Data Processing Addendum (DPA-SL)
For: HRMS (SaaS) — Shilpa Advisors | Version: 1.0 | Effective date: [●]
This Data Processing Addendum (“DPA”) forms part of the Master Services Agreement / Subscription Order / Terms (the “Agreement”) between [Client Legal Name] (“Controller”) and Shilpa Advisors (“Processor”) for use of Shilpa Advisors HRMS (the “Services”).
1. Roles, Scope, and Order of Precedence
- 1.1 Roles. For HRMS employee data, Client is the Controller and Shilpa Advisors is the Processor under Sri Lanka’s PDPA.
- 1.2 Scope. Processor will process personal data solely to provide, secure, and support the Services as described in Annex I.
- 1.3 Precedence. If this DPA conflicts with the Agreement, this DPA governs data-protection matters.
2. Controller Instructions
- Processor will process personal data only on documented instructions from the Controller.
- Processor will promptly inform Controller if an instruction appears unlawful.
3. Confidentiality & Personnel
- Processor ensures all personnel with access to data are bound by confidentiality and trained in data protection.
- Access is limited strictly to personnel on a need-to-know basis.
4. Security (Technical & Organisational Measures)
Processor maintains appropriate TOMs (see Annex II) including role-based access, encryption, backups, and incident response.
5. Sub-Processors
Controller authorises the sub-processors listed in Annex III. Processor will impose equivalent data-protection terms and notify Controller of any material changes.
6. Assistance to Controller
Processor will assist with data-subject requests and DPIAs, and will provide documentation demonstrating compliance.
7. Personal Data Breaches
Processor will notify Controller without undue delay of any breach and share incident details and mitigation steps.
8. International Transfers
Processor will apply safeguards consistent with PDPA for cross-border data transfers and identify the hosting regions upon request.
9. Return & Deletion of Data
Data can be exported at any time. Upon termination, Processor deletes personal data within 60 days (subject to legal retention requirements).
10. Audits
Controller may request compliance evidence annually or post-incident, under confidentiality.
11. Liability & Indemnity
Liability aligns with the Agreement, except as prohibited by law.
12. Term & Termination
This DPA remains in force while data is processed. Confidentiality and deletion terms survive termination.
13. Governing Law & Venue
This DPA is governed by the laws of Sri Lanka, under the exclusive jurisdiction of the courts of Colombo.
Annex I — Data & Processing Details
| Item | Details |
|---|---|
| Subject Matter & Duration | Processing of HRMS employee data during the subscription term plus backup retention. |
| Nature & Purpose | Provision, operation, and support of HRMS including authentication, attendance, payroll, payslips, and compliance exports. |
| Types of Personal Data | Employee master data, attendance logs, payroll data (earnings, deductions, EPF/ETF/APIT), documents (payslips, bank files), and access logs. |
| Categories of Data Subjects | Employees, contractors, trainees, and limited administrators of the Controller. |
| Controller Obligations | Maintain lawful basis, employee transparency, configure HRMS policies, and verify payroll outputs. |
Annex II — Technical & Organisational Measures (TOMs)
| Control Area | Measures Implemented |
|---|---|
| Access Controls | Role-based access, least privilege, strong passwords, session timeouts, MFA (if enabled). |
| Encryption | TLS 1.2+ in transit; AES-256 at rest; managed via cloud KMS. |
| Network Security | Segmented VPC, firewall/WAF, regular patching, secret management, code review. |
| Data Integrity & Availability | Daily encrypted backups; tested restores; RPO ≤ 24h, RTO ≤ 8h; DR runbooks. |
| Logging & Monitoring | Centralized logs (access, admin, auth); anomaly alerts; NTP time-sync. |
| Vendor Management | Sub-processor DPAs; regional data hosting; annual reviews. |
| Personnel & Training | Confidentiality agreements; onboarding/offboarding; annual security awareness. |
| Physical Security | Cloud data-center controls (ISO 27001, SOC 2); no on-prem processing. |
| Incident Management | Vulnerability scanning, remediation SLAs, playbooks, post-mortems for P1 incidents. |
| Privacy by Design | Data minimization, configurable retention, anonymised test data, masking. |
Annex III — Sub-Processor Register
| Sub-Processor | Service / Role | Data Processed | Primary Region |
|---|---|---|---|
| AWS (EC2/RDS/S3) | Hosting, databases, object storage | HRMS data, logs, backups | ap-south-1 / ap-southeast-1 |
| SendGrid / Mailgun | Transactional email delivery | Recipient email, metadata | Global |
| Vercel | Marketing site / blog hosting | IP, HTTP metadata | Global edge |
| Sentry (optional) | Error monitoring | Pseudonymous logs | EU / US |
| WhatsApp Gateway (optional) | Notifications / support | Phone numbers, message metadata | EU / US |
| Google Analytics (GA4) | Website analytics | Cookie IDs, truncated IPs | Global |
Change Management: Updates will be posted at /legal/subprocessors with prior notice to HRMS customers for objection rights as applicable.
Annex IV — Incident Notification Template
| Field | Details / Description |
|---|---|
| Time Discovered / Contained | [Insert timestamps and detection summary] |
| Systems Affected | [Modules or regions impacted] |
| Nature of Incident | [Confidentiality / Integrity / Availability issue] |
| Data Types & Volume | [Categories and approximate record count] |
| Consequences | [Likely impact on individuals or Controller] |
| Measures Taken | [Technical / organisational mitigation actions] |
| Recommended Controller Actions | [Any follow-up required by Controller] |
| Next Update Schedule | [Date/time for further updates until closure] |