Data Processing Addendum (DPA)

Updated 24.03.26

Data Processing Addendum (DPA)

Last modified: 24th of March 2026

0. Definitions

Unless otherwise defined herein, all capitalised terms in this DPA shall have the meaning given to them in the Terms. The following terms shall have the following meanings in this DPA:

‘Applicable Data Protection Law’: any applicable laws and regulations of the European Union, the member states of the European Union and the United Kingdom protecting the fundamental rights and freedoms of individuals, and in particular the right to privacy with respect to the Processing of Personal Data, including, but not restricted to the GDPR and the UK GDPR, as such laws and regulations are amended, extended and re-enacted from time to time;

'CCPA': California Consumer Privacy Act 2018;
‘GDPR’: Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);
‘Controller’, ‘Data Subject’, ‘Personal Data’, ‘Process/Processing’, ‘Processor’, and ‘Supervisory Authority’: shall have the same meaning as in the GDPR; 

‘Security Breach’: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed;

‘Standard Contractual Clauses’: any standard data protection clauses adopted or approved by the European Commission or another competent authority in accordance with Applicable Data Protection Law;

‘Sub-processor’: a Processor that has been engaged by HirePort to perform specific Processing activities on behalf of the Subscriber;

Terms’: the HirePort Terms & Conditions that the Parties have agreed to be applicable as made available in/on https://HirePort.com/terms (defined on the webpage as Terms);

Third Country’: any country outside of the European Economic Area (“EEA”);
'UK GDPR': the GDPR as incorporated into the law of the United Kingdom under the UK European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

1. General

1.1 This DPA is an addendum to the Terms and applies only in relation to any Processing of Personal Data by HirePort as a Processor on behalf of the Subscriber as Controller as described in DPA Appendix 1. This DPA modifies and supplements the Terms. This DPA may be modified by HirePort under the same terms and conditions that apply to modifications to the Terms.

1.2 The following documents form an integral part of this DPA: (i) this document and (ii) any document attached to this DPA that is labelled as a ‘DPA Appendix’. Any reference to the DPA shall be deemed to include a reference to said documents.

1.3 In the event of any inconsistency arising between the provisions of this DPA and the Terms, the provisions of this DPA shall prevail, unless explicitly mentioned otherwise in this DPA.

1.4 For the sake of clarity, this DPA will apply to any Processing of Personal Data by HirePort as Processor on behalf of the Subscriber as Controller as part of the Services under the Agreement, unless Parties have explicitly made other contractual arrangements relating to said Processing of Personal Data.

2. Processing of Personal Data

2.1 HirePort shall Process Personal Data on Subscriber’s behalf in accordance with the instructions of the Subscriber provided through the use of the Services and as set out in DPA Appendix 1. The details of the Processing of Personal Data are specified in DPA Appendix 1.

2.2 Subscriber shall ensure that HirePort may lawfully Process the Personal Data on Subscriber's behalf in accordance with this DPA for the performance of the Agreement. Where required under Applicable Data Protection Law, Subscriber shall ensure that the Data Subjects have given their consent for the Processing and have been informed. 

2.3 Subscriber's instructions for the Processing of Personal Data shall comply with Applicable Data Protection Law. If HirePort believes that any instruction of Subscriber infringes Applicable Data Protection Law, it will inform Subscriber without delay. HirePort shall be entitled to suspend performance on such instruction until Subscriber confirms or modifies such instruction. HirePort is not required to actively investigate whether instructions from the Subscriber are compliant with the Applicable Data Protection Law. 

2.4 HirePort may be legally required under applicable laws and regulations to disclose Personal Data that it Processes to third parties such as authorities. If this is the case, Subscriber will be informed by HirePort insofar as permitted by applicable laws and regulations.

3. Security & Confidentiality

3.1 HirePort will implement and maintain appropriate technical and organisational measures to protect the Personal Data against destruction, loss or unauthorized access or other forms of unauthorized or unlawful Processing of Personal Data. These measures will ensure a level of security appropriate to the risks presented by the Processing and the nature of the Personal Data to be protected having regard to the state of the art and the cost of their implementation. These measures include, but are not limited to, the measures listed in DPA Appendix 2. Subscriber understands and agrees that these measures are subject to change and development and HirePort is therefore expressly allowed to implement alternative measures. 

3.2 Subscriber has the sole responsibility to ensure that End-Users use the Services in line with best security practices and in accordance with Applicable Data Protection Law. Such practices include but are not restricted to maintaining the confidentiality of any login or access credentials.

3.3 HirePort shall ensure that personnel authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. Third Country Data Transfers

4.1 If HirePort is HirePort NL B.V., then HirePort will not transfer Personal Data to any Third Country, unless HirePort has obtained a general or specific prior written consent of the Subscriber.

4.2 The Subscriber agrees that in case no appropriate adequacy decision or any other appropriate data transfer mechanism applies for transfer of Personal Data to a Third Country and such transfer requires such a decision or mechanism under Applicable Data Protection Law, HirePort will enter into Standard Contractual Clauses. Subscriber hereby expressly authorizes HirePort and its Sub-processors to enter into Standard Contractual Clauses, (also) on its behalf as far as necessary, and commissions HirePort and its Sub-processors to enforce these Standard Contractual Clauses on the Subscriber’s behalf where appropriate. For the sake of clarity, this article 4.3 does not provide any consent as potentially required under article 4.1 of this DPA.

4.3 Nothing in this DPA will be construed to prevail over any conflicting clause of any Standard Contractual Clauses that have been entered into by HirePort including Standard Contractual Clauses entered into on behalf of the Subscriber.

5. Rights of Data Subjects

5.1 Subscriber will inform Data Subjects that it is the Controller and how Data Subjects may contact the Subscriber with requests. HirePort will not be that contact point. HirePort shall make an effort, to the extent legally permitted, to immediately notify Subscriber, if it receives a request from a Data Subject for access to, inspection, data portability, correction (rectification) or deletion (erasure) of Data Subject’s Personal Data. HirePort shall not respond to any such requests of Data Subjects without Subscriber’s prior written consent.

5.2 HirePort shall provide Subscriber with cooperation and assistance to allow Data Subjects to exercise any rights they might have under Applicable Data Protection Law, such as access, correction, deletion and/or data portability. HirePort will provide such cooperation and assistance only on Subscriber’s request and only in so far as Subscriber cannot meet his obligations under Applicable Data Protection Law without HirePort’s cooperation and assistance.

6. Data Breach Notification

6.1 HirePort shall, to the extent permitted by law, notify Subscriber without undue delay of a Security Breach with regard to the Personal Data Processed on behalf of the Subscriber under this DPA. 

6.2 Such notification shall include at least: (a) a description of the nature of the Security Breach, including where possible, information that assists the Subscriber in determining the categories of and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (b) information available to HirePort that assists the Subscriber in determining the likely consequences of the Security Breach; and (c) a description of the measures taken or proposed to be taken by HirePort to address the security breach, including, where appropriate, measures to mitigate its possible adverse effects. 

6.3 Subscriber is solely responsible for complying with any Security Breach notification obligations applicable to Subscriber. The performance of HirePort's obligation to report or respond to a Security Breach under this article is not an acknowledgement by HirePort of any fault or liability with regard to the Security Breach. 

7. Sub-processors

7.1 HirePort may use Sub-processors to perform Processing of Personal Data, on behalf of Subscriber, as part of the Services provided by HirePort to Subscriber. The Subscriber hereby gives a general written authorisation to HirePort to engage any Sub-processor for the Processing of Personal Data. HirePort may only engage a Sub-processor if it has imposed, in writing, the necessary responsibilities and obligations on the Sub-processor as required by article 28 GDPR.  HirePort may remove or appoint other Sub-processors in accordance with this article. HirePort will give at least six weeks prior notice of any changes to the list of Sub-processors. The Subscriber can object to a Sub-processor by using its termination rights under the Agreement. If Subscriber does not terminate the Agreement within this timeframe, Subscriber is deemed to accept the respective Sub-processor. Where the Sub-processor fails to fulfil its data protection obligations, HirePort shall remain similarly liable to Subscriber for the performance of its obligations under this DPA.

8. Information & Audits

8.1 If Subscriber reasonably concludes that an audit or inspection of technical and organisational measures at HirePort’s premises is necessary to monitor the compliance with this DPA in an individual case, Subscriber shall have the right to carry out such an audit or inspection provided such audit or inspection will be conducted (i) during regular business hours, and (ii) without interfering with HirePort’s business operations, (iii) upon prior notice of at least 30 days in advance and further consultation with HirePort, (iv) all subject to (if not covered already by the Agreement) the execution of a confidentiality undertaking, and (v) at most once a year. Subscriber will bear its own expenses and compensate HirePort for the cost with regard to any internal resources required to conduct the audit. Such audit or inspection shall be carried out by the Subscriber or an inspection authority composed of independent persons in possession of the required professional qualifications, selected by the Subscriber. Subscriber will furnish immediately after the verification or inspection to HirePort a copy of the report of such audit.

8.2 Subscriber agrees that it will cooperate, together with HirePort, with Supervisory Authorities. HirePort will reasonably allow for and contribute to audits and inspections, conducted by Supervisory Authorities. Subscriber will notify HirePort immediately of any planned audits and inspections by Supervisory Authorities.

8.3 HirePort shall provide, upon written request, any such information and assistance the Subscriber may require for compliance with the Applicable Data Protection Law including to perform data protection impact assessments. HirePort will provide such information and assistance only in so far as Subscriber cannot meet its obligations under the Applicable Data Protection Law without HirePort’s information and assistance.

8.4 HirePort may require Subscriber to sign a reasonable confidentiality agreement before complying with its obligations under this article.

9. Return of Personal Data 

9.1 Upon termination of any Service, Subscriber’s right to access or use the respective Service immediately ceases, and HirePort shall have no obligation to maintain any associated Personal Data. The Parties agree that HirePort shall in such event at the choice of the Subscriber either return all Personal Data to the Subscriber or shall destroy/delete all the Personal Data, unless prohibited from doing so by any applicable laws and regulations. If Subscriber doesn’t make such a choice, then HirePort may delete Personal Data 30 days after the termination of the Service. The return of Personal Data by HirePort may take place by allowing the Subscriber access to the Personal Data through HirePort’s API.

9.2 HirePort will, upon request of Subscriber and after the termination of the Service, declare in writing towards Subscriber that all copies of Personal Data have been permanently destroyed or returned to Subscriber.

10. CCPA Compliance

10.1 HirePort understands that any personal information it receives under this DPA will be processed by HirePort in its role as a service provider as that term is defined under the CCPA.

10.2 HirePort is hereby prohibited from: (1) selling personal information it receives under this DPA; and (2) collecting, retaining, using, or disclosing such personal information for any purpose other than processing it as set out in this DPA.

DPA Appendix 1: Details of the Processing of Personal Data

1. Details of the Processing of HirePort SaaS Personal Data

1.1 General All details of the Processing of Personal Data under this Article 1 only relate to the HirePort SaaS and Services that are provided in relation to the HirePort SaaS.

1.2 Nature and Purpose of the Processing Subscriber agrees to use the HirePort SaaS and Services that are provided in relation to the HirePort SaaS only for recruitment and/or talent acquisition purposes. HirePort shall on behalf of Subscriber Process Personal Data as part of the HirePort SaaS and Services that are provided in relation to the HirePort SaaS and pursuant to the Agreement.

1.3 Data Subjects The Processing of Personal Data detailed in this Article 1 will relate to the following Data Subjects:

  • Subscriber’s applicants, potential applicants, candidates and potential candidates (hereinafter collectively referred to as: ‘Candidates’);

  • Visitors of the Subscriber’s careers website provided as part of Services (hereinafter referred to as: ‘Visitors’);

  • Anyone who visits Subscriber’s referral site, only if the referral site is provided as part of Services, or makes a referral for a Candidate through the Services (hereinafter referred to as: ‘Referrers’).

1.4 Categories of Personal Data HirePort shall on behalf of Subscriber Process the following categories of Personal Data relating to Candidates:

  • Contact details, including names

  • Resumes 

  • E-mail communications

  • Address 

  • Work history 

  • Motivation letter and other documents provided for an application

  • Information regarding Candidates gathered through integrations between the Services and services of third parties on request of the Subscriber or end-users

  • Notes about Candidates

  • Ratings

  • and other Personal Data relating to Candidates that is processed as part of the Services. For the sake of clarity, Personal Data that relates to Candidates and simultaneously to other Data Subjects will be considered to be processed on behalf of the Subscriber (e.g. email from a user to a Candidate).

HirePort shall on behalf of Subscriber Process the following categories of Personal Data relating to Visitors:

  • Traffic source

  • HTTP requests and responses

  • Cookies

  • Date and time of usage

  • and other Personal Data relating to Visitors that is processed as part of the Services.

HirePort shall on behalf of Subscriber Process the following categories of Personal Data relating to Referrers:

  • Contact details, including names

  • HTTP requests and responses

  • Cookies

  • Date and time of usage

  • Social and business connections

  • E-mail address and password

  • Referrals, including the status and associated rewards

  • E-mail communications

  • and other Personal Data relating to Referrers that is processed as part of the Services. For the sake of clarity, Personal Data that relates to Referrers and simultaneously to other Data Subjects will be considered to be processed on behalf of the Subscriber (e.g. email from a user to a Referrer).

2. Other

HirePort shall only Process the Personal Data listed in this appendix insofar as it falls under the Services, except when Personal Data has been anonymized and is used to improve the Services. The Subscriber or End-Users may provide HirePort with additional instructions regarding the Processing of Personal Data through their use of and within the limits of the Services. For example an end-user may choose in the HirePort SaaS to delete Personal Data relating to a Candidate. Subscriber is obliged to make sure that any instructions it gives including, but not limited to, those given on its behalf are compliant with applicable laws and regulations including, but not limited to, the GDPR.

DPA Appendix 2: Technical and Organisational Measures

The following is a non-exhaustive list of technical and organisational security measures taken and implemented by HirePort: 

Quality Assurance: HirePort has processes in place for quality assurance of the SaaS. Such processes include automated testing and pre-deployment manual testing of features and bug fixes.

Code review: All new code for the SaaS is reviewed by at least one senior developer before it’s released to a production environment. The review includes a check for the use of secure coding practices.

HTTPS: Encryption is used for all transfer of personal data by the SaaS over the web.
Storage of passwords: All passwords for the SaaS are stored using an industry standard hashing algorithm.

Penetration testing: A specialized third party penetration tester will regularly test the security of the SaaS provided under the Agreement.

Back-ups: All Personal Data in the SaaS is backed up daily or continuously in increments.

Access control: Employees only receive access rights to Personal Data in the SaaS in so far as such rights are required for their role. Access rights will be revoked when they no longer need it.

Secure data centers: The SaaS will only be hosted in data centers that have a high level of security and availability, such as ISO 27001 certified data centers.

DDOS protection: HirePort will have measures in place for the SaaS to protect its servers from Layer 4 (and below) (D)DOS attacks.
Firewall: The SaaS infrastructure will be protected by one or more firewalls.

 

DPA Appendix 3: Sub-processors

1. HirePort SaaS Sub-processors

The Subscriber agrees that HirePort engages the following parties as Sub-processors (‘HirePort SaaS Sub-processors’) for the HirePort SaaS and for Services that are provided in relation to the HirePort SaaS:

Amazon Web Services

Cloud provider

Data processing location: Frankfurt, Germany (aws: eu-central-1)

Provides cloud computing infrastructure including compute, storage, and database services that host our production environment and customer data.

Cloudflare Dashboard

CDN, DNS, and security services

Data processing location: EU

Provides content delivery network (CDN), DNS management, DDoS protection, and web application firewall services to secure and accelerate our application.

Google Workspace

Identity provider, email and productivity tools

Data processing location: EU

Provides identity, email, document collaboration, and productivity tools used for business operations and customer communications.

Cube Cloud

Data analytics and semantic layer

Data processing location: EU

Provides a semantic layer and API for data analytics, enabling consistent metrics and data access across our application.

GitLab

Source code management and CI/CD

Data processing location: EU

Provides source code repository hosting, version control, and continuous integration/deployment pipelines for software development.

Kombo

HR system integrations

Data processing location: EU

Provides unified API integrations for HR and applicant tracking systems, enabling data synchronization with various HR platforms.

Slack

Team communication

Data processing location: EU

Provides instant messaging and collaboration tools for internal team communication and customer support channels.

Linear

Project and issue tracking

Data processing location: EU

Provides project management and issue tracking for software development workflows and bug tracking.

Vanta

Security and compliance monitoring

Data processing location: EU

Provides automated security monitoring, compliance management, and evidence collection for SOC 2 and other security certifications.

HirePort

Entity names: HirePort NL B.V., 

Data processing location: The Netherlands

Other details: These are the entities other than the contracting (HirePort) entity used to provide the Services.

3. Clarification

For the sake of clarity:

  • This appendix does not give HirePort the right to use a Sub-processor for a Service if the Sub-processor is only listed as a Sub-processor for another Service;

  • If a Sub-processor is listed in this appendix as a Sub-processor for multiple Services, then for each Service this appendix only gives HirePort the right to use such Sub-processor within the data processing location that is listed for the respective Service, and;

  • Each Sub-processor listed in this appendix may engage every other Sub-processor, but only insofar as they are listed as Sub-processors for the same Service.

Imagine your ATS supports all hires.
Your customers already are.

4.7

1500+ reviews

"In an era where talent acquisition teams are expected to do more with less, our customers need to maximize the value of every hiring channel — including agencies. With HirePort's integration, we're providing the missing piece that makes Tellent Recruitee a truly comprehensive solution for modern recruiting teams."

Moritz Kothe

CEO at Tellent

Get in touch

Get in touch

Products

Portal

Company

About

News

Request a demo

More

Customer Stories

Case Studies

Contact

Privacy

Security

Logo

HirePort © 2026 all rights reserved.

Imagine your ATS supports all hires.
Your customers already are.

4.7

1500+ reviews

"In an era where talent acquisition teams are expected to do more with less, our customers need to maximize the value of every hiring channel — including agencies. With HirePort's integration, we're providing the missing piece that makes Tellent Recruitee a truly comprehensive solution for modern recruiting teams."

Moritz Kothe

CEO at Tellent

Get in touch

Get in touch

Products

Portal

Company

About

News

Request a demo

More

Customer Stories

Case Studies

Contact

Privacy

Security

HirePort © 2026 all rights reserved.

Imagine your ATS supports all hires.
Your customers already are.

4.7

1500+ reviews

"In an era where talent acquisition teams are expected to do more with less, our customers need to maximize the value of every hiring channel — including agencies. With HirePort's integration, we're providing the missing piece that makes Tellent Recruitee a truly comprehensive solution for modern recruiting teams."

Moritz Kothe

CEO at Tellent

Get in touch

Get in touch

Products

Portal

Company

About

News

Request a demo

More

Customer Stories

Case Studies

Contact

Privacy

Security

HirePort © 2026 all rights reserved.