Data Processing Addendum

Last updated on January 13, 2025

Introduction

  • This Data Processing Addendum (“DPA”) details how we, Soigné B.V., process personal data on behalf of you (the Customer) when providing our services. We act as a Processor, and you act as either a Controller or Processor under GDPR.
  • This DPA forms an integral part of our agreement.
  • We will interpret this DPA in the light of the provisions of the GDPR. In the event of a contradiction between this DPA and other parts of the agreement with you, this DPA shall prevail.

General Obligations

  • We both commit to fulfilling our respective obligations under the GDPR.
  • We shall process personal data only on your documented instructions, including those laid down in the agreement and this DPA (such as Annex 1), unless required by Union or Member State law.
  • If we are legally required to process personal data beyond these instructions, we shall inform you beforehand, unless the law prohibits such information on important grounds of public interest. You may provide additional instructions during the term of our agreement, including through your use of the services; such instructions will be documented.
  • We will immediately notify you if, in our opinion, your processing instructions infringe the GDPR.

Use of Sub-Processors

  • Engaging a sub-processor requires your prior authorization. You hereby authorize us to use our EEA-based affiliates, the sub-processors named in our agreement, and those listed in Annex 2 of this DPA.
  • We will notify you at least 30 days before adding or replacing a sub-processor, by email or through our services. You may object during this period; if you do, we will try to find an alternative. If we cannot resolve your objection, you may terminate the agreement.
  • When we use sub-processors, we ensure they follow the same data protection rules as we do through our contracts with them, and we remain fully responsible for their compliance with these obligations.

International Transfers

  • We will only transfer personal data outside the EEA based on your documented instructions or when required by EU law, and always in compliance with GDPR international transfer rules.
  • You agree that, when we use sub-processors whose services involve transferring personal data internationally, we may ensure GDPR compliance by relying on the European Commission's standard contractual clauses.

Security

  • We have implemented security measures detailed in Annex 3 of this DPA to protect personal data against unauthorized access, loss, alteration and other unlawful processing.
  • You approve these measures and agree that we may update them without notice, provided that the updated measures continue to meet the requirements of the GDPR, including Article 32 GDPR.
  • You are responsible for periodically reviewing Annex 3 to stay informed about our current security measures.

Confidentiality

  • We limit data access strictly to staff members who need it to perform our services. All these staff members are bound by confidentiality obligations, either through written agreements or legal requirements.
  • We may only disclose personal data in three cases: when you explicitly authorize it, when reasonably necessary to perform our services and follow your instructions, or when required by law. When legally possible, we'll notify you before any such disclosure.

Assistance

  • If an individual (data subject) requests to exercise their privacy rights (like access, deletion, or correction) through us, we'll forward this request to you to handle. We may inform the individual about this process. When you receive such requests directly and need our help, we'll cooperate as reasonably as possible.
  • We'll help you comply with your GDPR obligations for data protection impact assessments (DPIAs) and consulting with supervisory authorities. Specifically, we'll assist when processing activities might result in high risks to individuals' rights and freedoms, and when DPIA results indicate you need to consult authorities.
  • We'll help ensure data accuracy by promptly informing you if we discover any personal data we're processing is inaccurate or outdated. We'll also assist with implementing appropriate security measures as required by GDPR Article 32.
  • If we believe any requested assistance goes beyond reasonable industry standards or becomes overly burdensome, we'll discuss in good faith additional fees for such extensive support. We'll always aim to find a reasonable solution that works for both parties.

Data Breach

  • In case of a data breach affecting personal data we process, we'll promptly inform you of the breach, conduct an investigation, and provide you with detailed information as soon as possible. We'll take reasonable steps to minimize damage and cooperate with your communication efforts about the breach.
  • If the data breach is primarily our fault or occurs within our processing activities (and isn't caused by following your instructions), we'll bear all our costs related to handling and fixing the breach, including investigation and mitigation measures.
  • In all other cases of data breaches (for example, when caused by your instructions or circumstances outside our control), we may charge you reasonable costs for the activities we perform to handle the breach and implement required measures.

Audit

  • You can audit our compliance with this DPA once per year, or more often if you suspect non-compliance. You can use your internal certified auditor or an external certified auditor, who must sign our confidentiality agreement. Before starting an audit, you must review our existing audit reports and show legitimate reasons for needing additional auditing.
  • Audits must be conducted during business hours with reasonable advance notice, and you must minimize disruption to our operations. We'll provide reasonable assistance to your auditors, and you must share the preliminary audit report with us for review. We'll work together to address any findings, and all audit reports remain confidential unless both parties approve sharing them.
  • You'll pay all audit costs, including our reasonable expenses, unless the audit reveals material non-compliance by us (excluding non-compliance caused by following your instructions). If material non-compliance is found, each party will bear its own costs for the audit.

Termination

  • When our agreement ends, you can choose whether we should delete or return all your personal data. If you request deletion, we can provide certification that we've done so. We'll keep your data until it's deleted or returned, unless EU law requires us to retain it.
  • If you don't tell us what to do with your personal data within 30 days after our agreement ends, we may delete all of it, including any copies.

Annex 1 - Processing Details

The annex describes in detail the nature, purposes and categories of personal data and data subjects relevant for the services we provide to you under the agreement.

Nature and Purposes of Processing

  • Managing job applications and candidate data
  • Facilitating communication between you and your candidates
  • Managing automated notifications and updates
  • Tracking application status and progress
  • Generating and managing employment contracts
  • Maintaining user accounts for your team to use the service
  • Storing documents and correspondence
  • Collecting, storing and processing user support requests in order to resolve user issues

Categories of Data Subjects

  • (Hired) Candidates
  • Your team members that have a user account for our services

Categories of Personal Data

For (hired) candidates:

  • Identity and Contact Information (name, address, email, phone number, date of birth, nationality)
  • Government identifiers (copy of national ID card or passport, BSN (Dutch citizen service number))
  • Professional information (CV/resume, work history, qualifications, job search details, references)
  • Recruitment Data (applications, interview notes, assessments)
  • Employment & Contract details (employment contract, salary, IBAN, working location, hours, etc.)

For your team members that have an account:

  • Account credentials (email and hashed password)
  • Contact information (name, email, phone number)
  • Device information (IP address, email, unique identifiers such as the Soigné ID)

Duration of Processing

  • In accordance with your retention settings within the services, or else for the duration of our agreement

Annex 2 - Sub-Processors

We may engage the following Sub-Processors:

Each entry lists the sub-processor and its address, the processing activities it performs for Soigné, and the processing location.

  • Microsoft B.V., Evert van de Beekstraat 354, 1118 CZ Amsterdam, The Netherlands
    Processing activities: Hosting, storage and processing of Customer Data; cloud infrastructure and services provider supporting data processing activities on behalf of Soigné
    Processing location: The Netherlands

  • MongoDB Limited, Building Two, Number One Ballsbridge, Ballsbridge, Dublin 4, Ireland
    Processing activities: Database storage and caching
    Processing location: The Netherlands

  • ActiveCampaign, LLC (Postmark), 1 North Dearborn St, 5th Floor, Chicago, IL 60602, United States of America
    Processing activities: Email delivery; email delivery services for individual emails and/or automated email campaigns initiated from Soigné's services
    Processing location: United States of America

  • Bird B.V., Keizersgracht 268, 1016 EV Amsterdam, The Netherlands
    Processing activities: WhatsApp messaging; WhatsApp message delivery services for individual messages initiated from Soigné's services
    Processing location: Europe

  • Intercom R&D Unlimited Company, 124 St Stephen's Green, Dublin 2, Co. Dublin, D02 N960, Ireland
    Processing activities: Chat support. If a user initiates a chat in the Soigné chatbot, Intercom receives basic information related to the case (e.g., name, email, phone number, company, country, Soigné ID). If a user includes other personal data in the support chat, that information is also processed by Intercom.
    Processing location: United States of America

  • Auth0 by Okta, 100 1st Street, Suite 600, San Francisco, California 94105, United States of America
    Processing activities: Authentication services. Auth0 receives and stores basic information in the course of authenticating users into the service via federated single sign-on (e.g., first and last name, business contact information, email).
    Processing location: Europe

Annex 3 - List of Security Measures

We have currently implemented the following technical security measures:

Technical Measures

Data Encryption and Protection

  • Transport Layer Security: TLS 1.3 or later for all data in transit, ensuring secure communication between clients and servers
  • Data-at-Rest Protection: Encryption of all stored data, including databases, backups, and file storage systems
  • Secure Key Management: Use of a dedicated key management service for the secure storage of encryption keys

Access Control

  • Role-Based Access: Granular role-based access control following the principle of least privilege, regularly reviewed and updated
  • Session Management: Automatic session termination after a period of inactivity, and secure session handling with encrypted tokens
  • Access Logging: Comprehensive logging of all access attempts, successful or failed, with detailed user and action information

System Security

  • Infrastructure Protection: DDoS protection, rate limiting, input validation and routing constraints
  • Patch Management: Automated system for deploying security updates across all infrastructure components with minimal service disruption
  • Monitoring Systems: Real-time monitoring of system health, performance metrics, and security events with automated alerting