Employee-relations records are among the most sensitive information an organisation holds. This page sets out, in plain English, what Evenhand stores, where it lives, the basis we hold it on, and the rights you and your people can exercise over it.
Evenhand is a UK data processor, hosting all data in the United Kingdom, built to meet UK GDPR and the Data Protection Act 2018.
Your organisation is the data controller for the case information you put into Evenhand; Evenhand is the processor, acting on your instructions under a data-processing agreement. The following is a plain-English summary and not a substitute for that agreement or our full privacy notice.
Evenhand only holds the data needed to run an employee-relations case and the account that manages it.
The facts, timeline, decisions, notes and outcomes of each disciplinary, grievance, performance, absence or investigation matter.
Names, job roles, locations, and contact details of the people involved in a case - the subject, witnesses and handlers.
Where a case involves it (for example health information in an absence matter, or data relating to a protected characteristic in a grievance), it is held only as part of that case record and treated with the additional care UK GDPR requires.
Letters, statements, evidence and uploaded files attached to a case. Hearing transcripts are stored; hearing audio is not retained.
The user accounts of your team, their roles and permissions, and the access logs that record who did what, and when.
All Evenhand data - including documents, backups and logs - is stored and processed in the United Kingdom. We do not move personal data outside the UK, and we do not rely on international transfer mechanisms for the core service.
Your organisation determines the lawful basis for processing employee-relations data, typically the legitimate interests of managing the employment relationship and compliance with employment law. Evenhand processes that data solely on your documented instructions, for no purpose of our own. We do not sell data, and we do not use your case data to train models for other customers.
Evenhand is built so that you can meet your obligations to employees without a scramble.
Role-based access is enforced at every layer: people see only the cases they are entitled to, and tiered handling keeps lower-level matters with local handlers and serious matters with named ER leads. Every view, download, edit and action is logged. Case notes, once entered, cannot be edited or deleted - the record is immutable, which is what makes it defensible.
You set retention rules that fit your policy and your legal obligations. Evenhand tracks them per case, surfaces records that are due for review or deletion, and keeps closed cases available for as long as you need them and no longer.
Data is encrypted in transit and at rest. Access is protected by individual accounts, role-based permissions and support for single sign-on. We keep a short, vetted list of sub-processors needed to run the service - all UK-based - and name them in our data-processing agreement.
Our team will answer within one working day.