Data Processing Agreement
This DPA governs StaffHero’s processing of personal data on behalf of customers (the controllers) when they run surveys. It forms part of our Terms of Service.
Last updated: 21 June 2026
1. Parties & roles
This Data Processing Agreement (“DPA”) is between the Customer (the “Controller”) and GroundForm Software LLC, trading as StaffHero (the “Processor”), and applies whenever StaffHero processes personal data on the Customer’s behalf under the Terms of Service.
The Customer is the controller of employee survey data and determines the purposes and means of processing. StaffHero is the processor and acts only on the Customer’s documented instructions, which include the Terms of Service, this DPA, and use of the product’s features.
Our contact for data-protection matters under this DPA is the StaffHero privacy team (hello@staffhero.com).
2. Definitions
Capitalized terms not defined here have the meaning given in the Terms of Service or in Applicable Data Protection Law. In this DPA:
- “Applicable Data Protection Law” means all data-protection and privacy laws that apply to the processing under this DPA, including the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”), the GDPR as retained in UK law and the UK Data Protection Act 2018 (“UK GDPR”), the Swiss Federal Act on Data Protection (“FADP”), and applicable US state privacy laws such as the California Consumer Privacy Act as amended (“CCPA”).
- “Controller” means the Customer, which determines the purposes and means of processing the Personal Data.
- “Processor” means StaffHero (GroundForm Software LLC), which processes Personal Data on the Controller’s behalf.
- “Personal Data” means the personal data within Customer Data that StaffHero processes on the Controller’s behalf under the Terms of Service, as described in Annex 1.
- “Data Subject” means an individual to whom Personal Data relates — for example a respondent, a member of the Customer’s roster, or an administrator.
- “Sub-processor” means a third party engaged by StaffHero to process Personal Data on the Controller’s behalf, as listed on the Subprocessors page (Annex 3).
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed under this DPA.
- “Standard Contractual Clauses” or “SCCs” means the clauses approved by the European Commission in Decision 2021/914 for the transfer of personal data to third countries.
- “UK Addendum” means the International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.
- “Restricted Transfer” means a transfer of Personal Data to a country or organization not benefiting from an adequacy decision under Applicable Data Protection Law.
3. Relationship to the Terms
This DPA forms part of, and is governed by, the Terms of Service. It applies to StaffHero’s processing of Personal Data on the Controller’s behalf. If there is any conflict between this DPA and the rest of the Terms on a matter of personal-data processing, this DPA prevails. Where the Standard Contractual Clauses apply, they prevail over this DPA to the extent of any conflict.
4. Subject matter, nature & duration
Subject matter: provision of the StaffHero anonymous survey and insights platform. Nature & purpose: collecting and aggregating employee feedback, generating the AI Leadership Brief, and enabling anonymous clarification threads. Duration: for as long as StaffHero provides the service to the Customer, plus the deletion period in Section 14. Details are in Annex 1.
5. Processor obligations
StaffHero will:
- process personal data only on the Controller’s documented instructions, including for transfers, unless required by law (in which case we’ll inform the Controller unless legally prohibited);
- ensure personnel authorized to process the data are bound by confidentiality;
- implement the technical and organizational measures in Annex 2;
- assist the Controller by appropriate technical and organizational measures, insofar as possible and taking into account the nature of processing, to respond to data-subject requests (Section 8);
- assist the Controller in ensuring compliance with its obligations on security of processing, notification of a Personal Data Breach, data protection impact assessments, and prior consultation with a supervisory authority (Articles 32 to 36 GDPR), taking into account the nature of processing and the information available to StaffHero;
- notify the Controller of a Personal Data Breach as set out in Section 7;
- make available the information necessary to demonstrate compliance and allow for audits as described in Section 9.
6. Sub-processors
The Controller authorizes StaffHero to engage the subprocessors listed on our Subprocessors page (Annex 3). Each subprocessor is bound by data-protection terms no less protective than this DPA. We will give at least 30 days’ notice of intended additions or replacements, during which the Controller may object on reasonable data-protection grounds; if we can’t resolve the objection, the Controller may terminate the affected service.
StaffHero remains responsible for its sub-processors’ performance of their data-protection obligations.
7. Personal data breaches
StaffHero will notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting the Controller’s Personal Data. The notification will describe, to the extent known and as it becomes available, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it and mitigate its effects.
Where survey data is involved, the Controller (the employer) is responsible for any notification to data subjects and supervisory authorities; StaffHero will provide reasonable assistance so the Controller can meet those obligations. StaffHero’s notification of, or response to, a Personal Data Breach is not an acknowledgment of fault or liability.
8. Data-subject requests
Because surveys are designed to be anonymous to the Controller, StaffHero will assist the Controller in handling data-subject requests by appropriate technical and organizational measures, insofar as possible. Genuinely anonymized, aggregated data may not be attributable to an individual and therefore may not be subject to access or erasure.
If StaffHero receives a request directly from a data subject relating to the Controller’s Personal Data, it will, where lawful, refer the request to the Controller rather than respond itself, and will not disclose the Personal Data except on the Controller’s instructions or as required by law.
9. Audit
On reasonable written request (no more than once a year, unless required by a supervisory authority or following a Personal Data Breach), StaffHero will make available the information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR. This is satisfied through written responses, policies, summaries of measures, and the descriptions in Annex 2 and on our Security page. StaffHero does not hold a SOC 2 or ISO certification and does not represent that it does; audit rights under this Section are met by documentation and written responses rather than on-site inspection.
10. US state privacy laws (service provider terms)
This Section applies where the Customer is a “business” (or equivalent) and StaffHero is a “service provider” or “processor” under the CCPA or another US state privacy law. Terms in quotation marks have the meaning given in those laws.
StaffHero processes personal information only to provide the service under the Terms (the “business purpose”), and on the Customer’s behalf. StaffHero will not:
- “sell” or “share” personal information, and does not exchange it for money or other valuable consideration or for cross-context behavioural advertising;
- retain, use, or disclose personal information for any purpose other than the business purpose, or outside the direct business relationship with the Customer, except as permitted by law;
- combine personal information received from the Customer with personal information from any other source, except as permitted by the CCPA for a service provider; and
- pool one customer’s data with another’s, or use survey content to build any cross-customer dataset or benchmark or to train AI models.
StaffHero certifies that it understands and will comply with these restrictions. StaffHero will assist the Customer in responding to verifiable consumer requests and will notify the Customer if it determines it can no longer meet its obligations under Applicable Data Protection Law. The Customer may take reasonable and appropriate steps to stop and remediate unauthorized processing.
11. International transfers
Customer Data is stored in the region selected at signup (EU or US). Where a transfer of Personal Data is a Restricted Transfer, the parties rely on the following safeguards, which are incorporated into this DPA by reference:
- for transfers from the EEA, the EU Standard Contractual Clauses — Module Two (controller to processor) between the Controller and StaffHero, and Module Three (processor to processor) for onward transfers to Sub-processors;
- for transfers of UK data, the UK Addendum (or the IDTA where applicable) to the SCCs;
- for transfers of Swiss data, the SCCs as amended by the Swiss Federal Data Protection and Information Commissioner’s addendum (with references to the GDPR read as references to the FADP, and the Swiss authority as competent authority); and
- an adequacy decision where the destination country benefits from one, in which case the SCCs are not required for that transfer.
Annex 1 and Annex 2 supply the information required by the SCC appendices (parties, description of processing, and technical and organizational measures); the Subprocessors page (Annex 3) identifies the Sub-processors and their locations. Where the SCCs apply, they prevail over this DPA to the extent of any conflict, and their docking, audit, and option clauses operate consistently with Sections 6, 8, and 9 of this DPA.
12. Liability
Each party’s liability arising out of or related to this DPA, whether in contract, tort, or otherwise, is subject to the exclusions and limitations of liability in the Terms of Service. Any reference in those limitations to liability under the Terms includes liability under this DPA, and the parties’ aggregate liability across the Terms and this DPA is subject to a single combined cap as stated in the Terms. Nothing in this DPA limits any liability that cannot be limited under Applicable Data Protection Law, including a data subject’s rights.
13. General
We may update this DPA to reflect changes in the service, our Sub-processors, or Applicable Data Protection Law; we will update the “last updated” date and give notice of material changes, and we will not make changes that materially reduce the protections in this DPA without notice. The list of authorized Sub-processors is maintained on the Subprocessors page (Annex 3), which is kept current and forms part of this DPA. Except where the Standard Contractual Clauses require a different governing law or forum, this DPA is governed by, and disputes are resolved under, the governing law and dispute-resolution terms of the Terms of Service.
14. Return & deletion
On termination, and at the Controller’s choice, StaffHero will delete or return the personal data and delete existing copies within 30 days, unless retention is required by law. Backups are purged on a rolling basis (up to 30 days).
Annex 1 — Processing details
- Categories of data subjects: the Customer’s employees/contractors who are invited to respond; the Customer’s administrators.
- Categories of personal data: contact details (roster names/emails), survey responses and open-text comments, segment attributes the Customer defines (e.g. team, tenure; optionally gender/age), pseudonymous routing references.
- Special categories: not intentionally collected; open-text comments may incidentally contain sensitive information — handled under the confidentiality controls in Annex 2.
- Purposes of processing: providing the StaffHero anonymous survey and insights platform — collecting and aggregating employee feedback, generating the AI Leadership Brief, routing anonymous clarification threads, and supporting the Customer.
- Frequency: continuous for the duration of the service.
- Duration: for the term of the service to the Customer, plus the return-and-deletion period in Section 14 (within 30 days after termination; backups purged on a rolling basis up to 30 days).
For the purposes of the SCC appendices: Annex I.A (parties) is the Controller (Customer) as data exporter and GroundForm Software LLC as data importer; Annex I.B (description of transfer) is set out in this Annex 1; Annex I.C (competent supervisory authority) is the authority of the Controller’s EEA establishment, or where the Controller is not EEA-established, an authority determined under the SCCs (and the ICO for UK data, the FDPIC for Swiss data); and Annex II (technical and organizational measures) is set out in Annex 2.
Annex 2 — Technical & organizational measures
- Code-enforced confidentiality: identity references are stripped before any controller-facing screen, export, report, or API; results are suppressed below 5 responses and verbatim comments below 7, with a higher bar for small/sensitive segments.
- Encryption in transit; data at rest on managed Postgres; strict per-organization (tenant) isolation.
- Regional data residency (EU/US) routed by the organization’s home region.
- No IP logging against survey responses; ±60-second timestamp jitter; PII-free audit logging.
- Rate-limiting and abuse protection on public endpoints; least-privilege access for personnel; error monitoring with sensitive data redacted.
- Authentication and access management via a managed identity provider; administrator sessions are authenticated and access is least-privilege.
- Use of reputable managed sub-processors for hosting, database, and email, each bound by a data processing agreement (Annex 3); resilience and backups are provided by those managed services.
Annex 3 — Authorized subprocessors
The current list of authorized subprocessors, with purposes and locations, is maintained on our Subprocessors page and forms part of this DPA.
How to put this in place
This DPA applies automatically to customers who run surveys. If your organization needs a countersigned copy, contact hello@staffhero.com.
Related: Privacy · Terms · Cookies · DPA · Subprocessors · Refund · Security