GDPR Compliance

How QuoHR protects your data under EU regulations

QuoHR is committed to complying with the General Data Protection Regulation (GDPR). This page explains how we handle personal data of individuals within the European Economic Area (EEA) and the rights available to data subjects.

Our Role

When your organization uses QuoHR, we act as a Data Processor on behalf of your employer (the Data Controller). We process personal data only as instructed by the Data Controller and in accordance with our Data Processing Agreement (DPA).

Lawful Basis for Processing

We process personal data under one or more of the following legal bases:

  • Contractual necessity — to provide the HRMS service to your organization
  • Legitimate interest — to improve and secure our platform
  • Legal obligation — to comply with applicable laws and regulations
  • Consent — where required, such as for location tracking in attendance features

Your Rights Under GDPR

If you are located in the EEA, you have the following rights:

  • Right of Access — request a copy of the personal data we hold about you
  • Right to Rectification — request correction of inaccurate or incomplete data
  • Right to Erasure — request deletion of your personal data (“right to be forgotten”)
  • Right to Restrict Processing — request limitation of how we process your data
  • Right to Data Portability — receive your data in a structured, machine-readable format
  • Right to Object — object to processing based on legitimate interest

To exercise any of these rights, contact your organization's HR administrator or email us directly at privacy@quohr.app.

Data Security Measures

  • 256-bit AES encryption for data at rest and TLS 1.3 for data in transit
  • Role-based access controls with audit logging
  • Regular penetration testing and vulnerability assessments
  • Automated daily backups with disaster recovery procedures
  • SOC 2 Type II certification

Data Transfers

When personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission. We do not transfer data to countries without adequate data protection unless proper mechanisms are implemented.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by your organization's data retention policy. Upon termination of service, we provide a data export period followed by secure deletion within 90 days.

Data Processing Agreement

We offer a GDPR-compliant Data Processing Agreement (DPA) to all customers. To request a copy of our DPA, contact us at privacy@quohr.app.

Contact Our Data Protection Team

For any GDPR-related inquiries, contact us at privacy@quohr.app.