This Data Processing Agreement ("DPA") forms part of the Terms of Service between Leavely ("Processor", "we", "us") and the customer organisation ("Controller", "you", "your") that uses the Leavely platform.
This DPA is governed by the laws of England and Wales and complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Leavely platform.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.
- "Data Subject" means the individual to whom the Personal Data relates, typically employees of the Controller.
- "Sub-Processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Scope and Purpose of Processing
2.1 Subject Matter
The Processor processes Personal Data on behalf of the Controller to provide the Leavely leave management platform, including leave request management, balance tracking, approval workflows, document storage, and related HR functions.
2.2 Categories of Data Subjects
- Employees of the Controller
- Managers and administrators designated by the Controller
2.3 Types of Personal Data
- Names and email addresses
- Job titles, departments, and organisational roles
- Leave requests, approvals, and balances
- Uploaded documents
- Audit log entries (actions, timestamps, IP addresses)
2.4 Duration
Processing continues for the duration of the Controller's subscription. Upon termination, data is handled in accordance with Section 9 of this DPA.
3. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law
- Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Section 5)
- Not engage another processor (Sub-Processor) without prior written authorisation of the Controller (see Section 6)
- Assist the Controller in responding to Data Subject requests (see Section 7)
- Assist the Controller in ensuring compliance with its obligations regarding data breach notification, data protection impact assessments, and prior consultation with supervisory authorities
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless storage is required by law
- Make available to the Controller all information necessary to demonstrate compliance with these obligations and allow for audits (see Section 8)
4. Obligations of the Controller
The Controller shall:
- Ensure it has a lawful basis for processing the Personal Data and has provided appropriate notices to Data Subjects
- Provide documented instructions to the Processor regarding the processing of Personal Data
- Comply with its obligations under applicable data protection legislation
5. Security Measures
The Processor implements the following technical and organisational measures to protect Personal Data:
- Encryption in transit: all data is encrypted using TLS 1.2 or higher
- Encryption at rest: database storage is encrypted at rest using AES-256
- Authentication: passwords are hashed using bcrypt; session tokens are secured with iron-session
- Access controls: role-based access control (RBAC) with four permission levels (Owner, Admin, Manager, Employee)
- Multi-tenancy isolation: all database queries are scoped by tenant ID, preventing cross-tenant data access
- Audit logging: all data modifications are recorded in an audit trail
- DDoS protection: provided by Cloudflare
- Incident response: documented breach notification procedures (see Section 7)
6. Sub-Processors
6.1 Authorised Sub-Processors
The Controller authorises the use of the following Sub-Processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Application hosting, CDN, and security | Global (EU region available) |
| Neon, Inc. | PostgreSQL database hosting | EU (AWS eu-west-1) |
| Resend, Inc. | Transactional email delivery | USA |
| Stripe, Inc. | Payment processing | USA / EU |
6.2 Changes to Sub-Processors
The Processor will notify the Controller at least 30 days before adding or replacing a Sub-Processor. The Controller may object to the change by providing written notice within 14 days. If the objection cannot be reasonably resolved, the Controller may terminate the agreement.
7. Data Subject Requests and Breach Notification
7.1 Data Subject Requests
The Processor will promptly notify the Controller if it receives a request from a Data Subject to exercise their rights under the UK GDPR. The Processor will assist the Controller in responding to such requests, including requests for access, rectification, erasure, data portability, and restriction of processing.
Organisation administrators can manage most Data Subject requests directly through the Leavely platform, including exporting employee data and deleting employee records.
7.2 Breach Notification
The Processor will notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach. The notification will include:
- A description of the nature of the breach
- The categories and approximate number of Data Subjects affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
8. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA. The Processor will:
- Make available all information necessary to demonstrate compliance with this DPA
- Allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller
- Provide reasonable notice (at least 30 days) for on-site audits, which shall be conducted during normal business hours and no more than once per year
9. Termination and Data Return
Upon termination of the subscription or this DPA:
- The Controller may request export of all Personal Data in a structured, machine-readable format (CSV or JSON) within 30 days of termination
- After the 30-day recovery period, the Processor will delete all Personal Data from its systems, including backups, within a further 30 days
- The Processor will provide written confirmation of deletion upon request
- Data that must be retained for legal or regulatory purposes will be securely stored and isolated from further processing
10. International Data Transfers
Where Personal Data is transferred outside the United Kingdom, the Processor ensures that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs
- Adequacy decisions where available
11. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law where such limitation is not permitted.
12. Governing Law
This DPA is governed by the laws of England and Wales. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
13. Contact
For questions about this DPA, please contact us at dpo@leavely.online.
See also our GDPR Compliance, Privacy Policy, and Terms of Service pages.