SalaryCube Data Processing Addendum



SalaryCube, Inc.

support@salarycube.com

May 1st, 2025


Data Processing Addendum

This Data Processing Addendum (“Addendum”) forms part of the SalaryCube Terms of Service (the “Agreement”) between SalaryCube, Inc., a California corporation (“Processor” or “SalaryCube”), and the entity that accepted the Agreement (“Controller” or “Customer”). This Addendum applies to the extent Processor Processes Personal Data on behalf of Controller in providing the Services.


1. Definitions

“Applicable Data Protection Laws” means all privacy and data protection laws and regulations that apply to the Processing, including the GDPR, UK GDPR, and CCPA/CPRA.

“GDPR” means EU Regulation 2016/679.

“UK GDPR” means the UK equivalent of the GDPR as incorporated into UK law.

“CCPA/CPRA” means the California Consumer Privacy Act (as amended by the California Privacy Rights Act).

“Personal Data,” “Controller,” “Processor,” “Process/Processing,” and “Data Subject” have the meanings given in the Applicable Data Protection Laws.


2. Scope & Roles

(a) Subject Matter & Duration. Processor will Process Personal Data solely to provide the Services for the Subscription Term (and any renewal) under the Agreement, and will delete or return Personal Data as described in Section 8.

(b) Nature & Purpose of Processing. Cloud-based salary benchmarking, compensation analytics, survey data normalization, reporting, aggregated market analysis, and related support services.

(c) Data Subjects. Customer’s employees, contractors, job applicants, and other personnel for whom compensation data is provided.

(d) Types of Personal Data. Job title/role, compensation elements (base salary, bonus, equity grants/bands), geographic region/location, department/function, experience level, and hashed or pseudonymized employee identifiers. Processor does not require or collect names, government-issued IDs, contact details, or other direct personal identifiers. Processor will not attempt to re-identify Data Subjects from hashed or pseudonymized identifiers.

(e) Data Minimization. Processor processes only the minimum Personal Data necessary for compensation benchmarking and market analysis purposes. Customer should avoid providing unnecessary personal identifiers.

(f) Roles. Controller is the data controller; SalaryCube is the data processor.


3. Processor Obligations

  1. Instructions. Processor will Process Personal Data only on documented instructions from Controller (including this Addendum and the Agreement), unless required by applicable law.
  2. Confidentiality. Processor ensures that persons authorized to Process Personal Data are bound by appropriate confidentiality obligations.
  3. Security. Processor implements the technical and organizational measures described in Schedule 1 to protect Personal Data against unauthorized access, disclosure, alteration, or destruction.
  4. Sub-processors.
    • Current sub-processors are listed in Schedule 2.
    • SalaryCube may engage additional sub-processors with at least 30 days’ advance written notice to Customer via email.
    • Customer may object to new sub-processors within 15 days of notice. If Customer objects and the parties cannot resolve the objection, Customer may terminate the affected Services.
    • All sub-processors are contractually bound to data protection obligations substantially similar to this Addendum.
    • SalaryCube will audit sub-processors’ compliance with data protection requirements on a regular basis or upon Controller request if required by applicable law.
  5. Data Subject Rights. Processor will assist Controller by appropriate technical and organizational measures to respond to Data Subject requests under Applicable Data Protection Laws, including requests for access, rectification, erasure, restriction, and portability.
  6. Impact Assessments & Consultation. Processor will use reasonable commercial efforts to provide information reasonably required by Controller for data protection impact assessments or consultations with supervisory authorities.
  7. Breach Notification. Processor will notify Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting Controller’s Personal Data and will reasonably cooperate in breach response and remediation efforts.
  8. Audits. Processor will make available an independent third-party security assessment report covering the prior 12-month period or a penetration-test report annually upon reasonable request. Controller agrees to review the most recent independent assessment report and written responses before requesting an on-site audit. Controller may conduct additional audits of Processor’s compliance once per year (or more frequently if required by law) upon 30 days’ written notice, subject to reasonable confidentiality obligations and operational limitations.

4. Controller Obligations

Controller represents and warrants that it: (i) has a lawful basis for Processing Personal Data under Applicable Data Protection Laws; (ii) will not instruct Processor to violate Applicable Data Protection Laws; (iii) has provided appropriate notices to Data Subjects regarding the Processing; and (iv) has obtained any required consents from Data Subjects.


5. Cross-Border Transfers

Where Personal Data is transferred outside the European Economic Area or United Kingdom to a country without an adequacy decision from the European Commission or UK authorities, the parties shall automatically be deemed to have executed the Standard Contractual Clauses (Commission Decision 2021/914, Module Two: Controller to Processor) or UK International Data Transfer Addendum (UK IDTA), as applicable, upon accepting this Addendum. Controller acts as “Data Exporter” and Processor acts as “Data Importer.” The details in Sections 2-3 of this Addendum populate the required appendices to such transfer mechanisms. A countersigned copy of the SCCs/IDTA is available upon written request.


6. California-Specific Terms

For purposes of the CCPA/CPRA, Processor acts as a “Service Provider” or “Contractor” as defined therein. Processor will not: (i) sell, share, or use Personal Data for cross-context behavioral advertising; (ii) retain, use, or disclose Personal Data for any purpose other than providing the Services specified in the Agreement; or (iii) combine Personal Data with data received from another source, except as permitted under CCPA/CPRA. Processor certifies that it understands and will comply with the restrictions set out in Cal. Civ. Code §§ 1798.140(j)(1) and 1798.140(ag)(1).


7. Aggregated Data Rights

Subject to Applicable Data Protection Laws, Processor may create aggregated, anonymized datasets from Personal Data that cannot reasonably be used to identify Controller, any Data Subject, or any individual (“Aggregated Data”). Processor retains all rights to use, analyze, and commercialize such Aggregated Data for benchmarking, market research, product improvement, and similar business purposes. This Section survives termination of the Agreement.


8. Termination & Data Deletion

Upon termination of the Services or upon Controller’s written request, Processor will delete or return Personal Data within 30 days, unless longer retention is required by applicable law. Aggregated Data created in accordance with Section 7 is not subject to deletion requirements. Evidence of Personal Data deletion will be provided upon Controller’s written request.


9. Liability

The liability limitations and exclusions in the Agreement apply to this Addendum, except where prohibited by Applicable Data Protection Laws or where damages arise from Processor’s material breach of this Addendum.


10. Miscellaneous

This Addendum supplements and forms part of the Agreement. In case of conflict between this Addendum and the Agreement, this Addendum prevails with respect to Personal Data Processing matters. This Addendum may only be modified in writing signed by both parties, except that SalaryCube may update Schedules 1-2 with reasonable advance notice.


Schedule 1 – Technical and Organizational Security Measures

Data Security

  • Encryption: Personal Data encrypted in transit using TLS 1.2+ and at rest using AES-256 or equivalent
  • Access Controls: Role-based access with principle of least privilege and multi-factor authentication
  • Infrastructure: Production systems hosted on ISO 27001-certified cloud infrastructure with network segmentation

Organizational Measures

  • Policies: Information security policies and procedures aligned with ISO 27001 framework
  • Training: Regular security awareness training for personnel with access to Personal Data
  • Background Checks: Appropriate background screening for personnel handling Personal Data

Monitoring & Testing

  • Monitoring: 24×7 security monitoring with Security Information and Event Management (SIEM) systems
  • Vulnerability Management: At least quarterly vulnerability scans and annual penetration testing by qualified third parties
  • Logging: Comprehensive audit logging of system access and data processing activities. Logs retained for a minimum of 12 months.

Business Continuity

  • Backups: Automated daily backups with 30-day retention period
  • Disaster Recovery: Recovery Point Objective (RPO) ≤ 24 hours; Recovery Time Objective (RTO) ≤ 12 hours
  • Incident Response: Documented incident response procedures with defined escalation paths

Schedule 2 – Sub-processors

Sub-processor                          | Service                            | Location
---------------------------------------|------------------------------------|---------------
Microsoft Azure Cloud Services, Inc.   | Cloud hosting and infrastructure   | United States
Google LLC                             | Email and productivity services    | United States
[Additional sub-processors will be listed here as engaged]

Note: SalaryCube will update this Schedule with 30 days’ advance notice when engaging new sub-processors.


Acceptance

By entering into the Agreement, clicking to accept these terms, or continuing to use the Services on or after the “Last updated” date above, Customer agrees to be bound by this Data Processing Addendum. No separate signature is required for this Addendum to be legally binding.

If Customer’s procurement policies require a signed DPA, SalaryCube will provide an identical execution copy upon written request. Such signed copy will be deemed to supersede and replace this Addendum once executed by both parties.


Last Updated: May 1, 2025