Data Processing Addendum (DPA)
Effective date
June 01, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between Dhi ADT (legal entity: ADT Nederland B.V., Queens Towers, Delflandlaan 1, 1062 EA Amsterdam, Netherlands, KvK: 76553426, VAT: NL860671707B01) ("Processor", "Dhi ADT", "we", "us") and the Customer ("Controller", "Customer", "you"), and governs the processing of Personal Data in connection with the services provided by Dhi ADT (the "Services").
This DPA is intended to satisfy the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 ("EU GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection ("Swiss FADP"), and other applicable data protection laws (together, "Data Protection Laws"). Its structure aligns with commonly adopted enterprise DPA frameworks used by leading SaaS, HR, payroll, and workforce management providers.
1. Purpose
The parties acknowledge that, in connection with the Services, Dhi ADT may process Personal Data on behalf of the Customer. This DPA establishes the responsibilities of each party regarding the processing and protection of that Personal Data, and forms part of the Master Services Agreement, EOR Agreement, or Payroll Services Agreement between the parties (the "Main Agreement").
2. Definitions
For the purposes of this DPA:
| Controller | means the entity determining the purposes and means of processing Personal Data – in this case, the Customer. |
| Processor | means the entity processing Personal Data on behalf of the Controller – in this case, Dhi ADT. |
| Personal Data | means any information relating to an identified or identifiable natural person. |
| Data Subject | means the individual to whom Personal Data relates. |
| Processing | means any operation performed on Personal Data, including collection, recording, storage, use, disclosure, erasure, or destruction. |
| Sub-processor | means any third party engaged by Dhi ADT to process Personal Data on behalf of the Customer. |
| Supervisory Authority | means the Autoriteit Persoonsgegevens (AP), the Dutch Data Protection Authority, as the lead supervisory authority for Dhi ADT under the GDPR's one-stop-shop mechanism, or such other supervisory authority as may have competent jurisdiction. |
| Security Incident | means any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. |
| SCCs | means the Standard Contractual Clauses adopted by the European Commission under Article 46(2)(c) GDPR for international data transfers, including, where applicable, the UK International Data Transfer Addendum and any equivalent mechanism recognised under the Swiss FADP. |
Any capitalised terms not defined herein shall have the meaning given under the GDPR.
3. Roles of the Parties
The Customer acts as the Data Controller. Dhi ADT acts as the Data Processor and shall process Personal Data solely on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country, unless otherwise required by applicable law – in which case Dhi ADT shall inform the Customer of that legal requirement before processing, unless that law prohibits such notice.
4. Nature and Purpose of Processing
Dhi ADT processes Personal Data solely for the purpose of providing:
- Employer of Record (EOR) services
- Global Payroll services
- Immigration and work permit support
- Workforce administration
- HR and employee lifecycle management
- Compliance and reporting services
Categories of Data Subjects may include employees, contractors, job applicants, client representatives, and dependants or beneficiaries where applicable.
Categories of Personal Data may include identification information, contact information, employment information, payroll and compensation information, immigration documentation, tax and social security information, and benefits-related information.
Special categories of Personal Data, such as health data relating to sick leave, or nationality and immigration status data, are processed only where strictly necessary for the Services and with appropriate additional safeguards.
5. Confidentiality
Dhi ADT shall ensure that all personnel authorised to process Personal Data are subject to a binding duty of confidentiality, whether by contract or statutory obligation, and receive appropriate privacy and security training.
6. Security Measures
Dhi ADT maintains appropriate technical and organisational measures, in accordance with Article 32 GDPR, designed to protect Personal Data against unauthorised access, disclosure, alteration, loss, or destruction.
| Encryption | Personal Data is encrypted at rest (AES-256) and in transit using TLS 1.2 or higher. |
| Access Control | Role-Based Access Control (RBAC), Multi-Factor Authentication (MFA), and least-privilege access principles are implemented. |
| Infrastructure Security | Services are hosted on secure cloud infrastructure within the European Union, with network monitoring, firewalls, and intrusion detection in place. |
| Data Minimisation | Only Personal Data necessary to deliver the Services is collected and processed. |
| Backup & Recovery | Encrypted backups are performed regularly and recovery procedures are maintained. |
| Incident Response | Documented procedures exist for identifying, managing, and reporting Security Incidents within 72 hours of awareness. |
| Staff Training | Personnel receive regular privacy, GDPR, and information security awareness training. |
| Vendor Management | Sub-processors undergo due diligence and are subject to contractual data protection obligations no less protective than this DPA. |
| Pseudonymisation | Applied where appropriate and technically feasible. |
Dhi ADT periodically reviews and updates these measures to reflect industry standards and regulatory requirements, provided any such update does not reduce the overall level of protection of Personal Data.
7. Sub-processors
The Customer provides general written authorisation for Dhi ADT to engage Sub-processors for the purposes described in this DPA.
Dhi ADT shall:
- Conduct appropriate due diligence prior to engaging any Sub-processor.
- Enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set out in this DPA.
- Remain fully liable to the Customer for the performance of its Sub-processors' obligations.
- Maintain a current list of Sub-processors, available at adtsolution.com/sub-processors or on request.
- Give the Customer at least 30 days' prior written notice of any new Sub-processor or replacement Sub-processor.
The Customer may object to a new Sub-processor within 14 days of notice, on reasonable grounds relating to data protection. If the parties cannot resolve the objection in good faith, Dhi ADT shall either not engage the Sub-processor or, where this is not possible, either party may terminate the affected Services on 30 days' written notice, in which case Dhi ADT shall refund any prepaid fees covering the remainder of the term for the terminated Services.
8. International Data Transfers
Personal Data is primarily hosted and processed within the European Economic Area (EEA). Where Personal Data is transferred outside the EEA, the United Kingdom, or Switzerland – including to the United States – Dhi ADT shall ensure appropriate safeguards are in place, including one or more of:
- The Standard Contractual Clauses (SCCs) adopted by the European Commission, incorporated by reference into this DPA, with the Customer as "data exporter" and Dhi ADT as "data importer".
- The UK International Data Transfer Addendum, for transfers subject to the UK GDPR.
- Equivalent safeguards recognised under the Swiss FADP, for transfers subject to Swiss law.
- Adequacy decisions issued by the European Commission, UK government, or Swiss Federal Council, where applicable.
- Binding Corporate Rules, where applicable.
Where required, Dhi ADT shall conduct and document Transfer Impact Assessments prior to transferring Personal Data to third countries and make these available to the Customer upon request. In the event of a conflict between this DPA and the SCCs, the SCCs shall prevail.
9. Data Subject Rights
Dhi ADT shall provide reasonable assistance to enable the Customer to respond to requests from Data Subjects relating to access, rectification, erasure, restriction, portability, and objection. Upon receiving a Data Subject request relating to Personal Data processed under this DPA, Dhi ADT shall forward the request to the Customer without undue delay, and shall not respond directly except where legally required to do so.
10. Personal Data Breaches
Dhi ADT shall notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident affecting Personal Data processed under this DPA. Such notification shall include, to the extent available:
- The nature of the breach, including the categories and approximate number of Data Subjects and records affected.
- The likely consequences of the breach.
- Mitigation measures taken or proposed.
- Contact details for further information.
The Customer is responsible for notifying the Autoriteit Persoonsgegevens (AP), or other competent supervisory authority, of any Security Incident as required under Article 33 GDPR. Dhi ADT shall provide all reasonable assistance to the Customer in preparing such notification.
contact_support
Autoriteit Persoonsgegevens (AP)
PO Box 93374, 2509 AJ The Hague, Netherlands
Tel: +31 (0)70 888 85 00
autoriteitpersoonsgegevens.nl
11. Return and Deletion of Data
Upon termination or expiry of the Main Agreement, Dhi ADT shall, at the Customer's choice, securely delete or return all Personal Data within 30 days, and shall provide written confirmation of deletion upon request, unless retention is required by applicable law. Obligations of confidentiality and security under this DPA shall survive termination for a period of 5 years.
12. Audit and Compliance
Upon the Customer's written request, with at least 30 days' prior notice, Dhi ADT shall make available information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits conducted by the Customer or a third-party auditor bound by appropriate confidentiality obligations. Audits shall be conducted during normal business hours and shall minimise disruption to Dhi ADT's operations. The Customer shall bear all reasonable costs of any audit unless it reveals material non-compliance by Dhi ADT.
13. Liability
Liability arising out of or in connection with this DPA, including the SCCs where applicable, shall be governed by the limitation of liability provisions in the applicable Services Agreement, except to the extent such limitations are not permitted under Data Protection Laws or the SCCs. Nothing in this DPA or the Services Agreement limits or excludes either party's liability towards a Data Subject under the SCCs or Data Protection Laws.
14. Order of Precedence
In the event of a conflict between this DPA and the Services Agreement with respect to the processing of Personal Data, this DPA shall prevail. In the event of a conflict between this DPA and the SCCs, the SCCs shall prevail.
15. Governing Law and Jurisdiction
This DPA is governed by the laws of the Netherlands, and the parties submit to the exclusive jurisdiction of the competent courts of the Netherlands, except where the SCCs designate a different governing law or forum, in which case the SCCs prevail on that point.
16. Severability and Amendments
If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall remain in full force and effect. No amendment to this DPA is effective unless in writing and signed by both parties, except that Dhi ADT may update its Sub-processor list and security measures in accordance with Sections 6 and 7 above, provided this does not reduce the overall level of protection of Personal Data.