Data Processing Agreement
Last updated: May 23, 2026
This Data Processing Agreement (“DPA”) is incorporated by reference into the ParsleyHR Terms of Service and applies wherever ParsleyHR processes personal data on behalf of a Customer. Capitalized terms not defined here have the meanings given in the Terms of Service.
For a signed copy of this DPA - including Standard Contractual Clauses where required - email legal@parsleyhr.com and we will send a countersigned copy within one business day.
1. Definitions
“Personal Data” means any information relating to an identified or identifiable natural person that Customer uploads or generates within the ParsleyHR Service (primarily: job applicant names, contact details, resumes, and hiring notes).
“Controller” means the party that determines the purposes and means of processing Personal Data. “Processor” means the party that processes Personal Data on behalf of the Controller.
“Applicable Data Protection Law” means GDPR, UK GDPR, CCPA/CPRA, and any other data-protection legislation that applies to the processing described in this DPA.
2. Roles
With respect to Personal Data that Customer submits to the Service, Customer is the Controller and ParsleyHR is the Processor. With respect to account and billing data that ParsleyHR holds about Customer’s employees or administrators, ParsleyHR is the Controller; the ParsleyHR Privacy Policy governs that processing.
3. Scope and purpose of processing
ParsleyHR processes Personal Data only to provide and improve the Service in accordance with Customer’s documented instructions - primarily, storing and displaying applicant data so Customer can manage its hiring process. ParsleyHR will not process Personal Data for any other purpose without Customer’s explicit consent, except where required by law.
4. Customer instructions
Customer’s use of the Service constitutes its instructions to ParsleyHR to process Personal Data as described in this DPA. If ParsleyHR believes an instruction would violate Applicable Data Protection Law, it will notify Customer promptly and may decline to carry out that instruction.
5. Technical and organizational security measures
ParsleyHR maintains technical and organizational measures appropriate to the risk, including:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest.
- Principle of least privilege: production system access is restricted to a small, named set of engineers and is reviewed regularly.
- Multi-factor authentication on all privileged accounts and admin systems.
- Audit logging of access to Personal Data.
- Vendor risk reviews for all sub-processors prior to onboarding.
- A documented incident response process.
A current Technical and Organizational Measures (TOMs) document is available on request at legal@parsleyhr.com.
6. Confidentiality
ParsleyHR ensures that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations and have received training on data protection requirements.
7. Sub-processors
ParsleyHR uses a limited set of sub-processors to provide the Service, including providers for cloud hosting, payment processing, transactional email, customer support tooling, and analytics. A current list is available on request. ParsleyHR will give Customer at least 14 days’ prior written notice (via email or in-product) before engaging a new sub-processor. If Customer objects to a new sub-processor on reasonable data-protection grounds and ParsleyHR cannot accommodate the objection, Customer may terminate the relevant subscription without penalty by notifying us within 14 days.
8. International data transfers
ParsleyHR primarily stores and processes Personal Data in the United States. Where Personal Data originating in the EEA, UK, or Switzerland is transferred to the United States or another country without an adequacy decision, ParsleyHR relies on the EU Standard Contractual Clauses (Module Two: Controller to Processor, or as applicable) and the UK International Data Transfer Addendum, supplemented by the technical measures described in Section 5. Executed SCCs are included in the signed DPA available on request.
9. Data subject rights
If ParsleyHR receives a request from a data subject exercising rights under Applicable Data Protection Law (access, rectification, erasure, portability, restriction, or objection), ParsleyHR will promptly forward the request to Customer and reasonably assist Customer in responding, taking into account the nature of the processing and the information available to ParsleyHR. Customer is responsible for responding to data subject requests.
10. Personal data breach notification
ParsleyHR will notify Customer without undue delay, and in any event within 72 hours of becoming aware, of a personal data breach affecting Customer’s Personal Data. The notification will include, to the extent then known, a description of the breach, the categories and approximate volume of data affected, likely consequences, and the measures taken or proposed to address the breach.
11. Data protection impact assessments
Where required by Applicable Data Protection Law, ParsleyHR will provide Customer with reasonable assistance in conducting a data protection impact assessment relating to the processing under this DPA.
12. Return or deletion of Personal Data
Upon termination or expiry of the Terms of Service, or upon Customer’s written request, ParsleyHR will - at Customer’s election - return or securely delete all Personal Data it holds on Customer’s behalf, within 90 days, except where retention is required by applicable law. ParsleyHR will certify deletion in writing upon request.
13. Audit rights
Customer may, upon reasonable written notice and no more than once per calendar year, request documentation demonstrating ParsleyHR’s compliance with this DPA. ParsleyHR will provide relevant certifications, audit reports (ISO 27001, SOC 2, or equivalent, when available), or written responses to reasonable compliance questionnaires. On-site audits require ParsleyHR’s prior written consent and are subject to a confidentiality agreement.
14. Order of precedence
In the event of any conflict between this DPA and the Terms of Service, this DPA takes precedence solely with respect to the processing of Personal Data. In the event of a conflict between this DPA and the Standard Contractual Clauses, the SCCs take precedence.
15. Contact
For DPA-related questions or to request a signed copy, email legal@parsleyhr.com.