1. Our GDPR Commitment
Dapplon (operated by Dapplon Private Limited) is committed to GDPR compliance. We have implemented technical and organisational measures to protect personal data processed through our platform, which serves customers in 45+ countries.
Key technical and organisational measures include:
- Encryption at rest and TLS 1.3 in transit, with 90-day key rotation via AWS KMS.
- Access control: RBAC, SSO/SAML 2.0, enforced MFA, and full audit logging.
- Contractual safeguards: Standard Contractual Clauses for EU transfers, included on request.
- Data residency: option to store all EU customer data within AWS Ireland (eu-west-1).
2. Our Role: Controller vs Processor
For EU/EEA customers, Dapplon acts as a Data Processor when processing your employees' HR data on your behalf, and as a Data Controller for data collected directly from website visitors and for our own business operations. Our Data Processing Agreement (DPA) formalises this relationship.
3. Data Subject Rights
The six GDPR data subject rights listed below are supported for employees and end users on the Dapplon platform. Submit requests to [email protected]. We respond within 30 days of receipt.
- Right of access (Art. 15): request a copy of all personal data we hold about you as a data subject, including the purposes of processing and any third parties it has been shared with.
- Right to rectification (Art. 16): request correction of inaccurate or incomplete personal data without undue delay. We action verified rectification requests within 30 days.
- Right to erasure (Art. 17): request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where consent has been withdrawn, or where processing is unlawful.
- Right to data portability (Art. 20): receive a machine-readable copy of your personal data in a structured, commonly used format (JSON or CSV) and transmit it to another controller.
- Right to object (Art. 21): object at any time to processing of your personal data for direct marketing, or where processing is based on legitimate interests or a public task.
- Right to restriction of processing (Art. 18): request that we limit how we use your personal data, for example while you contest its accuracy, or where processing is unlawful but you oppose erasure and request restriction instead.
4. Legal Bases for Processing
We identify a specific legal basis under Article 6 GDPR for each category of processing we carry out as Data Controller.
| Legal Basis | GDPR Article | When We Rely On It |
|---|---|---|
| Contract | Art. 6(1)(b) | Processing necessary to perform the HR SaaS subscription agreement with you (the Customer). |
| Legitimate Interest | Art. 6(1)(f) | Product improvement analytics, fraud prevention, and security monitoring for website visitors and trial users. |
| Legal Obligation | Art. 6(1)(c) | Retaining financial records, responding to court orders, complying with tax and employment regulations. |
| Consent | Art. 6(1)(a) | Marketing emails, optional product research participation, and placement of non-essential cookies on our website. |
5. Data Processing Agreement
Our DPA meets the Article 28 requirements of GDPR Chapter IV and is the instrument under which Dapplon processes Customer Data on your documented instructions.
The Dapplon DPA covers the subject-matter and duration of processing, the nature and purpose of processing, the type of personal data, the categories of data subjects, and the obligations and rights of both parties. It includes our sub-processor list, technical and organisational security measures, data breach notification obligations, data subject rights assistance, audit rights, and data deletion on termination.
For customers who transfer EU/EEA personal data to Dapplon infrastructure outside the EU, the DPA incorporates the EU Commission's Standard Contractual Clauses (Decision 2021/914), Module 2 (Controller-to-Processor). For transfers from the UK, we use the UK International Data Transfer Agreement (IDTA).
6. Sub-Processors
Dapplon maintains a transparent list of all sub-processors. Customers will be notified at least 30 days before any new sub-processor is added.
| Sub-Processor | Country | Purpose | Safeguard |
|---|---|---|---|
| Amazon Web Services (AWS) | Ireland (EU) | Primary cloud infrastructure and data storage | AWS DPA + SCCs |
| Google Ireland Limited | Ireland (EU) | Workspace productivity and analytics services | Google DPA + SCCs |
| Stripe, Inc. | United Kingdom | International payment processing | Stripe DPA + UK IDTA |
| Intercom, Inc. | United States | Customer support and in-app messaging | Intercom DPA + SCCs |
| Cloudflare, Inc. | United States | CDN, WAF, and DDoS protection | Cloudflare DPA + SCCs |
7. International Data Transfers
For transfers of EU/EEA personal data to third countries without an adequacy decision (including the United States), Dapplon relies on the EU Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor) per Decision 2021/914. These are incorporated into our DPA and our sub-processor agreements. We conduct Transfer Impact Assessments (TIAs) for all third-country transfers.
EU/EEA customers may elect to have all their primary customer data stored exclusively in AWS's Ireland (eu-west-1) region. Disaster recovery and backup data then also remain within the EU. This option is available on Advance and Plus plans. Contact [email protected] to configure EU-only residency.
For transfers from the UK, Dapplon uses the UK International Data Transfer Agreement (IDTA), issued by the UK Information Commissioner's Office under Section 119A of the Data Protection Act 2018. Our UK DPA addendum is available on request from [email protected].
8. Data Breach Notification
As your Data Processor, if Dapplon becomes aware of a personal data breach affecting your Customer Data, we will notify you without undue delay and in any event within 24 hours of becoming aware. Our breach notification will include the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
As Data Controller for your own employees' data, you (the Customer) are responsible for notifying your lead supervisory authority within 72 hours of becoming aware of a breach (GDPR Article 33). Dapplon will provide you with all information necessary to make this notification in a timely manner. Where a breach is likely to result in high risk to individuals, affected data subjects must also be notified without undue delay (Article 34).
9. Data Retention Periods
We retain personal data only for as long as necessary for the stated purpose or as required by law. The periods below cover data Dapplon holds as Data Processor on Customer instructions (HR, payroll, audit and security logs) and data it holds as Data Controller (support, website analytics, marketing, contract and billing records).
| Data Type | Retention Period |
|---|---|
| Employee HR Records | Duration of contract + 7 years |
| Payroll Data | Duration of contract + 7 years (statutory) |
| Audit Logs | 2 years from creation |
| Support Ticket Data | 3 years from ticket closure |
| Website Analytics | 26 months (anonymised after 13 months) |
| Marketing Contact Data | Until opt-out or 3 years of inactivity |
| Contract & Billing Records | 7 years (financial regulation) |
| Security Event Logs | 1 year from event date |
On termination of your subscription, Dapplon provides a 30-day data export window. Customer Data is securely deleted within 90 days of subscription end, unless legally required to retain it.
10. Contact Our DPO
Our Data Protection Officer is available to answer your GDPR questions and can provide a signed DPA for your records.
- Data Protection Officer: [email protected]
- Privacy enquiries: [email protected]
- Post: Data Protection Officer, Dapplon Private Limited, 5th Floor, WeWork Platina, C-59, G Block, Bandra Kurla Complex, Mumbai, Maharashtra 400051, India