Data processing agreement DPA

This Data Processing Agreement (hereinafter “DPA”) is a part of Recruitment Software OÜ (registry code 14936047) Terms of Use, i.e., the Agreement. The DPA is entered into between the Client (as the Controller) and Recruitment Software OÜ (as the Processor) automatically with the conclusion of the Agreement (see the Terms of Use Clause 3).

The Controller and the Processor are together referred to as the Parties.

The Parties have agreed as follows:




1.1 Objective. The objective of this DPA is to ensure legitimate and purposeful processing of Personal data in adherence to the EU General Data Protection Regulation (2016/679) (hereinafter “GDPR”) and Personal data protection rules prescribed by national legislation in Estonia.

1.2 Agreement. Before commencing with the processing of Personal data, this DPA is concluded and signed between the Parties and it includes the confirmations of the Parties concerning Personal data processing requirements provided in the DPA.

1.3 Relationship Between Controller and Processor. In providing its services, i.e., recruitment software and connected services, the Processor acts as the Processor. Processor is a data controller in case of independently developing its service – information about which is made available to Data Subjects via Processor’s Privacy Policy.



2.1 Unless otherwise specified, definitions are used in the meaning provided for them in the GDPR. For convenience, the most used terms are set out below.

2.2 “Data Subject” means an identified or directly or indirectly identifiable natural person whose Personal data is processed by the Parties within the framework of the DPA and the Agreement.

2.3 “Personal data” means any information relating to the Data Subject. Personal data processed by the Processor within the framework of this DPA is more precisely defined in Annex 1 to this DPA.

2.4 “Controller” means the Personal data processor which determines the purposes and scope of the processing of Personal data. The Controller for processing Personal data under the DPA and Agreement is indicated in the head of the DPA.

2.5 “Processor” means the Personal data processor which processes Personal data only on behalf of and as instructed by the Controller according to the DPA and the Agreement. The Processor for processing Personal data under the DPA and Agreement is indicated in the head of the DPA.

2.6 “User” as defined in the Terms of Use of the Processor.

2.7 “Client” as defined in the Terms of Use of the Processor.

2.8 “Sub-processor” means a processor authorized by the Processor.




3.1 Basis for Processing. The Controller ensures an appropriate basis for processing by the Controller and the Processor. The Controller makes available to the Processor and inserts to/transmits to the Processor’s service and systems, only such Personal data for the processing of which, the Controller has a legal basis. Controller also ensures that there is legal basis for processing any Personal data inserted by the Users under the Controller (i.e., employees and other persons who use the service of the Processor under the Controller).

3.2 Performance of Obligation to Provide Information. The Controller ensures the performance of the obligation to provide information regarding Personal data processed on the basis of the Agreement in adherence to Articles 13 and 14 of the GDPR, among other things, where required, providing information on the processing done by the Processor.

3.3 Processing in Adherence to the GDPR. The Controller declares that it processes Personal data in adherence to requirements of the GDPR and only gives the Processor such instructions on the processing of Personal data which are in compliance with requirements of the GDPR.

3.4 Instructions and Contact Information. The Controller provides instructions for processing Personal data in a format enabling written reproduction, either via email or via Processor’s service/preferred channel.

Controller’s contact information: [name; e-mail]

Processor’s contact information: Recruitment Software OÜ (registry code 14936047),

Instruction provided by Controller’s other representatives or different channels than stated in the DPA would still be followed as long as the instruction is in adherence with the GDPR.

3.5 Control of Data Protection Measures. The Controller confirms that it will make reasonable effort to ensure that the Processor can fulfil its obligations under this DPA thanks to the implementation of appropriate technical and organizational measures. The Controller confirms that descriptions provided in Annex 3 satisfy the data protection needs of the Controller in terms of the processing of Personal data under the Agreement and the DPA.




4.1 Processing by the Processor in Adherence to the GDPR. The Processor and its Sub-processors adhere to the requirements of the GDPR. The Processor complies with the following conditions:

4.1.1 Processing in Adherence to the Agreement and the DPA. The Processor processes Personal data only to the extent and in such a manner which is required to provide services set out in the DPA and the Agreement and in adherence to instructions from time to time provided by the Controller.

4.1.2 Assistance to the Controller. The Processor provides reasonable assistance to the Controller in connection with the processing of Personal data, i.e., the following:

(a) The Processor helps the Controller fulfil the obligation to respond to requests for the exercise of the Data Subject’s rights provided for in Chapter III of the GDPR. For this purpose, the Processor informs the Controller about the Data Subject’s requests and forwards them to the Controller. The Processor helps to respond to the Data Subject’s requests upon receiving such instructions from the Controller if the request is connected to the processing done by the Processor.

(b) The Processor helps to fulfil the obligations set forth in Articles 32-36 of the GDPR.

The Processor has the right to request a fee for the assistance provided in accordance with the separate agreement between the Parties, except in cases where the need of such assistance is caused by the actions or omissions of the Processor and/or Sub-processor(s) in violation of the requirements of the Agreement or the DPA.

4.1.3 Return and/or Deletion of Personal data. Upon a respective request by the Controller, the Processor returns to the Controller or deletes all Personal data in the Processor’s power, possession, or control, unless retention of a copy is required by law. Returns and/or deletions are undertaken within a reasonable period of time.

4.2 Data Processing Agreement with Sub-processor. The Processor undertakes to conclude a data processing agreement with its Sub-processor if the Sub-processor has access to the Personal data processed based on the Agreement. The respective data processing agreement protects the rights of the Data Subject and Personal data at least as much as this DPA.

4.3 Responding to the Controller’s Personal Data Related Inquiries. The Processor responds to the Controller’s inquiries related to the processing of Personal data within seven (7) working days at the latest (except for situations listed in Section 8.1.3). If it is a voluminous request, the Processor may extend the deadline for submitting a response to a reasonable extent, but not more than an additional twenty (20) days.

4.4 Non-adherence to the GDPR. Where the Processor identifies the following situations:

(a) that it is for some reason unable to perform the obligations arising from this DPA and it cannot remedy such non-performance; or

(b) the Processor learns of any circumstance or change in applicable data protection legislation that is likely to materially impair the ability of the Processor to perform its obligations under this DPA;

(c) the Processor notifies the Controller thereof, after which both Parties have the right to temporarily suspend processing until the processing is reorganized in a manner that allows the non-compliance to be remedied. If such reorganization is not possible, the Processor will have the right to terminate the processing, including right to extraordinarily terminate the Agreement.

4.5 Change of Role of the Processor to Controller. If the Processor processes Personal data, which processing conditions are not regulated by the DPA and Annex 1, then the Processor is considered a separate Controller within the scope of the specific processing activity. Also, in the case of processing for different purpose(s) than indicated in the DPA and the Agreement, the Parties may be separate Controllers, if the requirements of the GDPR are met.




5.1 Right to Use Sub-processors. The Controller allows the use of Sub-processors (i.e., subcontractors) provided that the Processor only uses Sub-processors who comply with the GDPR and other applicable data protection requirements.

5.2 General authorization. The Controller allows the use of Sub-processors set forth in the Sub-processor list Processor in Annex 2 and later on as indicated in an online list. By entering into the DPA, the Controller agrees to the use of the Sub-processors listed in Annex 2. If the Sub-processors change, the Processor shall provide to the Controller information about the new Sub-processors in a form that can be reproduced in writing (e.g., e-mail). Up-to-date list of Sub-processors will be held in an online environment available at If the Controller does not object to the use of the new Sub-processor(s) within three (3) workdays in a form that can be reproduced in writing, then the Controller shall be deemed to have agreed to the changes in the list of Sub-processors. In the event of an objection, the respective Sub-processor may not be used, unless the circumstances on which the objection is based have ceased to exist and the Controller gives its permission.

5.3 Processor and Sub-processors. The Processor ensures that its Sub-processors comply with the binding requirements of this DPA as applicable to the Processor, including ensuring that all Sub-processors used by the Processor comply with the same confidentiality obligations under essentially the same terms and conditions (and not less restrictive) than those set forth in this DPA.

5.4 The Liability for the Sub-processors. The Processor shall remain liable to the Controller for the acts and omissions of the Sub-processors used by the Processor.

5.5 Contact Point with the Sub-processors. The Processor remains the Controller’s sole point of contact with the Sub-processors in all matters falling within the scope of this DPA.




6.1 Access. The Processor ensures that access to Personal data within the Processor’s area of responsibility is granted only:

6.1.1 to duly authorized officials, employees, agents, and contractors, including Sub-processors (hereinafter “Processor’s employees”), that need access to Personal data in order to perform their obligations under the Agreement and this DPA; and

6.1.2 for the part or parts of Personal data which are strictly necessary for the performance of the obligations of the Processor’s employee.

Access by Users to Personal data in the service is dependent on the functions of the service.

Access may also be granted to authorities if the Processor is required to do so by law or relevant official authorities.

6.2 Confidentiality. The Processor keeps Personal data confidential. Confidentiality is ensured to a reasonable extent considering the service offered. The Processor refrains from using or disclosing such Personal data for purposes other than permitted by this DPA or necessary for fulfilling the Agreement. Responding to Personal data related inquiries by the Data Subject or authorities is not deemed to constitute a breach of confidentiality, nor is making Personal data available to co-operation partners that are covered by a confidentiality obligation. The Processor ensures that all of the Processor’s employees are aware:

(a) of the confidential nature of Personal data and keep the Personal data confidential;

(b) of the obligations and tasks arising from applicable data protection legislation and this DPA.




7.1 The Processing of Personal Data Generally Takes Place in the European Economic Area (EEA). The Parties do not transfer Personal data to any country outside of the EEA that does not comply with Personal data protection requirements or make Personal data available in any country that does not comply with Personal data requirements, except on grounds provided for in the GDPR. Information about possible transfers outside EEA is available in the Sub-processor list.

7.2 Transfer Outside the EEA. If Personal data is transferred outside the EEA by the Processor, then the Processor ensures that there are valid grounds for processing and that a relevant suitable option from GDPR Chapter V is used. The allowed transfer mechanisms are:

7.2.1 Personal data are forwarded to a country subject to a decision on adequacy of protection in accordance with the GDPR Article 45;

7.2.2 the third party ensures appropriate protection measures in other ways in accordance with the GDPR Articles 46 or 47 for the processing in question (e.g., use of EU SCC);

7.2.3 forwarding is necessary for the preparation, presentation or defence of legal claims in certain administrative, regulatory or judicial proceedings;

7.2.4 forwarding is necessary to protect the vital interests of the Data Subject or another natural person; or

7.2.5 forwarding is permitted on other grounds arising from Chapter V of the GDPR.




8.1 Notification to the Controller. The Processor notifies the Controller immediately if the Processor:

8.1.1 receives an inquiry or a request from an official authority related to the Personal data processed under the DPA, unless the law prohibits the Processor from giving such notification;

8.1.2 receives a request from a third party, including a Data Subject, for the disclosure of Personal data or information related to the processing of Personal data;

8.1.3 confirms or has reasonable grounds to suspect that a Personal data breach has occurred in the Processor’s systems and Personal data processed under the Agreement is influenced by the incident. Generally, the Processor gives notice of a Personal data breach without undue delay or at the latest within sixty (60) hours of becoming aware of the breach. If it has not yet been possible to collect the information required by the DPA and legislation, the Processor provides relevant available information and supplements the notification to the Controller at first opportunity;

8.1.4 believes an instruction from the Controller to be in conflict with the requirements of the GDPR.

8.2 Personal Data Breach in the Processor’s Area of Responsibility. In the event of a Personal data breach in the Processor’s systems/area of responsibility, the Processor takes without undue delay reasonable remedial action, including informing the Controller of the reason for the breach, conducting an investigation, and submitting a report and corrective action proposals upon the Controller’s request.

8.3 Cooperation in Case of a Personal Data Breach. The Processor and the Controller cooperate in developing and implementing a response plan in the event of a Personal data breach. The Parties employ all reasonable efforts at their disposal to mitigate the effects of the personal data breach.

8.4 Communication of a Personal Data Breach. The Processor provides the Controller without undue delay with the information required by Article 33 (3) or Article 34 (3) of the GDPR on a personal data breach if the information is collected from the Processor’s/Sub-processor’s systems and is not directly available to the Controller. The Controller allows the Processor to review and modify, if necessary, notices to authorities and Data Subjects about incidents related to the Processor’s service/systems. This is to ensure the correctness of the incident description.




9.1 Prohibition on Causing Damage. The Party shall not do anything that damages or leave anything undone that, if left undone, damages or could be reasonably expected to damage the other Party’s systems or Personal data.

9.2 Security and Other Measures

9.3 Appropriate Technical and Organizational Measures. The Processor takes appropriate technical and organizational measures to protect Personal data against unauthorized or unlawful processing, accidental loss or destruction, or damage. The Processor takes the measures required for data processing in accordance with Article 32 of the GDPR. The Parties have agreed on a set of technical and organizational measures set out in Annex 3, which contains the minimum permissible level of measures at the time of concluding the DPA.

9.4 Audit. The Processor allows an employee or an authorized representative of the Controller to check and assess the Processor’s compliance with the obligations set forth in this DPA. Prior to exercising the right of inspection (audit), the Controller must coordinate with the Processor the time of the inspection (at least 30 days prior notice) and the scope of the inspection. The Processor has the right to demand that a confidentiality agreement be concluded before the inspection (audit). Information obtained by the Controller or its authorized representative during the audit shall be confidential unless the relevant information has been made publicly available by the Processor or is available from public registers. The confidentiality obligation does not apply to the use of audit results for defence and proof of claims in and for legal proceedings, incl. with the supervisory authority. Information obtained in the course of the inspection may not be used for purposes other than the performance of the audit and, if necessary, for legal proceedings. The Controller shall be responsible for fulfilling the obligation of confidentiality by its authorized representatives unless otherwise agreed in writing. The Controller shall pay for the performance of the inspection, including any directly related costs to the Processor.




10.1 Separate Liability. The Parties confirm that they are aware that each Party is liable for its own processing of Personal data.

10.2 Liability and Restriction of Liability. A Party indemnifies the other Party for direct material damage resulting from the former Party’s breach of the DPA. With regard to other damage, the Parties exclude their liability to the maximum extent permitted by law, being liable only if the violation has been committed intentionally or through gross negligence. This restriction does not extend to Data Subject’s claims.




11.1 Upon Termination of the Agreement, the Processor returns or destroys the Controller’s Personal data as requested by the Controller within a reasonable time. The Processor stops processing the Controller’s Personal data. The Processor does not destroy or stop the processing of Personal data for which the processing obligation arises from applicable law.

11.2 Right to Terminate the Agreement upon Prohibition of the Use of a Significant Sub-Processor. The Processor has the right to terminate the DPA and the Agreement immediately, extraordinarily (incl. without observing the notice period and without any penalties), if the Controller prohibits the use of a Sub-processor essential for the Processor’s processes.

11.3 Lasting Rights and Obligations. Rights and obligations that due to their nature need to last after the termination of the DPA stay in force for a reasonable time period – i.e., confidentiality obligation.




12.1 Invalid Provision. The invalidity of any provision or a part of a provision of the DPA does not affect the validity, legality, or enforceability of other provisions of this DPA. If any provision or a part thereof proves to be invalid, the Parties employ their best efforts to replace the provision or a part thereof with a provision that is similar in content and meaning and is in compliance with the law and objectives of this DPA.

12.2 Applicable law. The DPA is subject to Estonian law.

12.3 Jurisdiction. Disputes arising from the DPA are resolved by way of negotiations. If an agreement is not reached, the dispute is resolved in Harju County Court under the laws applicable in Estonia.

12.4 Headings. The headings of the provisions do not have legal effect and are intended to facilitate the reading of the DPA.

12.5 Entering into the DPA. This DPA enters into force automatically together with the Agreement and is updated from time to time if deemed necessary by the Processor. The Processor gives prior notice about updates to the Controller. The Controller is deemed to have agreed with the updates if the Controller continues the use of the Processor services.

12.6 Online DPA and Separately Signed DPA. If the Parties have concluded a separate DPA (i.e., different from this DPA made available online and entered into automatically with the Terms of Use/Agreement) then this online DPA is not applicable. Separate DPA is only entered into with enterprise plan Clients on request; otherwise, this online DPA applies.






1.1 The Processor may process the following categories of Data Subjects:

1.1.1 the Controller’s employees, including persons in a working relationship with the Controller based on another contract;

1.1.2 the Controller’s cooperation partners’ representatives that are natural persons;

1.1.3 the Controller’s customers and potential customers that are natural persons;

1.1.4 other categories of Data Subjects whose data the Controller transmits to the Processor or enters in the Processor’s systems;

1.1.5 the same categories of Data Subjects related to companies that belong to the same group with the Controller.




2.1 The Processor may process the following Personal data:

2.1.1 Identification data (e.g., names, personal identification code, date of birth, picture);

2.1.2 Contact information (address, email, phone number);

2.1.3 Employment data and other related data (company information, position, CV information);

2.1.4 Communication data (e-mails, messages);

2.1.5 Information about the use of the Processor’s systems and services (incl. web and technical data);

2.1.6 other information that the Controller has transmitted to the Processor or entered into the Processor’s systems;

2.1.7 other information necessary for performance of the Agreement concluded with the Controller;

2.1.8 other information necessary for the service provision.




3.1 The Processor may process Personal data for the following objectives:

3.1.1 provision of services based on the Agreement;

3.1.2 performance of obligations arising from the law;

3.1.3 performance of instructions given by the Controller;

3.1.4 other legitimate objectives if applicable requirements of the GDPR are adhered to.


Annex 2: List of Sub-processors


  1. The Controller is aware and allows the use of Sub-processors listed at: The Controller is aware that the list of Sub-processors may change and of how the use of Sub-processors is regulated in Section 5 of the DPA. An up-to-date list of Sub-processors is available online


Annex 3: Appropriate technical and organizational measures



1.1 The Processor uses following measures when processing Personal data:

| DOCUMENT/INSTRUCTION/ASSESSMENT/CONFIRMATION OF THE EXECUTION OF THE ACTIVITY | In use or not (Filled in by the Processor) | Explanation (Filled in if there is an extra question in the box or if clarification is deemed necessary) |
| --- | --- | --- |
| Has a data protection audit been carried out? Audit finds out why, where and what data is stored and processed in the company. | In use | Data Protection audit is done in the autumn of 2022 |
| An up-to-date register of personal data processing operations (Art. 30 GDPR; registry is the basis for all GDPR compliance activities. The register provides an overview of activities with personal data, basis, retention, etc.) | In use | |
| Privacy Policy that covers processing done under the Agreement (which meets the requirements of the GDPR; published on the website) | In use | |
| The terms and conditions and use of cookies and other web technologies (if the company has a website that uses cookies or similar technologies, it must be ensured that the website visitor is notified of the use of cookies and asked for consent) | In use | |
| There is an internal information and guidance document on how personal data is processed and how it should be processed (including an overview of mandatory organizational measures – e.g., screen lock, VPN, empty table policy, etc.) | In use | |
| Internal procedures in place to ensure data security (e.g., information security policy) | In use | |
| Assessments of legitimate interest have been carried out for processing operations where the processing is carried out on the basis of a legitimate interest | N/A | For processing as a Processor under the Agreement and the DPA, the legal bases are the same as the Controller’s. |
| GDPR compliant data processing agreements with (sub)processors have been concluded | In use | |
| There is a guide for handling security incidents/breaches related to Personal data and the breaches are registered in the breach register. | In use | |
| Data protection impact assessments have been carried out if the processing requires it | N/A | The Processor has evaluated its service and concluded that there is no need for the DPIA. |
| The Processor monitors the GDPR principles in the processing of Personal data to the maximum extent possible, i.e.: legality, fairness and transparency; purpose limitation; data minimization; ensuring correctness; storage limitation; integrity and confidentiality. | In use | |

| MEASURE | In use or not (Filled in by the Processor) | Explanation (Filled in if there is an extra question in the box or if clarification is deemed necessary) |
| --- | --- | --- |
| Encryption | In use | |
| Pseudonymisation (In the case of pseudonymisation, additional information enabling the personal data to be associated with a specific data subject remains, where possible, under the control of the Controller) | In use | |
| System of access levels (Personal data can only be accessed by entitled persons, i.e., limited employees who need the data for the performance of the Agreement and the DPA AND the data can be accessed through a personal account protected by a strong password AND access is taken away from the person immediately when they no longer have the respective need/right) | In use | |
| Physical safeguards for access (Personal data can be physically accessed only by entitled persons, incl. personal data storage areas locked) | In use | |
| Logging (it is possible to determine from the system logs who did what with the Personal Data and when) | In use | |
| Protection against malware (antivirus software(s) and firewall that meet market standards are in use) | In use | |
| Back-ups | In use | |
| VPN or other similar measures to access data | Not in use | Access security ensured via private key (encryption). |
| Maintenance and upgrades (software in use is updated and hardware is maintained periodically) | In use | |
| Organisational safeguards (including confidentiality agreements with staff) | N/A | |
| Trainings (The Processor’s employees and other persons processing Personal data are trained in the most important requirements of the GDPR and the most important requirements of data security) | In use | |
| The employees of the Processor or other persons who access the Personal data are aware of and implement the most important physical and organisational security measures, e.g.: Screen locking and automatic locking; If the Personal data is available from a mobile or similar device, locking the respective device (password protected) and automatic locking; If Personal data is processed on paper, careful handling of the respective paper media (does not leave them in a place where they are visible to third parties) | In use | |
| There are procedures for notifying and handling personal data breaches within the organisation and employees are trained in the relevant situation | In use | |


The Data Processing Agreement was updated on the 8th of November, 2022 and is valid from the 8th of December, 2022.