
Data Processing Agreement

Our Article 28 UK GDPR-compliant data processing terms

Last updated: 1 May 2025  ·  Version: 1.0

This Data Processing Agreement ("DPA") forms part of your agreement with Kore Payroll Limited and satisfies the requirements of Article 28 of UK GDPR. By using the Kore Payroll Service, you enter into this DPA.

1. Definitions

  • "Controller" means you, the Kore Payroll customer, who determines the purposes and means of processing personal data.
  • "Processor" means Kore Payroll Limited, which processes personal data on your behalf.
  • "Data Subject" means an identified or identifiable natural person whose personal data is processed.
  • "Personal Data" has the meaning given in UK GDPR Article 4(1).
  • "Processing" has the meaning given in UK GDPR Article 4(2).
  • "UK GDPR" means the UK General Data Protection Regulation as it forms part of UK law by virtue of the European Union (Withdrawal) Act 2018.
  • "Sub-processor" means any third party appointed by the Processor to carry out processing activities on behalf of the Controller.

2. Subject matter and nature of processing

Kore Payroll processes personal data as a data processor on your behalf, solely to provide the payroll and HR administration Service as set out in our Terms of Service. The processing activities include:

  • Storing and processing employee personal data (names, addresses, NI numbers, tax codes, bank details, salary information).
  • Calculating payroll, deductions, and statutory payments.
  • Submitting Real Time Information (RTI) to HMRC.
  • Generating payslips, P60s, P11Ds, and other employment documents.
  • Processing pension auto-enrolment data.
  • Maintaining an immutable audit log of all processing activities.

Categories of data subjects: Your employees, workers, and other individuals whose payroll you process.

Categories of personal data: Identity data (name, date of birth), contact data (address), national insurance numbers, tax codes, salary and financial data, bank account details, employment data, absence and health data (for statutory sick pay calculations).

Special categories: Health data (limited to that necessary for SSP and other statutory calculations). Processing of special category data is strictly limited to what is necessary for compliance with employment law obligations.

Duration: For the term of your subscription plus the retention period specified in our Privacy Policy.

3. Controller's obligations

You, as the Controller, warrant and undertake that:

  • You have a lawful basis under UK GDPR for all personal data you input into the Service.
  • You have provided all required notices to data subjects (employees) about the processing of their personal data, including informing them that their data is processed by Kore Payroll as your service provider.
  • The personal data you provide is accurate and up to date.
  • You have complied with all your obligations under UK GDPR and the Data Protection Act 2018.
  • Your instructions to us will at all times comply with data protection legislation.

4. Processor's obligations

As your data Processor, Kore Payroll undertakes to:

  • 4.1 Process only on documented instructions. Process personal data only on your documented instructions, including with regard to transfers to third countries (unless required to do so by applicable law).
  • 4.2 Confidentiality. Ensure that persons authorised to process personal data are bound by confidentiality obligations.
  • 4.3 Security. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including those described in Annex A to this DPA and in our Security Policy.
  • 4.4 Sub-processors. Not engage any sub-processor without your prior authorisation (general authorisation is given in Annex B). We will impose the same data protection obligations on sub-processors and remain liable for their performance.
  • 4.5 Data subject rights. Assist you in responding to data subject requests by providing appropriate technical and organisational measures, insofar as possible, for fulfilment of your obligation to respond to such requests.
  • 4.6 Assistance. Assist you in ensuring compliance with security obligations (Article 32), data breach notifications (Articles 33–34), data protection impact assessments (Article 35), and prior consultation (Article 36).
  • 4.7 Deletion or return. At your choice, delete or return all personal data to you after the end of the provision of services relating to processing, and delete existing copies unless required to retain them by applicable law.
  • 4.8 Audit rights. Make available to you all information necessary to demonstrate compliance with Article 28 of UK GDPR and allow for and contribute to audits and inspections conducted by you or a mandated auditor, subject to reasonable prior notice and confidentiality obligations.

5. Sub-processors

By accepting this DPA, you grant us general written authorisation to engage sub-processors. Current approved sub-processors are listed in Annex B. We will provide at least 30 days' notice of any new sub-processor appointment, giving you the opportunity to object.

6. International transfers

We store and process personal data in the United Kingdom. Where any transfer outside the UK is necessary (as described in our Privacy Policy), we ensure appropriate safeguards are in place (UK adequacy decision or UK International Data Transfer Agreements).

7. Security incidents and data breaches

We will notify you without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting your data. Our notification will include, to the extent possible: the nature of the breach, categories and approximate number of data subjects affected, categories and approximate number of personal data records affected, likely consequences, and measures taken or proposed.

8. Termination

On termination of our Services, we will retain your data for 90 days and make it available for export on request. Following this period, we will securely delete all personal data except where legal obligations require retention (e.g. HMRC audit trail requirements for up to 7 years).


Annex A — Technical and Organisational Security Measures

The following measures are implemented to protect personal data processed under this DPA:

  • Encryption at rest: AES-256 encryption for all stored data.
  • Encryption in transit: TLS 1.3 for all data transmitted between clients and our systems.
  • Access controls: Role-based access control (RBAC), principle of least privilege, multi-factor authentication available for all users.
  • Physical security: Data hosted in ISO 27001-certified UK data centres with physical access controls, CCTV, and 24/7 security.
  • Network security: Web application firewall (WAF), intrusion detection, DDoS mitigation.
  • Audit logging: Comprehensive, immutable audit log of all data access and modifications.
  • Vulnerability management: Regular automated vulnerability scanning and annual CREST-certified penetration testing.
  • Incident response: Documented incident response plan with defined roles, escalation procedures, and regulatory notification processes.
  • Employee security: Security awareness training for all staff, background checks for employees with access to production systems, binding confidentiality agreements.
  • Business continuity: Regular data backups, tested recovery procedures, and documented business continuity plan.
  • Data minimisation: Processing limited to what is necessary for the purpose specified.

Annex B — Approved Sub-processors

The following sub-processors are currently authorised to process personal data under this DPA:

  • Sub-processor: Amazon Web Services (UK)
    Purpose: Cloud hosting, database storage, file storage
    Location: United Kingdom (eu-west-2)
    Safeguards: UK GDPR DPA, ISO 27001
  • Sub-processor: Stripe, Inc.
    Purpose: Payment processing (billing data only)
    Location: UK/EU
    Safeguards: UK Standard Contractual Clauses, PCI DSS Level 1
  • Sub-processor: HMRC
    Purpose: RTI submission (on Controller's instruction)
    Location: United Kingdom
    Safeguards: Statutory obligation — HMRC is an independent controller for received data

We will provide at least 30 days' notice before adding any new sub-processor to this list.

Contact

For questions about this DPA or to exercise your rights as a Controller: dpo@korepayroll.co.uk

For customers requiring a countersigned DPA document for their own compliance records, please contact legal@korepayroll.co.uk.

Related: Privacy Policy · Security Policy · Terms of Service

© 2025 Kore Payroll Limited. All rights reserved.