Data Processing Agreement

Hire HRAI Oy

Last updated: December 13, 2024

1 Introduction and Purpose

This Data Processing Agreement ("Agreement" or "DPA") forms part of the main Terms and Conditions or other written contract between Hire HRAI Oy ("Processor") and the customer organization ("Controller") that uses the Hire HRAI platform and related services ("Service").

The purpose of this DPA is to ensure that the processing of personal data by Hire HRAI on behalf of the Controller is conducted in compliance with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and all applicable data protection laws.

This Agreement governs the processing of personal data carried out by Hire HRAI in connection with the Service and defines the rights and obligations of both parties regarding data protection and security.

2 Definitions

For the purposes of this DPA:

  • "Controller" means the legal entity that determines the purposes and means of processing personal data.
  • "Processor" means Hire HRAI Oy, which processes personal data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject").
  • "Processing" means any operation performed on personal data, such as collection, storage, analysis, disclosure, or deletion.
  • "Sub-processor" means any third party engaged by the Processor to assist in processing personal data.
  • "Data Subject" means an individual whose personal data is processed through the Service (e.g., job applicants).
  • "Technical and Organizational Measures" (TOMs) means the security controls implemented by the Processor to protect personal data.
  • "Applicable Law" means the GDPR and other EU or national data protection legislation.

3 Roles and Responsibilities

3.1 Data Controller (Customer)

The Controller is responsible for determining the purposes and legal bases for processing personal data and for ensuring that such processing complies with Applicable Law.

The Controller must:

  • Obtain all necessary consents or other legal grounds for processing candidate data;
  • Provide Data Subjects with appropriate privacy information;
  • Ensure that data uploaded to the Service is accurate, lawful, and necessary for the stated purpose;
  • Retain responsibility for all decisions made based on insights or outputs generated by the Service.

3.2 Data Processor (Hire HRAI)

The Processor shall process personal data only on documented instructions from the Controller and only for the purposes described in this Agreement.

Hire HRAI must:

  • Ensure that all personnel authorized to process personal data are bound by confidentiality obligations;
  • Implement appropriate technical and organizational measures to protect personal data;
  • Notify the Controller without undue delay of any data breach;
  • Assist the Controller in fulfilling data protection obligations, including Data Subject requests;
  • Maintain records of processing activities;
  • Engage Sub-processors only under the terms set out in this Agreement.

The Processor shall not use personal data for its own purposes or disclose it to third parties except as authorized by the Controller or required by law.

4 Subject Matter and Duration of Processing

Subject Matter

The Processor provides recruitment technology services that enable the Controller to manage job postings, receive applications, and analyze candidate data through AI-driven tools. In doing so, the Processor may store, analyze, and transmit personal data on behalf of the Controller.

Duration

This Agreement remains in effect for the duration of the Controller's use of the Service and continues until all personal data processed on behalf of the Controller has been deleted or returned in accordance with Section 16 ("Return or Deletion of Data").

5 Nature and Purpose of Processing

The Processor shall process personal data solely for the purpose of delivering, maintaining, and improving the Hire HRAI platform and its related services on behalf of the Controller.

Specifically, the Processor may process personal data to:

  • Host and store candidate applications and job postings;
  • Analyze application content for skills, experience, and suitability;
  • Generate automated insights, reports, and analytics based on recruitment data;
  • Provide technical support and system maintenance;
  • Monitor and secure the platform against unauthorized access or misuse;
  • Ensure service reliability and performance optimization.

No personal data shall be processed for purposes other than those explicitly stated in this Agreement or the Controller's documented instructions.

6 Categories of Data Subjects

The personal data processed under this Agreement concerns the following categories of Data Subjects:

  • Job Applicants (Candidates) – individuals applying for employment opportunities managed by the Controller.
  • Customer Representatives and Users – employees or contractors of the Controller who have access to the Service.
  • Other Related Individuals – persons whose data may appear incidentally in uploaded documents (e.g., referees mentioned in CVs).

7 Types of Personal Data

The Processor may process the following types of personal data on behalf of the Controller, depending on the Controller's configuration and use of the Service:

Candidate Data

  • Name, contact details, and professional identifiers;
  • Employment history, education, and qualifications;
  • Skills, competencies, and portfolio information;
  • Job preferences and motivation statements;
  • AI-generated evaluations or scoring results;
  • Feedback or annotations made by the Controller's users.

Customer User Data

  • Name, email address, role, and organizational affiliation;
  • Login credentials (stored securely and hashed);
  • Usage logs, permissions, and access history.

The Processor does not intentionally process special categories of personal data as defined in Article 9 of the GDPR (e.g., data revealing racial or ethnic origin, political opinions, or health information). If such data is uploaded by the Controller, it is the Controller's responsibility to ensure lawful processing.

8 Obligations of the Data Processor

The Processor shall comply with all obligations imposed by Article 28 of the GDPR and shall, in particular:

  • Process data only on documented instructions from the Controller, including regarding international transfers;
  • Ensure confidentiality — all persons authorized to process personal data shall be under a binding duty of confidentiality;
  • Implement appropriate technical and organizational measures ("TOMs") to ensure data security in line with Article 32 of the GDPR;
  • Assist the Controller in responding to requests from Data Subjects (access, rectification, erasure, restriction, portability, or objection);
  • Assist the Controller in ensuring compliance with Articles 32–36 of the GDPR (security, breach notification, DPIA, and consultation);
  • Notify the Controller without undue delay after becoming aware of a personal data breach;
  • Maintain records of processing activities carried out on behalf of the Controller;
  • Ensure Sub-processors are engaged only under written agreements imposing the same data protection obligations as set out in this DPA;
  • Make available all information necessary to demonstrate compliance with this Agreement and allow for reasonable audits or inspections (see Section 15);
  • Return or delete all personal data upon termination of the Service, as described in Section 16.

The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes applicable data protection law.

9 Obligations of the Data Controller

The Controller shall comply with all applicable obligations under the GDPR and other data protection laws. In particular, the Controller agrees to:

  • Determine the lawful basis for processing all personal data entered into the Service;
  • Provide all required privacy notices to Data Subjects before processing begins;
  • Ensure that all personal data uploaded to the Service is accurate, relevant, and limited to what is necessary;
  • Use the Service only for lawful and ethical recruitment purposes;
  • Obtain consent or other legal grounds from Data Subjects where required by law;
  • Respond to Data Subject requests that are addressed directly to the Controller;
  • Maintain internal policies and records demonstrating compliance with the GDPR.

The Controller remains solely responsible for the accuracy, quality, and legality of the personal data provided and for ensuring that its use of the Service complies with all applicable laws.

10 Sub-processors and Authorizations

The Processor may engage Sub-processors to assist in providing the Service.

Authorization

The Controller grants general authorization for the Processor to engage Sub-processors, provided that:

  • Each Sub-processor is bound by a written contract imposing the same data protection obligations as this DPA;
  • The Processor remains fully liable for the actions and omissions of its Sub-processors; and
  • The Processor maintains an up-to-date list of authorized Sub-processors, available upon request.

Notification

The Processor shall inform the Controller of any intended changes to Sub-processors at least 30 days in advance. The Controller may object on reasonable data-protection grounds. If no objection is raised within that period, the engagement is deemed accepted.

Typical categories of Sub-processors include:

  • Cloud infrastructure providers (e.g., hosting and storage);
  • Email and communication service providers;
  • Analytics or performance monitoring tools.

11 International Data Transfers

The Processor will not transfer or allow access to personal data outside the European Economic Area (EEA) without prior written authorization from the Controller, unless such transfer complies with applicable data protection laws.

Where transfers occur, the Processor will ensure that one of the following safeguards is in place:

  • Adequacy Decision – the destination country is recognized by the European Commission as providing adequate protection;
  • Standard Contractual Clauses (SCCs) – approved by the European Commission and incorporated into contracts with the relevant recipient;
  • Binding Corporate Rules (BCRs) or equivalent approved mechanisms.

The Processor shall make documentation of such safeguards available to the Controller upon request.

12 Data Security and Confidentiality

The Processor shall implement and maintain appropriate technical and organizational measures (TOMs) to protect personal data against unauthorized access, alteration, disclosure, or destruction.

These measures include, at a minimum:

  • Encryption of data in transit and at rest;
  • Role-based permissions and least-privilege principles;
  • Regular security audits, penetration testing, and system monitoring;
  • Backup and disaster-recovery procedures;
  • Employee training and confidentiality agreements;
  • Secure data-center operations with physical safeguards.

The Processor shall ensure that all personnel authorized to access personal data are bound by confidentiality obligations that survive termination of their employment or engagement.

In the event of a personal data breach, the Processor shall notify the Controller without undue delay after becoming aware of the breach, providing sufficient information to allow the Controller to meet its notification obligations under Articles 33 and 34 of the GDPR.

13 Data Breach Notification

In the event of a personal data breach, the Processor shall notify the Controller without undue delay after becoming aware of the incident.

The notification shall include, to the extent available:

  • A description of the nature of the personal data breach, including, where possible, the categories and approximate number of Data Subjects and records concerned;
  • The likely consequences of the breach;
  • The measures taken or proposed to address the breach and mitigate its possible adverse effects; and
  • Contact details for further information.

Where it is not possible to provide all information at once, the Processor shall supply the details in phases as they become available.

The Processor shall cooperate fully with the Controller to investigate, mitigate, and document the breach and to assist in fulfilling the Controller's obligations under Articles 33 and 34 of the GDPR, including notification to supervisory authorities or Data Subjects, if required.

14 Data Subject Requests and Assistance

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under the GDPR, including access, rectification, erasure, restriction, portability, and objection.

If a Data Subject submits a request directly to the Processor, the Processor shall promptly forward it to the Controller and shall not respond independently unless authorized in writing by the Controller.

The Processor shall provide the Controller with necessary technical or organizational support to fulfill such requests, taking into account the nature of the processing and the information available to the Processor.

Any assistance provided under this clause may be subject to reasonable administrative fees where legally permitted and proportionate.

15 Audit Rights

The Controller has the right to verify the Processor's compliance with this Agreement and applicable data protection laws.

The Processor shall make available all information reasonably necessary to demonstrate such compliance and shall allow for audits or inspections to be carried out by the Controller or an independent auditor appointed by the Controller, provided that:

  • Audits are conducted with reasonable notice (at least 30 days);
  • They do not unreasonably interfere with the Processor's business operations; and
  • The parties agree on scope, duration, and confidentiality in advance.

Alternatively, the Processor may provide relevant third-party audit certifications or security assessments (e.g., ISO 27001, SOC 2) as sufficient evidence of compliance.

All audit findings and related information shall be treated as confidential.

16 Return or Deletion of Data

Upon termination or expiration of the Agreement, or upon the Controller's written request, the Processor shall:

  • Delete all personal data processed on behalf of the Controller; or
  • Return such data to the Controller in a structured, commonly used, and machine-readable format, unless legal obligations require its retention.

Deletion shall include all copies from active systems, backups, and logs within a reasonable timeframe, following secure erasure practices.

The Processor shall provide written confirmation once data deletion or return has been completed.

If the Controller fails to request return or deletion within 60 days of termination, the Processor may permanently delete the data at its discretion, provided that this does not contravene legal obligations.

17 Liability and Indemnification

Each party shall be liable for the damages it causes through acts or omissions that violate this Agreement or applicable data protection laws.

The Processor's liability for any claims related to personal data processing shall be limited to the total amount paid by the Controller for the Service during the twelve (12) months preceding the incident giving rise to the claim.

The Processor shall not be liable for:

  • Processing performed in accordance with the Controller's lawful instructions;
  • Any loss or damage resulting from the Controller's failure to comply with its obligations under this Agreement or the GDPR.

Both parties agree to indemnify and hold each other harmless from any losses, damages, or expenses arising from non-compliance with this DPA or applicable data protection law, to the extent that such losses are directly attributable to the indemnifying party.

18 Governing Law and Dispute Resolution

This DPA shall be governed by and construed in accordance with the laws of Finland, excluding its conflict of law provisions.

Any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the District Court of Helsinki, Finland, unless otherwise required by mandatory applicable law.

Nothing in this Agreement shall limit either party's right to seek injunctive relief or to bring proceedings before a competent supervisory authority under the GDPR.

Annex 1: List of Sub-processors

As of the effective date of this Agreement, the Processor engages the following categories of Sub-processors to support Service delivery:

CategoryPurposeData LocationProvider
Cloud infrastructure and database hostingSecure data storage, authentication, and platform operationEU region (Supabase EU instance)Supabase Inc.
AI processing servicesText and data analysis to generate skill matrices and compatibility scoresEU/EEA or GDPR-compliant regionOpenAI Ireland Limited
Payment processingSecure handling of customer payments and billing dataEU/EEA or GDPR-compliant regionStripe Payments Europe Ltd.
Email deliveryTransactional and system notificationsEU/EEAResend, Inc.
Development and CI/CD operationsContinuous integration and deployment (no personal data processed)EU/EEA or GDPR-compliant regionCircle Internet Services, Inc. (CircleCI)

The Processor shall maintain an up-to-date list of active Sub-processors, available upon request or via the Service website.

Annex 2: Technical and Organizational Security Measures (TOMs)

Hire HRAI implements and maintains the following controls to ensure the confidentiality, integrity, and availability of personal data:

Organizational Controls

  • Designated Data Protection Officer or privacy lead responsible for compliance oversight;
  • Regular employee training and awareness on data protection and security practices;
  • Access control policies ensuring least-privilege and role-based permissions;
  • Formal incident response procedures and breach notification workflows;
  • Vendor risk assessments and Sub-processor due-diligence reviews.

Technical Controls

  • Encryption: Data encrypted at rest (AES-256) and in transit (TLS 1.2+);
  • Logging and monitoring: Continuous audit logs for system access and data operations;
  • Network security: Firewalls, intrusion detection, and DDoS protection;
  • Backup and recovery: Daily backups with verified restoration testing;
  • System hardening: Regular patching and vulnerability management;
  • Data minimization: Automatic purging and anonymization of obsolete records.

The effectiveness of these measures is reviewed periodically, and improvements are applied as part of Hire HRAI's ongoing security and compliance program.