Data Processing Addendum

Data Processing Addendum

We have updated our Data Processing Addendum (“DPA”) in accordance with Article 28 – which now contains additional provisions to assist our customers with their compliance with the General Data Protection Regulation. Usage of BizMerlinHR is governed by BizMerlinHR’s online Terms of Service.  If your organization is located in the EU, or if your state law requires, this Data Processing Addendum is automatically incorporated into the Terms of Service, and applies to its processing of personal data, and covers GDPR.

Just as BizMerlinHR is not able to negotiate its Terms of Service, it is not able to negotiate this Data Processing Addendum.  You enter into a legally binding contract with BizMerlinHR as a data processor.

This BizMerlinHR Data Processing Addendum (“Addendum”) amends the BizMerlinHR Terms of Service (the “Agreement”) by and between you and BizMerlinHR, a US corporation with registered offices at 11710 Plaza America Dr, Suite 2000, Reston, VA, 20190 and forms part of the Master Services Agreement or Terms of Service available at or such other location as the Terms of Service may be posted from time to time (as applicable, the “Agreement”), entered into by and between the Customer and BizMerlinHR, pursuant to which Customer has accessed BizMerlinHR’s services as defined in the applicable Agreement.

The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Legislation as defined below. This DPA shall not replace or supersede any agreement or addendum relating to the processing of personal data negotiated by the Customer and referenced in the Agreement, and any such individually negotiated agreement or addendum shall apply instead of this DPA. Should you require further information, you can make a request to

  1. Definitions

(a) “Data Protection Legislation” means European Directives 95/46/EC and 2002/58/EC, and any legislation and/or regulation implementing or made pursuant to them, or which amends or replaces any of them (including the General Data Protection Regulation, Regulation (EU) 2016/679);

(b) “Data Processor”, “Data Subject”, “Processor”, “Processing”, “Sub-Processor”, and “Supervisory Authority” shall be interpreted in accordance with applicable Data Protection Legislation;

(c) Personal Data means any information relating to an identified or identifiable natural person (‘Data Subject’), which information is subject to the GDPR or the laws of non-EU EEA countries that have formally adopted the GDPR; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2. Processing Details

The subject matter of BizMerlinHR’s data processing is employee records and company’s HR processes: all information that the employer tracks in the system.  This information is retained for the duration that the employer chooses to track. The nature and the purpose of the processing are controlled by the employer.

3. Data Protection

3.1. Where a Data Subject is located in the European Economic Area, that Data Subject’s Personal Data will be processed by BizMerlinHR and as part of providing the Services, this Personal Data may be transferred to other regions, including to the United States. Such transfers will be completed in compliance with relevant Data Protection Legislation.

3.2. When BizMerlinHR Processes Personal Data in the course of providing the Services, BizMerlinHR will:

3.2.1. process the Personal Data as a Data Processor, only for the purpose of providing the Services in accordance with documented instructions from you (provided that such instructions are commensurate with the functionalities of the Services), and as may subsequently be agreed to by you. If BizMerlinHR is required by law to Process the Personal Data for any other purpose, BizMerlinHR will provide you with prior notice of this requirement, unless BizMerlinHR is prohibited by law from providing such notice;

3.2.2. notify you if, in BizMerlinHR ’s opinion, your instruction for the processing of Personal Data infringes applicable Data Protection Legislation;

3.2.3. notify you without undue delay, to the extent permitted by law, upon receiving an inquiry or complaint from a Data Subject or Supervisory Authority relating to BizMerlinHR’s Processing of the Personal Data;

3.2.4. implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized access, unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage, or theft of Personal Data and appropriate to the nature of the Personal Data which is to be protected;

3.2.5. notify you without undue delay upon becoming aware of and confirming any accidental, unauthorized, or unlawful processing of, disclosure of, or access to the Personal Data;

3.2.6. ensure that its personnel who access the Personal Data are subject to confidentiality obligations that restrict their ability to disclose the Customer Personal Data; and

3.2.7. upon termination of the Agreement, BizMerlinHR will promptly initiate its purge process to delete or anonymize the Personal Data.

3.3 in the course of providing the Services, you acknowledge and agree that BizMerlinHR may use Sub-Processors to Process the Personal Data. BizMerlinHR’s use of any specific Sub-Processor to process the Personal Data must be in compliance with Data Protection Legislation and must be governed by a contract between BizMerlinHR and Sub-Processor. For a list of sub-processors please visit:

4. Technical and Organizational Measures

4.1 Provider will implement and maintain technical and organizational measures to ensure a level of security appropriate to the risk. The appropriateness of the measures is subject to technical progress and further development. Provider shall regularly monitor its compliance with the respective technical and organizational measures and will verify this monitoring upon recipient’s request.

4.2 If changes to the technical and organizational measures agreed by the parties in writing or to the manner in which Provider implements these technical and organizational measures are required by Recipient, such changes shall be implemented by the Provider following Recipient’s instructions.

4.3 Provider provides Recipient with sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the Data Subjects, as described in “Commitment to GDPR” at

5. Assistance and Records

5.1 Taking into account the nature of Processing, Provider will assist Recipient by appropriate technical and organizational measures in the fulfillment of Recipient’s and/or Other Controllers’ obligation to comply with the rights of Data Subjects and in ensuring compliance with Recipient’s and/or Other Controllers’ obligations relating to the security of processing, the notification of a Personal Data Breach and the data protection impact assessment, taking into account the information available to Provider.

5.2 Provider will maintain an up-to-date record of the name and contact details of each Sub-Processor of the Recipient Personal Data and, where applicable, the Sub-Processors’ representative and data protection officer. Upon request, the Provider will provide an up-to-date copy of this record to the Recipient.

6. Sub-Processors

6.1 In addition to the sub-processors, BizMerlinHR application can also be integrated with other third-party applications and add ons by using the API key/auth token of BizMerlinHR and/or the third party application.  Such integrations are at the discretion of the customer, and the use of those third party applications is governed by the terms and conditions agreed by and between the customer and those application owners.

6.2 Recipient hereby explicitly approves the engagement of the sub-processors listed in the list of Sub-Processors. As noted on that document, use of some sub-processors is optional. Recipient’s use of any feature or API which requires use of a sub-processor, is to be construed as Recipient’s consent to such sub-processing. Provider will notify Recipient in advance of any addition to sub-processors at least 30 days in advance unless such notice period is practically or legally infeasible. Recipients shall not unreasonably object to any intended change. However, an objection from a Recipient that is based on any Other Controllers’ objection of the respective sub-processor shall always be considered as reasonable grounds to object.

6.3 Provider shall impose the same data protection obligations as set out in this DPA on any approved Subprocessor prior to the Sub-Processor Processing any Recipient Personal Data and ensure that the relevant obligations (including but not limited to the information and audit rights provided for in Section “Audit”) can be directly enforced by Recipient or Other Controllers against the Provider’s Sub-Processors.

6.4 Provider remains responsible for its sub-processors and liable for their acts and omissions as for its own acts and omissions and any references to Provider’s obligations, acts and omissions in this DPA shall be construed as referring also to the Provider’s Sub-Processors.

7. Audit

BizMerlinHR shall make available, upon Client’s written request and at Client’s expense, information necessary to demonstrate compliance with this EU Data Processing Addendum. If EU Data Protection Laws require BizMerlinHR to provide Client with access to BizMerlinHR’s facilities or information, then BizMerlinHR shall permit Client to audit BizMerlinHR’s compliance with the data security and data protection obligations under this EU Data Processing Addendum. The client may request such an audit no more than once in each twelve (12) month period and such audit shall be conducted during regular business hours. In order to request an audit of BizMerlinHR’s facilities and information, Client shall (a) notify BizMerlinHR in writing thirty (30) days in advance, detailing the dates and duration of the audit and the identity and the qualifications of the auditor, (b) agree in writing with BizMerlinHR on the scope of the audit and the security and confidentiality controls required for access to the information, facilities or processes in scope of such audit and (c) cause such auditor to sign a non-disclosure agreement that is satisfactory to BizMerlinHR with BizMerlinHR. BizMerlinHR may object to any external auditor if, in BizMerlinHR’s reasonable opinion, the auditor is not qualified, does not have an appropriate security clearance, is a competitor to BizMerlinHR, or is not independent. If BizMerlinHR objects to the identity or qualifications of any proposed auditor, BizMerlinHR shall provide reasons for such objection and Client will be required to propose another auditor. All information provided or made available to Client or its auditor pursuant to such audit shall be considered BizMerlinHR’s Confidential Information.

8. Miscellaneous

8.1 In the event of any conflict or inconsistency between the provisions of the Agreement and this Addendum, the provisions of this Addendum shall prevail. For the avoidance of doubt and to the extent allowed by applicable law, any and all liability under this Addendum, including limitations thereof, will be governed by the relevant provisions of the Agreement. You acknowledge and agree that BizMerlinHR may amend this Addendum from time to time by posting the relevant amended and restated Addendum on BizMerlinHR’s website, and such amendments to the Addendum are effective as of the date of posting. Your continued use of the Services after the amended Addendum is posted to BizMerlinHR’s website constitutes your agreement to, and acceptance of, the amended Addendum. If you do not agree to any changes to the Addendum, do not continue to use the Service.

8.2 Save as specifically modified and amended in this Addendum, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern this Addendum. If any provision of the Addendum is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this Addendum shall remain operative and binding on the parties.

8.3 The terms of this Addendum shall be governed by and interpreted in accordance with the laws of the State of Commonwealth of Virginia and the laws of the United States applicable therein, without regard to principles of conflicts of laws. The parties irrevocably and unconditionally submit to the exclusive jurisdiction of the courts of the State of Virginia with respect to any dispute or claim arising out of or in connection with this Addendum.

Need a signed Addendum? 

BizMerlinHR’s data protection agreement (DPA) is incorporated into BizMerlinHR’s Terms of Service and automatically takes effect.

There is no need to sign any additional agreement.