| Please contact us at [email protected] if you have any questions about our Priva | | Please contact us at [email protected] if you have any questions about our Priva |
| cy Policy. | | cy Policy. |
| Employer Data Processing Addendum | | Employer Data Processing Addendum |
| Version | | Version |
| n | Version 2.0 (Current) | n | Version 3.0 (Current) |
| | | Version 2.0 |
| Version 1.0 | | Version 1.0 |
| n | | n | Effective April 14th 2026 |
| | | Download |
| | | Table of Contents |
| | | Last updated September 17, 2025 |
| | | This Data Processing Addendum (“Addendum”) forms part of and is subject to the t |
| | | erms and conditions of either (i) the Embedded Payroll Service Agreement for use |
| | | rs of Embedded Payroll Services offered by a third-party Platform Provider or (i |
| | | i) the Employer Terms of Service (each of (i) and (ii) individually a “Base Agre |
| | | ement”) and this Addendum together with the applicable Base Agreement forms an “ |
| | | Agreement” by and between the Employer or Company (as defined in the applicable |
| | | Base Agreement) (“Company”) and Gusto, Inc. and its subsidiaries and affiliates |
| | | (“Service Provider”). |
| | | Subject Matter and Duration. |
| | | Subject Matter. This Addendum reflects the parties’ commitment to abide by Data |
| | | Protection Laws concerning the Processing of Company Personal Data in connection |
| | | with Service Provider’s execution of the Agreement- but, only to the extent tha |
| | | t Employer is subject to Data Protection Laws and they apply to the Processing o |
| | | f Company Personal Data. All capitalized terms that are not expressly defined in |
| | | this Addendum will have the meanings given to them in the applicable Base Agree |
| | | ment. If and to the extent language in this Addendum or any of its Exhibits conf |
| | | licts with the applicable Base Agreement, this Addendum shall control. |
| | | Duration and Survival. This Addendum will become legally binding upon the effect |
| | | ive date of the Agreement or upon the date that the parties sign this Addendum i |
| | | f it is completed after the effective date of the Agreement. Service Provider wi |
| | | ll Process Company Personal Data until the relationship terminates as specified |
| | | in the Agreement. |
| | | Definitions. |
| | | For the purposes of this Addendum, the following terms and those defined within |
| | | the body of this Addendum apply. |
| | | “Company Personal Data” means any Employer Data or Company Data that is Personal |
| | | Data Processed by Service Provider on behalf of Company. |
| | | “Data Protection Laws” means the applicable data privacy, data protection, and c |
| | | ybersecurity laws, rules, and regulations to which the Company Personal Data are |
| | | subject. “Data Protection Laws” may include, but are not limited to, the Califo |
| | | rnia Consumer Privacy Act of 2018 (“CCPA”), the Virginia Consumer Data Protectio |
| | | n Act, the Colorado Privacy Act, Connecticut’s Act Concerning Data Privacy and O |
| | | nline Monitoring, and the Utah Consumer Privacy Act (in each case as supplemente |
| | | d by implementing regulations and as amended, adopted, or superseded from time t |
| | | o time). |
| | | “Personal Data” has the meaning assigned to the term “personal data” or “persona |
| | | l information” under applicable Data Protection Laws. |
| | | “Process” or “Processing” means any operation or set of operations which is perf |
| | | ormed on Personal Data or sets of Personal Data, whether or not by automated mea |
| | | ns, such as collection, recording, organization, structuring, storage, adaptatio |
| | | n or alteration, retrieval, consultation, use, disclosure by transmission, disse |
| | | mination, or otherwise making available, alignment or combination, restriction, |
| | | erasure, or destruction. |
| | | “Security Incident(s)” means the breach of security leading to the accidental or |
| | | unlawful destruction, loss, alteration, unauthorized disclosure of, or access t |
| | | o Company Personal Data attributable to Service Provider. |
| | | “Services” means the services that Service Provider performs under the Agreement |
| | | . |
| | | “Subprocessor(s)” means Service Provider’s authorized vendors and third-party se |
| | | rvice providers that Process Company Personal Data. |
| | | Processing Terms for Company Personal Data. |
| | | Documented Instructions. Service Provider shall Process Company Personal Data to |
| | | provide the Services in accordance with the Agreement, this Addendum, any appli |
| | | cable Statement of Work, and any instructions agreed upon by the parties. Servic |
| | | e Provider will, unless legally prohibited from doing so, inform Company in writ |
| | | ing if it reasonably believes that there is a conflict between Company’s instruc |
| | | tions and applicable law or otherwise seeks to Process Company Personal Data in |
| | | a manner that is inconsistent with Company’s instructions. |
| | | Authorization to Use Subprocessors. To the extent necessary to fulfill Service P |
| | | rovider’s contractual obligations under the Agreement, Company hereby authorizes |
| | | Service Provider to engage Subprocessors. |
| | | Service Provider and Subprocessor Compliance. Service Provider shall (i) enter i |
| | | nto a written agreement with Subprocessors regarding such Subprocessors’ Process |
| | | ing of Company Personal Data that imposes on such Subprocessors data protection |
| | | requirements for Company Personal Data that are consistent with this Addendum; a |
| | | nd (ii) remain responsible to Company for Service Provider’s Subprocessors’ fail |
| | | ure to perform their obligations with respect to the Processing of Company Perso |
| | | nal Data. |
| | | Confidentiality. Any person authorized to Process Company Personal Data must con |
| | | tractually agree to maintain the confidentiality of such information or be under |
| | | an appropriate statutory obligation of confidentiality. |
| | | Personal Data Inquiries and Requests. Where required by Data Protection Laws, Se |
| | | rvice Provider agrees to provide reasonable assistance and comply with reasonabl |
| | | e instructions from Company related to any requests from individuals exercising |
| | | their rights in Company Personal Data granted to them under Data Protection Laws |
| | | . |
| | | Prohibited Uses of Personal Data. Service Provider shall not (i) sell or share C |
| | | ompany Personal Data as the terms "sell" or “share” are defined by the CCPA; or |
| | | (ii) retain, use, combine, or disclose Company Personal Data for any purpose oth |
| | | er than as described in this Addendum, the Agreement, or permitted under Data Pr |
| | | otection Laws. |
| | | Data Protection Impact Assessment and Prior Consultation. Where required by Data |
| | | Protection Laws, Service Provider agrees to provide reasonable assistance at Co |
| | | mpany’s expense to Company where, in Company’s judgement, the type of Processing |
| | | performed by Service Provider requires a data protection impact assessment and/ |
| | | or prior consultation with the relevant data protection authorities. |
| | | Demonstrable Compliance. Upon Company’s reasonable request Service Provider agre |
| | | es to provide information reasonably necessary to demonstrate compliance with th |
| | | is Addendum and permit Company to take reasonable steps to stop and remediate un |
| | | authorized use of Company Personal Data. |
| | | Service Optimization. Where permitted by Data Protection Laws, Service Provider |
| | | may Process Company Personal Data: (i) for its internal uses to build or improve |
| | | the quality of its services; (ii) to detect Security Incidents; and (iii) to pr |
| | | otect against fraudulent or illegal activity. |
| | | Aggregation and De-Identification. Service Provider may: (i) compile aggregated |
| | | and/or de-identified information in connection with providing the Services provi |
| | | ded that such information cannot reasonably be used to identify Company or any d |
| | | ata subject to whom Company Personal Data relates (“Aggregated and/or De-Identif |
| | | ied Data”); and (ii) use Aggregated and/or De-Identified Data for its lawful bus |
| | | iness purposes.Information Security Program. |
| | | Security Measures. Service Provider shall use commercially reasonable efforts to |
| | | implement and maintain reasonable administrative, technical, and physical safeg |
| | | uards designed to protect Company Personal Data. |
| | | Security Incidents. |
| | | Notice. Upon becoming aware of a Security Incident, Service Provider agrees to p |
| | | rovide written notice without undue delay and within the time frame required und |
| | | er Data Protection Laws to Employer Account or Administrator. Where possible, su |
| | | ch notice will include all available details required under Data Protection Laws |
| | | for the Company to comply with its own notification obligations to regulatory a |
| | | uthorities or individuals affected by the Security Incident. |
| | | Audits. |
| | | Company Audit. Where Data Protection Laws afford Company an audit right, Company |
| | | (or its appointed representative) may carry out an audit of Service Provider’s |
| | | policies, procedures, and records relevant to the Processing of Company Personal |
| | | Data. Any audit must be: (i) conducted during Service Provider’s regular busine |
| | | ss hours; (ii) with reasonable advance notice to Service Provider; (iii) carried |
| | | out in a manner that prevents unnecessary disruption to Service Provider’s oper |
| | | ations; and (iv) subject to reasonable confidentiality procedures. In addition, |
| | | any audit shall be limited to once per year, unless an audit is carried out at t |
| | | he direction of a government authority having proper jurisdiction. |
| | | Company Personal Data Deletion. |
| | | Data Deletion. At the expiry or termination of the Agreement, Service Provider w |
| | | ill retain and delete Company Personal Data in accordance with the Agreement. |
| | | Company’s Obligations. |
| | | Company represents and warrants that: (i) it has complied and will comply with D |
| | | ata Protection Laws; (ii) it has provided data subjects whose Company Personal D |
| | | ata will be Processed in connection with the Agreement with a privacy notice or |
| | | similar document that clearly and accurately describes Company’s practices with |
| | | respect to the Processing of Company Personal Data; (iii) it has obtained and wi |
| | | ll obtain and continue to have, during the term, all necessary rights, lawful ba |
| | | ses, authorizations, consents, and licenses for the Processing of Company Person |
| | | al Data as contemplated by the Agreement; and (iv) Service Provider’s Processing |
| | | of Company Personal Data in accordance with the Agreement will not violate Data |
| | | Protection Laws or cause a breach of any agreement or obligations between Compa |
| | | ny and any third party. |
| | | Processing Details. |
| | | Subject Matter and Business Purpose. The subject matter and business purpose of |
| | | the Processing is the Services pursuant to the Agreement, including payroll serv |
| | | ices. |
| | | Duration. The Processing will continue until the expiration or termination of th |
| | | e Agreement. |
| | | Categories of Data Subjects. Data subjects whose Company Personal Data will be P |
| | | rocessed pursuant to the Agreement, including Company employees and workers. |
| | | Nature and Purpose of the Processing. The purpose of the Processing of Company P |
| | | ersonal Data by Service Provider is the performance of the Services, including p |
| | | ayroll services. |
| | | Types of Company Personal Data. Company Personal Data that is Processed pursuant |
| | | to the Agreement, including payroll information of Company workers. |
| Effective September 17th 2025 | | Effective September 17th 2025 to April 14th 2026 |
| Download | | Download |
| Table of Contents | | Table of Contents |
| Last updated September 17, 2025 | | Last updated September 17, 2025 |
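Review bot: The "Security Incidents" Notice clause in the added Version 3.0 addendum sets no fixed deadline, only "without undue delay and within the time frame required under Data Protection Laws". The "Security Incident(s)" definition is also limited to breaches "attributable to Service Provider", so the text does not say whether an incident at a Subprocessor triggers notice. Consider stating a maximum notice period and saying explicitly whether Subprocessor incidents are covered. The notice recipient, "Employer Account or Administrator", is not a defined term in the visible text and should be tied to a defined contact. Separately, at the end of the "Aggregation and De-Identification" paragraph, "business purposes.Information Security Program." runs the next section heading into the sentence and needs a line break.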
| Last updated January 13, 2026 | | Last updated January 13, 2026 |
| Referee Terms: To qualify, you must sign up for Gusto between January 15th, 2026 | | Referee Terms: To qualify, you must sign up for Gusto between January 15th, 2026 |
| and April 15th, 2026 and run one or more paid payrolls. You will receive a $100 | | and April 15th, 2026 and run one or more paid payrolls. You will receive a $100 |
| Visa gift card within thirty (30) days of your first paid invoice. Additionally | | Visa gift card within thirty (30) days of your first paid invoice. Additionally |
| , if you qualify pursuant to these terms AND you onboard ten (10) or more employ | | , if you qualify pursuant to these terms AND you onboard ten (10) or more employ |
| ees prior to the first payroll run and invoice paid, the incentive offered above | | ees prior to the first payroll run and invoice paid, the incentive offered above |
| will increase to $200. You cannot participate in pay-per-click advertising on t | | will increase to $200. You cannot participate in pay-per-click advertising on t |
| rademarked terms, including any derivations, variations or misspellings thereof, | | rademarked terms, including any derivations, variations or misspellings thereof, |
| for search or content-based campaigns on Google, MSN, or Yahoo. For the purpose | | for search or content-based campaigns on Google, MSN, or Yahoo. For the purpose |
| s of these terms, trademarked terms include Gusto, Gusto Payroll, Gusto HR, Gust | | s of these terms, trademarked terms include Gusto, Gusto Payroll, Gusto HR, Gust |
| o Benefits, ZenPayroll, Gusto Coupon, Gusto.com and Buy Gusto (all keywords appl | | o Benefits, ZenPayroll, Gusto Coupon, Gusto.com and Buy Gusto (all keywords appl |
| y as broad match). | | y as broad match). |
| Pricing | | Pricing |
| n | Starting at just $55 per month | n | Starting at just $46 per month |
| Built for you | | Built for you |
| Starting a business | | Starting a business |
| Switching to Gusto | | Switching to Gusto |