1. Roles
The Controller determines purposes and means of processing candidate and account personal data. The Processor processes such data only on documented instructions from the Controller.
2. Scope of processing
- Subject matter: provision of the HireFlow360 ATS.
- Duration: term of the agreement plus retention window.
- Nature: hosting, screening, ranking, communication, storage.
- Data subjects: candidates, applicants, and customer users.
3. Processor obligations
We process only on instructions, ensure confidentiality of personnel, implement appropriate technical and organizational measures, and assist the Controller with data-subject requests and impact assessments.
4. Sub-processors
The Controller authorizes the use of sub-processors listed in our published register. We remain responsible for their compliance and will give notice of changes. [CONFIRM — sub-processor register pending vendor finalization.]
5. International transfers
Transfers outside the EEA/UK are made under Standard Contractual Clauses or another lawful mechanism. [CONFIRM — per hosting region.]
6. Security measures
Encryption in transit and at rest, role-based access control, audit logging, and incident response. Details available on request.
7. Breach notification
We notify the Controller without undue delay after becoming aware of a personal-data breach affecting their data.
8. Return and deletion
On termination we delete or return personal data at the Controller's choice, subject to legal retention requirements.
9. Audit
We make available information necessary to demonstrate compliance and allow for audits subject to reasonable notice and confidentiality.
10. Contact / DPO
Data protection contact: dpo@hireflow360.com.