
Data Processing Addendum

Last updated on May 7, 2025

This Data Processing Addendum (this “DPA”) is incorporated into and is subject to the terms and conditions of the HR for Health Master Subscription Agreement, the Order Form, and each other agreement referenced therein (collectively, the “MSA”) between The American HR Group, Inc. d/b/a HR for Health (“HR for Health”) and the party that executes an Order Form with HR for Health (“Client”, and together with HR for Health, individually each a “Party” and collectively the “Parties”) pursuant to which HR for Health provides certain services to Client.

1. Definitions.  The below terms shall have the following definitions in this DPA. Any capitalized terms used in this DPA but not defined herein shall have the meaning given in the MSA or Applicable Data Privacy And Protection Laws.

  1. “Applicable Data Privacy And Protection Laws” means all applicable federal, territorial, provincial and state privacy, data protection and data security laws and regulations in the United States, as may be amended from time to time, that are applicable to the data Processed, collected, received, accessed, transmitted, disclosed or stored by the Parties under the MSA.

  2. “Authorized Employees” means HR for Health’s employees who have a need to know or otherwise access Personal Information to enable HR for Health to perform its obligations under the MSA.

  3. “Authorized Persons” means (i) Authorized Employees and (ii) HR for Health’s contractors, Subprocessors, agents, outsourcers and auditors who have a need to know or are otherwise required to access Personal Information in order to enable HR for Health to perform its obligations under the MSA.

  4. “Business Contact Data” means any Client business contact information which is required or obtained to administer the Services to Client that are the subject of the MSA. Business Contact Data shall not constitute Client Data hereunder.

  5. “Client Data” means any data disclosed by Client, or a third party acting on Client’s behalf, to HR for Health, or collected by HR for Health or its Authorized Persons on Client’s behalf, under the MSA. “Client Data” shall include Client Personal Information and Client Confidential Information.

  6. “Data Subject” means the identified or identifiable natural person to whom Personal Information relates.

  7. “Data Subject Request” means a valid exercise of a Data Subject’s rights, such as to obtain, transfer, correct, delete, limit or control the Processing or use of Personal Information, as provided by Applicable Data Privacy And Protection Laws.

  8. “Documented Instruction(s)” means any written communication authorized by Client and provided to HR for Health in order to instruct HR for Health regarding (i) HR for Health’s Processing of Personal Information, (ii) HR for Health’s handling of a Data Subject Request or (iii) any notifications or disclosures relating to a Security Incident.

  9. “Personal Information” means “personal data,” “personal information,” “personally identifiable information,” “personal health information,” “nonpublic information,” “personal financial information,” or similar such term, each as defined by Applicable Data Privacy And Protection Laws, solely relating to HR for Health’s collection, use, sharing, storage, transmission, and/or disclosure of data pursuant to the MSA. “Personal Information” shall be limited to that data provided by Client to HR for Health for Processing or collected by HR for Health or its Authorized Persons on behalf of Client, pursuant to the MSA.

  10. “Processing,” “Processes,” or “Process” means obtaining, recording, or holding Personal Information, or carrying out any operation or set of operations on Personal Information including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying Personal Information.

  11. “Security Incident” means any confirmed act or omission that compromises the security of an HR for Health system that stores Client Personal Information or the physical or technical safeguards put in place by HR for Health that relate to the protection of Client Personal Information. The term “Security Incident” shall include any “security incident”, “data breach” or “security breach”, or other similar such term, impacting Client Personal Information in the custody of HR for Health that requires notification to Client under Applicable Data Privacy And Protection Laws.

  12. “Service” has the meaning defined in the MSA.

  13. “Subprocessor” means any other entity engaged by HR for Health to assist HR for Health in Processing Personal Information.

  14. The terms “Business Purpose,” “Controller,” “Processor,” “Sale,” “Service Provider,” “Share”, “Targeted Advertising” and “Cross-Context Behavioral Advertising” shall have the same meaning as in Applicable Data Privacy And Protection Laws, and their cognate terms shall be construed accordingly. 


2. Compliance with applicable data privacy and protection laws. 

  1. HR for Health Compliance

    1. All Personal Information that is provided by Client to HR for Health, or that is otherwise collected or maintained by HR for Health or its Authorized Persons on Client’s behalf, pursuant to the MSA shall be considered Client’s Personal Information. Client shall have and retain all right, title and interest in the Personal Information and HR for Health shall have no rights with respect thereto, other than as specifically contemplated by the MSA and this DPA.

    2. To the extent applicable, Client is disclosing Personal Information to HR for Health, and HR for Health is collecting Personal Information on behalf of Client, only for provision of the Service and Business Purposes. HR for Health agrees that it is Client’s Service Provider and Processor.

    3. HR for Health acknowledges that, to the extent it is Processing Personal Information subject to the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), such Processing is subject to the applicable provisions of the CCPA. HR for Health acknowledges that it is obligated to provide the Data Subject the same level of privacy protection as is required of Client by the CCPA.

    4. To the extent prohibited by Applicable Data Privacy And Protection Laws, HR for Health certifies that it will not:

      1. Sell or Share Client Personal Information, or use it for Targeted Advertising or Cross-Context Behavioral Advertising;

      2. retain, use, or disclose Client Personal Information for any purpose other than the performance of the Service unless permitted by Applicable Data Privacy And Protection Laws;

      3. retain, use, or disclose Client Personal Information outside of the direct business relationship between HR for Health and Client; and

      4. combine Client Personal Information that HR for Health receives from, or collects on behalf of, Client with Personal Information that HR for Health receives from, or on behalf of, another person or persons, or collects from its own interaction with the Data Subject unless HR for Health is acting in both (i) furtherance of a Business Purpose and (ii) in compliance with Applicable Data Privacy And Protection Laws.

    5. HR for Health shall notify Client if HR for Health makes a determination that HR for Health can no longer meet its obligations under Applicable Data Privacy And Protection Laws with regards to Personal Information and, in the event of such determination, Client shall have the right to take reasonable and appropriate steps to stop and remediate unauthorized use of the affected Personal Information.

    6. Client shall have the right to take reasonable and appropriate steps, as provided in Section 6 of this DPA, to ensure that HR for Health is using Client Personal Information in a manner consistent with Applicable Data Privacy And Protection Laws and this DPA.

    7. HR for Health shall cooperate with Client with regards to Data Subject Requests as provided in Section 7.

    8. Client is hereby notified that HR for Health will engage its own service providers and contractors to assist HR for Health in the processing of Client Personal Information as provided in Section 4.

  2. Client Compliance; Representations and Warranties.

    1. Client represents and warrants that all Client Data provided to HR for Health for Processing has been collected and provided to HR for Health for Processing pursuant to the MSA in compliance with Applicable Data Privacy And Protection Laws.

    2. Client represents and warrants that the categories and locations of Data Subjects and the types of Personal Information that are provided to HR for Health for Processing, as described in Exhibit 1, are accurate. With regards to Personal Information that Client collects from a source other than HR for Health or an agent of HR for Health, Client shall provide any notices and collect any consents that are required by Applicable Data Privacy And Protection Laws. These notices and consents shall contain all disclosures necessary to comply with Applicable Data Privacy And Protection Laws for the provision of the Personal Information to HR for Health for Processing under the MSA.

  3. Assessments.  HR for Health shall make available to Client information that is necessary for Client to fulfil its obligations under Applicable Data Privacy And Protection Laws, including where Client is obligated under Applicable Data Privacy And Protection Laws to conduct a data privacy or security impact assessment. The Parties agree to cooperate with each other to promptly and effectively handle inquiries, complaints, audits, or claims from any court, governmental officials or supervisory authority(ies).


3. Processing of client data

    1. Ownership of Personal Information.  Personal Information is deemed to be Confidential Information of Client.

    2. Protection of Personal Information.  HR for Health shall implement administrative, physical, and technical safeguards to protect Personal Information that are no less rigorous than accepted industry practices and that are in compliance with Applicable Data Privacy And Protection Laws. At a minimum, HR for Health’s safeguards for the protection of Personal Information shall include: (i) limiting access of Personal Information to Authorized Persons; (ii) securing business facilities, data centers, paper files, servers, back-up systems and computing equipment; (iii) implementing network, device application, database and platform security; (iv) securing information transmission, storage and disposal; (v) implementing authentication and access controls within media, applications, operating systems and equipment; (vi) encrypting Personal Information stored on any mobile media; (vii) encrypting Personal Information transmitted over public or wireless networks; (viii) logically segregating Personal Information from information of HR for Health or its other Clients; (ix) implementing appropriate personnel security and integrity procedures and practices; and (x) providing appropriate privacy and information security training to HR for Health’s employees.

    3. Data Storage.  Client acknowledges that, as of the effective date of the MSA, HR for Health’s primary data storage facilities are in the United States. Client authorizes HR for Health, in connection with the provision of the Services, to make worldwide transfers of Personal Information to its affiliates and/or Authorized Persons for Processing and storage to provide Client the Service. When making such transfers, HR for Health shall ensure that appropriate protection and security measures are in place to safeguard the Personal Information transferred.

    4. Deidentification, Aggregation and Anonymization.  Notwithstanding the other provisions of the MSA, nothing shall prohibit HR for Health and its Authorized Persons from using aggregate, statistical and deidentified data generated or submitted through Client’s use and receipt of the Service, provided that such data is (i) not individually identifiable to any individual person, (ii) not Personal Information, as defined herein, and (iii) otherwise qualifies as deidentified or aggregated under Applicable Data Privacy And Protection Laws. 

    5. Enhancement Of Service.  In order to facilitate the provision of the Service, HR for Health and its Authorized Persons may use Subcontractor data in the Service being provided to Client, including by applying technologies and by developing and enhancing the efficiencies and means by which HR for Health provides the Service to Client, so long as such use is solely in furtherance of providing Service to Client or a Business Purpose.

    6. Return and Deletion of Personal Information.  Upon termination or expiration of the MSA and upon Client’s request, HR for Health will promptly return Client Personal Information (excluding HR for Health system logs) in its possession, in an electronic format and media to be reasonably agreed upon by the Parties, and, within a mutually agreed upon time frame, not to exceed sixty (60) calendar days of Client’s request. If Client requests deletion of Client Data, HR for Health shall delete Client Data within a commercially reasonable timeframe following termination or expiration of the MSA. However, HR for Health may retain one copy of Client Data as may be required by applicable laws or for audit purposes.


4. Authorized persons

    1. Subprocessors.  Client acknowledges that HR for Health may engage the Subprocessors in the performance of the Services. HR for Health’s current list of Subprocessors is available at https://hrfh.hrforhealth.com/dpa-subprocessors. HR for Health may update the list of Subprocessors from time to time. HR for Health agrees that such engagement shall be pursuant to a written agreement that complies with Applicable Data Privacy And Protection Laws and that provides a materially similar level of protection as required by applicable provisions of this DPA. HR for Health will ensure that any Authorized Persons applies appropriate technical and organizational measures to protect against unauthorized or unlawful processing of Personal Information and against accidental loss or destruction of, or damage to, Personal Information.

    2. Authorized Employees.  During the term of each Authorized Employee’s employment by HR for Health, HR for Health shall at all times cause Authorized Employees to abide strictly by HR for Health’s obligations under this DPA and HR for Health’s standard policies and procedures. 

5. Security incident procedures

  1. Security Incident Plan.  HR for Health agrees to implement and maintain a security incident plan covering how HR for Health will detect and respond to Security Incidents and how HR for Health will notify Client of any confirmed Security Incident. HR for Health further agrees to provide Client with the name and contact information for an individual who shall serve as Client’s primary contact and shall be available to assist Client as a contact in resolving obligations associated with a Security Incident.

  2. Notification.  HR for Health shall notify Client of a Security Incident within seventy-two (72) hours of HR for Health confirming that a Security Incident has occurred.

  3. Investigation.  HR for Health shall use industry standard efforts to remedy any Security Incident and shall act in compliance with Applicable Data Privacy And Protection Laws. Promptly following HR for Health’s notification to Client of a Security Incident, the Parties shall coordinate with each other to investigate the Security Incident. HR for Health agrees to reasonably cooperate with Client in Client’s handling of the matter and make available to Client sufficient materials for Client to comply with Applicable Data Privacy And Protection Laws. This provision shall not be construed as expanding Client’s audit rights under the MSA or this DPA.

  4. Remediation.  HR for Health shall provide assistance with any obligation of Client under Applicable Data Privacy and Protection Laws, as reasonably requested, to make notifications to the affected Data Subjects, regulatory authorities, or the public, regarding the Security Incident. HR for Health shall not make any statement or notification to any Data Subjects who are the subject of the affected Personal Information, supervisory authority, or otherwise, regarding the Security Incident without the prior written approval of Client. Nothing in this Section shall be construed to prevent HR for Health from making notifications and disclosures (i) to an Authorized Person who is necessary for the mitigation, investigation or remediation of a Security Incident, (ii) as required by an applicable contract with a third-party (including HR for Health’s insurer or other customers), or (iii) as required by Applicable Data Privacy and Protection Laws, provided that HR for Health shall not disclose the identity of Client or that Client Personal Information has been affected by the Security Incident unless required by Applicable Data Privacy and Protection Laws. HR for Health shall have no liability or responsibility arising from HR for Health’s compliance with Client’s Documented Instructions, including with regards to notifying impacted Data Subjects, supervisory authorities or Client’s customers of a Security Incident. 

6. Client rights and responsibilities

  1. Client Direction.  Client agrees that HR for Health and its Authorized Persons will be acting at the direction of and on behalf of Client with regards to the Processing of Personal Information to provide the Service pursuant to the MSA.

  2. Client Audit Rights.  During the Term of the MSA, HR for Health shall keep accurate records relevant to the security controls and policies in place to protect Personal Information. Upon Client’s reasonable written request, no more than twice per calendar year, HR for Health agrees to provide Client with a copy of the results of HR for Health’s most recent internal SSAE18 (SOC 2) audit reports, which results shall be HR for Health’s Confidential Information. In addition, upon Client’s written request, HR for Health shall make available summaries of security policies, security testing and security-related audits via a secure video conferencing service or, in Client’s discretion, via a questionnaire submitted to HR for Health by Client, in order to demonstrate HR for Health’s compliance with this DPA. Such reports, results and summaries will be considered Confidential Information of HR for Health. Notwithstanding anything to the contrary herein or in the MSA, in no event shall Client be permitted to direct audit or testing of HR for Health’s information technology systems or an on-site of HR for Health’s facilities.

  3. Client Responsibility for Data.  Unless required by Applicable Data Privacy And Protection Laws, HR for Health shall not be required to verify information supplied to it by Client, nor shall HR for Health have the responsibility to verify, inquire, or investigate as to whether Client has the right to utilize the Client Personal Information provided to HR for Health under this DPA. Client agrees that it has the responsibility for the accuracy, quality, completeness, and appropriateness of Personal Information that Client, or any third party acting on behalf of Client, provides to HR for Health. HR for Health reserves the right (but shall have no obligation) to pre-screen, review, flag, filter, modify, refuse, or remove any or all Personal Information, in HR for Health’s sole discretion, from any content provided to HR for Health by Client.

7. Cooperation with data subject requests and inquiries

  1. Data Subject Requests.  Client will, as soon as practicable after receiving a verified Data Subject Request regarding Personal Information Processed by HR for Health, advise HR for Health of the Data Subject Request. Client will advise HR for Health of the jurisdiction, controlling law, and response requirements for the Data Subject in the form of Documented Instructions. HR for Health agrees to cooperate with Client to comply with Data Subject Requests. HR for Health will implement appropriate technical and organizational measures for the fulfilment of Client’s data privacy and protection regulatory obligations under Applicable Data Privacy And Protection Laws relating to Data Subject Requests. HR for Health agrees to respond to Client within thirty (30) calendar days or the time prescribed by Applicable Data Privacy And Protection Laws, whichever is shorter, in response to Client’s Documented Instructions relating to the handling of a Data Subject Request.

  2. Notification Of Direct Receipt.  HR for Health agrees to notify Client of HR for Health’s direct receipt of Data Subject Requests as soon as practicable, but in all cases within ten (10) business days of receipt. Client and HR for Health will coordinate a course of action regarding the handling of such requests. Unless otherwise agreed by the Parties or as provided in a Documented Instruction, HR for Health shall not take any action following its direct receipt of a Data Subject Request other than to (i) confirm receipt of the Data Subject Request to the requesting individual and (ii) inform the Data Subject that the Data Subject should submit the request directly to Client.

  3. Record Keeping.  HR for Health also agrees to maintain records of Data Subject Requests for at least twenty-four (24) months, or as required under Applicable Data Privacy And Protection Laws, whichever period is longer. Further, HR for Health will reasonably cooperate with any audit or inquiry by any regulatory body with the authority to conduct such an audit or inquiry and will reasonably assist Client at Client’s expense in cooperation with any such audit or inquiry.

8. Scope of processing

  1. Non-US Personal Information. The Parties agree that Personal Information is not contemplated to include information about identifiable individuals residing in countries other than the United States (“Non-US Personal Information”). Client shall have the sole responsibility to determine the laws applicable to Client Data, including whether Client Data includes any Non-US Personal Information. Notwithstanding anything else in the DPA, HR for Health shall have no obligation to process Non-US Personal Information and may immediately destroy or return to Client any Non-US Personal Information without penalty, responsibility or liability. HR for Health shall have no responsibility to pre-screen Client Personal Information for compliance with this Section.

  2. Protected Health Information.  The Parties agree that Client Data is not contemplated to include “protected health information” as defined under Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. § 160.103 (“Protected Health Information”). Client shall have the sole responsibility to determine the laws applicable to Client Data, including whether Client Data includes any Protected Health Information. Client shall immediately notify HR for Health in the event that Client Data is determined to contain Protected Health Information and the Parties agree to evaluate the applicability and implementation of a Business Associate Agreement and execute the same, if necessary and mutually agreeable, as an addendum to the DPA. Notwithstanding anything else in the MSA or this DPA, HR for Health shall have no obligation to process Protected Health Information and may immediately destroy or return to Client any Protected Health Information without penalty, responsibility or liability. HR for Health shall have no responsibility to pre-screen Client Data for compliance with this Section.

  3. Business Contact Data.  The Parties agree that, with respect to any Business Contact Data that may be considered Personal Information, HR for Health shall be considered a data Controller, and any terms in this DPA relating to obligations of a data Processor shall not apply thereto.

9. Limitation of liability and indemnification

  1. Indemnification.  Except as modified by this Section 9, the exclusive remedies and limitation of liabilities of HR for Health and Client shall be those set out in the MSA. However, notwithstanding anything in the MSA, HR for Health shall have no liability to Client relating to or arising from acts or omissions by HR for Health that were undertaken at the express direction of Client.

  2. Limit of liability.  Nothing in this DPA shall be construed to extend HR for Health’s liability under the MSA beyond the liability contemplated by the MSA’s liability cap provision.

  3. Privacy Defense and Indemnity of HR for Health.  Client shall defend, hold harmless and indemnify HR for Health against losses, liabilities, claims, or causes of action relating to, arising from, or based on breaches of Client’s obligations in this DPA as well as losses, liabilities, claims, or causes of action relating to, arising from, or based on:

    1. defects in Personal Information collection and attendant disclosures or consents by Client, including Client exceeding the scope of consent or disclosure;

    2. provision of Personal information to HR for Health for Processing pursuant to the terms and disclosures of the MSA and this DPA in violation of any law or regulation, including Applicable Data Privacy and Protection Laws;

    3. acts or omissions by HR for Health that were undertaken at the express direction of Client, including defects in Client’s Documented Instructions;

    4. failures of Client to provide opt-out or Data Subject Request features required by Applicable Data Privacy and Protection Laws;

    5. decisions by Client to not inform a regulator or Data Subject of a Security Incident;

    6. decisions by Client relating to HR for Health’s or Client’s response or handling of a Data Subject Request; or

    7. failures of Client to notify HR for Health that Client Personal Information contains Non-US/CAN Personal Information.

10. Application of MSA terms.  To the extent of conflict between the terms of the MSA and the terms of this DPA, the terms of this DPA shall control. All other terms and conditions of the MSA shall remain in full force and effect.

11. Amendments.  HR for Health may amend this DPA at any time. The Parties acknowledge that substantial changes to HR for Health’s obligations may be subject to changes in fees for the Service or alteration in the manner and means by which HR for Health performs the Service.

Exhibit 1

Details of processing 

The categories and locations of Data Subjects, types of Personal Information, and Processing operations and nature of Processing are set out below.

  1. Nature, purpose and subject matter of the Processing

    The nature, purpose and subject matter of the Processing is the provision of the Service as described in the MSA and related Order Forms.

  2. Duration of the Processing

    The duration of the Processing corresponds to the duration of the MSA.

  3. Categories of Data Subjects

    Client’s and its affiliates’ employees (including temporary or casual workers, volunteers, assignees, trainees, retirees, pre-hires and applicants) and end users

  4. Location of Data Subjects

    United States

  5. Types of Client Personal Information 

    Identifiers (such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, signature, physical descriptions and passport number)

    Employment-related information (such as work email address, job title, employee photo, date of birth, date of hire, age, nationality, immigration status, race, religion, sexual orientation, trade union membership, marital status, veteran status, disability status, criminal charges and convictions, salary and compensation data, insurance beneficiary information, emergency contact information, names of children, spouses or dependents)

    Internet or other electronic network activity information (such as browsing history, search history, and information regarding a Data Subject’s interaction with an internet website or application)

    Financial information (such as insurance policy number, bank account number, credit card number or debit card number)

    Geolocation data

    Inferences drawn from any of the Personal Information to create a profile about a Data Subject reflecting the Data Subject’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes

  6. Special Categories of Personal Information

Personal Information revealing:

  • Social security, driver’s license, state identification card, or passport number
  • Racial or ethnic origin
  • Trade union membership
  • Data concerning a Data Subject’s health, sex life or sexual orientation
  • Criminal convictions and offenses
  • Contents of a Data Subject’s mail, email, and text messages (other than communications relating to the administration of the MSA)
