Data processing agreement

JOIN has set itself the mission of connecting job seekers and companies worldwide. Companies can use the JOIN platform at https://join-dev.com/ (hereinafter referred to as “Platform”) to advertise vacancies and manage applications received in one central location. Our services are designed to make the recruiting process easier for companies and employees alike, especially for the allocation of suitable candidates and simplifying the job application procedure.

The Company can publish job listings and manage related application procedures on the platform using a web-based management tool (“Applicant Management Tool“). In this context, personal data generated by the Company for the respective application process is processed by JOIN acting as the processor for the Company as the controller as defined by the current data protection laws. The Company aims to recruit candidates for such job listings and is using JOIN’s Platform to do so.

As for JOIN’s other services, such as the allocation of suitable candidates or offers for candidates, personal data is processed by JOIN as the controller as defined by the current data protection laws. Please refer to JOIN’s privacy policy for more information.

This DPA serves to protect the parties against the improper use of the personal data processed in the applicant management tool, to ensure data protection by JOIN due to personal data that the Company has made known to them, and to comply with the legal requirements in the event that the business relationship between the Company and JOIN should be deemed as data processing. This DPA shall form part of every service agreement between the parties, unless otherwise expressly agreed in a contract to be concluded after the conclusion of this DPA. This document, including all appendices, also specifies the data protection obligations of the parties from the underlying service agreement as follows:

1. The following provisions only apply to JOIN services that qualify as data processing within the framework of the service agreement, in particular the Applicant Management Tool, and any related services provided by JOIN to the Company.
2. Where the term “data processing” or “processing” of data is used in this agreement, this generally refers to the use of personal data. Data processing or the processing of data means any operation or series of operations performed upon personal data, with or without the aid of automated processes.

1. Under this DPA, JOIN shall process personal data exclusively on behalf of and in accordance with the Company’s instructions. This includes in particular those processing services that JOIN provides for the Company via the applicant management tool in accordance with the service agreement. In this service agreement and in Section 4, the parties have specified the details in accordance with Article 28 (3) and (4) of the EU General Data Protection Regulation (“GDPR”) and Article 9 of the Swiss Federal Act on Data Protection (“FADP”), in particular the subject and duration of the data processing, as well as the handling, nature and purpose of the intended data processing, the type of data and those affected.
2. The data processing by JOIN on behalf of the Company is carried out in accordance with Art. 28 GDPR and Art. 9 of FADP, with respect to each law only if and to the extent applicable to the respective processing activity. 9. The Company always remains the entity responsible for data processing.

The provisions of this DPA are an integral part of the service agreement between the parties and take precedence over the other contractual agreements of the parties regarding data protection, in particular other contracts that contain provisions that deviate from those of this DPA to the detriment of the Company. Clause 1.1. remains unaffected.

The provisions of this DPA do not apply to the processing of personal data that JOIN, as the controller, provides to the Company or any other individual user as part of the service agreement.

The parties hereby agree that the purpose of the data processing is the fulfilment of the contractual purposes according to the service agreement, in particular the implementation and management of specific application processes, which can be accessed by the Company via the applicant management tool on the JOIN platform. The scope and nature of data collection, processing and/or use of personal data are determined by the provisions of the service agreement as well as the services actually used by the Company.

The data subjects affected by the handling of personal data within the framework of the service agreement include:

• candidates for positions published by the Company via the platform; and
• Company employees using the Platform.

The following types of data are particularly affected by order processing:

• Personal data of the candidates (e.g. name, title, academic degree, date of birth, telephone number, email address), the data transmitted by the applicants (applicant data; curriculum vitae, references, certificates, etc.), all information related to the application process recorded in the applicant management tool, such as messages sent via the platform, information about the application process and a candidate’s progress in the application process recorded on our platform, or questions, which are asked as part of the application process and are recorded on our platform,
• data generated through the use of the applicant management tool, such as metadata, this includes information about how long an application process takes, how many candidates have applied and how far a candidate has come in the application process,
• data generated through interactions with the applicant management tool, such as the answers provided to questions asked by candidates,
• data recorded by the Company itself that has not been deleted in the applicant management tool and contact establishing messages to the candidates or JOIN,
• Personal data (e.g. name, job title, email address, telephone number, business address) and access data (e.g. username and password) of Company employees.

If this data is processed as part of other JOIN services, such as the allocation of suitable candidates or services for candidates, this does not take place within the scope of this DPA. In such cases, JOIN shall process this data as the controller as defined by the current data protection laws. Reference is made to JOIN’s privacy policy.

1. The Company alone is responsible for assessing the admissibility of the data processing carried out by JOIN on behalf of the Company and for safeguarding the rights of data subjects. The Company is particularly, but not exclusively, responsible for (1) fulfilling the data protection information obligations with regard to the candidates, (2) obtaining the necessary consent from the candidates for the processing of the data by the Company or JOIN, if this is absolutely required according to the current data protection laws, and (3) to comply with the deletion deadlines applicable to the respective application process.
2. As the data controller, the Company is entitled at any time to issue instructions on the nature, scope and procedure of the data processing carried out on behalf of the customer. Verbal instructions must be confirmed by the Company in writing (including email). JOIN shall promptly confirm receipt and execution of such instructions and inform the Company if, in its opinion, an instruction infringes applicable data protection law.
3. If the Company deems it necessary, persons authorised to issue instructions may be named. The information must be provided in writing by the Company. In the event that there is a change in the persons authorised to issue instructions at the Company, the Company shall inform JOIN of this in good time, naming the new person or persons in each case.
4. The Company shall inform JOIN if errors or irregularities are detected in connection with the processing of personal data by JOIN.
5. The Company is entitled to check the compliance of the technical and organisational data security measures taken by JOIN in accordance with Section 9 before the start of data processing and then at regular intervals, but no more than once a year, after timely prior notification of at least 30 days during normal business hours and taking into account the interests of JOIN. The Company can also have this check carried out by a third party, provided they have previously concluded a confidentiality agreement. The Company is obliged to pay the remuneration to the persons entrusted implementing these measures.
6. The Company is obliged to inform JOIN about data protection incidents or other breaches of the current data protection laws affecting JOIN’s processing activities.
7. The Company shall inform JOIN promptly if it becomes aware of specific measures taken by the supervisory authorities affecting the Company, in particular investigative measures by the authorities, provided that this affects data processing for the Company and the Company is not obliged to maintain confidentiality.

1. Data processing. JOIN is obliged to process personal data under this DPA solely in accordance with this agreement and/or the underlying service agreement and the instructions of the Company.

2. Rights of data subject. JOIN will support the Company as far as possible in fulfilling the rights of data subjects, in particular with regard to correction, restriction of processing and deletion, notification and provision of information.

   JOIN shall, on the Company’s instructions, rectify, delete or restrict the processing of the personal data processed on behalf of the Company. This obligation does not apply to personal data that JOIN processes as controller as part of the services it offers via the platform.

   If a data subject contacts JOIN directly to request correction, deletion or restriction of processing of his or her personal data, JOIN shall forward this request to the Company immediately upon receipt. The Company shall remain responsible for the execution of the requests.

3. Internal control obligations. JOIN shall implement the appropriate control measures, e.g. internal audits, data protection concept, etc., to ensure that the personal data processed under this DPA is processed in accordance with this agreement and the corresponding instructions.

4. Duty to inform. JOIN, as the processor, shall inform the Company if, according to its own assessment, an instruction violates legal regulations. JOIN shall then be entitled to suspend the execution of the corresponding instruction until it is amended by the Company. This does not hereby justify JOIN’s obligation to check or notify.

   JOIN shall notify the Company of any breach of data protection regulations, no later than 48 hours after becoming aware of it, of the regulations made in the service agreement and the agreement and/or the instructions issued, which occurs in the course of the processing of data by it, persons employed by it or other third parties entrusted with the processing, if this triggers the current data protection reporting obligations. Such notice shall include, at a minimum:

   • a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and data records concerned);
   • the likely consequences of the breach; and
   • measures taken or proposed to address the breach and mitigate possible adverse effects.

   If access to the personal data that the Company has transmitted to JOIN for data processing is endangered by measures taken by third parties (e.g. measures taken by an insolvency administrator, confiscation by tax authorities, etc.), JOIN is obliged to notify the Company of this. JOIN shall only pass on information to a party requesting information after prior agreement with the Company, unless JOIN is obliged to provide information by government measures or court decisions.

5. Creation of a processing log. Upon request, JOIN shall support the Company in compiling a list of processing activities within the scope of the DPA and the data processing that is taking place and provide the necessary information in a suitable manner. JOIN shall also maintain its own log of all categories of processing activities carried out on behalf of the Company in accordance with the provisions of the current data protection laws.

6. Reporting and cooperation obligations. JOIN shall support the Company upon request in:

   • fulfilling its reporting obligations;
   • the obligation to carry out Data Protection Impact Assessments;
   • the obligations to notify and communicate personal data breaches;
   • any prior consultation with supervisory authorities.

7. Place of data processing. Unless otherwise agreed between the parties, the processing and use of the data by JOIN takes place in Switzerland, the European Union or in another treaty state of the Agreement on the European Economic Area. Any relocation of JOIN’s data processing activities to a third country is only permitted if the special requirements of Chapter V of the GDPR or Section 2 of the FADP are observed. Company hereby authorizes JOIN to engage a sub-processor in accordance with this agreement for carrying out specific processing activities (on behalf of the Company) in a third country and those processing activities involve transfer of personal data within the meaning of the GDPR or the FADP, as applicable, JOIN and the sub-processor may use standard contractual clauses adopted by the Commission on the basis of Article 46(2) GDPR in order to comply with the requirements of Chapter V of the GDPR, provided the conditions for the use of those clauses are met and provided that an internal assessment concluded that such transfer meets the level of data protection of the GDPR and the FADP.

8. Deletion of personal data after termination of the agreement. After the termination of the service agreement, JOIN is obliged at the request of the Company to hand over to the Company all personal data, documents and processing and usage results that are subject to this DPA and that are related to the contractual relationship as well as delete in compliance with data protection and data security guidelines and in accordance with the Company’s instructions that which JOIN is not contractually or legally entitled or obliged to continue processing. This obligation to delete does not apply to personal data that JOIN processes as controller as part of the services it offers via the platform.

1. JOIN hereby agrees that the Company is entitled, after prior mutual agreement, to conduct checks for compliance with data protection regulations and contractual agreements to the necessary extent, either itself or through third parties who have previously concluded a confidentially agreement, in particular by obtaining information and inspecting the stored data and systems. Company’s audit, access, and inspection rights under this clause are limited to JOIN’s records only (including inter-alia the registers of personal data processing activities, the registers of recipients of personal data) and does not apply to JOIN’s physical premises. Any audit and request for information shall be limited to information necessary for the purposes of this DPA and shall give due regard to JOIN’s confidentiality obligations and legitimate interest to protect business secrets.
2. JOIN shall support the Company in carrying out checks to the best of its ability and shall provide swift and complete clarification where necessary.
3. JOIN shall accept any control measures by the data protection supervisory authority if there is a legal or obligation to do so. It shall inform the Company in accordance with Section 8.4 after notification or becoming aware of the implementation of the control measure and other enquiries or investigations by the data protection supervisory authority, insofar as the measures or inquiries may affect data processing that JOIN provides for the Company and JOIN is not legally obliged to maintain confidentiality.
4. Upon request, JOIN shall confirm in writing compliance with the technical and organizational measures specified in Appendix 1.

1. JOIN is entitled to commission subcontractors with data processing in accordance with the following provisions:

   • JOIN carefully selects subcontractors based on their suitability and reliability and ensures that the respective subcontractor guarantees an appropriate level of data protection. If subcontractors are commissioned, a level of protection must always be guaranteed that is comparable to that of this agreement.
   • JOIN is obliged to draft the contractual agreements with the subcontractors in accordance with current agreements in the relationship between the Company and JOIN, and to ensure that any supplementary instructions from the Company also apply to the subcontractors.
   • JOIN shall inform the Company in good time, i.e. no later than 30 days before the start of the planned subcontracting, of any intended change in relation to the involvement or replacement of other processors. If the Company does not object to the subcontracting within two weeks of receiving the information, it is deemed to have been approved.
2. JOIN shall provide the Company with a copy of the subcontracted processing agreement upon request, provided and insofar as this is not contrary to JOIN’s interests.
3. JOIN shall, at the time of the conclusion of the agreement, cooperate with the subcontractors named in Appendix 2 in the fulfilment of the agreement, the commissioning of which the Company expressly agrees.

1. JOIN is obliged to maintain confidentiality and data secrecy when processing data for the Company.
2. JOIN shall only use employees or other vicarious agents to fulfil the agreement who are sufficiently committed to data secrecy or confidentiality when handling personal data provided and who have been properly briefed on the data protection requirements.

1. JOIN implements the technical and organisational measures outlined in Appendix 1.
2. JOIN guarantees the contractually agreed and legally prescribed data security measures outlined in Appendix 1. For the duration of the contractual relationship, JOIN shall take all necessary measures to secure the data and the security of the processing, in particular taking into account the current technology standards, as well as to reduce possible disadvantageous consequences for the data subjects. In order to always be able to guarantee an appropriate level of security for data processing, JOIN shall ensure that the measures implemented are regularly reviewed and, if necessary, upgraded. JOIN is free to make such changes to the technical and organisational measures that increase the agreed level of security. JOIN shall inform the Company of changes made to these measures in good time.

1. JOIN may, from time to time, amend this DPA. JOIN shall notify the Company at least 30 days before such change applies to the Company.
2. All declarations by the parties, in particular notifications, announcements, statements and other information to be transmitted to the other party, must be in writing to be effective. For the avoidance of doubt, ‘in writing’ includes e-signature and other text communications.

1. The sole place of jurisdiction, also internationally, for all disputes arising directly or indirectly from this DPA shall be the court having jurisdiction for JOIN’s registered office. The agreement on the place of jurisdiction does not apply if the dispute relates to claims other than pecuniary claims or if a sole place of jurisdiction has already been established for the dispute in accordance with the statutory provisions.
2. JOIN is entitled to take legal action against the Company at its general place of jurisdiction.

1. In the event of any inconsistency between the provisions of this agreement and the provisions of the service agreement, the provisions of this agreement shall prevail.
2. This agreement is governed by Swiss law to the exclusion of the UN Convention on Contracts for the International Sale of Goods and conflict of laws. For customers based in the European Union, the law of the member state in which the Company has its registered office applies.

Measures to ensure confidentiality

1.1 Access control

Measures that physically prevent unauthorised persons from accessing IT systems and data processing systems that process personal data, as well as confidential files and data carriers.

• The area for data processing is adequately secured by an appropriate construction method
• All possible entrances have been secured against unauthorised access
• An access control system with chip card reader and transponder locking system is set up
• There is a controlled key allocation, chip card, etc.
• Documentation of key and chip card allocation
• Door security (electronic door opener, etc.)
• Obligation of employees to data secrecy according to BDSG (German Data Privacy Act), esp. §5, §43
• Password policy
• Digital certificates
• Two-factor user login (for critical services)
• Encryption of communication/data processing
• Use of software firewalls (for Windows devices)
• Automatic screen lock/employee policy
• Up-to-date user management
• Encryption of data carriers in laptops/notebooks
• Assignment of user rights (where possible, set up especially for critical services)

1.2 Access control: unauthorised persons

Measures to prevent unauthorised persons from processing or using data protected by data protection law.

• Obligation of employees to data secrecy according to BDSG (German Data Privacy Act), esp. §5, §43
• Authorisation concepts (profiles, roles, etc.)
• No on-site server storage (cloud only)
• Password procedure, i.e. personal and individual user log-in when registering on the system (including special characters, minimum length, regular change of password)
• A password generator for random passwords is used
• The transmission of the confidential authentication details via the network is encrypted
• Access passwords and/or form inputs are not stored on the client or in its environment (e.g. storage in the browser or Post-Its)
• Access authorisations are always assigned individually (personally)
• The circle of authorised persons is minimised to the number deemed operationally necessary
• A person responsible for issuing access authorisations has been appointed
• Management of rights by system administrator
• ID card reader, controlled key allocation, chip card, etc.
• Door security (electronic door opener, etc.)
• Manual locking system
• Security locks
• Access control systems with chip card readers and transponder locking systems
• There is a secure procedure for resetting access blocks, e.g. reassigning a user ID
• Limiting the number of authorised employees
• Access lists
• Encapsulation of sensitive systems through separate network areas (since no sensitive systems are hosted on site)
• Authentication procedure
• Installation of antivirus and spyware filters that are regularly updated
• Transmission of data via encrypted data networks or tunnel connections (VPN — this is partly the case with sensitive data)
• Password policy
• Use of software firewalls
• Installation of anti-virus and spyware filters that are regularly updated (for the devices and services used, this is partly done on the service side, otherwise automatically on the device side)

1.3 Access control: authorised persons

Measures that ensure that those authorised to use the data processing procedures can only access the personal data subject to their access authorisation, so that data cannot be read, copied, amended or removed without authorisation during processing, use and storage.

• Authorisation concepts (profiles, roles, etc.)
• Access authorizations are always assigned individually (personally)
• Management of rights by system administrator
• The circle of authorised persons is minimised to the number deemed operationally necessary
• The number of administrators is limited to the number deemed essential.
• A person responsible for issuing access authorisations has been appointed
• Each person with access authorisation can only access the data that they specifically need to process the current process in accordance with their assignment and that are set up in their individual authorisation profile.
• Authorisations are linked to a personal user ID and an account.
• Automatic screen lock/employee policy
• Password policy
• Allocation of user rights
• Logging of login attempts and termination of the login process after a specified number of unsuccessful attempts (dependent on whether this is included in the service)
• Logging of access and attempted misuse (dependent on whether this is included in the service)
• Physical erasure of media before reuse
• Use of document shredders or service providers (if possible with data protection seal and/or certification)

1.4 Separation requirement

Measures to ensure that data collected for different purposes is processed separately and is separated from other data and systems in such a way that this data cannot be inadvertently used for other purposes.

• Customer separation, software-side
• Separation of test and production systems: separation into development server, staging server and production server
• Separate databases and services (for example, in the sales database only the company ID is stored, but not other information about the company (stored in another database). Likewise, performance data for a specific product per customer is separated from both the aforementioned databases.

1.5 Pseudonymisation

Measures that reduce personal data being directly attributed to a specific data subject during processing in such a way that the identification of a specific data subject is only possible with the inclusion of additional information. This additional information must be stored separately from the pseudonym using suitable technical and organisational measures.

• Generalisation
• Encryption of sensitive data when stored in database (e.g. Blowfish encryption for stored passwords)
• Use of HTTPS throughout the site and particularly sensitive information transfers
• Tokens for transmitting the payment data
• App and database communication via OAuth
• Separate databases and services (for example, in the sales database only the company ID is stored, but not other information about the company (stored in another database). Likewise, performance data for a specific product per customer is separated from both the aforementioned databases.

Measures to ensure integrity

2.1 Transfer control

Measures to ensure that personal data cannot be read, copied, amended or removed without authorisation during electronic transmission or during their transport or storage on data carriers, as well as measures that can be used to check and determine where personal data is to be transmitted.

• Appropriate segregation of duties
• Assignment of personal user accounts
• Password policy
• Limited allocation of administrator rights
• Limited allocation of access rights to data
• Deactivation of unused user accounts
• Unauthorised persons are prevented from gaining access to processing facilities
• Unauthorised access to personal data is prevented
• Unauthorised modification or deletion of personal data is prevented
• Personal data will only be processed on the instructions of the company
• Transmission of data via encrypted data networks or tunnel connections (VPN)
• Data transmission between clients and servers is encrypted (SSL, SSH or SFTP)
• The connection to the backend systems is protected. Data with high protection requirements are encrypted.
• Handling processes with individual responsibility
• Management of rights by system administrator
• Storage of access and/or log files
• Hardware components or documents are destroyed in such a way that recovery is not possible at all or only possible with disproportionate effort (depends on the document)
• Use of software firewalls
• The firewalls are always activated
• Mutual authentication using cryptographic methods (human-machine authentication) — 2-Factor Auth via additional app, regardless of position for all critical systems

2.2 Data entry control

Measures that ensure whether and by whom personal data has been accessed, amended or removed in the IT systems can be subsequently checked and determined.

• Traceability of persons who have accessed, amended and deleted data through the use of individual usernames (not user groups)
• Allocation of rights to access, amend and delete data based on an authorisation concept
• Logging of all system activities and retention of these logs for at least three years

Measures to ensure availability and reliability

3.1 Availability control

Measures to ensure that personal data is protected against accidental destruction or loss.

• Recovery and backup concepts (RAID, hard drive mirroring, etc.)
• Backups carried out regularly
• Checks are regularly conducted to determine whether it is possible to restore a backup (data recovery)
• Fire and smoke detection systems
• Fire extinguishing system/fire extinguishers in or in front of the electronics rooms
• Air conditioning in electronics rooms
• Electronics rooms not situated under sanitary/water-bearing systems
• No server rooms in the building, all data and tools run via the cloud

3.2 Rapid recoverability

Measures to ensure the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident.

• Regular testing of data recovery
• Recovery and backup concepts (RAID, hard drive mirroring, etc.)
• Backups carried out on a regular basis
• Checks are regularly conducted to determine whether it is possible to restore a backup (data recovery)
• Backups are stored in a secure, off-site location

Measures to regularly evaluate data processing security

Measures to ensure data protection-compliant and secure processing.

• Data protection management
• General data protection concept
• Deletion concept
• Company instructions are documented
• Formalised contract management

Measures to ensure reliability: system functions

Measures to ensure that all functions of the system(s) are available and that any malfunctions that occur are reported.

• Availability monitoring of relevant services
• System redundancies
• System monitoring
• Monitoring via automated network management system (NMS)
• Backup plans
• Use of test/pre-staging systems
• Use of a version management system for operating systems
• Alerts

Measures to ensure reliability: purpose separation

Measures to ensure that personal data collected for different purposes can be processed separately.

• Data protection concept
• Authorisation concepts (profiles, roles, etc.) and their documentation
• Definition of database rights
• Creation of data categories with different storage locations
• Internal multi-client capability
• Logical client separation
• Internal earmarking concept
• The data of different JOIN customers is stored in separate files and in separate directories depending on the content and is not merged
• Access concepts
• Isolation of data sets, systems (e.g. UAT, staging and production) and processes
• Physical separation of data categories
• Separation of particularly sensitive data

Questions on this agreement, our subprocessors, or a data-subject request? Reach our legal team at [email protected] or via join-dev.com/contact.