Data Processing Addendum

Version 1.0 · Effective 21 May 2026 · Last updated 21 May 2026

This Data Processing Addendum ("DPA") forms part of the Terms of use between JustParent Ltd (company number 14338607) ("Processor", "Harriet", "Company") and the customer ("Controller", "Customer").

Where this DPA conflicts with an executed Order Form on data protection matters, the Order Form prevails.

Related documents: Terms of use · Privacy policy · Sub-processors

1. Scope and roles

1.1 This DPA applies where Company processes Personal Data on behalf of Customer in providing the Harriet platform and related services (the "Services").

1.2 Customer is the Data Controller and Company is the Data Processor for that processing.

1.3 The subject matter, duration, nature, and purpose of processing, and the types of Personal Data and categories of data subjects, are described in Annex I below.

2. Processing instructions

2.1 Company shall process Personal Data only on documented instructions from Customer, including as set out in the Agreement, this DPA, and Customer's configuration and use of the Services — unless required to do so by UK, EU, or Member State law, in which case Company shall inform Customer of that legal requirement before processing (unless prohibited).

2.2 Customer instructs Company to process Personal Data as necessary to provide, maintain, secure, and support the Services, including hosting, backup, support, analytics on aggregated/de-identified usage, and integration with services Customer enables.

2.3 Customer is responsible for ensuring it has a valid lawful basis (and, where applicable, Art. 9 condition) for all Personal Data it submits to the Services.

3. Confidentiality and personnel

3.1 Company ensures that persons authorised to process Personal Data are subject to appropriate confidentiality obligations.

4. Security

4.1 Company shall implement appropriate technical and organisational measures as described in Annex II and our Trust Center.

5. Sub-processors

5.1 Customer provides general written authorisation for Company to engage sub-processors listed on our Sub-processors page.

5.2 Company shall give Customer at least 30 days' notice before adding or replacing a sub-processor by updating the Sub-processors page and, where Customer has provided a contact for DPA notices, by email.

5.3 Customer may object to a new sub-processor on reasonable grounds relating to data protection by notifying legal@harriethq.com within the notice period. If the parties cannot resolve the objection within a reasonable time, Customer may terminate the affected Services on written notice and receive a pro-rata refund of pre-paid unused fees for those Services.

5.4 Company shall impose data protection obligations on sub-processors that are no less protective than those in this DPA.

5.5 Current sub-processors are listed in Annex III and on the Sub-processors page.

6. Data subject rights

6.1 Company shall, taking into account the nature of processing, assist Customer by appropriate technical and organisational measures, insofar as possible, to fulfil Customer's obligation to respond to data subject requests.

6.2 If Company receives a request from a data subject relating to Personal Data processed on Customer's behalf, Company shall promptly notify Customer and shall not respond directly except on Customer's instructions or as required by law.

7. Personal data breaches

7.1 Company shall notify Customer without undue delay and in any event within 72 hours of becoming aware of a Personal Data breach affecting Customer's Personal Data, providing information reasonably available to assist Customer in meeting its breach notification obligations.

8. Data protection impact assessments

8.1 Company shall provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities where required by applicable law, taking into account the nature of processing and information available to Company.

9. Deletion and return of data

9.1 On termination or expiry of the Services, Company shall, at Customer's choice, delete or return Customer's Personal Data within 30 days, and delete existing copies unless retention is required by law.

9.2 During the 30-day period following termination, Company shall make Customer Data available for export in a documented format on request.

10. International transfers

10.1 Personal Data may be transferred to sub-processors outside the UK and EEA only where appropriate safeguards are in place, including:

  • adequacy decisions;
  • the UK International Data Transfer Agreement (IDTA);
  • EU Standard Contractual Clauses with the UK Addendum; and/or
  • the EU-US Data Privacy Framework, where applicable.

10.2 Details of transfer mechanisms per sub-processor are on the Sub-processors page.

11. Audits

11.1 Company shall make available information necessary to demonstrate compliance with this DPA.

11.2 Customer may audit Company's compliance once per calendar year on reasonable notice, during business hours, subject to an NDA, and at Customer's expense — provided that Customer may satisfy this requirement by reviewing Company's current third-party audit reports (such as SOC 2 or ISO 27001), if available, upon request.

12. AI processing

12.1 Company uses third-party LLM providers as sub-processors to deliver AI features within the Services. Relevant Customer Data is transmitted to those providers as necessary to generate responses.

12.2 Customer Data is not used to train Harriet's AI models, and Company contractually requires LLM sub-processors not to use Customer Data to train their models. Sub-processors may retain inputs and outputs for a limited period for service delivery, abuse prevention, safety monitoring, and legal compliance, as permitted under those agreements.

13. Liability

13.1 Each party's liability under this DPA is subject to the limitations and exclusions in the Agreement, except where prohibited by applicable data protection law.

Annex I — Details of processing

Item Description
Subject matter Provision of the Harriet AI assistant platform, including chat, knowledge base, ticketing, workflow automation, and related integrations.
Duration For the term of the Agreement plus the deletion period in Section 9.
Nature and purpose Hosting, storage, retrieval, analysis (including AI-assisted analysis), display, transmission, backup, support, and security monitoring of Personal Data submitted through the Services.
Categories of data subjects Customer's employees, contractors, and other personnel authorised to use the Services; individuals whose data Customer uploads or syncs (for example via HRIS integrations).
Types of Personal Data Identifiers and contact details (name, email, employee ID); employment and role information; communications and ticket content; chat logs; documents and files uploaded to the knowledge base; usage and audit logs; integration metadata. May incidentally include special category data if submitted by users (for example health-related leave information).

Annex II — Technical and organisational measures

Company maintains measures appropriate to the risk, including:

  • encryption of Personal Data in transit (TLS) and at rest where applicable;
  • access controls and role-based permissions;
  • logging and monitoring;
  • vulnerability management and security testing;
  • business continuity and backup procedures (rolling backups, typically 30 days);
  • staff security training and confidentiality obligations;
  • incident response procedures.

Current details and certifications: Trust Center.

Annex III — Sub-processors

The current list of sub-processors, including their function, location, and transfer mechanism, is maintained at /sub-processors/ and incorporated by reference into this DPA.

To receive email notifications of sub-processor changes, contact legal@harriethq.com.

Contact

Data protection enquiries: legal@harriethq.com · privacy@harriethq.com

Postal address: JustParent Ltd, 17 Baalbec Road, London, N5 1QN, United Kingdom.