Between

HireData B.V., Keizersgracht 520H, 1017 EK Amsterdam, The Netherlands (Chamber of Commerce: 37125140) (“Processor”, “HireData”)

and

The customer as defined in the HireData Terms of Service (“Controller”, “Customer”)

1. Roles & Scope

• The Customer is the data controller for all personal data uploaded to or processed via HireData.
• HireData acts as the data processor, processing personal data only on documented instructions from the Customer and in accordance with this DPA and applicable law, including GDPR.

If we believe an instruction would result in a GDPR violation, we will promptly notify you and not execute the instruction until resolved.

2. Processing Details

• Purpose: Execution of services provided via the HireData platform (automation, communication, workflow management, AI-assisted functions).
• Duration: As long as the Customer uses the services.
• Categories of Data Subjects: Candidates, clients, employees, or other contacts of the Customer.
• Types of Personal Data: Typically name, contact details, job data, conversation history, and custom fields (depending on Customer configuration).

3. Processor Obligations

HireData will:

• Process personal data only on documented instructions from the Customer.
• Implement appropriate technical and organisational security measures, including (at a minimum): Encryption in transit and at rest; Role-based access control; Audit logging; Regular vulnerability assessments; Secure development practices.
• Ensure staff are bound by confidentiality obligations
• Assist the Customer in responding to data subject rights requests via platform tools or APIs.
• Notify the Customer without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach.
• Cooperate with supervisory authorities as required by law.
• Delete or return all personal data at the end of service provision unless legally required to retain it, providing written confirmation upon request.

4. Sub-processors

We use sub-processors to deliver our services. The current list (including locations) is available here:

• We may update this list from time to time. Updates will be notified via email or website.
• You authorise us to appoint sub-processors, provided we impose equivalent data protection obligations on them.

5. International Transfers

We will only transfer personal data outside the EEA:

• To countries with a European Commission adequacy decision, or
• Under Standard Contractual Clauses (SCCs) or other valid GDPR transfer mechanisms.

We are authorised to enter into SCCs with sub-processors on your behalf.

6. Audit Rights

You may audit our compliance with this DPA once per year on at least 30 days’ notice, provided it:

• Does not disrupt our operations
• Is conducted by an independent third party under NDA
• Is at your expense

7. Liability & Indemnity

Each party remains liable for its own breach of this DPA or applicable data protection laws. HireData remains liable for the acts and omissions of its sub-processors.

8. Governing Law

This DPA is governed by Dutch law, and disputes are subject to the exclusive jurisdiction of the courts of Amsterdam, The Netherlands. This DPA forms part of the HireData Terms of Service and prevails over them in case of conflict on data protection matters.