Kore Business

Data Processing Agreement

Effective date: 9 June 2025  ·  This DPA forms part of the Kore Business Terms of Service.

This Data Processing Agreement ("DPA") is entered into between Kore Business Limited ("Processor") and you, the subscribing customer ("Controller"), and governs the processing of personal data by Kore on your behalf in connection with the Kore Business platform.

1. Definitions

"Personal Data" has the meaning given in UK GDPR Article 4. "Processing" has the meaning given in UK GDPR Article 4. "Data Subject" means an identified or identifiable natural person to whom Personal Data relates (e.g. your employees, customers, or contacts).

2. Roles

You are the Data Controller: you determine the purposes and means of processing Personal Data. Kore is the Data Processor: we process Personal Data solely on your documented instructions and for the purposes of providing the Services.

3. Subject matter and nature of processing

Kore will process personal data categories including: employee names, contact details, national insurance numbers, salary information, bank account details, performance records, leave records, CRM contact records, and inventory-related contact data — as inputted by you into the Platform for the purpose of providing payroll, HR, CRM, and ERP services.

4. Processor obligations

Kore agrees to:

  • Process Personal Data only on your documented instructions, unless required to do so by UK law
  • Ensure persons authorised to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures (Article 32 UK GDPR)
  • Assist you in responding to Data Subject rights requests
  • Delete or return all Personal Data on termination of the Services
  • Provide all information necessary to demonstrate compliance, and cooperate with audits
  • Notify you without undue delay (and in any case within 72 hours) of any personal data breach

5. Sub-processors

You authorise Kore to engage the following sub-processors, each bound by equivalent data protection obligations:

  • Cloud infrastructure provider — UK-based hosting and database services
  • Stripe, Inc. — Payment processing (limited to billing data)
  • SendGrid / email provider — Transactional email delivery

Kore will notify you of any intended addition or replacement of sub-processors, giving you 30 days to object.

6. International transfers

Personal Data is stored and processed exclusively in the UK. No international transfers of Personal Data are made. If this changes, Kore will notify you and implement appropriate safeguards (UK Addendum to Standard Contractual Clauses or equivalent).

7. Security measures

Technical measures include: AES-256 encryption at rest, TLS 1.3 in transit, role-based access control, multi-factor authentication, audit logging, annual CREST-certified penetration testing, and automated vulnerability scanning.

8. Data retention and deletion

On termination, Kore will, at your election, return or securely delete all Personal Data within 30 days, except where retention is required by applicable law (e.g. HMRC record-keeping obligations of up to 7 years for payroll data).

9. Audit rights

Kore will provide all information reasonably necessary to demonstrate compliance and will permit, and contribute to, audits conducted by you or a mandated auditor, subject to reasonable notice and confidentiality obligations.

10. Governing law

This DPA is governed by the laws of England and Wales and forms part of the Terms of Service.

Contact

Data Protection enquiries: privacy@korebusiness.co.uk

© 2025 Kore Business Limited. Registered in England & Wales.