Legal

Data Processing Agreement

Last updated: January 2025 · GDPR Article 28

Contents 1. Roles of the Parties 2. Subject Matter 3. Types of Data 4. Data Subjects 5. Purpose 6. Processor Obligations 7. Subprocessors 8. International Transfers 9. Data Breach 10. Retention & Deletion 11. Audit Rights 12. Liability 13. Governing Law

This Data Processing Agreement ("DPA") forms part of the agreement between HireHub ("Processor") and the Client ("Controller") and governs the processing of personal data in connection with HireHub's services.

1. Roles of the Parties

The Client acts as Data Controller — determining the purposes and means of processing personal data.

HireHub acts as Data Processor — processing personal data on behalf of and under the documented instructions of the Controller.

2. Subject Matter

This DPA covers the processing of personal data in connection with recruitment, candidate sourcing and workforce support services provided by HireHub to the Client.

3. Types of Data Processed

  • Name, email address and contact details
  • CV and professional experience data
  • Communication and correspondence data

4. Categories of Data Subjects

  • Candidates introduced by HireHub to the Client
  • Client representatives and authorised users

5. Purpose of Processing

  • Recruitment and candidate matching services
  • Communication and coordination between parties
  • Provision of ongoing workforce support services

6. Processor Obligations

HireHub as Processor shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure that all personnel with access to personal data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures
  • Assist the Controller in responding to data subject rights requests
  • Assist the Controller with GDPR compliance obligations including security and breach notification
  • Delete or return all personal data upon termination of services, as instructed
  • Provide all information necessary to demonstrate compliance with this DPA

7. Subprocessors

HireHub may engage subprocessors (e.g. hosting providers, email service providers) to assist in the delivery of services. Appropriate contractual safeguards are in place with all subprocessors. HireHub will inform the Controller of any intended changes to subprocessors and provide opportunity to object.

8. International Transfers

Where personal data is transferred outside the European Economic Area (EEA), HireHub will ensure that adequate safeguards are in place, including Standard Contractual Clauses or other mechanisms approved under GDPR.

9. Data Breach Notification

HireHub shall notify the Client without undue delay — and where feasible within 72 hours — after becoming aware of a personal data breach affecting data processed under this DPA. The notification shall include all information required by GDPR Article 33(3).

10. Data Retention and Deletion

Personal data will be retained only for as long as necessary for the provision of services or as required by applicable law. Upon termination of the service agreement or upon written request, HireHub will delete or return personal data as instructed by the Controller.

11. Audit Rights

The Client may request reasonable information from HireHub to verify compliance with this DPA. Where required, HireHub will support audits conducted by the Controller or an authorised auditor, subject to reasonable notice and confidentiality obligations.

12. Liability

Each party is responsible for its own obligations under GDPR and this DPA. HireHub as Processor is liable to the Controller in accordance with GDPR Article 82 for damages caused by processing in breach of documented instructions or this DPA.

13. Governing Law

This DPA is governed by the law applicable to the main service agreement between the parties. Where no governing law is specified, English law applies.

Contact for data protection matters: