Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Master Services Agreement or Terms of Service ("Agreement") between:

This DPA sets out the terms under which Grove will process Personal Data on behalf of the Customer in connection with the provision of Grove's HR management platform and related services.

This DPA is effective as of 26 January 2026 and shall remain in effect for the duration of the Agreement.

In this DPA, the following terms shall have the meanings set out below. Terms not defined herein shall have the meanings given to them in the UK GDPR.

3.1 Subject Matter

The subject matter of this DPA is the Processing of Personal Data by Grove in connection with the provision of the Grove HR management platform, including but not limited to:

• Employee information management and record-keeping
• Leave and absence tracking and management
• Performance review and appraisal management
• Document storage and management
• Reporting and analytics services
• Integration with third-party HR tools as configured by the Customer

3.2 Duration

This DPA shall remain in effect for the duration of the Customer's subscription to Grove services. The obligations and rights arising from this DPA shall survive termination to the extent necessary for the deletion or return of Personal Data as described in Section 7.8.

Grove processes Personal Data for the following purposes:

The nature of Processing includes collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, alignment, combination, restriction, erasure, and destruction.

The types of Personal Data processed under this DPA may include, but are not limited to:

The Data Subjects whose Personal Data is processed under this DPA include:

Grove, as the Processor, agrees to:

7.1 Processing Instructions

Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by applicable law. In such case, Grove shall inform the Controller of that legal requirement before Processing, unless the law prohibits such notification.

7.2 Confidentiality

Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.3 Security Measures

Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as detailed in Section 11 of this DPA.

7.4 Sub-processor Management

Only engage Sub-processors with the prior written consent of the Controller (see Section 9). Grove shall ensure that any Sub-processor is bound by data protection obligations equivalent to those set out in this DPA.

7.5 Assistance with Data Subject Rights

Taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests from Data Subjects exercising their rights under UK GDPR.

7.6 Assistance with Compliance

Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32-36 of UK GDPR, taking into account the nature of Processing and the information available to Grove.

7.7 Data Breach Notification

7.8 Deletion or Return of Data

At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the Personal Data. Grove shall provide the Controller with the ability to export their data in a machine-readable format prior to deletion.

7.9 Audit Rights

Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Grove may satisfy this obligation through:

• Provision of compliance certifications (e.g., ISO 27001, SOC 2)
• Third-party audit reports
• On-site audits (upon reasonable notice and at Controller's expense)

The Customer, as the Controller, agrees to:

• Lawfulness: Ensure that the Processing of Personal Data has a valid legal basis under applicable data protection law.
• Data Subject Information: Provide appropriate privacy notices to Data Subjects regarding the Processing of their Personal Data.
• Data Subject Rights: Handle and respond to Data Subject requests, with assistance from Grove where required.
• Documented Instructions: Provide clear, documented instructions for the Processing of Personal Data.
• Data Accuracy: Ensure the accuracy of Personal Data provided to Grove for Processing.
• Security Cooperation: Cooperate with Grove in implementing appropriate security measures and responding to security incidents.
• Impact Assessments: Conduct Data Protection Impact Assessments where required, with assistance from Grove where necessary.

9.1 Approved Sub-processors

The Customer authorises Grove to engage the following Sub-processors for the Processing of Personal Data:

9.2 Notification of Changes

Grove shall notify the Customer of any intended changes to Sub-processors by updating the list at grove.hr/legal/sub-processors and providing 30 days' notice before the engagement of any new Sub-processor.

9.3 Right to Object

The Customer may object to the engagement of a new Sub-processor within 14 days of notification. If the Customer raises a legitimate objection and Grove cannot accommodate the objection, either party may terminate the affected services without penalty.

10.1 Transfer Mechanisms

Where Personal Data is transferred outside the United Kingdom or European Economic Area, Grove shall ensure that appropriate safeguards are in place, including:

• Adequacy Decisions: Transfers to countries recognised by the UK as providing adequate protection.
• Standard Contractual Clauses: Use of UK-approved SCCs (International Data Transfer Agreement or International Data Transfer Addendum) for transfers to other countries.
• Supplementary Measures: Implementation of additional technical or organisational measures where required by transfer impact assessments.

10.2 Transfer Impact Assessments

Grove maintains transfer impact assessments for international data transfers and will provide these upon request. Grove shall inform the Controller if, in its opinion, an instruction for international transfer would infringe applicable data protection law.

Grove implements the following technical and organisational measures to protect Personal Data:

11.1 Technical Measures

• Encryption at Rest: AES-256 encryption for all stored Personal Data
• Encryption in Transit: TLS 1.3 for all data transmissions
• Access Controls: Role-based access control (RBAC) with principle of least privilege
• Multi-Factor Authentication: MFA required for all Grove personnel accessing production systems
• Logging and Monitoring: Comprehensive audit logging with 24/7 security monitoring
• Backup and Recovery: Automated daily backups with encryption and tested recovery procedures
• Vulnerability Management: Regular vulnerability scanning and penetration testing
• Network Security: Firewalls, intrusion detection, and DDoS protection

11.2 Organisational Measures

• Security Policies: Documented information security policies and procedures
• Employee Training: Regular security awareness training for all personnel
• Background Checks: Pre-employment screening for personnel with access to Personal Data
• Incident Response: Documented incident response plan with regular testing
• Vendor Management: Due diligence and ongoing monitoring of Sub-processors
• Business Continuity: Business continuity and disaster recovery plans

11.3 Certifications

Grove maintains the following security certifications and attestations:

• ISO 27001 Information Security Management (planned)
• Cyber Essentials Plus certification
• Annual third-party penetration testing