Data Processing Agreement
Last updated: 2026-04-20
This Data Processing Agreement (“DPA”) forms part of the Ghugi Terms of Service and sets out how Ghugi processes personal data on your behalf. It is required under Article 28 of the UK GDPR and applies automatically to every Ghugi customer that uploads payslip data about identifiable individuals.
1. Parties and roles
- Controller: you, the Ghugi customer organisation. You decide what personal data is uploaded to Ghugi and for what purpose.
- Processor: Ghugi. We process personal data only to provide the service to you, and only on your documented instructions.
2. Subject matter and duration
The subject matter is the processing necessary to operate the Ghugi service. This DPA takes effect when you create an account or start a trial and continues until your account is deleted and your data has been removed from Ghugi’s systems.
3. Nature and purpose of processing
Ghugi stores, organises, transmits, and deletes personal data on your behalf for the purpose of sending payslips to your employees by email and keeping a record of what was sent. We do not process personal data for our own purposes, other than the legitimate interests described in the Privacy Policy for account-holder data.
4. Types of personal data and categories of data subjects
Data subjects: your employees who receive payslips through Ghugi.
Categories of personal data:
- name and email address;
- employee code (optional);
- contents of payslip PDFs you upload, which typically include home address, gross and net pay, tax code, National Insurance number, tax and NI deductions, employer and employee pension contributions, year-to-date totals, employer PAYE reference, and bank account details where shown on the payslip.
Special category data: Ghugi does not collect or intentionally process special category data. Payslips may occasionally contain data that reveals trade union membership (via subscription deductions) or sickness absence (via statutory sick pay). Where this is the case, you remain the controller and are responsible for your lawful basis for including it.
5. Controller obligations
You warrant that you have a lawful basis to upload payslip data to Ghugi, that you have informed your employees about the processing (for example, through your own privacy notice), and that you will keep your employee list in Ghugi accurate.
6. Processor obligations
Ghugi will:
- process personal data only on your documented instructions — your acceptance of these Terms counts as a general instruction to process the uploaded payslip data for the purpose of providing the service;
- ensure everyone who processes the data is bound by confidentiality;
- implement the technical and organisational security measures set out in Schedule 2;
- assist you with data subject rights requests as described in section 8;
- notify you without undue delay — and in any case within 72 hours of becoming aware — of a personal data breach affecting your data;
- delete or return your data at the end of the contract, as set out in section 12;
- make available the information necessary to demonstrate compliance with this DPA and allow audits as described in section 11.
7. Sub-processors
You authorise Ghugi to use the sub-processors listed in Schedule 3. We will notify you by email or in-app at least 30 days before we add or change a sub-processor, giving you a reasonable chance to object. If you object and we cannot accommodate you, you may terminate your subscription and receive a pro-rated refund of unused prepaid fees.
8. Data subject rights
If one of your employees contacts Ghugi directly to exercise a right (access, rectification, erasure, etc.), we will forward the request to you within 5 working days and will not respond substantively ourselves. You are responsible for responding; we will assist where reasonably possible.
9. Security
Ghugi implements the technical and organisational measures described in Schedule 2. These measures are reviewed at least annually and are appropriate to the risk of the data we process.
10. International transfers
Your payslip content is stored and processed in the EU (Ireland). The UK government has recognised the EU as providing an adequate level of data protection, so no additional safeguards are required for UK→EU transfers.
Some sub-processors’ parent companies are based in the USA. Where personal data is transferred to the USA, Ghugi relies on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as applicable. You authorise these transfers as part of this DPA.
11. Audit
Ghugi will make available, on written request and no more than once a year, the information needed to show we are complying with this DPA. Because multiple customers’ data sits in shared infrastructure, on-site audits are not practical; we will instead provide written responses, third-party security reports, and, where reasonable, a virtual walkthrough.
12. Return or deletion of data
On termination of your subscription Ghugi will delete all your personal data within 30 days, except (a) audit-log records that we keep indefinitely for security, and (b) data that applicable law requires us to retain. On written request made within the 30-day window, we will provide an export of your data before deletion.
13. Liability
Liability under this DPA is subject to the limitations set out in the Terms of Service, except that nothing in this DPA limits either party’s liability for breach of its obligations under UK GDPR where such limitation is not permitted by law.
14. Governing law
This DPA is governed by the laws of England and Wales and is subject to the dispute resolution provisions of the Terms of Service.
Schedule 1 — Processing details
- Duration: the duration of your Ghugi subscription, plus up to 30 days after termination.
- Nature: storage, transmission (via email), organisation, and deletion of personal data.
- Purpose: operating the Ghugi service on your behalf.
- Categories of data subjects: your employees who receive payslips through Ghugi.
- Categories of personal data: name, email, employee code, and the full contents of the payslip PDFs you upload.
Schedule 2 — Technical and organisational measures
Ghugi implements the following measures, reviewed at least annually:
- Encryption in transit: HTTPS/TLS 1.2 or higher for all traffic between browsers, Ghugi servers, and sub-processors.
- Encryption at rest for secrets: outgoing SMTP passwords are encrypted using AES-256-GCM, with the key held in environment configuration separate from the database.
- Logical tenant isolation: every organisation’s data is protected by row-level security (RLS) policies in the database. Cross-tenant access is denied by default.
- Access control: only named engineers have production database access and that access is logged.
- Audit logging: every administrative action (employee delete, retention change, organisation update, etc.) is recorded in an append-only audit log.
- Backups: automated daily backups are retained by our database sub-processor (Supabase).
- Change management: code changes go through peer review and automated testing before deployment.
- Dependency management: automated security scanning of dependencies; patches are applied in a reasonable time.
- Breach response: documented incident response plan, including the 72-hour notification commitment in section 6.5.
- Personnel: everyone with data access is bound by written confidentiality obligations.
Schedule 3 — Authorised sub-processors
| Name | Role | Location of processing |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | EU (Ireland, eu-west-2) |
| Stripe Payments Europe Ltd | Subscription billing | Ireland; data may transfer to US parent |
| Resend Inc. | Transactional email | EU (Ireland) |
| Vercel Inc. | Hosting and edge delivery | Global edge; origin USA |
Customer-selected outgoing email providers (your own SMTP account, Gmail, or Outlook) are your choice and are not Ghugi sub-processors.