Employer Data Processing Addendum

Last updated September 17, 2025

This Data Processing Addendum (“Addendum”) forms part of and is subject to the terms and conditions of either (i) the Embedded Payroll Service Agreement for users of Embedded Payroll Services offered by a third-party Platform Provider or (ii) the Employer Terms of Service (each of (i) and (ii) individually a “Base Agreement”) and this Addendum together with the applicable Base Agreement forms an “Agreement” by and between the Employer or Company (as defined in the applicable Base Agreement) (“Company”) and Gusto, Inc. and its subsidiaries and affiliates (“Service Provider”).

Subject Matter and Duration.
  1. Subject Matter. This Addendum reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Company Personal Data in connection with Service Provider’s execution of the Agreement, but only to the extent that Employer is subject to Data Protection Laws and they apply to the Processing of Company Personal Data. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the applicable Base Agreement. If and to the extent language in this Addendum or any of its Exhibits conflicts with the applicable Base Agreement, this Addendum shall control.

  2. Duration and Survival. This Addendum will become legally binding upon the effective date of the Agreement or upon the date that the parties sign this Addendum if it is completed after the effective date of the Agreement. Service Provider will Process Company Personal Data until the relationship terminates as specified in the Agreement.

Definitions.
  1. For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.
    1. “Company Personal Data” means any Employer Data or Company Data that is Personal Data Processed by Service Provider on behalf of Company.
    2. “Data Protection Laws” means the applicable data privacy, data protection, and cybersecurity laws, rules, and regulations to which the Company Personal Data are subject. “Data Protection Laws” may include, but are not limited to, the California Consumer Privacy Act of 2018 (“CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, Connecticut’s Act Concerning Data Privacy and Online Monitoring, and the Utah Consumer Privacy Act (in each case as supplemented by implementing regulations and as amended, adopted, or superseded from time to time).
    3. “Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws.
    4. “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
    5. “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Company Personal Data attributable to Service Provider.
    6. “Services” means the services that Service Provider performs under the Agreement.
    7. “Subprocessor(s)” means Service Provider’s authorized vendors and third-party service providers that Process Company Personal Data.

Processing Terms for Company Personal Data.
  1. Documented Instructions. Service Provider shall Process Company Personal Data to provide the Services in accordance with the Agreement, this Addendum, any applicable Statement of Work, and any instructions agreed upon by the parties. Service Provider will, unless legally prohibited from doing so, inform Company in writing if it reasonably believes that there is a conflict between Company’s instructions and applicable law or otherwise seeks to Process Company Personal Data in a manner that is inconsistent with Company’s instructions.

  2. Authorization to Use Subprocessors. To the extent necessary to fulfill Service Provider’s contractual obligations under the Agreement, Company hereby authorizes Service Provider to engage Subprocessors.

  3. Service Provider and Subprocessor Compliance. Service Provider shall (i) enter into a written agreement with Subprocessors regarding such Subprocessors’ Processing of Company Personal Data that imposes on such Subprocessors data protection requirements for Company Personal Data that are consistent with this Addendum; and (ii) remain responsible to Company for Service Provider’s Subprocessors’ failure to perform their obligations with respect to the Processing of Company Personal Data.

  4. Confidentiality. Any person authorized to Process Company Personal Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.

  5. Personal Data Inquiries and Requests. Where required by Data Protection Laws, Service Provider agrees to provide reasonable assistance and comply with reasonable instructions from Company related to any requests from individuals exercising their rights in Company Personal Data granted to them under Data Protection Laws.

  6. Prohibited Uses of Personal Data. Service Provider shall not (i) sell or share Company Personal Data as the terms "sell" or “share” are defined by the CCPA; or (ii) retain, use, combine, or disclose Company Personal Data for any purpose other than as described in this Addendum, the Agreement, or permitted under Data Protection Laws.

  7. Data Protection Impact Assessment and Prior Consultation. Where required by Data Protection Laws, Service Provider agrees to provide reasonable assistance at Company’s expense to Company where, in Company’s judgement, the type of Processing performed by Service Provider requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.

  8. Demonstrable Compliance. Upon Company’s reasonable request Service Provider agrees to provide information reasonably necessary to demonstrate compliance with this Addendum and permit Company to take reasonable steps to stop and remediate unauthorized use of Company Personal Data.

  9. Service Optimization. Where permitted by Data Protection Laws, Service Provider may Process Company Personal Data: (i) for its internal uses to build or improve the quality of its services; (ii) to detect Security Incidents; and (iii) to protect against fraudulent or illegal activity.

  10. Aggregation and De-Identification. Service Provider may: (i) compile aggregated and/or de-identified information in connection with providing the Services provided that such information cannot reasonably be used to identify Company or any data subject to whom Company Personal Data relates (“Aggregated and/or De-Identified Data”); and (ii) use Aggregated and/or De-Identified Data for its lawful business purposes.

Information Security Program.

Security Measures. Service Provider shall use commercially reasonable efforts to implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Company Personal Data.

Security Incidents.

Notice. Upon becoming aware of a Security Incident, Service Provider agrees to provide written notice without undue delay and within the time frame required under Data Protection Laws to Employer Account or Administrator. Where possible, such notice will include all available details required under Data Protection Laws for the Company to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.

Audits.

Company Audit. Where Data Protection Laws afford Company an audit right, Company (or its appointed representative) may carry out an audit of Service Provider’s policies, procedures, and records relevant to the Processing of Company Personal Data. Any audit must be: (i) conducted during Service Provider’s regular business hours; (ii) with reasonable advance notice to Service Provider; (iii) carried out in a manner that prevents unnecessary disruption to Service Provider’s operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit shall be limited to once per year, unless an audit is carried out at the direction of a government authority having proper jurisdiction.

Company Personal Data Deletion.

Data Deletion. At the expiry or termination of the Agreement, Service Provider will retain and delete Company Personal Data in accordance with the Agreement.

Company’s Obligations.

Company represents and warrants that: (i) it has complied and will comply with Data Protection Laws; (ii) it has provided data subjects whose Company Personal Data will be Processed in connection with the Agreement with a privacy notice or similar document that clearly and accurately describes Company’s practices with respect to the Processing of Company Personal Data; (iii) it has obtained and will obtain and continue to have, during the term, all necessary rights, lawful bases, authorizations, consents, and licenses for the Processing of Company Personal Data as contemplated by the Agreement; and (iv) Service Provider’s Processing of Company Personal Data in accordance with the Agreement will not violate Data Protection Laws or cause a breach of any agreement or obligations between Company and any third party.

Processing Details.
  1. Subject Matter and Business Purpose. The subject matter and business purpose of the Processing is the Services pursuant to the Agreement, including payroll services.

  2. Duration. The Processing will continue until the expiration or termination of the Agreement.

  3. Categories of Data Subjects. Data subjects whose Company Personal Data will be Processed pursuant to the Agreement, including Company employees and workers.

  4. Nature and Purpose of the Processing. The purpose of the Processing of Company Personal Data by Service Provider is the performance of the Services, including payroll services.

  5. Types of Company Personal Data. Company Personal Data that is Processed pursuant to the Agreement, including payroll information of Company workers.