Data Processing Agreement

Last updated: 2026-05-30

This Data Processing Agreement (“DPA”) forms part of the Ghugi Terms of Service and sets out how Ghugi processes personal data on your behalf. It is required under Article 28 of the UK GDPR and applies automatically to every Ghugi customer that uploads payslip data about identifiable individuals.

1. Parties and roles

  • Controller: you, the Ghugi customer organisation. You decide what personal data is uploaded to Ghugi and for what purpose.
  • Processor: Babiha Care Solutions Limited, trading as Ghugi, a company registered in England and Wales (company number 17081576, registered office 8b Kelvin House, Kelvin Way, Crawley, RH10 9WE, United Kingdom, ICO registration ZC132791). We process personal data only to provide the service to you, and only on your documented instructions.

2. Subject matter and duration

The subject matter is the processing necessary to operate the Ghugi service. This DPA takes effect when you create an account or start a trial and continues until your account is deleted and your data has been removed from Ghugi’s systems.

3. Nature and purpose of processing

Ghugi stores, organises, transmits, and deletes personal data on your behalf for the purpose of sending payslips to your employees by email and keeping a record of what was sent. We do not process personal data for our own purposes, other than the legitimate interests described in the Privacy Policy for account-holder data.

4. Types of personal data and categories of data subjects

Data subjects: your employees who receive payslips through Ghugi.

Categories of personal data:

  • name and email address;
  • employee code (optional);
  • contents of payslip PDFs you upload, which typically include home address, gross and net pay, tax code, National Insurance number, tax and NI deductions, employer and employee pension contributions, year-to-date totals, employer PAYE reference, and bank account details where shown on the payslip.

Special category data: Ghugi does not collect or intentionally process special category data. Payslips may occasionally contain data that reveals trade union membership (via subscription deductions) or sickness absence (via statutory sick pay). Where this is the case, you remain the controller and are responsible for your lawful basis for including it.

5. Controller obligations

You warrant that you have a lawful basis to upload payslip data to Ghugi, that you have informed your employees about the processing (for example, through your own privacy notice), and that you will keep your employee list in Ghugi accurate.

6. Processor obligations

Ghugi will:

  1. process personal data only on your documented instructions — your acceptance of these Terms counts as a general instruction to process the uploaded payslip data for the purpose of providing the service;
  2. ensure everyone who processes the data is bound by confidentiality;
  3. implement the technical and organisational security measures set out in Schedule 2;
  4. assist you with data subject rights requests as described in section 8;
  5. assist you, taking into account the nature of the processing and the information available to us, with your data protection impact assessments and any prior consultation with the ICO under UK GDPR Articles 35 and 36;
  6. notify you without undue delay — and in any event within 48 hours of becoming aware — of a personal data breach affecting your data, so you have time to meet your own 72-hour deadline to notify the ICO;
  7. delete or return your data at the end of the contract, as set out in section 12;
  8. make available the information necessary to demonstrate compliance with this DPA and allow audits as described in section 11.

7. Sub-processors

You authorise Ghugi to use the sub-processors listed in Schedule 3. We will notify you by email or in-app at least 30 days before we add or change a sub-processor, giving you a reasonable chance to object. If you object and we cannot accommodate you, you may terminate your subscription and receive a pro-rated refund of unused prepaid fees.

Where we engage a sub-processor, we impose data-protection obligations on it, by a written contract, that provide an equivalent level of protection to those in this DPA. We remain fully liable to you for any sub-processor’s failure to meet those obligations.

8. Data subject rights

If one of your employees contacts Ghugi directly to exercise a right (access, rectification, erasure, etc.), we will forward the request to you within 5 working days and will not respond substantively ourselves. You are responsible for responding; we will assist where reasonably possible.

9. Security

Ghugi implements the technical and organisational measures described in Schedule 2. These measures are reviewed at least annually and are appropriate to the risk of the data we process.

10. International transfers

Your payslip content, account data, serverless compute, and rate-limit store are all in the United Kingdom: Supabase database and storage on AWS London (eu-west-2), Vercel serverless functions pinned to lhr1 (London), and Upstash Redis on AWS London (eu-west-2). Every other primary data flow is EU-only: payslip email transits via Resend on AWS eu-west-1 (Ireland), error monitoring runs on Sentry’s EU region (Frankfurt), and admin email runs on Zoho’s EU region (Netherlands). No international transfer applies to any of these data flows.

Some sub-processors’ parent companies are in the USA and parts of their service still operate outside the UK / EEA — specifically Resend’s account metadata, logs, and API records (the payslip email transit itself stays in the EU per the previous paragraph), Vercel’s web-analytics aggregation, Cloudflare’s control plane, and, where a customer connects a Gmail or Outlook sender, Google or Microsoft. Where personal data is transferred to the USA, Ghugi relies on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as applicable. You authorise these transfers as part of this DPA.

11. Audit

Ghugi will make available, on written request and no more than once a year, the information needed to show we are complying with this DPA. Because multiple customers’ data sits in shared infrastructure, on-site audits are not practical; we will instead provide written responses, third-party security reports, and, where reasonable, a virtual walkthrough.

12. Return or deletion of data

On termination of your subscription Ghugi will delete the personal data we process on your behalf within 30 days, except: (a) the payslip send-history records (employee name, email, and send / delivery metadata), which we retain for up to 48 months to support payroll record-keeping, consistent with our Privacy Policy, and then delete; (b) audit-log records, which we keep for 13 months and then delete; and (c) data that applicable law requires us to retain. On written request made within the 30-day window, we will provide an export of your data before deletion.

13. Liability

Liability under this DPA is subject to the limitations set out in the Terms of Service, except that nothing in this DPA limits either party’s liability for breach of its obligations under UK GDPR where such limitation is not permitted by law.

14. Governing law

This DPA is governed by the laws of England and Wales and is subject to the dispute resolution provisions of the Terms of Service.


Schedule 1 — Processing details

  • Duration: the duration of your Ghugi subscription, plus up to 30 days after termination.
  • Nature: storage, transmission (via email), organisation, and deletion of personal data.
  • Purpose: operating the Ghugi service on your behalf.
  • Categories of data subjects: your employees who receive payslips through Ghugi.
  • Categories of personal data: name, email, employee code, and the full contents of the payslip PDFs you upload.

Schedule 2 — Technical and organisational measures

Ghugi implements the following measures, reviewed at least annually:

  • Encryption in transit: HTTPS/TLS 1.2 or higher for all traffic between browsers, Ghugi servers, and sub-processors.
  • Encryption at rest for secrets: outgoing SMTP passwords are encrypted using AES-256-GCM, with the key held in environment configuration separate from the database.
  • Logical tenant isolation: every organisation’s data is protected by row-level security (RLS) policies in the database. Cross-tenant access is denied by default.
  • Access control: only named engineers have production database access and that access is logged.
  • Audit logging: every administrative action (employee delete, retention change, organisation update, etc.) is recorded in an append-only audit log.
  • Backups: automated daily backups are retained by our database sub-processor (Supabase).
  • Change management: code changes go through peer review and automated testing before deployment.
  • Dependency management: automated security scanning of dependencies; patches are applied in a reasonable time.
  • Breach response: documented incident response plan, including the 48-hour breach-notification commitment to controllers in section 6.
  • Personnel: everyone with data access is bound by written confidentiality obligations.

Schedule 3 — Authorised sub-processors

Each entry gives the sub-processor's name, its role, and its location of processing.

  • Supabase Inc.
    Role: Database, authentication, Storage (payslip PDFs), audit logs
    Location of processing: United Kingdom (AWS eu-west-2, London) — no cross-border transfer
  • Stripe Payments UK Ltd
    Role: Subscription billing
    Location of processing: UK + US under UK Addendum to EU SCCs
  • Resend, Inc.
    Role: Transactional email delivery
    Location of processing: Email transit in EU (AWS eu-west-1, Ireland); Resend account metadata, logs, and API records in the US under UK Addendum to EU SCCs
  • Vercel, Inc.
    Role: Hosting, serverless compute, cookieless web analytics
    Location of processing: Serverless compute pinned to United Kingdom (Vercel lhr1, London); web-analytics aggregation in the US under UK Addendum to EU SCCs
  • Cloudflare, Inc.
    Role: DNS, CDN, TLS termination, and bot management for ghugi.com (HTTP-level metadata and IP addresses only; never sees payslip content)
    Location of processing: Global edge network; UK / EU edge for UK visitors, under UK Addendum to EU SCCs
  • Functional Software, Inc. (Sentry)
    Role: Application error monitoring (stack traces, URL paths, request metadata; PII scrubbed before send — no emails, names, NI numbers, payslip content, IPs, or session-replay data reach Sentry)
    Location of processing: EU region (Frankfurt) — no cross-border transfer
  • Upstash, Inc.
    Role: Serverless Redis for rate-limiting (short-lived IP + email hashes only)
    Location of processing: United Kingdom (AWS eu-west-2, London) — no cross-border transfer
  • Zoho Corporation B.V.
    Role: Business email mailbox for Ghugi-side admin correspondence (hello / support / billing / privacy / legal); does not process payslip content
    Location of processing: EU (zoho.eu region, Netherlands) — no cross-border transfer
  • Google LLC (conditional)
    Role: Gmail API — engaged only if customer connects a Google Workspace sender
    Location of processing: Wherever the customer’s own Google Workspace tenant is hosted (admin-controlled data region; EU available on Frontline Plus / Enterprise Plus editions); transfers to the US, where they occur, are governed by UK IDTA
  • Microsoft Corporation (conditional)
    Role: Microsoft Graph / Outlook — engaged only if customer connects a Microsoft 365 sender
    Location of processing: Wherever the customer’s own Microsoft 365 tenant is hosted (UK and EEA locales available via Advanced Data Residency); transfers to the US, where they occur, are governed by UK IDTA

If you connect your own SMTP relay as the sender, that relay is your choice and is not a Ghugi sub-processor.