What is CitoHR and who is it for?

CitoHR is a comprehensive HR software platform designed specifically for UK small to medium businesses and startups. It provides employee management, payroll processing, recruitment tools, and HR compliance features to help growing companies streamline their HR operations.

Is CitoHR compliant with UK regulations?

Yes, CitoHR is fully compliant with UK regulations including HMRC requirements for payroll and tax reporting, GDPR for data protection, and UK employment law. The platform is built specifically for UK businesses and includes all necessary compliance features.

How much does CitoHR cost?

CitoHR offers a free trial to get started. Pricing is transparent and scales with your business size, making it affordable for startups and SMEs. There are no hidden fees or long-term contracts required.

What features does CitoHR include?

CitoHR includes employee management, payroll processing, recruitment tools, leave management, document storage, performance reviews, AI-powered HR assistant, custom reports, and compliance tracking. All features are designed for UK businesses.

How quickly can I get started with CitoHR?

You can start using CitoHR immediately with our instant setup process. The platform is designed to be user-friendly and requires no technical expertise. You can import your existing employee data and begin managing your HR processes right away.

Data Processing Agreement (DPA)

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Citosoft Ltd ("Processor" or "we") and you ("Controller" or "Customer"). This DPA governs the processing of personal data by Citosoft Ltd on behalf of the Customer in connection with the provision of CitoHR services.

2. Definitions

"Controller" means the entity that determines the purposes and means of processing personal data.
"Processor" means the entity that processes personal data on behalf of the Controller.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on personal data, including collection, storage, use, and deletion.
"GDPR" means the General Data Protection Regulation (EU) 2016/679.
"Subprocessor" means any third party engaged by the Processor to process personal data.

3. Scope and Purpose

This DPA applies to all processing of personal data by Citosoft Ltd in connection with the CitoHR platform, including:

Employee data management and HR records
Time tracking and attendance data
Performance and review information
Leave and absence records
Payroll and compensation data
Training and development records

4. Processing Obligations

Citosoft Ltd agrees to:

Process personal data only in accordance with the Customer's documented instructions
Ensure that persons authorized to process personal data are bound by confidentiality obligations
Implement appropriate technical and organizational measures to ensure data security
Assist the Customer in responding to data subject requests
Notify the Customer without undue delay of any data breach
Assist the Customer in conducting data protection impact assessments when required
Delete or return all personal data upon termination of services, unless required by law to retain it

Citosoft Ltd will not process personal data for any purpose other than providing the CitoHR services unless required by applicable law.

5. Security Measures

Citosoft Ltd implements the following security measures to protect personal data:

Encryption of data in transit using TLS/SSL protocols
Encryption of data at rest using industry-standard encryption algorithms
Regular security assessments and penetration testing
Access controls and authentication measures, including multi-factor authentication
Regular backups with point-in-time recovery capabilities
Network security and intrusion detection systems
Employee training on data protection and security
Incident response and breach notification procedures

6. Subprocessors

Citosoft Ltd may engage subprocessors to assist in providing the CitoHR services. We maintain a list of current subprocessors, which is available at /subprocessors.

Before engaging any new subprocessor, Citosoft Ltd will:

Notify the Customer of the intended appointment
Ensure the subprocessor is bound by data protection obligations equivalent to those in this DPA
Maintain responsibility for the subprocessor's compliance with this DPA

7. Data Transfers

Personal data may be transferred to and processed in countries outside the European Economic Area (EEA). When such transfers occur, Citosoft Ltd ensures appropriate safeguards are in place, including:

Standard Contractual Clauses approved by the European Commission
Adequacy decisions by the European Commission
Other appropriate safeguards as required by GDPR

8. Data Subject Rights

Citosoft Ltd will assist the Customer in responding to data subject requests, including:

Right of access to personal data
Right to rectification of inaccurate data
Right to erasure ("right to be forgotten")
Right to restriction of processing
Right to data portability
Right to object to processing

Citosoft Ltd will provide reasonable assistance to enable the Customer to respond to such requests within the timeframes required by GDPR.

9. Data Breach Notification

In the event of a personal data breach, Citosoft Ltd will notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include, to the extent possible:

A description of the nature of the breach
The categories and approximate number of data subjects affected
The likely consequences of the breach
The measures taken or proposed to address the breach

10. Audits and Compliance

Citosoft Ltd will:

Make available to the Customer all information necessary to demonstrate compliance with this DPA
Allow for and contribute to audits conducted by the Customer or its authorized representatives
Maintain records of all processing activities carried out on behalf of the Customer

Any audit will be conducted during normal business hours, with reasonable advance notice, and in a manner that does not interfere with Citosoft Ltd's business operations.

11. Data Retention and Deletion

Upon termination of the services or upon the Customer's request, Citosoft Ltd will:

Delete or return all personal data to the Customer, unless required by law to retain it
Delete existing copies of personal data unless storage is required by applicable law
Provide certification of deletion upon request

12. Liability and Indemnification

Each party's liability under this DPA will be subject to the limitations and exclusions set forth in the Terms of Service. Citosoft Ltd will be liable for any damages caused by processing where it has not complied with obligations specifically directed to processors under GDPR or where it has acted outside or contrary to lawful instructions of the Customer.

13. Governing Law

This DPA is governed by the laws of England and Wales. Any disputes arising from this DPA will be subject to the exclusive jurisdiction of the courts of England and Wales.

14. Contact Information

For questions about this DPA or to exercise your rights, please contact:

Company: Citosoft Ltd
Address: Ipswich, Suffolk, UK
Email: legal@citosoft.co.uk
Data Protection Officer: Daniel Cherrington
ICO Registration Number: ZB995691

Related Documents: