Data Processing Addendum
This Data Processing Addendum (DPA) forms part of the agreement between CherryPay and the customer who uses CherryPay tools such as the Holiday Pay Calculator, Payroll CRM and free helper tools.
This draft is provided for guidance only and does not replace independent legal advice. You should review and adapt it with your professional advisers before relying on it as your formal controller–processor contract.
1. Parties and definitions
In this DPA:
- "CherryPay" means the legal entity that provides the CherryPay tools and acts as a processor under UK data protection law.
- "Customer" means the organisation that has entered into a services agreement with CherryPay and uses the tools to process data about its own staff, workers, clients or other individuals. The Customer is the controller for that data.
- "Data Protection Laws" means all laws and regulations relating to data protection, privacy and electronic communications which apply to the parties, including the UK GDPR and the Data Protection Act 2018.
Capitalised terms that are not defined in this DPA have the meaning given in the main service terms between the parties.
2. Subject matter, nature and duration of processing
CherryPay will process personal data on behalf of the Customer in connection with the provision of the following services:
- Holiday Pay Calculator.
- Payroll CRM.
- Any other CherryPay tools that the Customer subscribes to or uses under the main agreement.
The processing will involve storing, organising, calculating, generating, exporting and otherwise using personal data as needed to provide these services, and to maintain logs and records of activity.
This DPA applies for as long as CherryPay processes personal data on behalf of the Customer under the main agreement, and continues to apply until CherryPay has deleted or returned personal data in line with this DPA.
3. Categories of data subjects and types of personal data
The data subjects whose personal data may be processed under this DPA include:
- Employees and workers of the Customer.
- Contractors, subcontractors and other individuals whose details are stored in the tools.
- Directors, owners and key contacts of client companies recorded in the Payroll CRM.
- Users and staff of the Customer who access the tools.
The personal data processed may include, as determined by the Customer:
- Identification and contact details such as name, address, email address and phone number.
- Employment details such as job role, start date, leave date and working pattern.
- Payroll and holiday information such as hours worked, holiday taken, holiday entitlement and pay and earnings figures.
- Company and relationship details such as company names, company numbers, tax identifiers, relationship types and notes.
- Documents, messages and communications stored or generated in the tools.
- Technical identifiers such as user IDs, account IDs and log details.
The tools are not designed to capture special category data or criminal offence data. If the Customer chooses to store such data, the Customer is responsible for ensuring an appropriate lawful basis and condition for processing. CherryPay will treat any such data as personal data processed on the Customer's instructions.
4. Documented instructions
CherryPay will process personal data only on the documented instructions of the Customer, unless required to do so by applicable law. In that case, CherryPay will inform the Customer of that legal requirement before processing, unless the law prohibits this.
The Customer's initial instructions are to process personal data as necessary to provide the services described in this DPA and the main agreement. The Customer may issue additional reasonable written instructions from time to time. If CherryPay believes an instruction infringes Data Protection Laws, it will inform the Customer without undue delay.
5. CherryPay's obligations as processor
CherryPay will:
- ensure that individuals authorised to process personal data are subject to appropriate duties of confidentiality or are under an appropriate statutory obligation of confidentiality;
- implement appropriate technical and organisational measures to protect personal data as described in section 8 (Security) of this DPA;
- respect the Customer's choices about data retention and deletion within the tools, where those features are available;
- notify the Customer without undue delay after becoming aware of a personal data breach affecting personal data processed on behalf of the Customer, and provide information to help the Customer meet any reporting obligations;
- taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests to exercise data subject rights;
- taking into account the nature of processing and the information available to CherryPay, assist the Customer in meeting the Customer's obligations regarding security of processing, data protection impact assessments and prior consultations with supervisory authorities, where required and reasonable;
- make available to the Customer information reasonably necessary to demonstrate compliance with the obligations that apply to CherryPay as a processor under Data Protection Laws.
6. Customer responsibilities
The Customer remains responsible for:
- Complying with its obligations as a controller under Data Protection Laws.
- Deciding which personal data is entered into the tools and for what purposes it is used.
- Providing all necessary privacy notices to data subjects.
- Ensuring it has a valid lawful basis for all processing carried out using the tools.
- Configuring the tools in a way that reflects its own policies on access, retention and deletion.
7. Sub‑processors
The Customer authorises CherryPay to appoint third party sub‑processors to support the provision of the services, for example hosting, infrastructure and email delivery providers.
CherryPay will:
- ensure that any sub‑processor is engaged under a written contract that imposes data protection obligations equivalent to those set out in this DPA; and
- remain responsible to the Customer for the performance of the sub‑processor's data protection obligations.
CherryPay will provide the Customer with details of current sub‑processors on written request. CherryPay will give reasonable notice of any material changes to sub‑processors. The Customer may object on reasonable grounds to a proposed material change and, if the parties cannot agree a solution, the Customer may terminate the affected services in accordance with the main agreement.
8. Security of processing
CherryPay will implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. These measures take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk to data subjects.
Measures may include, as appropriate:
- Use of encrypted connections (HTTPS) for access to the tools where available.
- Access controls so only authorised staff and systems can access production data.
- Segregation of environments and role‑based access where appropriate.
- Secure development practices, patching and vulnerability management.
- Strong password storage for user credentials.
- Backups and logging to support recovery and investigation of incidents.
9. Personal data breaches
If CherryPay becomes aware of a personal data breach affecting personal data processed on behalf of the Customer, it will:
- notify the Customer without undue delay; and
- provide information reasonably required by the Customer to meet its own reporting obligations, as this information becomes available.
CherryPay will take appropriate steps to contain, investigate and mitigate the effects of the breach. The Customer is responsible for assessing the risk to data subjects and for deciding whether to notify any supervisory authority or affected individuals.
10. International transfers
CherryPay may process personal data, and permit sub‑processors to process personal data, outside the UK where necessary to provide the services.
Where this involves a transfer of personal data to a country that is not subject to a UK adequacy regulation, CherryPay will ensure that appropriate safeguards are in place, such as the use of approved standard contractual clauses and any required UK addendum, or another mechanism permitted under Data Protection Laws.
11. Assistance with data subject rights and assessments
Taking into account the nature of the processing, CherryPay will provide reasonable assistance to the Customer:
- to respond to requests from data subjects to exercise their rights under Data Protection Laws, where this is not possible for the Customer to do directly using the tools; and
- to carry out data protection impact assessments and any required consultations with supervisory authorities, in each case solely in relation to the services and the processing carried out by CherryPay.
CherryPay may charge a reasonable fee for assistance that is excessive, unusually complex or repeated.
12. Return and deletion of data
On termination or expiry of the services, or when the Customer otherwise asks, CherryPay will delete or return personal data processed on behalf of the Customer, unless CherryPay is required by law to retain it.
CherryPay may retain backup copies of personal data for a limited period after termination, in line with its backup and disaster recovery policies. Any retained data will remain subject to appropriate protections and will be securely deleted in accordance with those policies.
13. Information and audits
CherryPay will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and with the obligations that apply to CherryPay as a processor under Data Protection Laws.
Where that information is not sufficient, and if required by Data Protection Laws, the Customer may request an audit of CherryPay's relevant data processing activities. Any audit:
- must be agreed in advance with CherryPay, including scope, timing and duration;
- must be carried out in a way that minimises disruption to CherryPay's business and protects the confidentiality and security of other customers' data; and
- may be satisfied, where appropriate, by independent audit reports or certifications that CherryPay makes available.
14. Priority and changes
If there is any conflict between this DPA and the main agreement, this DPA will take priority in respect of the subject matter of data protection. The parties may update this DPA in writing to reflect changes in Data Protection Laws or the services.
This DPA is version 1.0 and was last updated on 9 February 2026.
