Valid from 14 February 2025
Appendix “Personal Data Processing Agreement” to Terms and Conditions.
The Personal Data Processing Agreement forms an integral part of the Terms and Conditions and sets out the principles for the processing of Users’ personal data by the Service Provider on behalf of the Service Recipient via the tomHRM application. This Agreement constitutes the entirety of obligations and conditions for the entrustment of personal data processing between the Service Provider and the Service Recipient in connection with the Service and supersedes all previous agreements, understandings and arrangements in this regard.
1. Definitions
- Controller — means the Service Recipient who, alone or jointly with others, determines the purposes and means of processing Personal Data,
- Processor — means the Service Provider.
2. Subject matter of personal data processing
- In connection with the implementation of the agreement for the provision of electronic services for the SaaS service regulated in the Terms and Conditions (hereinafter referred to as the “Main Agreement”) concluded between the Parties, the Controller entrusts the Processor, pursuant to Article 28 of the Regulation, with personal data for processing on behalf of and for the Controller, on the terms and for the purpose specified in Section 3 of this Agreement.
- The Controller declares that it is the controller, within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: the “Regulation”), of the personal data which it entrusts to the Processor.
- The conclusion of the Agreement constitutes a documented instruction from the Controller for the processing of Personal Data by the Service Provider, including the Transfer of Personal Data to Third Countries, as referred to in Article 28(3)(a) of the Regulation.
3. Scope and purpose of data processing
- The personal data entrusted by the Controller shall be processed by the Processor solely for the purpose of providing the services described in the Main Agreement referred to in Section 2(1) and in a manner consistent with this Agreement and applicable laws.
- Category of data subjects: employees and associates of the Controller, job candidates, users of the tomHRM application.
- The Processor undertakes to process the entrusted personal data within the following scope:
  - Identification data (e.g., name, surname, identification number, date of birth)
  - Image data – photograph uploaded to the tomHRM application
  - Business contact details (e.g., email address, telephone number)
  - Private contact details (e.g., email address, telephone number, street, city, country)
  - Employment data (e.g., position, form of employment)
  - Candidate data related to the recruitment process (e.g., candidate’s name, surname, email address, telephone number, residence data, education history)
- Processing activities: Collection, recording, organisation, structuring, storage, retrieval, consultation, transmission, adaptation, erasure.
- Form of processing: electronic.
4. Obligations of the Processor and the Controller
- The Processor undertakes to process the personal data entrusted to it in accordance with this Agreement and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- When processing personal data referred to in Section 3, the Processor undertakes to implement all measures required by the Regulation, in particular those specified in Article 32 of the Regulation, including appropriate technical and organisational measures to ensure a level of security of personal data processing appropriate to the risk of infringement of the rights and freedoms of natural persons. In implementing appropriate measures, the Processor shall take into account the state of technical knowledge, implementation costs, and the nature, scope, context and purposes of processing as well as the risk referred to in the preceding sentence. Appropriate technical and organisational measures include at least the measures specified in Appendix No. 2 to this Agreement. The Service Provider may change or introduce technical and organisational measures other than those specified in Appendix No. 2 to the Agreement, provided that they meet the requirements specified in this paragraph.
- The Processor undertakes to authorise all persons who will process the entrusted data for the purpose of implementing this Agreement to process personal data.
- Taking into account the nature of the processing, the Processor shall, to the extent possible, assist the Controller through appropriate technical and organisational measures to fulfil the obligation to respond to requests from data subjects in the exercise of their rights set out in Chapter III of the Regulation.
- Taking into account the nature of the processing and the information available to it, the Processor shall assist the Controller in complying with the obligations set out in Articles 32-36 of the Regulation.
- The Processor undertakes to ensure that the confidentiality (referred to in Article 28(3)(b) of the Regulation) of the processed data is maintained by persons authorised to process personal data for the purpose of implementing this Agreement, both during their employment by the Processor and after its termination.
- After the completion of the services related to data processing, the Processor shall delete all data entrusted by the Controller after the expiry of the period specified in the Main Agreement.
- The Processor shall, upon discovering a personal data breach, notify the Controller without undue delay, no later than within 36 hours of discovering the breach. The notification should be sent to the email address entered in the tomHRM application settings in the “GDPR Contact” field.
- The Controller is responsible for familiarising itself with the information provided by the Processor regarding data security and undertakes to conduct an independent assessment to verify whether the service under the Main Agreement meets its requirements and legal obligations arising from personal data protection law. The Controller acknowledges that the Processor may from time to time update or modify the Application’s security standards, provided that such updates and modifications do not deteriorate the overall security of the Application purchased by the Controller.
- The Controller confirms that it has made all necessary notifications and obtained all necessary consents and authorisations in accordance with data protection law to enable the Processor to process the personal data transferred by the Controller and to provide the Services.
- The Controller is responsible for controlling personal data and must comply with its obligations as a Controller under data protection law, in particular with regard to justifying any transfer of personal data to the Processor and its decisions and actions regarding the processing and use of personal data.
5. Right to audit processing
- In accordance with Article 28(3)(h) of the Regulation, the Controller has the right to audit whether the measures applied by the Processor in the processing and protection of entrusted personal data meet the provisions of the Agreement. In this regard, the Processor shall enable the Controller (directly or through an external auditor subject to written confidentiality obligations) to conduct an audit of the Processor’s procedures relevant to the protection of the Controller’s personal data to verify the Processor’s compliance with the obligations under this Agreement. In such case:
  - The Controller shall notify the Processor in writing of its intention to conduct an audit at least 14 calendar days before each intended audit,
  - The Controller shall conduct an audit no more than once in a 12-month period, except when required by a competent supervisory authority or if the audit is required due to a breach of the Controller’s data,
  - The Controller shall conduct each audit in a manner designed to minimise disruption to the Processor’s normal business operations.
- Any costs of conducting the audit shall be borne by the Controller.
- The auditor appointed by the Controller may not be an entity conducting business competitive to the Processor, nor an entity affiliated with it, an employee or a cooperating entity, regardless of the basis of employment or cooperation. Before commencing the verification activities, the auditor is obliged to provide a written assurance of confidentiality of the obtained information to the Processor.
- The audit of processing, to the extent that it concerns personal data processing areas, may not last longer than 3 business days.
- The processing audit shall be concluded with the signing by both Parties of a processing audit protocol. The protocol will contain the findings of the processing audit and the scope of any changes in the processing of Personal Data by the Processor agreed by both Parties.
- The Processor undertakes to comply with the recommendations of the Controller or an entity authorised by it, regarding the improvement of the quality of personal data protection and the manner of their processing or the removal of deficiencies found during the inspection or audit within the period specified by the Controller, which shall not be less than 30 calendar days.
6. Sub-processing of data
- The Processor may sub-process personal data processed by it in connection with the provision of the service covered by the Main Agreement referred to in Section 2(1) of the Agreement to other processors (hereinafter referred to as “Sub-processors”), in accordance with the conditions for using the services of Sub-processors set out in the Regulation. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other Sub-processors, thereby giving the Controller the opportunity to object to such changes.
- The Controller consents to the sub-processing of data entrusted to the Processor for processing under the Agreement to those indicated in Appendix No. 1 to the Agreement.
- The Sub-processor referred to in paragraph 1 of this section shall provide the same guarantees and obligations as those imposed on the Processor in this Agreement.
- The Processor shall be fully liable to the Controller for any failure of the Sub-processor to fulfil its personal data protection obligations.
- The entities to which the Processor has entrusted personal data for further processing are specified in Appendix No. 1 to the Agreement.
- Rules for informing about new Sub-processors:
  - a) The Processor shall inform the Controller about the addition of new Sub-processors by electronic means, by sending information to:
    - the email address of the Account Administrator, and
    - the email address entered in the “GDPR Contact” field in the tomHRM application to which the Main Agreement relates.
  - b) Changes to Sub-processors, including the addition of a new Sub-processor, do not constitute an amendment to this Agreement.
  - c) The Controller has the right to object to a new Sub-processor within 21 days of receiving information about it.
  - d) In the event of an objection to a new Sub-processor, raised by the Controller within 21 days of receiving information about the new Sub-processor, and the simultaneous impossibility of using the Service without the participation of said Sub-processor, this Agreement shall be terminated upon receipt of the objection. The moment of receipt of the objection is the date of delivery of the email message to the Processor.
  - e) Failure to raise an objection within 21 days of receiving information about a new Sub-processor shall be deemed as consent to entrust it with the processing of personal data.
7. Location of processing and transfer of personal data
- The Processor may not transfer the entrusted personal data to a third country located outside the European Economic Area (“EEA”), unless the Controller gives prior consent allowing for such transfer and subject to paragraph 3 of this section. The list of processors to which the Controller grants consent, as referred to above, is contained in Appendix No. 1.
- If the Controller gives the Processor prior consent to transfer personal data to a third country, the Processor may transfer such personal data only if one of the following conditions is met:
  - 2.1. processing is carried out by a Sub-processor in a third country in respect of which an adequacy decision has been issued, as referred to in Article 45 of the Regulation,
  - 2.2. processing is carried out by a Sub-processor within the framework of binding corporate rules, as referred to in Article 4(20) and Article 47 of the Regulation,
  - 2.3. processing is carried out by a Sub-processor on the basis of standard data protection clauses concluded between the Processor and the Sub-processor in order to provide appropriate safeguards in accordance with Article 46(2) and (3) of the Regulation, and after verifying – where applicable – in cooperation with the Sub-processor, whether the law of the destination third country provides appropriate protection of personal data transferred on the basis of standard data protection clauses in light of European Union law, providing additional safeguards to those provided in these clauses if necessary,
  - 2.4. the Sub-processor’s compliance with an approved code of conduct (in accordance with Article 40 of the Regulation) or an approved certification mechanism (in accordance with Article 42 of the Regulation) together with binding and enforceable commitments of the Controller or Sub-processor in the third country to apply appropriate safeguards, including with regard to the rights of data subjects.
- The legal basis for the transfer of data outside the European Economic Area to the United States by the Processor may be the European Commission’s decision of 10 July 2023 establishing the adequate level of protection of personal data provided by the so-called “EU-US Data Privacy Framework”. By virtue of this decision, the European Commission has determined that the changes introduced by the United States of America (hereinafter abbreviated as “USA”) in its legislation provide an adequate level of protection for personal data transferred by private and public entities from the territory of the European Economic Area to organisations in the USA that ensure compliance with the new “EU-US Data Privacy Framework”. The list of these organisations has been published by the US Department of Commerce. The transfer of data to these organisations is possible without the need to obtain additional authorisations or apply legal instruments such as standard contractual clauses. With regard to entities from the United States that are not registered in the Data Privacy Framework Program, the legal basis for the transfer is the application of the provisions of the standard data protection clauses referred to in paragraph 2 point 2.3 above.
8. Breach reporting
- The Processor is obliged to implement and apply procedures for detecting personal data breaches and implementing appropriate remedial measures. The Processor is obliged to make the procedures referred to in the preceding sentence available at each request of the Controller, no later than within 14 business days from the submission of such a request.
- Upon finding a breach of the personal data entrusted to it by the Controller, the Processor shall, without undue delay, report it to the Controller. The notification should contain at least information about:
  - the date, duration and location of the personal data breach;
  - the nature and scale of the breach, i.e. in particular the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data entries concerned, and if possible, also the identification of the data subjects affected by the breach;
  - the information system in which the breach occurred (if the breach occurred in connection with the processing of data in an information system);
  - the estimated time needed to repair the damage caused by the breach;
  - the nature and scope of personal data affected by the breach;
  - possible consequences of the breach, taking into account the consequences for the data subjects;
  - measures taken to minimise the consequences of the breach and proposed preventive and remedial actions;
  - contact details of the person who can provide further information about the breach.
- If the Processor is unable to provide the Controller with all the information referred to in paragraph 2 at the same time, it should provide it successively, without undue delay.
- Until instructions are received from the Controller, the Processor shall take all reasonable actions aimed at limiting and repairing the negative effects of the breach.
9. Liability of the Processor
- The Processor shall be liable for damages incurred by the Controller or third parties, caused by the processing of personal data only when a) it processed personal data in a manner inconsistent with this Agreement, b) it failed to fulfil obligations imposed on processors by the Regulation or other provisions concerning the protection of personal data, or when c) it acted contrary to lawful written instructions of the Controller or outside these instructions.
- Subject to mandatory provisions of law, the Processor shall be liable to the Controller for non-performance or improper performance of this Agreement only to the extent of the Controller’s documented actual damage (damnum emergens), limited to the amount of the last paid Fee for the Subscription Period as remuneration due to the Processor from the Controller, in accordance with the provisions of the Main Agreement.
- The limitation of liability referred to in paragraph 2 shall not apply to liability towards data subjects and in a situation where the damage is caused by intentional action of the Processor.
- A Party that has paid compensation for all damage resulting from a breach of this Agreement or the provisions of the Regulation has the right to demand from the other Party that participated in the same processing, the return of part of the compensation corresponding to the damage for which the other Party is liable, on the basis of the right of recourse described in Article 82(5) of the Regulation. The recourse claims referred to in the preceding sentence are subject to the limitation of liability specified in paragraph 2 of this section, unless the damage was caused intentionally or concerns liability towards data subjects.
- The Processor shall be liable for the actions or omissions of the Sub-processor, regarding the processing of entrusted personal data, as for its own actions or omissions, whereby the provisions regarding the liability of the Processor under the conditions described above also cover the liability of the Processor for the actions or omissions of its Sub-processors.
- The limitations of liability specified in this Agreement apply only to contractual liability between the parties and do not violate administrative liability resulting from the Regulation, in particular from Article 83 of the Regulation.
10. Duration of the agreement
- This Agreement shall be valid from the date of its conclusion for a fixed period related to the validity of the Main Agreement referred to in Section 2(1).
- The Processor may process personal data entrusted on the basis of this Agreement only for the period of validity of the Main Agreement, unless the Controller and the Processor agree on another period of personal data processing by way of a separate agreement, for a separate remuneration, or this Agreement is terminated in the cases specified in Section 11 of this Agreement.
- The Agreement shall also be terminated in the event that the processing of personal data transferred to the Processor by the Controller is no longer necessary for the performance of the Main Agreement.
- The Parties may terminate this Agreement with a 1-month notice period or by entering into an appropriate agreement, bearing in mind that termination of this Agreement may make it impossible to perform the Main Agreement, and thus result in its termination.
11. Termination of the agreement
- The Controller may terminate this Agreement with immediate effect when the Processor:
  - despite being obliged to remove the deficiencies found during the inspection, does not remove them within the specified period,
  - processes personal data in a manner inconsistent with this Agreement,
  - has entrusted the processing of personal data to another entity without the Controller’s consent.
- The Processor acknowledges that the termination of this Agreement may result in the inability to continue the Main Agreement referred to in Section 2(1). In the event that this Agreement is terminated for the reasons indicated in paragraph 1, the Main Agreement referred to in Section 2(1) shall be deemed to be terminated for reasons attributable to the Processor.
12. Final provisions
- The Controller ensures that the decision to agree to the terms of this Agreement, which constitutes an Appendix to the Terms and Conditions, has been made legally by the Controller, in the case where the Controller is a natural person, or by the Controller’s director, authorised representative or other person with the authority to represent, in the case where the Controller is a legal entity.
- All information obtained by the Parties during the term of the Agreement constituting a business secret within the meaning of the Act of 16 April 1993 on combating unfair competition (Journal of Laws of 1993, No. 47, item 211), may be used solely for the purpose of proper implementation of the Agreement by each of the Parties, unless the other Party releases it from the obligation of confidentiality or the obligation to disclose it results from applicable law.
- The remuneration for the services provided by the Processor under the Main Agreement also includes remuneration for the implementation of this Agreement.
- In matters not regulated, the provisions of the Civil Code and the Regulation shall apply.
Appendix No. 1 — list of Sub-processors
Sub-processor | Region | Legal basis for data transfer | Scope of data processing |
---|---|---|---|
Amazon, Luxembourg | EU | Provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council | Storage of databases and backups. Provision of the application on the server environment. |
OVH S.A., Poland | EU | Provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council | Storage of databases and backups. Provision of the application on the server environment. |
Positive Group Polska Sp. z o.o. (formerly UserEngage Sp. z o.o.), Poland | EU | Provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council | Name, surname, email of the person, IP address, name of the organisation establishing the account or contacting via chat. |
Google Ireland Limited, Ireland | EU | Provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council | 1. Storage of databases and backups. 2. Provision of the application on the server environment. 3. Additional Services are used in the scope of: – login (Google Sign-in) – adding entries from tomHRM to the calendar 4. The scope of data transferred to calendars depends on the Modules held on the account – Training: information about the training, name, surname of the trainer – Meetings with candidates: name, surname of the candidate, candidate’s email – 1-1 Meetings: name, surname of the employee – Holidays: name, surname of the employee – Employment anniversaries: name, surname of the employee – Birthdays: name, surname of the employee, date in the form of month and day |
Microsoft, Ireland | EU | Provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council | Services are used in the scope of: – logging into the application – transferring entries from tomHRM to the calendar The scope of data transferred to calendars depends on the modules held on the account: – Training: information about the training – Task: title, content of the task – Meetings with candidates: name, surname of the candidate, candidate’s email. – 1-1 Meetings: name, surname of the employee – Holidays: name, surname of the employee – Employment anniversaries: name, surname of the employee – Birthdays: name, surname of the employee, date in the form of month and day |
Braintree Payment Services (Paypal Sàrl et Cie, SCA, a limited liability partnership registered), Luxembourg | EU | Provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council | Payment operator handling online payments. Stores the account owner’s data: name, surname, email, IP address, company data for invoicing. |
Sendgrid, Denver, Colorado, USA | Outside EU | Certification of the service provider in accordance with the Data Privacy Framework (DPF) program | SMTP services used to send email messages from the tomHRM application to the recipient (tomHRM user or email address provided in the recipient field in the tomHRM application, candidate). Scope of data: email, IP address |
Twilio Inc., San Francisco, CA, USA | Outside EU | Certification of the service provider in accordance with the Data Privacy Framework (DPF) program | Service used for – sending SMS messages from the tomHRM application; scope of data: mobile phone number provided in the employee profile, candidate, – enabling video connections between meeting participants (data is not stored). |
Chargebee Inc. USA | Outside EU | Certification of the service provider in accordance with the Data Privacy Framework (DPF) program | Billing system used to manage information about the Service Recipient’s subscription and process online payments. Stores contact information for the person setting up the account: name, surname, email, IP address, company data for invoicing. |
MailerLite Limited | Ireland | Provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council | Mass email sending services, e.g. newsletter to customers, important notifications about the scope of service provision. Scope of data: email, IP address. |
Pipedrive Inc. | Outside EU | Certification of the service provider in accordance with the Data Privacy Framework (DPF) program | CRM for storing and managing contacts with the tomHRM account owner, contact persons on the side of the Service Recipient or potential Service Recipient. Scope of data: business contact details (including email address, phone number, position) |
Cordnet OU, Estonia (operator of Featurebase.app) | EU | Provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council | Application for creating a portal that collects feedback from users, publication of development plan and changes in the application. Scope of data: name, surname, email address of the Account Owner, user with the role of Module administrator. |
FrontApp, Inc. USA | Outside EU | Certification of the service provider in accordance with the Data Privacy Framework (DPF) program | Customer ticket handling system. Scope of data: email, name, surname, company name. |
Appendix No. 2 — Personal data security
- Physical safeguards in the hosting centre
  - Security measures such as physical protection and access control are applied.
  - The application and data are stored in a hosting centre with ISO 27001, SOC 2 and SOC 3 certificates, meeting the requirements of GDPR 2016/679.
- IT safeguards applied by the Service Provider in the provision of the service:
  - Backups are performed twice a day, and a backup of the backups is also kept. Backups are stored in two separate regions (within the EU) and with two different backup storage providers.
  - Backup restoration tests are performed cyclically.
  - Backups are used to restore data in case of the most serious failures.
  - Connections to the server and services are made using the SSL/TLS protocol.
  - Each person responsible on the part of the Service Provider for the processing of personal data has a named access account to the IT systems in which personal data is processed.
  - Two-factor authentication (2FA) mechanisms are used where possible.
  - A strong password policy for access to the systems supporting Service management is applied, with cyclical password changes and account blocking.
  - Protection against unauthorised access to systems and networks is applied, including through the use of a firewall, authorisation keys and/or other security mechanisms.
  - Updates to systems and software used to manage and provide the Service are applied.
- Organisational safeguards of the Service Provider
  - Cyclical training for employees and associates in the field of personal data protection is conducted.
  - Internal audits are conducted regarding compliance with the principles of personal data processing.
  - An incident management policy is applied.