Skip to main content
Empuls formally executes Data Privacy Agreements with every sub-processor and cloud service provider that handles customer data, ensuring contractual privacy obligations flow unbroken through the entire data supply chain.
Empuls executes Data Processing Agreements (DPAs) with every sub-processor and cloud service provider that handles customer data on its behalf. This contractual chain ensures that the privacy and security commitments Empuls makes to its customers are not diluted at any point downstream. When a company integrates Empuls with tools like Slack, Microsoft Teams, Workday, SAP SuccessFactors, or Darwinbox, data may pass through multiple cloud services as part of normal platform operations. Empuls maps this flow and binds each vendor in the chain to equivalent standards — covering data retention limits, access controls, breach notification timelines, and deletion requirements aligned with the original customer agreement. Sub-processor DPAs are a formal requirement under frameworks like GDPR, which mandates that controllers and processors ensure downstream vendors operate under equivalent data protection obligations. Empuls meets this standard as an operational commitment that enterprise customers can rely on during their own compliance audits, not merely as a legal checkbox. In practice, if Empuls uses a cloud infrastructure provider to store engagement data or process reward transactions, that provider must sign a DPA mirroring what Empuls has accepted from its customers. These agreements specify the purpose of processing, geographic boundaries of data storage, security controls consistent with ISO 27001 and SOC 2 Type II requirements, and procedures for handling data subject access or erasure requests. Customers conducting vendor risk assessments or third-party security reviews can request details about Empuls’s sub-processor list and the corresponding agreements in place. This transparency supports organizations maintaining compliance with GDPR, CCPA, PDPA, and other regional data protection laws — without requiring them to independently validate each vendor in the chain. The sub-processor DPA framework Empuls maintains is not static. It is reviewed and updated whenever new sub-processors are onboarded or existing agreements change. Customers receive advance notice of material changes to the sub-processor list, giving them the opportunity to raise objections before new processing begins. This approach reflects Empuls’s commitment to privacy by design — where contractual obligations, technical controls, and operational processes work together to protect employee data across the full platform lifecycle. Learn more: Empuls Help Centre — General

GDPR & Data Processing Agreements

Understand how Empuls structures its Data Processing Agreements to meet GDPR and regional privacy law requirements for enterprise customers.

Security Certifications: ISO 27001 & SOC 2

Learn about the security standards Empuls holds and how ISO 27001 and SOC 2 Type II certifications apply to data handling across the platform.