Chillsoft is fully committed to the General Data Protection Regulation (GDPR) and equivalent data protection laws globally. This page details our compliance framework, the measures we implement, and how we protect the rights of every data subject whose information flows through our platform.
The General Data Protection Regulation (EU) 2016/679, in force since 25 May 2018, is one of the most comprehensive data protection laws in the world. It grants individuals in the EU/EEA enforceable rights over their personal data and imposes stringent obligations on the organisations that process it. Chillsoft serves enterprise customers across the EU, UK, US, and globally, and treats GDPR compliance as a baseline standard that extends to all our customers and users, regardless of geography.
The UK GDPR (the EU GDPR as retained in UK law after Brexit, read together with the Data Protection Act 2018) mirrors the EU GDPR in most material respects, and Chillsoft applies the same compliance standards to UK customers and data subjects.
Understanding the distinction between data controller and data processor is fundamental to GDPR compliance. The roles determine who bears primary responsibility for each processing activity.
When your organisation deploys the Chillsoft platform and loads employee, payroll, candidate, or HR data — your organisation is the data controller and Chillsoft is the data processor acting on your instructions. We process that data only as documented in our Data Processing Agreement (DPA) and your configuration of the platform. We do not use employee data for our own purposes.
Chillsoft acts as a data controller for: website visitor data (contact forms, analytics, cookies), prospect and customer account data (CRM), and platform security/fraud monitoring data. In these cases, Chillsoft determines the purposes and means of processing and bears full GDPR controller obligations.
| Data Type | Controller | Processor |
|---|---|---|
| Employee HR records, payroll, attendance | Your Organisation | Chillsoft |
| Job candidate data (via Recruitment module) | Your Organisation | Chillsoft |
| Performance reviews, OKR data | Your Organisation | Chillsoft |
| Website visitors & demo requests | Chillsoft | — |
| Customer account / contact data | Chillsoft | — |
| Platform security logs | Chillsoft | — |
Every processing activity must have an identified, documented lawful basis under Article 6 GDPR. As a processor, we rely on the lawful basis established by the controller (your organisation). As a controller, we rely on the following:
Contractual necessity (Art. 6(1)(b)): processing necessary to perform our Master Service Agreement with enterprise customers, including provisioning platform access and delivering the contracted HCM services. Payroll and other employee data inside the platform is processed on the customer's instructions as processor, under the customer's own lawful basis.
Legal obligation (Art. 6(1)(c)): processing required to comply with applicable law, including employment regulations, tax obligations, statutory reporting requirements, and court orders in the jurisdictions in which we operate.
Legitimate interests (Art. 6(1)(f)): security monitoring, fraud prevention, service improvement through anonymised analytics, and business development outreach to existing contacts, where these interests are not overridden by the rights and freedoms of the data subject (a Legitimate Interests Assessment is documented for each).
Consent (Art. 6(1)(a)): marketing email to website visitors and prospects, and placement of non-essential cookies. Consent is granular, recorded with timestamp and IP address, and can be withdrawn at any time via the unsubscribe link or the cookie preference centre.
Chillsoft has built technical capabilities into the platform to enable both controllers (employers) and data subjects (employees) to exercise GDPR rights efficiently. Requests are answered within one month of receipt, extendable by up to two further months where requests are complex or numerous, in which case the data subject is told of the extension within the first month (Art. 12(3)).
Employees: contact your organisation's HR administrator or DPO first, as your employer is the data controller; Chillsoft acts on the controller's instructions and supports the response.
Website visitors / prospects: email reachus@chillsoft.in with the subject "DSR — [Your Name]"; we respond within one month.
Identity is verified before any request is actioned, so that personal data is not disclosed, altered, or erased on the basis of an unauthorised request.
Article 28 GDPR requires that every controller-processor relationship be governed by a binding Data Processing Agreement. Chillsoft provides a comprehensive DPA to all enterprise customers as a standard component of our Master Service Agreement.
Our DPA covers:
The subject matter, duration, nature, and purpose of processing; the type of personal data processed; the categories of data subjects whose data is processed by Chillsoft on the customer's behalf.
Technical and organisational security measures implemented by Chillsoft, including encryption standards, access controls, backup procedures, and incident response obligations.
Conditions under which Chillsoft may engage sub-processors (e.g. cloud infrastructure providers), with advance notification rights and the requirement that sub-processors are bound by equivalent DPA terms.
Chillsoft's obligations to assist the controller in responding to data subject requests through appropriate technical and organisational measures.
Customers may audit Chillsoft's data processing activities, with reasonable notice. We provide SOC 2 Type II reports and security documentation to fulfil audit obligations without requiring on-site visits.
Upon termination of the MSA, Chillsoft returns or destroys all customer data: it is removed from production systems within 30 days and from backup tiers within the contractual period (90 days), with a certified deletion confirmation. The one exception is data held in the write-once compliance archive under a legal retention obligation (Art. 17(3)), which is retained for the statutory period and erased when that period expires.
To request a copy of Chillsoft's standard Data Processing Agreement or to discuss a custom DPA for your organisation, contact reachus@chillsoft.in. Our legal team typically responds within 3 business days.
Chillsoft operates a globally distributed cloud infrastructure to serve enterprise customers across multiple geographies. We ensure that all cross-border data transfers comply with Chapter V GDPR requirements through the following mechanisms:
| Transfer Mechanism | When Used | Safeguard |
|---|---|---|
| EU Standard Contractual Clauses (SCCs) | EU/EEA → India, Singapore, UAE data flows | 2021 EU SCCs (Module Two, controller-to-processor; Module One, controller-to-controller) |
| UK International Data Transfer Agreement (IDTA) / UK Addendum | UK → third countries | ICO-approved IDTA, or the ICO International Data Transfer Addendum applied to the EU SCCs |
| Adequacy Decisions | EU/EEA → countries with an EU adequacy decision (e.g. the UK) | No additional transfer mechanism required (Art. 45); transfers within the EEA are not restricted transfers at all |
| Data Localisation | Customers requiring in-country storage | Data confined to customer-specified region (e.g., EU-only for German customers) |
| Transfer Impact Assessment (TIA) | All third-country transfers | Documented TIA on file assessing local law impact on SCC effectiveness |
Chillsoft's customer support team is based in Chennai, India. Support personnel access customer data only through encrypted, role-based, MFA-protected channels. All support access is logged in immutable audit trails. Support staff never store, copy, or remove customer data. This access model has been reviewed and documented in our Transfer Impact Assessment.
Article 30 GDPR requires controllers and processors to maintain a Record of Processing Activities (ROPA), subject only to the limited small-enterprise exemption in Art. 30(5). Chillsoft maintains detailed ROPA documentation covering all processing activities conducted both as controller and as processor.
Our ROPA includes, for each processing activity: the name and contact details of the controller (and, for processor-side records, of each controller on whose behalf we act, as Art. 30(2) requires); the purposes of processing; the categories of data subjects; the categories of personal data; the categories of recipients; international transfer details and safeguards; envisaged time limits for erasure; and a general description of the technical and organisational security measures.
Chillsoft's ROPA is available to competent supervisory authorities upon request, as required by Article 30(4) GDPR. Enterprise customers may also request a copy of the processor-side ROPA relevant to their data as part of their audit rights under the DPA.
GDPR Article 32 requires that data processing includes, where appropriate, the ability to ensure ongoing integrity, availability, and resilience of systems, and the ability to restore availability and access to personal data in a timely manner. Our backup infrastructure is designed to exceed this requirement.
All customer data is backed up every 6 hours automatically. Critical payroll and financial data is snapshotted every 1 hour. This ensures an RPO of <6 hours for standard data and <1 hour for financial data, meeting or exceeding enterprise SLA requirements and GDPR's data availability obligations.
| Backup Tier | Frequency | Retention | Encryption | GDPR Relevance |
|---|---|---|---|---|
| Financial/Payroll Snapshot | Every 1 hour | 7 days rolling | AES-256 | Art. 32 — Availability & resilience |
| Full Incremental Backup | Every 6 hours | 30 days | AES-256 | Art. 32 — Restoration capability |
| Daily Differential Backup | Every 24 hours | 30 days | AES-256 | Art. 32 — Business continuity |
| Weekly Archive | Weekly | 12 months | AES-256 | Art. 5(1)(e) — Storage limitation |
| Monthly Compliance Archive | Monthly | 7 years | AES-256, write-once | Art. 17(3) — Legal retention exceptions |
| Geo-Redundant Replication | Continuous (≤15 min lag) | Mirrors primary | TLS 1.3 in-transit + AES-256 at rest | Art. 32 — Resilience against regional failure |
Backup data is subject to the same access controls, encryption, and audit logging as primary production data. Backup access is restricted to authorised infrastructure personnel, logged, and reviewed quarterly. When an erasure request is honoured and no legal retention obligation applies, Chillsoft removes the data from each backup tier at that tier's next scheduled rotation or within 90 days for archived tiers, whichever is sooner, and provides documented confirmation. Data held in the write-once compliance archive under a legal retention obligation (Art. 17(3)) is the exception: it is retained for the statutory period and erased when that period expires.
Article 35 GDPR requires a DPIA for processing that is likely to result in a high risk to the rights and freedoms of natural persons. Chillsoft conducts DPIAs for all high-risk processing activities and makes DPIA methodology available to enterprise customers for their own assessment needs.
We have completed DPIAs for: AI-powered HR analytics (Theo AI); location-based attendance tracking (geo-fencing); payroll and financial data processing; large-scale employee data migration during onboarding; and cross-border data transfers to third countries.
Chillsoft's Theo AI assists HR processes by surfacing insights, recommendations, and predictions. Where an AI output could significantly affect an employee (e.g. performance scoring or attrition-risk flagging), a human reviews it before any decision is taken; the platform does not make decisions based solely on automated processing that produce legal or similarly significant effects (Art. 22). Customers can configure how far AI is involved in each workflow to match their own obligations as controller.
In the event of a personal data breach, Chillsoft follows a documented Incident Response Plan aligned with Articles 33 and 34 GDPR:
Detection and containment: automated monitoring detects anomalies and alerts the security team immediately. Affected systems are isolated to prevent further exposure, and forensic investigation begins.
Assessment: breach scope, severity, and affected data categories are assessed; impacted data subjects are identified; the risk to their rights and freedoms is evaluated; and the DPO and legal team decide which notification obligations apply.
Regulatory notification: where Chillsoft is the controller and the breach is likely to result in a risk to the rights and freedoms of individuals, the competent supervisory authority is notified within 72 hours of Chillsoft becoming aware of it (Art. 33(1)), with reasons given for any delay beyond that window. Where Chillsoft is the processor, the duty to notify the supervisory authority sits with the controller, and Chillsoft's obligation is to notify the controller without undue delay (Art. 33(2)). The notification includes the nature of the breach, the categories and approximate number of data subjects and records affected, the DPO's contact details, the likely consequences, and the measures taken or proposed.
Controller notification: Chillsoft notifies affected data controllers (enterprise customers) without undue delay after becoming aware of the breach. Where the breach is likely to result in a high risk to individuals and Art. 34 applies, Chillsoft supports the controller in communicating it to affected data subjects promptly.
Remediation and closure: technical vulnerabilities are patched, security controls are strengthened, a full post-incident report is prepared, lessons learned are fed back into security processes, and regulatory correspondence is managed to closure.
Chillsoft engages the following categories of sub-processors to deliver our services. All sub-processors are bound by Data Processing Agreements with data protection obligations no less protective than those in our customer DPA. Customers receive advance notification (30 days) of any new sub-processor additions.
| Category | Sub-Processor(s) | Purpose | Data Location |
|---|---|---|---|
| Cloud Infrastructure | Microsoft Azure, AWS | Platform hosting, compute, storage | Customer-selected region (India / EU / Singapore / UAE / US) |
| Database Services | Azure SQL, AWS RDS | Managed database hosting | Same as cloud infrastructure region |
| Backup & Archive | Azure Backup, AWS S3 Glacier | Backup storage and long-term archiving | Primary + secondary geo-redundant region |
| Email Delivery | Configured SMTP (customer's or Chillsoft's) | Transactional notifications | In-transit only (TLS encrypted) |
| Live Chat | Tawk.to | Customer support chat | Tawk.to privacy policy applies; no HR data shared |
| Security Monitoring | Azure Sentinel / AWS GuardDuty | Threat detection, SIEM | Same region as cloud infrastructure |
| CDN & WAF | Cloudflare | Web application firewall, DDoS protection | In-transit only (Cloudflare terminates TLS at its edge to apply WAF rules; no customer data is stored there) |
A complete, up-to-date Sub-Processor List is available upon request. Contact reachus@chillsoft.in.
Chillsoft has designated a Data Protection Officer responsible for overseeing our GDPR compliance programme, serving as the primary point of contact for data subjects and supervisory authorities, and advising on data protection impact assessments.
Email: reachus@chillsoft.in (subject: "Attention: DPO")
Postal: Data Protection Officer, Chillsoft Private Limited, No. 82 (116), Velachery Main Road, Saidapet, Chennai — 600015, Tamil Nadu, India
Response: Within 2 business days for acknowledgement; substantive response within 30 days.
If you are unsatisfied with Chillsoft's response to a privacy concern, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction:
| Jurisdiction | Authority | Website |
|---|---|---|
| 🇪🇺 European Union | Your member state's Data Protection Authority (e.g. CNIL for France, BfDI for Germany, DPC for Ireland) | edpb.europa.eu/about-edpb/about-edpb/members_en |
| 🇬🇧 United Kingdom | Information Commissioner's Office (ICO) | ico.org.uk |
| 🇮🇳 India | Data Protection Board of India (under DPDPA 2023) | meity.gov.in |
| 🇺🇸 United States | FTC (federal); State AG offices (CCPA: California Privacy Protection Agency) | ftc.gov / cppa.ca.gov |
| 🇸🇬 Singapore | Personal Data Protection Commission (PDPC) | pdpc.gov.sg |
Yes. GDPR applies to organisations outside the EU that process the personal data of individuals in the EU/EEA in connection with offering them goods or services or monitoring their behaviour (Art. 3(2)), and to any processing carried out in the context of an EU establishment (Art. 3(1)). Chillsoft serves EU enterprise customers whose employees are in the EU, and is in any case bound to the processor obligations of Art. 28 through the DPA signed with each such customer.
For data processed on your organisation's behalf, Chillsoft is the processor and you (the employer) are the controller. Employees should contact your HR/DPO first. Chillsoft will assist you in fulfilling their requests within the timeframes required by GDPR.
Upon termination, Chillsoft provides a complete data export within 7 days. All customer data is then securely deleted from production systems within 30 days and from backup tiers within 90 days, with a certified deletion confirmation provided in writing. Data held in the write-once compliance archive under a legal retention obligation (Art. 17(3)) is retained for the statutory period and erased when that period expires.
No. Theo AI surfaces insights and recommendations that assist HR professionals — it does not make binding automated decisions about employees without human review. This is by design to comply with GDPR Article 22 and to ensure fair, accountable HR practices.
Email reachus@chillsoft.in with your company name and we'll send you our standard DPA within 3 business days. We also accommodate customer-specific DPA amendments where required for large enterprise or public sector customers.
Our Data Protection team responds to all GDPR queries within 2 business days. We're here to make compliance easy.