Gusto updated its Data Processing Addendum on April 16, 2026, adding 60 sentences that clarify how the company handles employer data under data protection laws. The new language specifies the scope of the addendum (it applies only to employers subject to data protection laws), defines key terms, establishes when the agreement becomes binding, and clarifies that the addendum takes precedence over the base service agreement if there is a conflict. For employers, this means clearer rules about how their employee and payroll data is processed and protected.
The updated addendum provides employers with clearer rules about when data protection obligations apply and how Gusto will process payroll and employee data. The new language establishes that the addendum only applies to employers subject to data protection laws (such as GDPR or UK GDPR), and specifies that the addendum takes precedence over the base service agreement if there is a conflict. Employers subject to data protection laws should review the full updated addendum to confirm it aligns with their legal obligations regarding employee data handling.
The updated addendum clarifies Gusto's data protection obligations and under what legal circumstances they apply. For employers subject to GDPR, UK GDPR, or state privacy laws, this update refines the contractual framework governing how employee and payroll data is processed, which is critical for regulatory compliance and vendor accountability.
→ Confirm whether your organization is subject to applicable data protection laws (GDPR, UK GDPR, state privacy laws, etc.)
→ Retrieve the full Addendum Version 3.0 from Gusto and review it against your jurisdiction's data processing agreement requirements
→ If required provisions are missing, request amendments or supplemental agreements from Gusto
→ Data processing compliance gaps may go undetected if the addendum lacks required terms for your jurisdiction
→ Regulatory exposure may increase if your data protection obligations are not fully addressed in the updated contract
Addendum applies only to employers subject to applicable data protection laws; clarifies that commitment is conditional on legal applicability.
Addendum takes precedence over base service agreement in case of conflict, establishing hierarchy of contract terms.
Clarifies addendum becomes binding on agreement effective date or later signing; data processing continues until relationship terminates per base agreement.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
Gusto introduced Version 3.0 of its Data Processing Addendum on April 16, 2026, adding substantial clarifying language on scope, duration, definitions, and data handling commitments. The new text explicitly conditions the addendum's application to employers subject to applicable data protection laws and establishes that the addendum governs the processing of 'Company Personal Data' in connection with Gusto's services. The update also clarifies contractual precedence (addendum over base agreement) and the timing of binding effect. For organizations using Gusto as a payroll processor, this change likely requires review to confirm alignment with internal data protection compliance frameworks, vendor management policies, and any applicable data processing agreements (DPAs) or contractual requirements under GDPR, UK GDPR, state privacy laws, or industry standards.
GDPR (EU General Data Protection Regulation), UK GDPR, CCPA (California Consumer Privacy Act), state privacy laws (Colorado, Connecticut, Virginia, Utah, Montana, Delaware, etc.), industry-specific regulations (HIPAA if health data is processed, FINRA if financial services context applies)
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Watcher: regulatory citations + obligations. Professional: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-001284.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — WatcherGusto's privacy policy was updated on May 9, 2026 to add two new document references in its table of contents: …
Gusto updated its Terms of Service on May 9, 2026 with five technical corrections. The changes include updating contact email …
Gusto updated two email addresses in their Terms of Service contact sections on May 6, 2026. The opt-out form submission …
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.