Last updated: April 28, 2026
Data Processing Addendum
This Data Processing Addendum (“DPA”) supplements our Terms of Service and forms part of the agreement between you (the “Controller”) and SignHR Technologies Pvt. Ltd. (the “Processor”) when SignHR processes personal data on your behalf.
1. Subject matter and duration
SignHR processes personal data to provide the Services described in the agreement, for the duration of the subscription plus any additional retention period required by law.
2. Nature and purpose
We process personal data solely to operate, maintain, secure, and improve the Services. We do not process personal data for any other purpose without the Controller's instruction.
3. Categories of data subjects
Employees, contractors, and other personnel of the Controller; and end-users authorized by the Controller (e.g., HR administrators, managers).
4. Categories of personal data
- Identification: name, employee ID, photograph (if provided).
- Contact: email, phone, postal address, emergency contacts.
- Employment: role, department, manager, dates, contract type.
- Compensation: salary, benefits, statutory deductions.
- Attendance and leave records.
- Documents uploaded by the Controller (e.g., ID proofs, contracts).
5. Sub-processors
We use the following sub-processors. We notify Controllers at least 30 days before adding or replacing sub-processors. Controllers may object on reasonable grounds.
| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure & S3 storage | Mumbai, India |
| Hostinger | Cloud infrastructure | Mumbai, India |
| Razorpay | Payment processing | India |
| Resend | Transactional email delivery | Global |
| Brevo | Email delivery | Global |
6. International transfers
As a platform built for India, we prioritize local data residency. All primary workspace data is hosted in Mumbai, India. Where data is processed by global sub-processors, we ensure compliance with the Digital Personal Data Protection (DPDP) Act, 2023.
7. Security commitments
We implement appropriate technical and organizational measures, including:
- Data Isolation — We use a separate database for every organization to ensure strict data isolation and enhanced security.
- Encryption — TLS 1.3 for data in transit, AES-256 for data at rest. Customer-managed encryption keys available on Enterprise.
- Access control — Role-based access internally, with least-privilege provisioning. All staff access is logged.
- Authentication — Mandatory MFA for all SignHR staff. SSO available for customers on Enterprise plans.
- Network security — Private networks, WAF, and DDoS protection.
- Monitoring — 24/7 automated security monitoring with on-call rotation.
- Backups — Daily automated backups with 7-day retention. Quarterly restore testing.
8. Personal data breaches
We notify affected Controllers without undue delay, and in any case within 72 hours, of any personal data breach affecting their data, with available details about the breach, its likely consequences, and remediation steps.
9. Data subject rights
We assist Controllers in responding to data subject requests by providing tools to export, correct, and delete personal data within the platform. For requests we cannot fulfil through the product, we respond within 10 business days.
10. Audits
Controllers may audit our compliance with this DPA once per year, with reasonable notice. We will provide our latest SOC 2 report and complete reasonable security questionnaires in lieu of on-site audits where appropriate.
11. Deletion
Upon termination of the Services, we delete or return all personal data within 30 days, except where retention is required by law. Data is purged from backups within an additional 60 days.
12. Contact
DPA-related questions go to info@signhr.io.
