Legal

Data Processing Agreement

Applies to all Mellow customers. Sets out our obligations as a data processor under UK GDPR Article 28.

Plain English summary: Mellow acts as a data processor on your behalf when handling your employees' personal data. You remain the data controller. This agreement sets out our obligations under UK GDPR Article 28.

1. Definitions

“Controller” means the Mellow customer (you); “Processor” means Mellow, operated by Saltcore Group Ltd (ICO registration: ZC144145); “Personal Data” has the meaning given in UK GDPR; “Sub-processor” means any third party appointed by Mellow to process Personal Data on your behalf.

2. Scope of processing

Mellow processes employee personal data (names, addresses, NI numbers, bank details, salary, absence records, performance data, and similar employment records) on behalf of the Controller for the purpose of delivering HR and payroll software services as described in the Terms of Service.

3. Processor obligations

Mellow shall: (a) process Personal Data only on documented instructions from the Controller; (b) ensure persons authorised to process Personal Data are bound by confidentiality; (c) implement appropriate technical and organisational security measures; (d) assist the Controller in meeting its data subject rights obligations; (e) delete or return all Personal Data on termination of services; (f) make available all information necessary to demonstrate compliance with UK GDPR Article 28; (g) notify the Controller without undue delay upon becoming aware of a Personal Data breach.

4. Sub-processors

Mellow uses the following categories of sub-processors to deliver the service: cloud infrastructure providers (EU-based), email delivery services, payment processors, and AI inference providers. A full list of current sub-processors is available on request. Mellow will provide at least 30 days' notice before engaging new sub-processors and imposes equivalent data protection obligations on all sub-processors.

5. International transfers

Mellow stores all employee Personal Data within EU-based infrastructure. Where sub-processors are located outside the UK or EEA, appropriate safeguards are in place (UK International Data Transfer Agreements or equivalent mechanisms).

6. Security measures

Mellow implements appropriate technical and organisational measures under UK GDPR Article 32, including: encryption of personal data at rest and in transit; access controls; audit logging; documented incident-response procedures; and regular security reviews and independent testing. Further detail is available to customers under NDA.

7. Data subject rights

Mellow provides functionality to assist the Controller in responding to data subject access, rectification, erasure, and portability requests. Mellow will forward any data subject requests received directly to the Controller without undue delay.

8. Termination and data deletion

Upon termination of the service agreement, Mellow will, at the Controller's election, return all Personal Data in a portable format or securely delete it within 30 days of termination, except where retention is required by applicable law (e.g. HMRC payroll record retention obligations).

9. Governing law

This DPA is governed by the laws of England and Wales. Disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Questions about this DPA?

Get in touch at hello@mellowhr.com.

Saltcore Group Ltd — ICO ZC144145Privacy PolicyTerms of ServiceCookie Policy