Data Processing Addendum (DPA)
Effective Date: July 2, 2026
This Data Processing Addendum (“DPA”) forms part of and supplements any agreement (“Agreement”) between Howard Employee Services (“Processor,” “Service Provider,” “we,” “our,” or “us”) and the client receiving services (“Controller,” “Customer,” or “you”) where Howard Employee Services processes Personal Data on behalf of the Customer.
If there is a conflict between this DPA and the Agreement regarding the processing of Personal Data, the terms of this DPA shall govern with respect to such processing.
1. Purpose
The purpose of this DPA is to establish each party’s responsibilities regarding the processing of Personal Data in connection with services provided by Howard Employee Services, including but not limited to:
- Payroll administration
- Human resources administration
- Employee benefits administration
- Workers’ compensation administration
- Compliance support
- Risk management services
- Human capital management support
- Employer consulting services
- Related administrative services
2. Definitions
For purposes of this DPA:
Applicable Privacy Laws means all applicable data protection and privacy laws governing the processing of Personal Data, including, where applicable:
- General Data Protection Regulation (GDPR)
- UK GDPR
- California Consumer Privacy Act (CCPA), as amended by the CPRA
- Other applicable U.S. state privacy laws
- Other applicable international privacy laws
Controller means the entity that determines the purposes and means of processing Personal Data.
Processor means Howard Employee Services when processing Personal Data on behalf of the Controller.
Personal Data means information relating to an identified or identifiable natural person as defined under applicable privacy laws.
Processing includes collecting, recording, storing, organizing, using, transmitting, disclosing, deleting, or otherwise handling Personal Data.
Subprocessor means any third party engaged by Howard Employee Services to assist in providing contracted services.
3. Scope
This DPA applies whenever Howard Employee Services processes Personal Data solely on behalf of the Customer under the Agreement.
This DPA does not apply when Howard Employee Services acts as an independent Controller under applicable law.
4. Roles of the Parties
The parties acknowledge that:
- The Customer acts as the Controller (or Business, where applicable).
- Howard Employee Services acts as the Processor (or Service Provider/Contractor, where applicable).
- Each party remains responsible for complying with obligations imposed by applicable privacy laws.
5. Processing Instructions
Howard Employee Services shall process Personal Data only:
- In accordance with documented instructions from the Customer;
- As necessary to perform the contracted services;
- To comply with applicable law; or
- As otherwise permitted under the Agreement.
If Howard Employee Services believes an instruction violates applicable privacy laws, we may notify the Customer before carrying out the instruction, unless prohibited by law.
6. Categories of Personal Data
Depending upon the services provided, Personal Data processed may include:
- Employee names
- Employer information
- Contact information
- Email addresses
- Telephone numbers
- Mailing addresses
- Payroll information
- Compensation information
- Tax withholding information
- Benefits enrollment information
- Employment status
- Job titles
- Government-issued identification numbers, where necessary
- Banking information required for payroll processing
- Timekeeping information
- Emergency contact information
- Other employment-related information provided by the Customer
The Customer is responsible for determining which Personal Data is submitted for processing.
7. Categories of Data Subjects
Personal Data may relate to:
- Employees
- Former employees
- Job applicants
- Contractors
- Temporary workers
- Company representatives
- Dependents and beneficiaries, where applicable
- Other individuals identified by the Customer
8. Purpose of Processing
Howard Employee Services processes Personal Data solely for purposes such as:
- Payroll administration
- Benefits administration
- HR support
- Employment record management
- Regulatory compliance
- Workers’ compensation administration
- Tax reporting support
- Customer support
- Service delivery
- Other services requested by the Customer
9. Confidentiality
Howard Employee Services shall ensure that personnel authorized to process Personal Data:
- Are subject to confidentiality obligations;
- Receive appropriate privacy and security training;
- Access Personal Data only as necessary to perform assigned duties.
10. Information Security
Howard Employee Services maintains reasonable administrative, technical, and physical safeguards designed to protect Personal Data against unauthorized:
- Access
- Disclosure
- Alteration
- Destruction
- Loss
- Misuse
Security measures may include, where appropriate:
- Access controls
- Role-based permissions
- Password management
- Encryption where appropriate
- Secure data transmission
- Security monitoring
- Employee training
- Vendor oversight
- Incident response procedures
- Data backup practices
Because no security system is completely secure, Howard Employee Services cannot guarantee absolute security.
11. Subprocessors
Howard Employee Services may engage Subprocessors to assist in delivering contracted services.
Examples include:
- Cloud hosting providers
- Payroll software providers
- Benefits administration platforms
- IT service providers
- Customer relationship management (CRM) providers
- Security vendors
- Document management providers
- Email service providers
Howard Employee Services shall require Subprocessors to maintain appropriate contractual obligations regarding confidentiality and data protection.
Howard Employee Services remains responsible for the performance of its Subprocessors as required by applicable law.
12. International Transfers
Where Personal Data is transferred internationally, Howard Employee Services will take reasonable steps to ensure appropriate safeguards are implemented when required under applicable law.
Such safeguards may include:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions
- Other lawful transfer mechanisms
13. Assistance with Data Subject Requests
To the extent legally required and reasonably possible, Howard Employee Services will assist the Customer in responding to requests from individuals relating to:
- Access
- Correction
- Deletion
- Restriction
- Data portability
- Objection to processing
- Withdrawal of consent
- Other rights available under applicable law
Howard Employee Services may refer requests directly to the Customer when appropriate.
14. Security Incidents
Howard Employee Services will notify the Customer without undue delay after becoming aware of a confirmed Security Incident affecting Personal Data processed under this DPA, where notification is required by applicable law.
Notification may include:
- Nature of the incident
- Categories of affected information, if known
- Steps taken to investigate
- Mitigation efforts
- Recommended actions, if applicable
Not every attempted unauthorized event constitutes a reportable Security Incident.
15. Customer Responsibilities
The Customer agrees to:
- Collect Personal Data lawfully.
- Provide required privacy notices.
- Obtain necessary consents where applicable.
- Ensure processing instructions comply with applicable law.
- Submit only Personal Data reasonably necessary for requested services.
- Respond to requests from data subjects unless otherwise agreed.
16. Data Retention and Deletion
Howard Employee Services shall retain Personal Data only as long as reasonably necessary to:
- Perform contracted services;
- Meet legal obligations;
- Resolve disputes;
- Enforce contractual rights; or
- Maintain appropriate business records.
Upon termination of services, Howard Employee Services may delete or return Personal Data in accordance with the Agreement, legal obligations, and standard record retention practices.
Backup copies retained through normal disaster recovery processes may remain until overwritten in the ordinary course of business.
17. Audits
Where required by applicable law and subject to reasonable confidentiality protections, Howard Employee Services may provide information reasonably necessary for the Customer to demonstrate compliance with this DPA.
Any audit rights shall:
- Be conducted upon reasonable notice;
- Occur during normal business hours;
- Avoid unreasonable disruption;
- Protect confidential information of other customers;
- Be subject to mutually agreed confidentiality obligations.
Howard Employee Services may satisfy audit requests by providing third-party security reports or certifications where appropriate.
18. Compliance with Applicable Privacy Laws
Each party shall comply with applicable privacy laws to the extent those laws apply to its activities under the Agreement.
Nothing in this DPA shall require either party to violate applicable law.
19. Limitation of Liability
The liability of each party under this DPA shall be subject to the limitations of liability contained in the underlying Agreement, unless prohibited by applicable law.
20. Term and Termination
This DPA becomes effective on the date Personal Data is first processed under the Agreement and remains in effect for as long as Howard Employee Services processes Personal Data on behalf of the Customer.
Termination of the Agreement shall automatically terminate this DPA, except for provisions that by their nature survive termination.
21. Governing Law
This DPA shall be governed by the governing law specified in the Agreement.
If no governing law is specified, this DPA shall be governed by the laws of the State of Florida, without regard to conflict of law principles.
22. Order of Precedence
If any conflict exists between this DPA and the Agreement concerning the processing of Personal Data, this DPA shall control with respect to those matters.
23. Amendments
Howard Employee Services may update this DPA as necessary to reflect:
- Changes in applicable privacy laws;
- Regulatory guidance;
- Industry best practices; or
- Changes in our services.
Material revisions will become effective in accordance with the Agreement or upon publication where applicable.
24. Contact Information
Questions regarding this Data Processing Addendum may be directed to:
Howard Employee Services
Website: https://www.howardemployeeservices.com/
Please use the contact information available on our Website for privacy or data protection inquiries.
Related Documents
This Data Processing Addendum should be read together with our:
- Privacy Policy
- Cookie Policy
- Terms of Use
- Accessibility Statement
- Acceptable Use Policy
- Copyright & DMCA Policy
- General Website Disclaimer
Where applicable, these documents collectively describe Howard Employee Services’ privacy, security, and website governance practices.
