Legal

Data Processing Agreement

Last updated: July 2026

Template document. This data processing agreement is executed per customer together with an order form or subscription agreement. It does not take effect until signed by both parties. Have it reviewed by your legal adviser before signature.

1. Parties and roles

This agreement is made between the customer named in the applicable order form (the “Customer”) and Pro Outsource LTD, a company registered in England and Wales with company number 16166040, trading as Payzava (“Payzava”, “we”, “us”).

For personal data processed within the Payzava application on the Customer's behalf, the Customer is the data controller and Payzava is the data processor. The Customer remains responsible for the lawfulness of the personal data it submits and the instructions it gives.

2. Scope and purpose of processing

Payzava processes personal data solely to provide payroll and HR services under the subscription agreement. Categories of data typically include:

  • Employee identity data: names, national ID or passport numbers, dates of birth, contact details.
  • Employment data: job titles, grades, start and end dates, leave records, disciplinary and contract records where the Customer uses those modules.
  • Payroll and financial data: salaries, allowances, deductions, loans, bank account details, statutory registration numbers (e.g. NSSA), and tax calculations.

Data subjects are the Customer's employees, contractors, and payroll administrators. The duration of processing is the term of the subscription agreement plus the agreed deletion period.

3. Documented instructions

Payzava processes personal data only on the Customer's documented instructions, which are set out in the subscription agreement, order form, and the Customer's configuration and use of the application. Payzava will inform the Customer if, in its opinion, an instruction infringes applicable data protection law.

4. Confidentiality

Payzava ensures that personnel authorised to process personal data are bound by confidentiality obligations. Support access to customer data is time-limited, granted only where needed to resolve an issue, and recorded in the audit log.

5. Security measures

Payzava implements the following technical and organisational measures:

  • AES-256 field-level encryption for sensitive data at rest, and TLS 1.3 for data in transit.
  • Role-based access permissions and multi-factor authentication for user accounts.
  • Immutable, field-level audit logs on every payroll and employee action.
  • Database backups with point-in-time recovery capability.
  • Rate limiting and brute-force protection on authentication endpoints.

6. Sub-processors

The Customer authorises Payzava to engage sub-processors for hosting and supporting infrastructure. Payzava maintains a list of current sub-processors, available on request, and will give the Customer prior notice of any intended change so the Customer can object on reasonable data protection grounds. Payzava remains responsible for its sub-processors' performance.

7. Personal data breach notification

Payzava will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data, and will provide the information reasonably required for the Customer to meet its own notification obligations, including the nature of the breach, the categories and approximate number of data subjects affected, and the measures taken or proposed.

8. Assistance with data subject rights

Taking into account the nature of the processing, Payzava will assist the Customer in responding to requests from data subjects (access, rectification, erasure, restriction, portability, and objection), and in meeting the Customer's obligations regarding security, breach notification, and data protection impact assessments.

9. Retention, return, and deletion

On termination or expiry of the subscription agreement, Payzava will, at the Customer's choice, return the Customer's personal data in a structured, commonly used format or delete it, unless retention is required by applicable law. The Customer may export its payroll and employee data before the deletion date, and Payzava will provide reasonable exit assistance as described in the subscription agreement.

10. Hosting location and international transfers

The Payzava application is cloud-hosted on dedicated infrastructure with encrypted storage. The hosting location and any cross-border transfer arrangements are recorded in the order form for each customer. Where personal data protected by the Zimbabwe Data Protection Act, UK GDPR, or equivalent legislation is transferred internationally, the parties will put in place appropriate safeguards required by that legislation.

11. Audit and information rights

Payzava will make available to the Customer information reasonably necessary to demonstrate compliance with this agreement, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable notice, frequency, and confidentiality requirements.

12. Contact

Questions about this agreement or data protection at Payzava: [email protected]. Commercial questions: [email protected]. See also our privacy policy and subscription agreement.