERAL

**11.1 Term.** This DPA remains in effect for the duration of the Agreement and for so long as Provider processes Customer Data.

**11.2 Amendments.** Material changes to this DPA shall be communicated in accordance with the change notification provisions of the Agreement.
