Our approach
MRHRM treats compliance as ongoing engineering work. We design for the strictest jurisdiction we operate in, document our practices, and apply them uniformly so customers do not have to negotiate baseline protections.
This page describes how we handle data subject requests, data residency, and the compliance frameworks we align with.
Applicable frameworks
- GDPR — for users in the European Economic Area and the United Kingdom.
- CCPA / CPRA — for California residents.
- CAN-SPAM Act — for transactional and commercial email sent through the platform.
- AWS SES sending policies — every category of outbound email is classified, opt-in where required, and immediately suppressible.
Data subject rights
You can exercise the following rights:
- Access — request a copy of your data.
- Rectification — correct inaccurate or outdated data.
- Deletion — request that we erase your data.
- Restriction — limit how we process your data.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interests.
Most rights are self-service from Edit Profile or Settings. For requests that require human review, write to privacy@mrhrm.com. We respond within 30 days.
Sub-processors
We use a small set of trusted vendors to operate the platform. Each is evaluated for security, reliability, and data protection posture before onboarding.
- Amazon Web Services — hosting, storage, email delivery (SES).
- Google — optional single sign-on.
- Stripe — payment processing for paid plans.
- MongoDB Atlas — managed database tier.
A current sub-processor list is available on request from compliance@mrhrm.com.
Data residency and transfers
Production data is hosted in regional cloud zones. Where data is transferred internationally, we rely on Standard Contractual Clauses, vendor-published transfer impact assessments, and, where available, the EU-US Data Privacy Framework.
Incident response
We maintain a documented incident response procedure. If a security incident affects your data, we notify you without undue delay and within the timelines required by applicable law (typically 72 hours under GDPR).
For privacy and compliance escalation, contact us directly from this page or via our Contact page.
Email-sending compliance
MRHRM's outbound email is intentionally limited and split into two clear categories: transactional email and optional product email. Operational practices include:
- SPF, DKIM, and DMARC alignment on every sending domain.
- List-Unsubscribe and List-Unsubscribe-Post headers on optional email.
- Continuous monitoring of bounce and complaint rates against AWS SES thresholds.
- Automatic suppression of soft and hard bounces.
- Clear sender identification and physical address in every applicable email.
- No purchased lists, no scraped contacts, no shared sending IPs with unrelated tenants.
Data Processing Agreement
Customers acting as data controllers can request our Data Processing Agreement (DPA), which incorporates GDPR Standard Contractual Clauses. Email compliance@mrhrm.com to receive the current version.
Contact
For data protection matters, email privacy@mrhrm.com. For broader compliance requests, use compliance@mrhrm.com.