Data Processing Agreement
Last updated: April 16, 2026
[BRACKETS] must be updated before execution.
How to execute this DPA
If you are a Customer (“Controller”) that processes personal data of individuals located in the EEA, UK, or other privacy-regulated jurisdictions using the Perch Service, this DPA applies to that processing. By (a) accepting our Terms of Service and (b) uploading personal data into the Service, you and Perch agree to this DPA. A countersigned copy is available on request — email privacy@onperch.co with your legal entity name and billing email.
1. Parties and Definitions
This DPA is between you (the “Customer” or “Controller”) and Perch, operated by [LEGAL ENTITY NAME] (the “Processor” or “Perch”). Terms such as personal data, processing, data subject, controller, processor, and supervisory authority have the meanings given in the EU General Data Protection Regulation 2016/679 (“GDPR”) and, where applicable, the UK GDPR and Data Protection Act 2018.
2. Scope and roles
Perch processes personal data on behalf of the Customer to provide the Perch Service under the Terms. In relation to this processing, the Customer is the Controller and Perch is the Processor. The Customer alone determines the purposes and means of processing Customer Data.
3. Details of processing
Subject matter: provision of the Perch shift-scheduling Service.
Duration: the term of the Customer’s subscription, plus any additional period during which Customer Data is retained in accordance with the Terms and Privacy Policy.
Nature and purpose: storage, organization, display, transmission, and deletion of personal data to enable shift scheduling, workforce management, staff communications, and related services.
Types of personal data:
- Identity data: name, profile image (if provided)
- Contact data: email address, phone number (if provided)
- Employment data: role/position, qualifications, availability, preferences, pay-rate notes (if entered by the Customer)
- Schedule data: shifts, breaks, time-off requests, attendance
- Usage data: login times, feature usage, IP address, browser fingerprint
Categories of data subjects:
- The Customer’s administrators, managers, and account holders
- The Customer’s employees, contractors, or other staff whose schedules are managed in Perch
Special categories (GDPR Art. 9): none intended. The Customer shall not upload special-category data (health, religion, biometrics, etc.) without first putting in place additional safeguards and notifying Perch in writing.
4. Customer instructions
Perch shall process Customer personal data only on the Customer’s documented instructions, including with regard to transfers of personal data to a third country or international organization. The Terms, this DPA, and the Customer’s use of the Service’s features constitute the Customer’s documented instructions. If Perch cannot comply with an instruction, Perch shall promptly notify the Customer.
Perch shall immediately inform the Customer if, in its opinion, an instruction infringes applicable data-protection law.
5. Confidentiality
Perch ensures that persons authorized to process Customer personal data have committed themselves to confidentiality (whether by contract or by statutory duty) and access personal data only on a need-to-know basis.
6. Security (GDPR Art. 32)
Perch implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit (TLS) and at rest (where supported)
- Logical access controls including least-privilege role-based access and mandatory authentication
- Segregation of Customer data in multi-tenant databases with programmatic access controls
- Regular review of security practices of sub-processors
- Audit logging of administrative and billing actions
- Incident-response procedures, including for detection, escalation, and notification
- Business continuity measures appropriate to the Service
A current security-measures summary is available on request. Perch may update these measures from time to time, provided the updates do not materially diminish the overall level of security.
7. Sub-processors
The Customer authorizes Perch to engage the sub-processors listed in our Privacy Policy to process Customer personal data. Perch shall:
- Enter into a written agreement with each sub-processor imposing data-protection obligations no less protective than those in this DPA;
- Remain fully liable to the Customer for the performance of each sub-processor’s obligations;
- Notify the Customer of intended changes to the sub-processor list at least 30 days in advance. The Customer may object to a new sub-processor on reasonable data-protection grounds. If the parties cannot agree on an alternative within a reasonable period, the Customer may terminate the affected portion of the Service and receive a pro-rated refund for any pre-paid fees.
8. Assistance with data subject requests
Taking into account the nature of the processing, Perch shall assist the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer’s obligation to respond to requests from data subjects to exercise their rights (access, rectification, erasure, restriction, portability, objection).
Perch provides self-service tools for administrators to access, correct, and delete staff data within the application. For requests that cannot be fulfilled via self-service, the Customer may contact privacy@onperch.co.
If Perch receives a data-subject request directly, Perch shall promptly redirect the request to the Customer without responding substantively, except as necessary to identify the relevant Customer.
9. Personal data breach (GDPR Art. 33)
Perch shall notify the Customer without undue delay (and in any case within 72 hours) after becoming aware of a personal data breach affecting Customer Data. The notification shall include, to the extent known:
- The nature of the breach, including categories and approximate numbers affected
- Contact details of Perch’s point of contact
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
Perch shall cooperate with the Customer and provide reasonable assistance in the Customer’s obligations under Art. 33 and Art. 34. Perch’s notification of a breach is not an acknowledgment of fault or liability.
10. DPIA assistance (GDPR Art. 35-36)
Perch shall provide reasonable assistance to the Customer in carrying out data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of processing and information available to Perch.
11. International transfers
Where Perch transfers Customer personal data out of the EEA, UK, or Switzerland to a country not covered by an adequacy decision, such transfer is made subject to appropriate safeguards, including:
- The EU Standard Contractual Clauses (Commission Decision 2021/914), incorporated by reference (Module 3 — processor to processor, or Module 2 — controller to processor — as applicable), which both parties agree to execute on request;
- The UK International Data Transfer Addendum and/or the UK International Data Transfer Agreement, where transfer involves UK personal data;
- Supplementary measures as needed, including encryption and contractual restrictions on sub-processor access.
12. Return or deletion of data
Upon termination of the Services and at the Customer’s choice, Perch shall delete or return all personal data processed on behalf of the Customer, and delete existing copies, unless applicable law requires continued storage. Absent instruction, Perch shall delete Customer Data within 90 days of termination.
Backups containing Customer Data will be retained only for the minimum period required by our backup rotation and then deleted in the ordinary course.
13. Audits (GDPR Art. 28(3)(h))
Perch shall make available to the Customer all information necessary to demonstrate compliance with the obligations in this DPA, and allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer. Audits shall:
- Be conducted no more than once per year, unless required by law or by a supervisory authority, or following a verified security breach;
- Be scheduled at least 30 days in advance;
- Be conducted during normal business hours in a manner that minimizes disruption;
- Be subject to reasonable confidentiality obligations including non-disclosure of commercially sensitive information;
- Be at the Customer’s own expense.
Perch may satisfy audit obligations by providing recent third-party attestations (e.g., SOC 2 or ISO 27001 reports of sub-processors, or security-measures summaries) where reasonably responsive to the audit scope.
14. Order of precedence
In the event of conflict between documents, the following order of precedence applies: (1) the EU Standard Contractual Clauses (where incorporated); (2) this DPA; (3) the Terms of Service; (4) any other agreement between the parties.
15. Term and termination
This DPA takes effect on the date the Customer first uploads personal data into the Service and remains in effect until all Customer Data has been deleted or returned in accordance with Section 12. Termination of the Terms of Service for any reason also terminates this DPA, except that obligations which by their nature should survive shall survive.
16. Limitation of liability
Each party’s liability under this DPA is subject to the limitations of liability set forth in the Terms of Service, unless otherwise required by applicable law.
17. Governing law
This DPA is governed by the same law as the Terms of Service, subject to any mandatory law protecting data subjects in their country of residence.
Contact
Data-protection inquiries: privacy@onperch.co.