aiFind

Data Processing Addendum (DPA)

Status: January 9, 2026

Preamble

The client (the Controller) has commissioned the contractor (the Processor) to perform the services specified in § 3. Part of the performance of the contract specified therein involves the processing of personal data. In particular, Art. 28 GDPR imposes certain requirements on such processing on behalf of a controller. In order to comply with these requirements, the parties enter into the following agreement, the fulfilment of which shall not be remunerated separately unless expressly agreed otherwise.

§ 1 DEFINITIONS

  1. “Controller” means the entity that, alone or jointly with others, determines the purposes and means of the processing of personal data.

  2. “Processor” means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

  3. “Personal data” is defined in Art. 4 (1) GDPR as any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”); a natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

  4. “Special categories of personal data” means personal data pursuant to Art. 9 GDPR which reveal the racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership of data subjects, personal data pursuant to Art. 10 GDPR on criminal convictions and offences or related security measures, as well as genetic data pursuant to Art. 4 (13) GDPR, biometric data pursuant to Art. 4 (14) GDPR, health data pursuant to Art. 4 (15) GDPR, and data concerning the sex life or sexual orientation of a natural person.

  5. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

  6. “Supervisory authority” means an independent public authority which is established by a Member State pursuant to Article 51 GDPR.

§ 2 Information on the competent data protection supervisory authority

  1. The competent supervisory authority for the contractor is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Kavalleriestraße 2-4, 40213 Düsseldorf.

  2. The client and the contractor and, if applicable, their representatives shall cooperate with the supervisory authority in the performance of its tasks upon request.

§ 3 Subject-matter and duration of the Agreement

  1. The contractor shall provide the client with SaaS services via the Internet in the area of software provision for personnel service providers on the basis of the main contract.

  2. In doing so, the contractor shall have access to personal data and shall process this data exclusively on behalf of and in accordance with the instructions of the client. The scope and purpose of data processing by the contractor shall be determined by the main contract (and the associated conditions, such as the service description and general terms and conditions). The client shall be responsible for assessing the permissibility of data processing.

  3. The parties enter into this agreement to specify their mutual rights and obligations under data protection law. In case of doubt, the provisions of this agreement shall take precedence over the provisions of the main contract.

  4. The provisions of this agreement apply to all activities related to the main agreement in which the contractor and its employees or agents come into contact with personal data originating from or collected for the client.

  5. The duration of this Agreement corresponds to the duration of the Service Agreement.

§ 4 Right to Issue Instructions

  1. The Processor shall process data solely within the scope of the main agreement and in accordance with the instructions of the Controller; this applies in particular with regard to the transfer of personal data to a third country or to an international organisation. Where the Processor is required by European Union law or by the law of the Member States to which it is subject to carry out further processing, the Processor shall inform the Controller of such legal requirements prior to the processing, unless such information is prohibited by law.

  2. The instructions of the Controller are initially set out in this agreement and may thereafter be amended, supplemented or replaced by the Controller by individual instructions issued in written or text form (individual instructions). The Controller is entitled at any time to issue such instructions. This includes, in particular, instructions relating to the rectification, erasure and restriction of data.

  3. All instructions issued shall be documented by both the Controller and the Processor. Instructions that go beyond the services agreed under the main agreement shall be treated as a request for a change to the services.

  4. If the Processor is of the opinion that an instruction issued by the Controller violates applicable data protection law, the Processor shall inform the Controller thereof without undue delay. The Processor shall be entitled to suspend the implementation of the relevant instruction until it has been confirmed or amended by the Controller. The Processor may refuse to implement an instruction that is manifestly unlawful.

§ 5 Nature of the Processed Data, Categories of Data Subjects

  1. In the course of performing the main agreement, the Processor is granted access to the personal data specified in more detail in Annex 1.

  2. The categories of data subjects affected by the data processing are also set out in Annex 1.

§ 6 Technical and Organisational Measures of the Processor

  1. The Processor is obliged to comply with the statutory data protection provisions and shall not disclose to third parties, or permit access by third parties to, any information obtained from the Controller’s sphere of responsibility. Documents and data shall be protected against unauthorised access, taking into account the state of the art.

  2. Within its area of responsibility, the Processor shall organise its internal operations in such a manner as to meet the specific requirements of data protection. The Processor shall implement all necessary technical and organisational measures to ensure an appropriate level of protection for the Controller’s data in accordance with Article 32 GDPR, including, at a minimum, the measures set out in Annex 2, in particular:

    • physical access control (access to premises),
    • system access control,
    • data access control,
    • transfer control,
    • input control,
    • processing control,
    • availability control, and
    • separation control.

The Processor reserves the right to modify the security measures implemented at any time, provided that the contractually agreed level of protection is not undermined.

  3. Persons employed by the Processor who are involved in data processing are prohibited from processing personal data without authorisation. The Processor shall ensure that all persons engaged by it in the performance and fulfilment of this agreement (hereinafter referred to as “employees”) are bound by appropriate confidentiality obligations (confidentiality obligation pursuant to Article 28(3)(b) GDPR) and shall exercise due care to ensure compliance with such obligations. These obligations shall be designed to continue to apply even after termination of this agreement or of the employment relationship between the employee and the Processor. Upon request, the Processor shall provide the Controller with appropriate evidence of such obligations.

§ 7 Information Obligations of the Processor

  1. In the event of disruptions, suspected personal data breaches or breaches of the Processor’s contractual obligations, suspected security-relevant incidents or other irregularities in the processing of personal data by the Processor, by persons employed by the Processor in the performance of the assignment, or by third parties, the Processor shall inform the Controller without undue delay in written or text form. The same shall apply to any audits or investigations of the Processor conducted by a data protection supervisory authority.

  2. A notification of a personal data breach shall include, at a minimum, the following information: a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; a description of the measures taken or proposed by the Processor to remedy the breach and, where applicable, measures to mitigate its possible adverse effects.

  3. The Processor shall without undue delay take the necessary measures to secure the data and to mitigate any possible adverse effects for the data subjects, shall inform the Controller thereof and shall request further instructions.

  4. Furthermore, the Processor shall be obliged at all times to provide the Controller with information insofar as the Controller’s data are affected by a breach within the meaning of the first paragraph.

  5. Should the Controller’s data held by the Processor be endangered by attachment or seizure, by insolvency or composition proceedings, or by other events or measures taken by third parties, the Processor shall inform the Controller thereof without undue delay, unless the Processor is prohibited from doing so by a court or administrative order.

  6. In this context, the Processor shall immediately inform all competent authorities that decision-making authority with respect to the data lies exclusively with the Controller as the “controller” within the meaning of the GDPR.

  7. The Processor shall inform the Controller without undue delay of any material changes to the security measures pursuant to Section 6(2) of this agreement.

  8. The Processor and, where applicable, its representative shall maintain a record of all categories of processing activities carried out on behalf of the Controller, containing all information required pursuant to Article 30(2) GDPR. Such record shall be made available to the Controller upon request.

  9. The Processor shall reasonably assist the Controller in the preparation of the Controller’s own record of processing activities and shall provide the Controller with the necessary information in an appropriate manner.

§ 8 Audit and Inspection Rights of the Controller

  1. The Controller shall have the right, in coordination with the Processor, to conduct audits or to have such audits conducted by an auditor to be designated on a case-by-case basis. The Controller shall be entitled to verify the Processor’s compliance with this agreement at the Processor’s business premises by means of spot checks, which shall generally be announced in advance in due time.

  2. The Processor undertakes, upon the Controller’s oral or written request, to provide within a reasonable period all information and evidence necessary to carry out an audit of the Processor’s technical and organisational measures. The Processor shall ensure that the Controller is able to verify compliance with the Processor’s obligations pursuant to Article 28 GDPR.

  3. Evidence of such measures which do not relate exclusively to the specific assignment may be provided in the form of an overview of the technical and organisational measures or a data protection concept.

  4. The Processor may be entitled to claim reasonable remuneration for enabling audits by the Controller.

§ 9 Engagement of Sub-processors

  1. The contractually agreed services and/or the partial services described below shall be performed with the involvement of sub-contractors.

  2. Within the scope of its contractual obligations, the Processor shall be entitled at any time to establish (additional) sub-processing relationships with sub-contractors (“sub-processing relationship”), provided that the Processor informs the Controller thereof in advance and the Controller does not object to the intended outsourcing in writing or in text form by the time the data are transferred to the Processor.

    Sub-processor                  | Data region       | Service
    -------------------------------|-------------------|-------------------------------------------
    Textkernel B.V.                | Europe            | CV parser
    Google Ireland Ltd.            | Europe (Germany)  | Hosting of aiFind
    Posthog, Inc.                  | Europe            | In-app analytics
    Ziggy Creative Colony AE       | Europe (Athens)   | External development service provider
    MongoDB, Inc.                  | Europe            | Database
    Mailgun by Sinch Sweden AB     | Europe            | Email provider
    Productboard, Inc.             | Europe            | Feedback management tool
    Novu, Noti-Fire Apps Ltd.      | Europe            | In-app notifications
    Formbricks GmbH                | Europe            | In-app survey service
    OpenAI OpCo, LLC               | Europe            | AI (processing of non-personal data)
    Nylas, Inc.                    | Europe            | Email and calendar integration

  3. A sub-processing relationship within the meaning of these provisions shall not exist where the Processor engages third parties to provide services that are to be regarded as purely ancillary services. Such ancillary services include, for example, postal, transport and shipping services, cleaning services, telecommunications services without a specific connection to the services provided by the Processor for the Controller, and security services. Maintenance and inspection services shall constitute sub-processing relationships requiring consent insofar as such services are provided for IT systems that are also used in connection with the provision of services for the Controller.

  4. Consent to existing sub-processors: The Controller consents to the engagement of the sub-processors listed in § 9(2), subject to the condition that a contractual arrangement in accordance with Article 28(2)–(4) GDPR is concluded with the respective sub-processor.

  5. Where a sub-processor provides the agreed services outside the EU/EEA, the Processor shall ensure the lawfulness of the data processing under data protection law by implementing appropriate measures.

§ 10 Requests and Rights of Data Subjects

  1. The Processor shall, where possible, support the Controller by means of appropriate technical and organisational measures in fulfilling the Controller’s obligations pursuant to Articles 12–22 as well as Articles 32 and 36 GDPR.

  2. If a data subject asserts rights, such as the right of access, rectification or erasure, directly vis-à-vis the Processor, the Processor shall not respond independently but shall without undue delay refer the data subject to the Controller and await the Controller’s instructions.

§ 11 Termination of the Main Agreement

  1. Upon termination of the main agreement, or at any time upon the Controller’s request, the Processor shall return to the Controller any documents, data and data carriers provided to it or – at the Controller’s option and unless there is an obligation to retain the personal data under Union law or the law of the Federal Republic of Germany – erase such data. This shall also apply to any backups held by the Processor. The Processor shall provide documented evidence of the proper erasure of any remaining data.

  2. The Controller shall have the right to verify, in an appropriate manner, the complete and contract-compliant return or erasure of the data by the Processor.

  3. The Processor shall be obliged to treat all data that became known to it in connection with the main agreement as confidential even after termination of the main agreement. This agreement shall remain valid beyond the termination of the main agreement for as long as the Processor retains personal data that were provided by the Controller or collected on behalf of the Controller.

§ 12 Liability

  1. The limitation of liability set out in the main agreement underlying this agreement shall apply.

  2. With regard to compensation for damage suffered by a data subject as a result of unlawful or incorrect processing or use of data under data processing on behalf, the Controller alone shall be responsible vis-à-vis the data subject in the internal relationship with the Processor.

  3. The Controller shall indemnify and hold the Processor harmless, upon first demand, from an economic perspective, against monetary claims asserted by third parties in connection with the processing of data on behalf. This shall not apply insofar as the Processor has failed to comply with its obligations specifically imposed on processors under the GDPR, or has acted contrary to, or in disregard of, the Controller’s lawfully issued instructions, and the monetary claim is based thereon. Articles 82(2) to (4) GDPR shall remain unaffected.

  4. The parties shall each indemnify the other from liability where a party proves that it is not in any way responsible for the event giving rise to the damage suffered by a data subject.

§ 13 Final Provisions

  1. Amendments and supplements to this agreement must be made in writing. This shall also apply to any waiver of this formal requirement. The precedence of individual contractual agreements shall remain unaffected.

  2. Should individual provisions of this agreement be or become wholly or partially invalid or unenforceable, the validity of the remaining provisions shall not be affected thereby. Statutory provisions shall replace any provisions that are not incorporated or are invalid. If such statutory provisions are not available in the relevant case (regulatory gap) or would lead to an unacceptable result, the parties shall enter into negotiations in order to agree on a valid provision to replace the non-incorporated or invalid provision, which comes as close as possible to the economic intent of the original provision.

  3. This agreement shall be governed by the laws of the Federal Republic of Germany.

  4. If the Controller is a merchant (Kaufmann), a legal entity under public law, or a special fund under public law, the exclusive place of jurisdiction for all disputes arising out of or in connection with this agreement shall be the registered office of the Processor.

Annexes

Annex 1 – Description of the Types of Personal Data Processed / Data Subjects / Categories of Data Subjects

Annex 2 – Technical and Organisational Measures of the Processor

Annex 3 – Data Protection Information Sheet

Annex 1

Types of Personal Data Processed

  • Master data (employer and applicant master data, such as names, addresses, date of birth, name suffixes such as academic degrees/titles, nationality),
  • Contact data (postal address, email address, telephone numbers),
  • Content data (information on education and training, vocational education, qualifications, photographs),
  • Usage data (e.g. interest in content, access times),
  • Meta and communication data (e.g. device information, IP addresses).

Categories of Data Subjects

  • Headhunters
  • Employers
  • Applicants
  • Employees
  • Prospective customers

Annex 2

Technical and Organisational Measures (TOMs) within the Meaning of Article 32 GDPR

1. Confidentiality (Article 32(1)(b) GDPR)

  • Physical access control: Measures designed to prevent unauthorised persons from gaining access to data processing facilities in which personal data are processed or used.

  • System access control: Measures designed to prevent unauthorised persons from using data processing systems.

  • Data access control: Measures ensuring that authorised users of a data processing system can access only the data subject to their access rights and that personal data cannot be read, copied, modified or deleted without authorisation during processing, use or after storage.

  • Separation: Measures ensuring that data collected for different purposes can be processed separately.

  • Pseudonymisation (Article 32(1)(a) GDPR): Measures to process personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and subject to appropriate technical and organisational measures.

2. Integrity (Article 32(1)(b) GDPR)

  • Transfer control: Measures ensuring that personal data cannot be read, copied, modified or deleted without authorisation during electronic transmission, transport or storage on data carriers, and that it is possible to verify and establish to which recipients the transfer of personal data by data transmission facilities is intended.

  • Input control: Measures ensuring that it can subsequently be verified and established whether, by whom and when personal data have been entered into, modified in or deleted from data processing systems.

3. Availability and Resilience (Article 32(1)(b) GDPR)

  • Availability control: Measures ensuring that personal data are protected against accidental destruction or loss.
  • Recoverability: Measures ensuring that the systems used can be restored in the event of a disruption.

4. Procedures for Regular Testing, Assessment and Evaluation (Article 32(1)(d) GDPR)

  • Data protection management: Policies, guidelines, work instructions and security concepts.

  • Data protection by default (Article 25(2) GDPR): Regular audits, documentation and, where necessary, optimisation.

  • Processing control: Measures ensuring that personal data processed on behalf of the Controller are processed solely in accordance with the Controller’s instructions.

5. Technical and Organisational Measures Relating to the Specific Performance of the Services

  • With regard to the technical and organisational measures implemented by Dr. Glinz COViS, reference is made to the COViS Data Protection Concept [UD_Data Protection Concept] attached hereto.

Annex 3

Data Protection Information Sheet

Information on Data Processing for the aiFind core application

1. Name and Contact Details of the Controller

Dr. Glinz COVIS GmbH

Heerdter Sandberg 32

40549 Düsseldorf

Germany

Tel.: 0211 55726-0

Fax: 0211 55726-26

[email protected]

2. Processing of Personal Data as well as Type, Purpose and Use

If you, as a headhunter, enter into a contract with us for the use of the aiFind core application, we collect the following data:

Information arising from the contractual relationship (first name, last name, telephone numbers, postal address, email address, bank details).

The collection of these data is carried out in order to perform our contractual relationship with you, in particular to provide you with all SaaS services via the internet, to correspond with you, and to issue invoices.

The data processing is carried out based on your interest in our services and is necessary pursuant to Article 6(1) sentence 1 lit. (b) GDPR for the purposes stated above, namely for the successful performance of the contract and for the mutual fulfilment of contractual obligations.

If you have consented to receive our newsletter, we will use your email address to provide you with up-to-date information. The legal basis for this processing is Article 6(1) sentence 1 lit. (a) GDPR. You may revoke your consent to the storage of your data, the email address and its use for sending the newsletter at any time. Revocation may be effected via the link contained in the newsletters themselves or by sending an email to [email protected].

The personal data collected by us will generally be stored after termination of the contractual relationship until the expiry of the statutory regular limitation period of three years (Section 195 of the German Civil Code – BGB) and will be deleted upon expiry of this period, unless we are required to retain the data for a longer period pursuant to Article 6(1) sentence 1 lit. (c) GDPR due to statutory retention and documentation obligations under tax or commercial law (in particular under the German Commercial Code (HGB), the German Criminal Code (StGB) or the German Fiscal Code (AO)), or unless you have consented to further storage pursuant to Article 6(1) sentence 1 lit. (a) GDPR.

Profiling or automated decision-making does not take place.

3. Disclosure of Data to Third Parties

No transfer of your personal data to third parties shall take place for purposes other than those listed below.

Insofar as this is necessary pursuant to Article 6(1) sentence 1 lit. (b) GDPR for the performance of the contract, your personal data will be disclosed to third parties. This includes, in particular, employees of the service provider. Furthermore, your personal data may be disclosed to public authorities or other third parties, such as debt collection agencies, lawyers and courts, if outstanding claims are not settled despite repeated reminders. The legal basis for such disclosure is Article 6(1) sentence 1 lit. (f) GDPR.

The data disclosed may be used by the respective third party exclusively for the purposes stated above.

4. Rights of Data Subjects

You have the right:

  • pursuant to Article 7(3) GDPR, to withdraw your consent given to us at any time. This shall have the effect that we may no longer continue the data processing based on such consent for the future;
  • pursuant to Article 15 GDPR, to request information about your personal data processed by us. In particular, you may request information about the purposes of the processing, the categories of personal data concerned, the categories of recipients to whom the data have been or will be disclosed, the envisaged period for which the personal data will be stored, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if these were not collected from you, as well as the existence of automated decision-making, including profiling, and, where applicable, meaningful information about the logic involved;
  • pursuant to Article 16 GDPR, to request without undue delay the rectification of inaccurate personal data concerning you or the completion of your personal data stored by us;
  • pursuant to Article 17 GDPR, to request the erasure of your personal data stored by us, unless the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defence of legal claims;
  • pursuant to Article 18 GDPR, to request the restriction of processing of your personal data where the accuracy of the data is contested by you, the processing is unlawful but you oppose erasure, we no longer need the data but you require them for the establishment, exercise or defence of legal claims, or you have objected to the processing pursuant to Article 21 GDPR;
  • pursuant to Article 20 GDPR, to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format, or to request the transmission of those data to another controller; and
  • pursuant to Article 77 GDPR, to lodge a complaint with a supervisory authority. As a rule, you may contact the supervisory authority of your habitual residence or place of work or of our registered office. The supervisory authority responsible for us is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Kavalleriestraße 2-4, 40213 Düsseldorf.

5. Right to Object

Where your personal data are processed on the basis of legitimate interests pursuant to Article 6(1) sentence 1 lit. (f) GDPR, you have the right, pursuant to Article 21 GDPR, to object to the processing of your personal data on grounds relating to your particular situation.

If you wish to exercise your right to object, it is sufficient to send an email to: [email protected]