Gusto updated their Employer Data Processing Addendum from Version 2.0 to Version 3.0, effective April 14, 2026. The new version adds detailed provisions about the subject matter, duration, and survival of data processing obligations, clarifying when and how long Gusto processes employer data. These additions provide clearer legal boundaries around data handling, which is relevant to businesses using Gusto's payroll and HR services.
Businesses using Gusto are now bound by a new version of the data processing addendum that explicitly defines the scope and duration of employee data processing, which may affect their own GDPR Art. 28 compliance and US state privacy law obligations. The new clause stating this Addendum controls over the Base Agreement in conflicts is a material legal change that shifts risk allocation.
This change affects businesses (employers) using Gusto's payroll and HR platform, not individual employees directly. The updated addendum now explicitly defines the scope and duration of how Gusto processes company employee data, and states that Gusto will continue processing data until the business relationship ends. If you are an employer using Gusto, you should review the updated Data Processing Addendum to ensure your own privacy notices and vendor agreements remain aligned.
Gusto has released a new version (v3.0) of its Employer Data Processing Addendum, effective April 14, 2026, adding explicit subject matter, duration, survival, and definitions provisions. This touches GDPR Art. 28 (processor obligations), CCPA/CPRA vendor contract requirements, and general data governance frameworks. Organizations using Gusto as a payroll/HR processor should verify their existing DPA references are updated to v3.0 and review whether the new language aligns with their own privacy obligations. Action is likely required to update internal vendor records and possibly amend downstream privacy notices.
1. GDPR Art. 28(3) — Processor agreements must specify subject matter, duration, nature and purpose of processing, type of personal data, and obligations of parties. The new clauses on subject matter and duration directly address these requirements.
Compliance intelligence locked
Obligation analysis, escalation trigger, board language, and recommended action.
Watcher: regulatory citations + obligations. Professional: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-000494.
ConductAtlas Policy Archive Entity: Gusto | Document: Gusto Privacy Policy | Record: CA-C-000494 Captured: 2026-04-16 06:06:16 UTC URL: https://conductatlas.com/change/2026-04-16-gusto-gusto-privacy-policy-494/ Accessed: April 18, 2026
Subscribe to Watcher for $9.99/mo to get email alerts the moment Gusto updates their policies. Or try Professional free for 14 days.