Data Processing Addendum

The contract for handling employee data.

This addendum sits inside our Terms of Service and governs what we do with the personal data of your employees when you put it into People. Your organisation is the Controller. Kahloon, LLC is the Processor.

Effective: May 28, 2026
Entity: Kahloon, LLC (Delaware, USA)

01. Roles and definitions

"Customer" means the organisation that has signed up for a workspace. "Kahloon" means Kahloon, LLC, the operator of People. "Customer Personal Data" means personal data that Customer (or its users) submits to or generates in the workspace. Terms such as "Controller", "Processor", "Data Subject", "Personal Data", and "Processing" have the meanings given in the General Data Protection Regulation, used here as a common reference vocabulary regardless of which data-protection law applies.

The Customer is the Controller of Customer Personal Data. Kahloon, LLC is the Processor. The Master accepts this DPA on behalf of the Customer organisation when creating the workspace.

02. Scope, subject matter and duration

Kahloon processes Customer Personal Data only to provide and support People as described in the Terms of Service. The subject matter of processing is workforce-record management. Processing continues for the duration of the workspace and ends as described in Section 11 (Return or deletion).

03. Customer instructions

Kahloon will process Customer Personal Data only on documented instructions from Customer. The workspace's configuration (settings, user roles, uploaded content) and these Terms together constitute Customer's documented instructions. Customer may give further written instructions; Kahloon will follow them unless they would breach applicable law or these Terms, in which case Kahloon will tell Customer.

04. Confidentiality of personnel

Kahloon ensures that anyone authorised to process Customer Personal Data on its behalf is bound by a duty of confidentiality and is granted only the access needed for their role.

05. Security

Kahloon will implement and maintain the technical and organisational measures listed in Annex 3, which are appropriate to the risk presented by the processing.

06. Sub-processors

Customer grants Kahloon a general authorisation to engage sub-processors. The current list is in Annex 1. Kahloon will give Customer at least 14 days' notice of any intended addition or replacement of a sub-processor (in the product or by email to the Master). Customer may object on reasonable data-protection grounds within that notice period; if Kahloon cannot accommodate the objection, Customer may terminate the affected workspace and, to the extent any fees have been prepaid, receive a pro-rated refund.

Kahloon imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA and remains liable to Customer for the acts and omissions of its sub-processors.

07. Data-subject requests

Where People provides self-service tools (e.g. employee record edit/delete by an admin), Customer should use those tools to fulfil data-subject requests. If a data subject contacts Kahloon directly with a request relating to Customer Personal Data, Kahloon will refer them to Customer without taking action on the request, unless the law requires otherwise.

Kahloon will provide reasonable assistance to Customer in responding to data-subject requests, taking into account the nature of the processing and the information available to Kahloon. Kahloon will also provide reasonable assistance with data-protection impact assessments and prior consultations with supervisory authorities, on the same basis.

08. Breach notification

Kahloon will notify Customer without undue delay, and in any event within 72 hours of confirming a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent then known, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed.

09. Audits

Once per 12-month period, Customer (or a mutually acceptable independent auditor bound by confidentiality) may audit Kahloon's compliance with this DPA on reasonable prior notice and during normal business hours. To minimise burden, Kahloon may satisfy this obligation by providing copies of relevant third-party certifications, attestations or recent audit reports. Customer bears its own audit costs.

10. International transfers

Customer Personal Data is hosted in Microsoft Azure's West US 3 region (United States). Where the transfer of Customer Personal Data to a country outside the data subject's jurisdiction requires an additional safeguard under applicable law, the parties will put one in place (for example, the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, or an equivalent mechanism), and that safeguard will be deemed incorporated into this DPA upon execution.

11. Return or deletion

On termination of the workspace, Kahloon will, at Customer's choice, return Customer Personal Data via the in-product export tools or delete it. Active-tier deletion occurs within 30 days of termination, except to the extent retention is required by law. Customer Personal Data residing only in rolling cloud-platform backups (Azure point-in-time-recovery) ages out within a further 7 days; for that interval the data is not used to provide the Service and is subject to the same access controls as production data.

12. Liability and governing law

Each party's liability arising out of or relating to this DPA is subject to the limitation of liability in the Terms of Service. This DPA is governed by the laws of the State of Delaware, United States, and is subject to the same dispute-resolution and jurisdiction terms as the Terms of Service.

Annex 1: Sub-processors
Sub-processor | Processing activity & location
Microsoft Corporation: Azure App Service, PostgreSQL Flexible Server, Blob Storage, Key Vault, Communication Services (transactional email from noreply@kahloon.com); Entra ID only for tenants that have opted in to Microsoft federated sign-in. | Hosting, database, document storage, secret management, email delivery, and (where enabled) federated identity. Region: West US 3 (United States).
GitHub, Inc. (a Microsoft subsidiary) | Source-code hosting and CI/CD build pipelines. Repositories do not contain Customer Personal Data; build environments handle deployment secrets and build artefacts.
GoDaddy Operating Company, LLC | Domain registrar and authoritative DNS for kahloonfoundation.org and kahloon.com. Holds WHOIS administrative-contact records and DNS query metadata.
Annex 2: Categories of data and subjects
Categories of data subjects: Customer's employees, contractors, candidates, and former employees whose records are entered into the workspace; Customer's administrators and users of People.
Categories of Customer Personal Data (typical): Name, work email, employee role, department, employee class, government identifier (e.g. CNIC; encrypted at rest), bank account / IBAN (encrypted at rest), salary & payroll computations, leave balances and records, attendance events, uploaded HR documents (policies, ID copies, employment contracts), and audit-log entries about access to the above.
Special categories of personal data: Customer should not upload special-category data (e.g. health, biometric, religious) unless Kahloon has agreed in writing in advance.
Frequency: Continuous for the duration of the workspace.
Nature & purpose: Hosting, storage, retrieval, computation, transmission and deletion in service of workforce administration.
Annex 3: Technical and organisational measures
A. Access control

  • Multi-tenant isolation enforced at the database layer using PostgreSQL row-level security, with the application connection role (app_user) subject to RLS policies that key off the current tenant context (set per request and scoped to the transaction).
  • Least-privilege Postgres roles: session lookups use a dedicated app_session_reader role with SELECT-only access on sessions and app-users; the customer-admin role used for migrations is never used for runtime traffic.
  • Role-based access control inside People (Master, HR, Manager, Employee, External) with employee self-service permissions restricted to the data of the signed-in user and their direct reports.
B. Encryption

  • Transport: HTTPS / TLS 1.2+ for all client-facing and inter-service traffic.
  • At rest: full database encryption via Azure-managed keys; uploaded documents stored in Azure Blob Storage with server-side encryption.
  • Application-level envelope encryption (Key-Vault-managed key) for selected identifier fields: CNIC, bank account number, IBAN.
  • Magic-link tokens are stored only as SHA-256 hashes; raw tokens never persist to the database.
C. Pseudonymisation and minimisation

  • Application APIs return redacted versions of encrypted identifiers by default (e.g. last-4 digits + a "has-value" flag); full decryption requires the user to hold the Master or HR role and is recorded in the audit log.
D. Operational security

  • Per-IP rate-limiting on authentication and signup endpoints.
  • The session cookie is HttpOnly, Secure, SameSite=Lax; absolute 8-hour lifetime from sign-in (no sliding renewal).
  • Centralised audit log of sensitive data access and administrative actions, retained for the life of the workspace plus 1 year.
  • Secrets stored in Azure Key Vault; the application reads secrets via managed identity, never via committed configuration.
E. Availability and resilience

  • Managed Postgres with point-in-time-recovery enabled (Azure default 7-day window).
  • Daily backups via the Azure platform; documented restore procedure.
  • Infrastructure-as-code records (migration files, deployment configuration) maintained in source control with change history.
F. People and process

  • Personnel with access to production are bound by confidentiality obligations.
  • Production credentials are rotated on personnel changes.
  • Vulnerability reports may be submitted via our contact form; coordinated disclosure is welcome.

Questions about this DPA?

Reach us via our contact form

Mail: Kahloon, LLC · 1111B S Governors Ave STE 21913 · Dover, DE 19904 · United States