This Data Processing Agreement ("DPA") forms part of the Terms of Service between QV Technologies OPC and each subscribing company. By subscribing to Kinsweldo, you ("Controller") accept the terms of this DPA. This agreement applies to all personal data processed by QV Technologies OPC ("Processor") on your behalf in the course of providing the Kinsweldo payroll and HRIS service.
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Data Processor: QV Technologies OPC, a corporation registered under the laws of the Republic of the Philippines, operating the Kinsweldo payroll and HRIS platform at https://kinsweldo.com ("Processor"); and
- Data Controller: The company or legal entity that has subscribed to the Kinsweldo service ("Controller"), identified by the company name and registration details provided upon account creation.
This DPA shall be effective from the date the Controller first subscribes to the Service and shall remain in effect for the duration of the subscription and thereafter as required by applicable law.
2. Purpose
The Processor shall process personal data solely for the purpose of providing the Kinsweldo payroll and HRIS service to the Controller, including:
- Computing employee compensation, statutory deductions, and net pay
- Generating payslips, BIR Form 2316, SSS R3, PhilHealth RF-1, and Pag-IBIG remittance reports
- Operating the employee self-service portal
- Processing attendance records and leave applications
- Maintaining payroll history and audit trails
- Providing customer support to the Controller
The Processor shall not process personal data for any other purpose without the prior written consent of the Controller, except as required by applicable law.
3. Scope of Processing
The Processor shall process the following categories of personal data on behalf of the Controller:
| Category | Data Elements |
| Identity data | Full name, date of birth, home address, contact number, email address |
| Government IDs | SSS number, PhilHealth number, Pag-IBIG (HDMF) number, Tax Identification Number (TIN) — all encrypted at rest using AES-256-GCM |
| Employment data | Position, department, employment type, hire date, separation date, salary grade, pay schedule |
| Payroll data | Basic salary, allowances, overtime, deductions (statutory and voluntary), net pay, 13th month pay, tax withheld |
| Attendance records | Time-in, time-out, overtime hours, late and undertime, absences, leave applications and approvals |
Data subjects covered by this DPA are: employees, contractors, and other personnel of the Controller whose data is submitted to the Service.
4. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller, except where required by applicable Philippine law
- Ensure that all personnel with access to personal data are bound by enforceable confidentiality obligations
- Implement and maintain the technical and organizational security measures specified in Section 7 of this DPA
- Not engage any sub-processor without prior notice to the Controller (current sub-processors listed in Section 6)
- Assist the Controller in fulfilling data subject rights requests under RA 10173, including rights to access, correction, deletion, and portability
- Notify the Controller without undue delay, and in any case within 72 hours of becoming aware, of any personal data breach, as required by NPC Circular No. 16-03
- Provide the Controller with all information reasonably necessary to demonstrate compliance with this DPA
- Delete or return all personal data to the Controller upon termination of the service, unless continued retention is required by applicable law
5. Controller Obligations
The Controller shall:
- Ensure that there is a lawful basis for processing the personal data submitted to the Service (e.g., employment contract, legal obligation under the Labor Code, employee consent)
- Ensure that data subjects (employees) have been informed of the processing activities as required by RA 10173, Sec. 13
- Ensure that all personal data submitted to the Service is accurate, complete, and up to date
- Not instruct the Processor to process personal data in a manner that would violate RA 10173 or any applicable law
- Comply with all applicable laws in relation to the personal data processed on the Controller's behalf
- Promptly notify the Processor of any data subject rights requests received directly by the Controller
- Fulfill NPC notification obligations in the event of a personal data breach under RA 10173, Sec. 20
6. Sub-processors
The Controller provides general authorization for the Processor to engage the following sub-processors. The Processor shall impose data protection obligations equivalent to those in this DPA on all sub-processors:
| Sub-processor | Purpose | Location |
| Supabase, Inc. | Database hosting, authentication, and file storage (hosted on AWS) | United States (AWS ap-southeast-1) |
| Resend, Inc. | Transactional email delivery (payslip notifications, alerts) | United States |
| Sentry (Functional Software, Inc.) | Application error monitoring and performance tracing (anonymized; no payroll data transmitted) | United States |
The Processor shall notify the Controller of any changes to the sub-processor list (additions or replacements) with at least 14 days' advance notice, providing the Controller with an opportunity to object on reasonable data protection grounds.
7. Security Measures
The Processor implements and maintains the following technical and organizational security measures, consistent with the standards required under RA 10173 and NPC Circular No. 16-01:
- Encryption at rest — all government-issued ID numbers are encrypted using AES-256-GCM before storage; database volumes are encrypted at the storage layer
- Encryption in transit — all data transmitted between clients and servers is protected by TLS 1.2 or higher; HSTS enforced
- Access controls — role-based access control (RBAC) enforced at the application layer; database-level row-level security (RLS) ensures strict data isolation between tenants
- Authentication — multi-factor authentication (MFA) available for administrator accounts; session tokens are short-lived and rotated
- Audit logging — every sensitive mutation (payroll runs, employee record changes, permission changes) is recorded in an immutable audit log with before/after state, actor identity, and timestamp
- Vulnerability management — regular dependency updates; security advisories monitored via automated tooling
- Incident response — documented incident response procedure; breach notification within 72 hours as required by NPC rules
- Personnel controls — access to production systems limited to essential personnel; confidentiality obligations enforced contractually
8. Data Breach Notification
In the event of a personal data breach (as defined under RA 10173 and NPC Circular No. 16-03), the Processor shall:
- Notify the Controller without undue delay, and in any case within 72 hours of becoming aware of the breach
- Provide the Controller with sufficient information to fulfill the Controller's own NPC notification obligations, including: (a) the nature of the breach; (b) the categories and approximate number of data subjects affected; (c) the categories and approximate volume of records affected; (d) the likely consequences of the breach; and (e) measures taken or proposed to address the breach
- Cooperate fully with the Controller during any NPC investigation or audit
The Controller is responsible for notifying the NPC of personal data breaches in accordance with RA 10173, Section 20, and NPC Circular No. 16-03. The Processor's notification to the Controller does not relieve the Controller of this obligation.
9. Data Subject Rights
The Processor shall provide reasonable assistance to the Controller in fulfilling data subject rights requests under RA 10173, including:
- Right of access — the Service allows data subjects (employees) to view their own payslips, personal data, and leave records via the self-service portal
- Right to correction — the Controller's HR administrators may correct employee records at any time through the platform
- Right to erasure or blocking — upon the Controller's request, the Processor will delete or block personal data not subject to mandatory retention, within 30 calendar days
- Data portability — the Controller may export all employee and payroll data in machine-readable formats (CSV, Excel) at any time via the platform
The Processor shall respond to requests for assistance within 30 calendar days of receipt.
10. Retention and Deletion
Upon termination of the subscription, the following applies:
- The Controller's data will remain accessible for export for 30 days following the termination date
- After 30 days, personal data not subject to mandatory legal retention will be permanently and irreversibly deleted from all production systems and backups within a reasonable period not exceeding 90 days
- Mandatory retention exception: payroll and financial records required to be retained under BIR Revenue Regulations No. 17-2013 (10-year retention period for tax records) will be retained for the legally required period, after which they will be permanently deleted
- The Processor will, upon written request, provide the Controller with a written confirmation of deletion
11. Audit Rights
The Controller may audit the Processor's compliance with this DPA subject to the following conditions:
- Audits may be conducted no more than once per calendar year, except where a personal data breach has occurred
- The Controller shall provide the Processor with at least 30 days' advance written notice of any audit
- Audits shall be conducted during business hours and in a manner that minimizes disruption to the Processor's operations
- The Controller shall bear the costs of any audit unless the audit reveals material non-compliance by the Processor
- The Processor may satisfy audit requirements by providing the Controller with its current NPC registration, third-party security assessment reports, or equivalent documentary evidence of compliance
12. Governing Law
This DPA shall be governed by the laws of the Republic of the Philippines, including:
- Republic Act No. 10173 (Data Privacy Act of 2012) and its Implementing Rules and Regulations
- NPC Circular No. 16-01 (Security of Personal Data in Government Agencies) — applied by analogy to private sector processors
- NPC Circular No. 16-03 (Personal Data Breach Management)
- NPC Advisory Opinion and issuances as applicable
Any dispute arising from this DPA shall be subject to the exclusive jurisdiction of the appropriate courts of Quezon City, Metro Manila, Philippines, or the NPC as may be applicable under RA 10173.
Questions about this DPA?
Contact our Data Protection Officer at admin@kinsweldo.com.
QV Technologies OPC — Republic of the Philippines