Data Processing Agreement (DPA)

Last updated: 23 June 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between Total Reward (the “Processor”) and the customer organization (the “Controller”) using the Total Reward platform. It governs the processing of personal data carried out by Total Reward on behalf of the Controller and is designed to comply with the Saudi Personal Data Protection Law (PDPL) and the EU General Data Protection Regulation (GDPR), as applicable.

1. Roles of the parties

The Controller determines the purposes and means of processing employee and HR personal data uploaded to the platform. Total Reward acts as a Processor and processes personal data only on documented instructions from the Controller, except where required by applicable law.

2. Subject matter and duration

Subject matter: provision of the Total Reward compensation management service. Duration: for the term of the subscription plus any retention periods set out in Section 8.

3. Nature and purpose of processing

Storing, displaying, computing, exporting, and otherwise processing compensation, role, and identity data necessary to deliver the Service: salary structures, allowances, merit cycles, bonuses, equity, analytics, approvals, audit, billing, and customer support.

4. Categories of data subjects and personal data

  • Data subjects: Controller's employees, contractors, candidates, and authorized users of the Service.
  • Personal data: identification (name, employee ID, work email), employment data (job title, grade, department, manager), compensation data (base pay, allowances, bonus, equity, currency), authentication metadata, audit logs.
  • Special categories: not requested by Total Reward. Customers must not upload health, religious, biometric, or other special-category data.

5. Sub-processors

The Controller authorizes Total Reward to engage the following sub-processors, each bound by data-protection obligations no less protective than this DPA:

  • Supabase (hosting, database, authentication, storage) — region selected by Total Reward (EU/AWS).
  • Cloudflare (CDN, edge runtime, DDoS protection) — global edge with EU-region routing where possible.
  • Mailgun (transactional email delivery) — for receipts, password resets, and lifecycle notices.
  • Paylink (payment processing — Saudi Arabia) — limited to billing data required for subscription payments. PAN data is tokenized; Total Reward never stores raw card numbers.
  • Google / OpenAI model providers (via Lovable AI Gateway) — only when the Controller invokes AI features; data sent on a per-request basis and not used to train models.

Total Reward will provide at least 30 days' prior notice via email to admin users before adding or replacing a sub-processor that handles personal data. The Controller may object on reasonable grounds and terminate the affected service.

6. Data location and international transfers

Primary storage is in the EU region (Frankfurt). Disaster-recovery backups remain within the EU. Where transfers outside the EU/KSA occur (e.g., AI inference, email delivery), Total Reward relies on Standard Contractual Clauses or equivalent safeguards.

7. Security measures

  • TLS 1.2+ for all data in transit; AES-256 for data at rest.
  • Row-Level Security (RLS) isolates each organization's data at the database layer.
  • Role-based access control with least-privilege defaults; production access restricted to authorized engineers and audit-logged.
  • Authentication: bcrypt-hashed passwords, leaked-password check (HIBP), optional MFA, JWT session tokens with rotation.
  • Daily encrypted backups; quarterly restore testing.
  • Security scanning of code and dependencies on every release.

8. Data retention and deletion

  • Active data: retained for the duration of the subscription.
  • Billing records and invoices: retained for 7 years (Saudi tax law requirement).
  • Audit logs: 24 months.
  • Suppressed-email records: indefinite (deliverability protection).
  • Account deletion: on written request or self-service from Settings, all employee and compensation records are permanently deleted within 30 days, except where law requires longer retention (billing).

9. Data-subject rights

Total Reward will assist the Controller in responding to data-subject requests for access, rectification, erasure, restriction, portability, and objection — typically through self-service tooling, or by manual action within 7 business days of receiving a verified Controller request.

10. Breach notification

Total Reward will notify the Controller without undue delay (and in any event within 72 hours) of becoming aware of a personal-data breach affecting the Controller's data, providing the information needed to meet the Controller's own notification obligations to regulators and data subjects.

11. Audits

Total Reward will make available all information necessary to demonstrate compliance and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable confidentiality and frequency limits.

12. Return and deletion at end of services

On termination, the Controller may export all data via CSV from the platform for 30 days. After that period, Total Reward will delete the Controller's personal data from production systems, with backup deletion completing within 90 days.

13. Contact

Data Protection contact: privacy@totalreward.app.