Data processing agreement

Effective date:

Sep 15, 2025

Data Processing Addendum (EU/UK)

The GDPR and UK GDPR require a written agreement between a controller and a processor in order to allow the processing of personal data by the processor on behalf of the controller. For this reason, the parties have agreed to enter into this Data Processing Addendum (Addendum). 

This Addendum forms part of the agreement for the provision of the Ploy Platform, which is made up of an Order Form and Ploy’s Terms of Business (Agreement). In the event of conflict or inconsistency between this Addendum and the Agreement, this Addendum shall prevail.

Unless a capitalised term is expressly defined in this Addendum, the capitalised term will have the meaning set out in the Agreement.

Subject-matter of processing:

Ploy will process personal data hereunder exclusively within the scope of the provision of the Service(s) to the Customer.

Nature and purpose of the processing:

Ploy will process personal data only:

  • as reasonably required to provide the Service(s); or

  • where initiated, requested or instructed by Authorised Users in connection with their use of the Service(s), or by the Customer;

in each case in a manner consistent with this Addendum and the Agreement.

Type of Personal Data:

Personal data made available by the Customer during the Customer’s receipt of the Service(s) or use of the Ploy Platform.  This could include (without limitation):

Employee Identifiers and Contact Information:

Data Collected: Full name, job title, work email address, manager, team, location (country/city, not address information) and department.

How it is Accessed: This data is collected when the Customer integrates Identity Providers (IdPs) such as Okta, Azure AD, or Human Resource Information Systems (HRIS) like BambooHR. The data is used to enable user management, automate employee onboarding and offboarding, and grant application access based on the user’s role.



Authentication and Login Data:

Data Collected: Email, OAuth tokens and login timestamps.

How it is Accessed: Ploy accesses this data through integration with IdPs and Single Sign-On (SSO) providers. This data is used for secure authentication processes and to ensure proper access control.



Employee Lifecycle Data:

Data Collected: Employee status (active, inactive, terminated), hire date, role changes, and termination date.

How it is Accessed: This data is integrated from HRIS systems (e.g., HiBob, Humaans) and used for Employee Lifecycle Management services to automatically provision or deprovision accounts based on employment status, ensuring timely access revocation when employees leave.



Audit and Compliance Data:

Data Collected: Logs of user activity within the Ploy platform, access approvals, application installations, and any security incidents.

How it is Accessed: Ploy tracks this data through managed application tracking services and access catalog features. It is essential for audit trails, access reviews, and ensuring compliance with internal and external regulations.


Categories of data subjects:

Authorised Users and other Personnel of the Customer.

  1. Processor and Controller
    1. The parties agree that, for the personal data contained within the Customer Data (Protected Data), the Customer shall be the controller and Ploy shall be the processor. Nothing in this Addendum relieves the Customer of any responsibilities or liabilities under any Data Protection Laws.

    2. Ploy shall process Protected Data in compliance with:

      1. the obligations of processors under Data Protection Laws in respect of the performance of its obligations under the Agreement; and

      2. the terms of this Addendum.

    3. The Customer shall ensure that it, and each Authorised User, complies at all times with:

      1. all Data Protection Laws in connection with the processing of Protected Data, the use of the Service(s) and the exercise and performance of its respective rights and obligations under this Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and

      2. the terms of this Agreement.

    4. The Customer warrants, represents and undertakes, that at all times:

      1. the Protected Data is accurate and up to date;

      2. it shall establish and maintain adequate security measures to safeguard the Protected Data in its possession or control (including from unauthorised or unlawful destruction, corruption, processing or disclosure) and maintain complete and accurate backups of all Protected Data provided to Ploy (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by Ploy or any other person; and

      3. all instructions given by it to Ploy in respect of personal data shall always be in accordance with Data Protection Laws.

  2. Instructions and details of processing
    1. To the extent Ploy processes Protected Data on behalf of the Customer, Ploy warrants, represents and undertakes that it shall:

      1. unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Customer’s documented instructions as set out in this Agreement, and in particular on the first page of this Addendum, as updated from time to time (Processing Instructions);

      2. if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Customer of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and

      3. shall immediately inform the Customer if Ploy becomes aware of a Processing Instruction that, in Ploy’s opinion, infringes Data Protection Laws, provided that to the maximum extent permitted by Applicable Law, Ploy shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Processing Instructions following the Customer’s receipt of the information required by this paragraph 2.1.3.

    2. The Customer acknowledges and agrees that the execution of any computer command to process (including deletion of) any Protected Data made in the use of any of the Service(s) by an Authorised User will be a Processing Instruction (other than to the extent such command is not fulfilled due to technical, operational or other reasons, including as set out in the User Manual). The Customer shall ensure that Authorised Users do not execute any such command unless authorised by the Customer (and by all other relevant Controller(s)) and acknowledges and accepts that if any Protected Data is deleted pursuant to any such command Ploy is under no obligation to seek to restore it.

  3. Technical and organisational measures
    1. Ploy shall implement and maintain appropriate technical and organisational measures in relation to the processing of Protected Data. The parties have agreed that (taking into account the nature of the processing) Ploy’s compliance with clause 8 of the Agreement will constitute Ploy’s compliance with its obligations under this paragraph 3.1.

  4. Using staff and other Processors
    1. The Customer hereby gives Ploy a general consent to engage sub-processors for processing of Protected Data on behalf of the Customer (each a Sub-Processor). 

    2. As at the date of this Addendum, Ploy’s Sub-Processors are those listed in the List of Sub-Processors provided at the end of this Addendum. Ploy shall notify the Customer before transferring any Protected Data to a new Sub-Processor (Update Notice). Following receipt of the Update Notice the Customer shall notify Ploy if it objects to the new Sub-Processor. If the Customer does not object to the Sub-Processor within seven (7) days of receiving the Update Notice, the Customer shall be deemed to have accepted the Sub-Processor. If the Customer has raised a reasonable objection to the new Sub-Processor, and the parties have failed to agree on a solution within reasonable time, the Customer shall terminate the Agreement by written notice to Ploy on or before the date on which the transfer of Protected Data to the new Sub-Processor was due to commence, as set out in the Update Notice.

    3. Ploy shall:

      1. prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, ensure each Sub-Processor is appointed under a written contract containing materially the same obligations as set out in this Addendum, save that the Sub-Processor’s obligations in respect of assistance with audits shall be compliant with Applicable Law and may not precisely reflect Ploy’s obligations under paragraph 7.3; and

      2. remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.

    4. Ploy shall ensure that all persons authorised by it (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case Ploy shall, where practicable and not prohibited by Applicable Law, notify the Customer of any such requirement before such disclosure).

  5. Assistance with compliance and data subject rights
    1. Ploy shall refer all data subject Requests it receives to the Customer without undue delay.

    2. Ploy shall provide such assistance to the Customer as is reasonably required (considering the nature of processing and the information available to Ploy) to ensure compliance with the Customer’s obligations under Data Protection Laws with respect to:

      1. security of processing;

      2. data protection impact assessments (as such term is defined in Data Protection Laws);

      3. prior consultation with a Supervisory Authority regarding high-risk processing; and

      4. notifications to the Supervisory Authority and/or communications to data subjects by the Customer in response to any personal data breach,

provided the Customer shall pay Ploy for all reasonable work, time, costs and expenses incurred by Ploy or any Sub-Processor(s) in connection with providing the assistance in this paragraph 5.2, calculated on a time and materials basis.

  6. International data transfers
    1. Ploy will not transfer any Protected Data outside the United Kingdom or European Economic Area unless it has implemented a transfer mechanism compliant with Data Protection Laws (which may include the documents known as the European Union “Standard Contractual Clauses”, the United Kingdom “International Data Transfer Agreement”, or any other appropriate safeguard approved by the relevant authorities).

    2. The Customer acknowledges that, due to the nature of cloud Service(s), where an Authorised User accesses the Protected Data, such Protected Data may be transferred to the location of the Authorised User.  Any such transfer will be considered a transfer by the Customer, and not by Ploy, and it is the Customer’s responsibility to ensure that such locations afford an adequate level of protection for the Protected Data.

  7. Information and audit
    1. On request, Ploy shall provide the Customer (or auditors mandated by the Customer) with a copy of the third-party certifications and audits to the extent made generally available to its customers. Such information shall be Ploy’s Confidential Information as defined in the Agreement.

    2. Ploy will, during the Term but not more than once in any 12 month period, on at least 10 Business Days' notice and during normal business hours, permit the Customer and its third-party representatives to audit Ploy's compliance with its obligations.

    3. Ploy will give the Customer and its third-party representatives all reasonably necessary assistance to conduct such audits. The assistance may include, but is not limited to:

      1. physical access to, remote electronic access to, and copies of, records of Ploy’s activities under this Agreement related to the processing of Protected Data;

      2. access to and meetings with any of Ploy's personnel reasonably necessary to provide all explanations and perform the audit effectively; and

      3. inspection of all relevant records and the infrastructure, electronic data or systems, facilities, equipment or application software used to store or process the Protected Data (provided that Ploy shall not be required to breach any of its obligations of confidentiality to any third party, and that Ploy will only be required to grant access to facilities which are under its direct control).

  8. Breach notification
    1. In respect of any personal data breach, Ploy shall, without undue delay (and in any event within 24 hours of Ploy becoming aware of the breach):

      1. notify the Customer of the personal data breach; and

      2. provide the Customer with details of the personal data breach.

  9. Deletion of Protected Data and copies

Following the end of the provision of the Service(s) (or any part) relating to the processing of Protected Data, Ploy shall dispose of Protected Data in accordance with its obligations under this Addendum. Ploy shall have no liability (howsoever arising, including in negligence) for any deletion or destruction of any such Protected Data undertaken in accordance with this Addendum.

  10. Compensation and claims
    1. Subject to the terms of the Agreement, Ploy shall be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with this Addendum or the Agreement:

      1. only to the extent caused by the processing of Protected Data under this Addendum and directly resulting from Ploy’s breach of this Addendum or the Agreement; and

      2. in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of this Addendum or the Agreement by the Customer.

    2. If a party receives a compensation claim from a person relating to processing of Protected Data in connection with this Addendum or the Agreement, it shall promptly provide the other party with notice and full details of such claim. 

    3. This paragraph 10 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to data subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:

      1. to the extent not permitted by Applicable Law (including Data Protection Laws); and

      2. that it does not affect the liability of either party to any data subject.

  11. Survival

This Addendum (as updated from time to time) shall survive termination (for any reason) or expiry of the Agreement and continue until no Protected Data remains in the possession or control of Ploy or any Sub-Processor, except that paragraphs 10 to 12 (inclusive) shall continue indefinitely.

  12. Definitions
    1. In this Addendum:

      1. the terms controller, data subject, data subject request, personal data, personal data breach, process, processes, processed and processing, processor, Supervisory Authority shall have the meaning ascribed to them in the Data Protection Laws.  The term transfer shall have the meaning ascribed to it in Article 44 of the UK GDPR;

      2. the terms defined in the Agreement shall have the meaning ascribed to them in the Agreement.  

    2.  The following terms have the meanings given below:

Data Protection Laws

  1. as applicable and binding on either party or the Service(s):

    1. UK GDPR as defined in the Data Protection Act 2018; 

    2. any laws which implement any such laws; and

    3. any laws that replace, extend, re-enact, consolidate or amend any of the foregoing;


Data Protection Losses

  1. all liabilities, including all:

    1. costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and

    2. to the extent permitted by Applicable Law:

      1. administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;

      2. compensation which is ordered by a court or Supervisory Authority to be paid to a data subject; and

      3. the reasonable costs of compliance with investigations by a Supervisory Authority;


List of Sub-Processors

  1. Amazon Web Services, Inc. (AWS)

    • Service: Cloud Hosting and Infrastructure Provider

    • Location: London, United Kingdom (EU-West 2)

    • Description: Amazon Web Services (AWS) is a leading cloud computing platform that we use for building, deploying, and managing the Ploy application. As our cloud hosting provider, AWS provides the infrastructure necessary to host our applications, ensuring high availability, scalability, and security.

  2. Datadog

    • Service: Application Performance Monitoring (APM) and Security Monitoring

    • Location: Germany

    • Description: Datadog is a comprehensive monitoring and security platform for cloud applications. It provides real-time insights into our application’s performance, infrastructure, and user experience, enabling us to detect and resolve issues quickly. Datadog’s monitoring tools help us ensure that our services are running efficiently and securely by tracking metrics, logs, and traces. Additionally, Datadog’s security features help us monitor and protect our infrastructure from potential threats.

  3. MailJet

    • Service: Transactional Email Delivery

    • Location: Germany & Belgium

    • Description: MailJet is a cloud-based email service provider specialising in sending transactional emails, such as account notifications, password resets, and Ploy Platform emails to employees (sent by the Customer). These emails are crucial for maintaining communication with our users, as well as for the Customer communicating with its employees via the Ploy platform. By using MailJet, we can ensure high deliverability rates and efficient management of our users' emails from within the Ploy platform.