Terms and conditions for Teamtailor

Last update:

Teamtailor (“us”, “we”, “our”) welcomes you, our Customer (“you”), to the Teamtailor service, an applicant tracking system and an employer branding platform provided by Teamtailor AB, available on app.teamtailor.com.

These terms and conditions constitute the entire agreement between the parties and consist of the following documents and appendices, all of which are together referred to as the Agreement.

  1. the Order Form 

  2. the terms and conditions 

  3. the data processing agreement (“DPA”); 

  4. The following appendices: 

Appendix 1 - Description of the Service

Appendix 2 - Description of the processing 

Appendix 3 - Technical and organisational measures

If there is any conflict or ambiguity between the terms of any of the documents listed above, a term contained in a document higher in the list shall prevail. In the event the conflict or ambiguity relates to data processing of personal data, the DPA shall prevail.

If you get access to the Service prior to the start date of the Agreement as outlined in the Order Form, applicable terms of this Agreement will apply to your use of the Service.

Teamtailor and the Customer shall individually be referred to as “party” and collectively “parties”.

1. Service 

Teamtailor develops a recruitment software and employer branding platform, allowing our customers and users to manage their recruitment process, (the “Service”), available on app.teamtailor.com. 

We are constantly developing the Service, and our current features are further described in Appendix 1.

2. Use of the Service 

Our Service is intended to be used by the Customer and its employees (“Users”), for recruitment and employer branding related activities. 

We grant the Customer and an unlimited number of Users, within the total number of employees as stated in the Order Form, a personal, non-exclusive and non-transferable right to use the Service for internal use in accordance with this Agreement, without the right to sublicense.

You are able to add and list other companies within your company group as Authorised Users in the Order Form. Employees of such companies would then be deemed as Authorised Users and be able to use the Service in accordance with this Agreement. 

Both Users and Authorised Users will be referred to as Users in the context of this Agreement.

3. Customer obligations

Users may not use the Service for any illegal purpose, or in any way that violates this Agreement. You are responsible for all activities, actions, omissions and content provided by any Users when using the Service. 

When using the Service, please ensure that all Users respect the rights of others, including any intellectual property, privacy or other rights of third parties who may have an interest in or right in connection with the content being uploaded.

We expect Users not to: 

  • publish, post or - in any other way express - any material or information that is inappropriate, defamatory, infringing, obscene, pornographic, racist, terrorist, politically slanted, indecent or in any other way unlawful;

  • copy, reproduce, alter, modify, create derivative works, publicly display, republish, upload, post, transmit, resell or distribute the Service, any part thereof or any material or information that you receive, or are granted access to, from us,

  • monitor the Service availability, performance or functionality for any competitive purpose or purpose beyond the intended purpose of the Service. For example, you agree not to access the Service for the purpose of developing or operating a competitive product or service or copying the Service features or user interface, or

  • violate the restrictions on the Service, work around, bypass or circumvent any of the technical limitations of the Service, use any tool to enable features or functionalities that are otherwise disabled in the Service, or decompile, disassemble or otherwise reverse engineer the Service.

We do expect Users to: 

  • Provide Teamtailor with appropriate cooperation in relation to this Agreement; and

  • comply with all applicable laws and regulations with respect to the use of the Service under this Agreement.

The Customer shall at all times remain responsible for the Users’ use of the Service.

 

Teamtailor reserves the right to disable the Customer’s access to the Service in the event of breach of this Section 3, but will provide written notice thereof. 

4. Our obligations

Teamtailor undertakes that the Service will be provided with reasonable skill and care and in accordance with industry standards. 

If the Service does not comply with the above statement, Teamtailor will, at its own cost, use all reasonable commercial efforts to promptly correct any deviation or provide the Customer with a replacement to meet the desired performance. Any correction or replacement shall constitute the Customer’s only remedy for breach of this undertaking. 

Furthermore, the Customer acknowledges that:

  • Teamtailor does not warrant that the Customer’s use of the Service will be uninterrupted or error-free;

  • Teamtailor does not warrant that the Service or information obtained by the Customer through the Service will meet the Customer’s requirements; and 

  • Teamtailor is not responsible for any delays, delivery failures or any other loss or damage resulting from the transfer of data over a communication network (such as the internet) out of Teamtailor’s control.

Nothing in this Agreement prevents Teamtailor from entering into similar agreements with third parties or from independently developing, using, selling or licensing documentation, products and/or services which are similar to those provided under this Agreement. 

5. User accounts

You, as the company registering for the Service as well as any User, are responsible for providing us with complete and accurate information when creating a User account. We have the right to restrict access to the Service if we identify that you or any User provide us with inaccurate, incomplete or untrue information.

You are responsible for ensuring that the information provided to us is up to date and you need to follow standard security procedures for keeping your password information safe and secure. 

6. Customer service

We offer customer support services during normal business hours, at least between 08:00 - 18:00 CET, and we are happy to help you and Users if you have any questions or complaints relating to our Service. 

Customer support is available through a) email support@teamtailor.com and b) chat on www.teamtailor.com or when you are logged in to your account.

7. Service level 

We will use all commercially reasonable efforts to provide you the Service continuously. However, we cannot guarantee that the Service will be free from interruptions, delays or errors caused by our systems or other third party service providers, general internet disruptions or force majeure events. 

From time to time, we may perform maintenance and upgrades to the Service, which may result in interruptions, delays or errors in the Service. We will use all commercially reasonable efforts to notify you in advance of any planned maintenance, but we cannot guarantee that such notifications will always be provided. We will also try to ensure that such maintenance is scheduled outside of normal business hours. We recommend that you subscribe to https://status.teamtailor.com for any service level updates.

8. Fees and payment

The Service is provided on an annual basis for the Subscription Fee and any additional fees, if applicable, as stated in the Order Form and based on section 16 of this Agreement. The total amount payable is stated under Total contract value in the Order Form.

Invoices will be sent yearly in advance to the details as referred to in the Order Form, and in accordance with the payment details as provided in the Order Form. Interest on late payments may be levied in accordance with the Swedish Interest Act. If the actual interest rate is higher than the maximum allowed by mandatory legislation of the jurisdiction in which the payment is executed, the interest rate shall be reduced to the maximum allowed by such local mandatory legislation.

Each party is responsible for the fees and other charges their bank or other electronic transfer system may add to the payment of the Subscription Fee.

All prices mentioned in this Agreement do not include Value Added Tax (VAT) or any other applicable taxes. The Customer is responsible for making payments without withholding or deducting any taxes, unless required by mandatory law. If such withholding or deduction is required, the Customer must pay Teamtailor an additional amount to ensure that Teamtailor receives the full payment it would have received without any withholding or deduction.

Teamtailor has the right to adjust the Subscription Fee before each renewal period, and will always provide the Customer with a written notice at least sixty (60) days in advance of any price adjustment. This Agreement will be considered amended with the updated Subscription Fee. The adjusted Subscription Fee will be applicable from the start of the upcoming renewal period.

The Customer has the right to adjust the number of Platforms as listed in the Order Form, which may result in a decrease or increase in the Subscription Fee for the upcoming renewal period, as detailed in Section 16. Any modifications to the number of platforms shall be in writing and agreed to by the parties.

If the Customer does not agree with the adjustment, either party may choose not to renew the Agreement as specified in section 16. 

9. Personal data & data privacy 

We take your business representatives’ and Users’ privacy and security seriously, and are committed to protecting your personal data in accordance with applicable laws and regulations. 

When you sign up for and use the Service, we collect and use a limited amount of personal data about data subjects, such as your business representatives and Users, for our own purposes, i.e. as a so-called data controller under the GDPR.

Our Privacy Policy contains information about the different purposes for which we use this personal data, the personal data that is collected, what rights the affected individuals have in relation to our use of their personal data, etc. 

All other processing of Customer Personal Data (as defined in the DPA) will be performed as described in the DPA, which forms an integral part of this Agreement. 

10. Intellectual property

All copyrights, trademarks, trade names, logos and other intellectual property rights held and used by us, as part of the Service (including graphics, icons, scripts, source codes etc.), are our property or our third party licensors’ property. The Service and other information, including associated intellectual property rights, provided and made available by us, remain our exclusive property. You or your Users may not use the property for commercial purposes or any other purpose without our prior written consent.

Each party shall without delay notify the other party of any intellectual property suspected or actual related to the Service. Neither party shall be obligated to defend such intellectual property rights, but if a party decides to do so, the other party shall, to a reasonable extent, assist the defending party, at its own expense. This does not entail that a party is obligated to incur any external legal cost in relation to such assistance, but merely to provide reasonable assistance from internal resources.

Any content added by you or your Users to the Service shall remain your property, and you warrant that you own or have the right to use such property.

11. Limitation of liability

In no event will we, our subsidiaries, affiliates or any respective officers, employees, directors, agents or partners be liable for: 

  • Loss of contracts; 

  • Loss of goodwill or reputation; 

  • Loss of profit, loss of revenue or loss of anticipated business or earnings; or 

  • Any other indirect, consequential or special losses, damages or liabilities, arising out of or in connection with your or Users’ use of our Service, or obligation under these Terms.

Our total liability to you for all other losses arising under or in connection with this Agreement, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, will be limited to the total sums paid by you for the Service during the period of 12 months preceding the claim. 

Nothing in this Agreement will limit our liability resulting from our fraud or fraudulent misrepresentation, gross negligence, wilful misconduct, for death or personal injury resulting from our negligence or to the extent such limitations or exclusions are not permitted by applicable law.

12. Indemnification 

You agree to defend, indemnify, and hold us and our respective directors, agents, affiliates and representatives harmless from and against any claim (including all third-party claims), and expense (including without limitation reasonable attorneys’ fees) arising out of or relating to: 

(a) your or Users’ wrongful or improper use of the Service in breach of Section 3;

(b) your or Users’ violation of any third party right, including but not limited to any right of privacy, publicity rights or intellectual property rights; and

(c) your or Users’ breach of the Confidentiality provisions in the Agreement.

We agree to defend, indemnify, and hold you and your respective directors, agents, affiliates and representatives harmless from and against any claim (including all third-party claims), and expense (including without limitation reasonable attorneys’ fees) arising out of or relating to: 

  1. our violation of any third party right, including but not limited to any right of privacy, publicity rights or intellectual property rights; and 

  2. our breach of the Confidentiality provisions in the Agreement.

Our indemnification towards you shall not apply in the event that you are using the Service in a modified form in combination with materials or software not provided by us, nor for any content, information or data provided by you, your Users or candidates when using the Service.

A party that wants to seek indemnification under this section shall follow the below:

  • Promptly notify the other party in writing about the claim;

  • Provide the indemnifying party all reasonable cooperation in defence and settlement of such claim; and 

  • Provide the indemnifying party with sole authority to settle the claim. 

13. Confidentiality 

We understand the importance of confidentiality in business matters. 

As used in this Agreement, confidential information (“Confidential Information”) means any information that is proprietary or confidential to the disclosing party or that the disclosing party needs to keep confidential, e.g. under an obligation towards a third party. Confidential Information may be of a technical, business or other nature. However, Confidential Information does not include any information that: (i) was known to the receiving party before receiving the same from the disclosing party in connection with this Agreement; (ii) is independently developed by the receiving party; (iii) is acquired by the receiving party from another source without restriction as to use or disclosure; or (iv) is or becomes part of the public domain through no fault or action of the receiving party.

Any Confidential Information that you provide to us or that we provide to you, including but not limited to trade secrets and proprietary information, will be treated as confidential. The recipient will not disclose, share or otherwise make available Confidential Information to any third party, without the express written consent of the disclosing party, except for when required by law. You hereby consent to our disclosure of your Confidential Information to the subprocessors used in the provision of the Service, as described in the DPA. Both parties shall take all reasonable measures to protect the Confidential Information from unauthorised access or disclosure.

This section supersedes all previous agreements, including any non-disclosure agreement entered into before entering into this Agreement. 

The confidentiality undertaking as described above will remain in force three (3) years after the termination of the Agreement, except for trade secrets which must be kept confidential as long as they qualify as trade secrets.

14. Third Party Service 

Our Service may be integrated with other third-party technologies and services (“Third-Party Services”). In case you integrate towards such Third-Party Services, as available from time to time, you expressly instruct us to share data with and give access to such third-party. You are responsible for any access or use of the Third-Party Services and any use of such Third-Party Service is subject to the terms and conditions between you and such third party. 

We are not responsible or liable to you or any third party service provider with respect to the functionality or availability of any Third-Party Service or any data obtained through the use of any Third-Party Services. We make no representation or warranty with respect to any integration with a Third-Party Service or any data obtained through a Third-Party Service.

15. Changes to the Service 

Teamtailor can make changes to the Service whenever necessary or helpful to improve it or for other reasons. These changes may include upgrades, bug fixes, patches, error corrections, modifications, enhancements, improvements, or new features called “Updates”. 

We will not make intentional changes that significantly harm the Service’s features and functionality. If Teamtailor makes a change that significantly harms the Customer’s operations, Teamtailor will inform the Customer in writing thirty (30) days in advance of such change. Teamtailor and the Customer shall in good faith try to find an alternative solution to solve the harm. If not possible within thirty (30) days from the written notice of the Customer, the Agreement shall be terminated with immediate effect.

16. Term and termination 

This Agreement shall be valid for a period as detailed in the Order Form, referred to as “Initial Contract Period”. The Agreement will be automatically renewed for successive periods of twelve (12) months each, known as “Renewal Period”, unless either party notifies the other party in writing of their intention not to renew the Agreement.

Each party has the right to choose not to renew the Agreement by providing written notice to the other party no less than one month prior to the expiration of the current contract period. If neither party terminates the Agreement, it will continue to be valid for the upcoming Renewal Period. 

Either party may terminate this Agreement immediately under the following circumstances: 

  1. If the other party commits a material breach of this Agreement and fails to rectify the breach within thirty (30) days after receiving written notice to do so. 

  2. If the other party commits a material breach of any term of this Agreement that cannot be rectified. 

  3. If the other party becomes subject to bankruptcy proceedings, ceases to carry on business, or goes into liquidation. 

Either party may terminate this Agreement by providing the other party with written notice. If you terminate this Agreement prior to the end of the subscription term, you will not be entitled to any refund of any fees paid. 

Teamtailor reserves the right to immediately terminate these Terms or limit access to the Service if you or any User: 

  • breach or otherwise violate any provision of these Terms; 

  • use the Service in violation of applicable laws; 

  • do not pay in accordance with the Fees and Payment section; 

If any of the above scenarios occur, we may contact you and request that you remedy your breach of this Agreement before terminating or limiting the Service.

Termination under this section shall be made in writing, to you by sending an email to the contact details in the Order Form.

Upon termination, your and Users' right to access the Service will be revoked. Regarding returning or erasure of Customer Personal Data, see more details in the DPA.

17. Force Majeure 

Neither party shall be responsible for delays and defects outside of their control. If we or our suppliers are delayed by an event outside our control, we will contact you as soon as possible to let you know and we will take steps to minimise the effect of the delay. Provided that we do this we will not be liable for defects and delays caused by the event.

18. Governing law 

This Agreement will be governed by and construed in accordance with the laws of Sweden, without giving effect to any choice of law or conflict of law provisions. Any dispute, controversy or claim arising out of or in connection with these Terms shall be settled by public courts in Sweden.

If local mandatory law that the Customer is subject to prohibits disputes arising from agreements from being resolved by a foreign court, any dispute, controversy or claim arising out of this Agreement, or the breach, termination or invalidity thereof, shall be settled by arbitration in accordance with the arbitration rules of the International Chamber of Commerce in effect at the time of applying for arbitration. The seat of the arbitration shall be Sweden and the language used in the process shall be English.

19. Assignment 

You may not assign, transfer or delegate any rights or obligations under this Agreement without our written consent. 

20. Entire agreement 

This Agreement constitutes the entire agreement between the parties, and supersedes all prior or contemporaneous agreements, understandings, negotiations and discussions, whether oral or written, relating to the subject matter of this Agreement. Any modifications or amendments to this Agreement must be in writing. 

21. Variation 

No modification or amendment to this Agreement shall be valid unless in writing and approved by both parties. 

Data Processing Agreement 

About and summary

This DPA is part of and subject to the terms of the Agreement. It describes what responsibilities you and Teamtailor have when it comes to processing of Customer Personal Data under the Agreement. In sum, it states that:

  • We can only use Customer Personal Data to provide the Service to you, as described in the Agreement.

  • You are responsible for your own compliance with Applicable Data Protection Law when using the Service, and Teamtailor for complying with the parts of Applicable Data Protection Law that apply to a processor / service provider. 

  • We will help you comply with many aspects of Applicable Data Protection Law. You have assessed how Teamtailor will be doing this, and are satisfied with the measures Teamtailor will take. 

1. Definitions

These definitions are used: 

Applicable Data Protection Law means any law about protecting information about physical persons, which applies to a party’s processing of Customer Personal Data under the Agreement. This can for example include: EU Regulation 2016/679 (GDPR); the UK General Data Protection Regulation (UK GDPR); the UK Data Protection Act of 2018; and/or the California Consumer Privacy Act (CCPA). 

Change Date means the date when you intend for a change in your instructions to us to have effect. 

Customer Personal Data means data that is (i) subject to Applicable Data Protection Law; (ii) added to the Service by or on behalf of you under the Agreement; and (iii) which Teamtailor is only allowed to process on your behalf, except for such Personal Data for which we are the data controller, as described in section 9 in the terms and conditions.

Data Subject Requests means requests from individuals whom Customer Personal Data refers to, to exercise their rights under Applicable Data Protection Law. 

EU SCCs means the sets of standard contractual clauses published by the EU Commission on June 4, 2021. 

Subprocessor means any processor that Teamtailor uses to process Customer Personal Data. 

Subprocessor Change Date means the date when Teamtailor intends to start using a new subprocessor, or replace an existing one. 

Supervisory Authority means a public authority that investigates and enforces compliance with an Applicable Data Protection Law.

Third Country Transfer means (i) where the GDPR applies, a transfer of Customer Personal Data to a country, territory or international organization outside of the EU/EEA that is not subject to an adequacy decision by the European Commission; (iii) where the UK GDPR applies, a transfer of Customer Personal Data from the UK to a country, territory or international organization that is not the subject of adequacy regulations under section 17A of the UK Data Protection Act of 2018.

TOMS means the technical and organizational measures that we maintain to make sure that Customer Personal Data is secure when processed in the Service. The TOMS are described in Appendix 3. 

UK Transfer Addendum means the International Data Transfer Addendum to the EU SCC, published by the UK Information Commissioner’s Office on March 21, 2022.

Other terms have the meaning given to them in Applicable Data Protection Law. For example, the terms controller, processor, processing, data subject, and personal data breach have the meaning given to them in the GDPR. The terms sell, share, and service provider have the meaning given to them in the CCPA. 

2. Your responsibilities

You decide and control which type of Customer Personal Data is processed in the Service, which features and functionalities will be used, for which purposes and for how long. For this reason, you are the sole controller of the Customer Personal Data. As the sole controller, you are responsible for:

  • Making all contractual arrangements necessary for you to be able to act as the sole controller, for example with other entities in your company group. 

  • Ensuring that there is a legal basis for all processing of the Customer Personal Data. 

  • Ensuring that the data subjects get all information they are entitled to under Applicable Data Protection Law, for example through appropriate privacy notices. 

  • Ensuring that the processing of Customer Personal Data otherwise fulfills the requirements in Applicable Data Protection Law. 

  • Providing us with documented instructions on how to process the Customer Personal Data. You have done so by way of this DPA, and the rest of the Agreement. 

3. Our responsibilities 

We will act as your processor / service provider, and will not process, sell, retain, use, or disclose Customer Personal Data for any other purpose than providing the Service in accordance with your instructions, as described in this DPA and in the rest of the Agreement.

The parties acknowledge and agree that our access to Customer Personal Data is not part of the payment exchanged by the parties under the Agreement.

4. Security and confidentiality

You have assessed the risks involved with the processing of the Customer Personal Data in the Service, and concluded that the TOMS ensure a level of security that is appropriate to the risks involved. 

We will make sure that all our employees (and similar representatives) who have access to Customer Personal Data are obliged to keep it confidential.

5. Personal data breaches

We will notify you about any personal data breach affecting the Customer Personal Data. The notice will be sent without undue delay, and at least within 48 hours of Teamtailor becoming aware of the personal data breach. 

The notice will be sent to the email address that you have provided for your “Privacy Manager” in the Service. If you haven’t provided an email address for your “Privacy Manager” in the Service, the notice will be sent to the email address for your Company Manager in the Service.

If this information is available to us when sending the notice, the notice will include a description of: 

  • The nature of the breach, i.e. what has happened to the Customer Personal Data. 

  • What parts/type of Customer Personal Data is affected by the breach. 

  • Which categories of data subjects, and approximate number of data subjects, are affected by the breach. 

  • Our assessment of the likely consequences of the breach. 

  • The measures that we have already taken and, if applicable, still plan to take to investigate and address the breach.

If we don’t have all of this information when first notifying you, we will execute the notification in phases - as relevant information becomes available. 

If you decide to notify a personal data breach affecting the Customer Personal Data to a Supervisory Authority, to the data subjects, or the public, you will make reasonable efforts to provide us with advance copies of the notice(s), and give us an opportunity to provide any clarifications or corrections to them.

6. Subprocessors

We use subprocessors when providing the Service. A continuously up to date overview of the subprocessors we use, the function they perform in the Service, etc. is available:

  • In the list of subprocessors for our EU Region - if you have selected to have the Customer Personal Data processed in our EU Region. 

  • In the list of subprocessors for our US Region - if you have selected to have the Customer Personal Data processed in our US Region. (Available on request)

You are aware of and instruct us to use the current subprocessors. You generally authorise us to use subprocessors when providing the Service, provided that we notify you before starting to use a new subprocessor or replacing an existing one, so that you can object to the change. 

We will notify you about our intention to start using a new subprocessor or replace an existing one, at least fourteen (14) calendar days before the Subprocessor Change Date. You can object to the change by sending an email to legal@teamtailor.com stating that you object, and the reason(s) for objecting. We will assess whether we can reasonably satisfy the objection, for example by taking any steps that you request. If we aren’t able to solve the issue, the change will take effect, and either party can, for a period of fourteen (14) calendar days after the Subprocessor Change Date, terminate the Agreement without any cost, penalty or liability. 

In case of extraordinary circumstances, for example a subprocessor’s bankruptcy or irreparable material breach of contract, we reserve the right to replace the relevant subprocessor with a shorter notice period than described above, or without any prior notice to you - but without undue delay. In that case, you can object to the use of the new subprocessor within fourteen (14) calendar days of receiving our notice, as described above. If we aren’t able to solve the issue within fourteen (14) calendar days of your objection, either party can terminate the Agreement without any cost, penalty or liability. 

When engaging a subprocessor, we will make sure that the data protection obligations in this DPA are imposed on the subprocessor. If the subprocessor fails to fulfill these obligations, we will be liable towards you, in accordance with and subject to the limitations in this DPA.

7. Third Country Transfers

We are only allowed to make Third Country Transfers of Customer Personal Data when the Third Country Transfer is based on your written instruction and is executed in line with the transfer requirements in Applicable Data Protection Law. The transfer can for example be established based on us ensuring:

  • That the data importer itself, or the country in which it is based, is subject to an adequacy decision recognized by Applicable Data Protection Law, and that the data importer has fulfilled all additional requirements needed to rely on the adequacy decision - when applicable.

  • That the data importer enters into the EU SCC or UK Transfer Addendum.

You are aware of and instruct us to perform the Third Country Transfers that take place, or may take place, when we use our current subprocessors. If we notify you of the use of a new subprocessor in accordance with Section 6 above, which involves or may involve a Third Country Transfer, your continued use of the Service will be considered an instruction to us to execute the relevant Third Country Transfer.

8. Additional assistance 

Provided that we are able to do so, considering the information about and access to Customer Personal Data that we have in providing the Service, we will assist you in:

  • Providing information relevant for your data protection impact assessment of the Service and consultation with a Supervisory Authority.

  • Keeping a record of the processing activities that we do on your behalf.

  • Responding to Data Subject Requests. 

If we receive a Data Subject Request from the data subject him/herself, we will not act on it ourselves. Instead, we will encourage the data subject to contact you directly, by referring him/her to the career site to submit a Data Subject Request directly to you.

If you need our assistance with a Data Subject Request or any other process mentioned above, please contact our Customer Support and provide all information we need to understand the scope of the request, and assess what possibilities we have to assist in responding to it. 

9. Audits

We will allow you to audit our compliance with our obligations as your data processor / service provider under the Agreement. This will, as a first option, be done by providing the information and documentation that you reasonably ask for. 

If the requested audit scope is addressed in our SOC 2 audit report issued by a third party auditor in the past twelve (12) months, and we provide such a report to you confirming there are no known material changes in the controls audited, you agree to accept the findings presented in the third party audit report rather than requesting an audit of the same controls covered by the report.

If you think it is necessary, we will also allow you (or another party assigned by you, provided that the other party is accepted by us and keeps the information it accesses confidential) to inspect our processing of the Customer Personal Data. 

You can request an audit once per year, for which each party will cover its own costs. Additional audits (exceeding one per year) can also be requested, at your sole cost. 

Unless an audit is requested by a Supervisory Authority (in which case the circumstances will be adjusted to the Supervisory Authority’s request), you need to provide written notice thirty (30) days in advance of the audit. The audit will be conducted during our normal business hours. It will not involve physical access to the servers on which the Service is hosted; not involve disclosure of commercially sensitive parts of the agreements with our subprocessors; and must be performed so that it does not compromise the security of our systems or premises.

10. Erasure and return of Customer Personal Data 

When the Agreement is terminated, you should - within thirty (30) days of the termination of the Agreement - instruct us to return and/or destroy all Customer Personal Data from the Service. We will comply with this instruction as soon as reasonably practicable, and at least sixty (60) days after the termination of the Agreement. 

If you have not requested erasure or return of the Customer Personal Data within those thirty (30) days, we will delete all Customer Personal Data as soon as reasonably practicable, and at least sixty (60) days after the termination of the Agreement.

APPENDICES 

Appendix 1 - Service Description

The Service is constantly developed and this appendix therefore includes the main features in the Service, at the date hereof (and which shall form part of the Service as a minimum), as follows:

Candidate reach

  • Free and paid job boards
  • Social media integrations
  • Email campaigns
  • SEO

Convert candidates

  • Career site
  • Campaign pages
  • Lead pages
  • Customized application forms

Applicant tracking

  • Customized workflow

  • Drag and drop

  • Hiring teams

  • Internal chat

Candidate relationship

  • Automated talent pools

  • Nurture campaigns

  • Candidate NPS

  • Easy apply

Communication

  • SMS and email

  • Delayed emails

  • Candidate chat

  • Interview self scheduling

Analytics and reports

  • Audience and recruitment

  • Candidate experience

  • Team activities

  • Export of data

Sourcing and referrals

  • Employee referral system

  • Sourcing extension

  • Internal sharing of jobs

  • External recruiter access

Automation

  • Triggers for tasks

  • Email campaigns

  • Schedule rejection emails

  • Tests and surveys

Mobile app

  • Handle jobs

  • Communicate with candidates

  • Review and rate

  • Add notes

Compliance

  • Ability to comply with GDPR provisions

  • Legal templates and customization to templates

  • Candidate data & privacy

  • Documentation

Support and onboarding

  • Access to Support team

  • Guided by dedicated Customer Success Manager and/or digital onboarding

  • Free webinars

API and integrations

  • HR systems

  • Test assessments

  • Developer-friendly API

  • Third party applications

Appendix 2 - Description of the processing

What processing will happen, and for which purposes?

The purpose of the processing is to allow you to use the Service, as it is described in Appendix 1 of the Terms. We will also process Customer Personal Data for purposes that are necessary to enable and support your specific use of the Service, such as logging, troubleshooting and investigating and managing incidents. 

The Service is designed to be used for employer branding and recruitment purposes. This can for example include allowing individuals to connect with your company; to apply to particular job postings; to source candidates; to refer candidates; and to manage the selection and assessment of candidates. 

You fully control which features in the Service will be used, which information is to be collected from individuals and for how long it will be processed. 

Who are the data subjects?

The Service is designed to be used for employer branding and recruitment purposes. For these purposes, a customer normally only needs to collect personal data about: 

  • The customer's Users (usually employees, representatives, consultants, individuals referring a candidate)

  • Different types of candidates (e.g. individuals connecting with the company, job applicants, referred and sourced candidates)

However, you fully decide and control what Customer Personal Data is actually processed in the Service. 

What type of Customer Personal Data will be processed?

The Service is designed to be used for employer branding and recruitment purposes. For these purposes, a customer normally collects and processes the personal data that is necessary to perform a recruitment process. 

This usually consists of personal data related to the candidates, such as:

  • Names

  • Emails

  • Photos and videos

  • Answers to questions that are part of the recruitment process

  • Messages with the recruiting User

  • CV

  • IP-number

  • Other information provided by the candidates and/or partners integrated to the Service.

A limited amount of personal data is also processed about the Users, such as:

  • Name

  • Company email address

  • Different actions taken in the Service. 

However, you fully decide and control what Customer Personal Data is actually processed in the Service. 

For how long will Customer Personal Data be processed?

The customer, as the data controller, decides how long different types of personal data will be stored, and for which purposes. A number of retention/deletion settings are offered in the Service for this purpose. 

If Customer Personal Data is deleted in the application, it is immediately deleted from your account and only maintained in our backups. 

All our processing of Customer Personal Data will stop after the termination of the Agreement, as described under “Erasure and return of Customer Personal Data” in the main text of this DPA. 

Where will Customer Personal Data be processed?

Customer Personal Data will be processed in the countries:

  • In the list of subprocessors for our US Region - if you have selected to have the Customer Personal Data processed in our US Region. (Available on request)

Teamtailor will only make Third Country Transfers of the Customer Personal Data as described under “Third Country Transfers” in the main text of this DPA. 

Appendix 3 - TOMs

The following document contains TOMs as implemented by Teamtailor.

Measures to Ensure Confidentiality (Art. 32 para. 1 lit. b of the GDPR)

Physical access control

Personal Data is stored in physical data centres certified according to ISO 27001. Physical access to the data centre facilities is strictly controlled and limited to selected staff at the hosting provider. Protection against environmental hazards such as heat, fire and water damage is in place. There is no unauthorised physical access to data centres.

Logical access control

There is no unauthorised access to data processing systems. Logical access controls are designed to manage access to information and system functionality based on authority levels and job functions (granting access on a need-to-know and least privilege basis). All users have unique IDs and passwords, MFA is used where possible, granted system access is reviewed regularly and access is revoked/changed when employment terminates or changes in job functions occur. The Supplier’s staff do not access or interact with customer data as part of normal operations. Access is restricted to selected staff. All endpoint devices use strong passwords, local firewalls, automatic time based locking and encrypted storage. 

Separation of control

Personal Data is processed in dedicated systems that are not shared with other services, applications, or corporate entities. Production and test environments are separated and do not share any data. Within individual databases, data is segregated with logical access control. Personal Data is not used for purposes other than what it has been collected for.

Human resource security

All employees and contractors are bound by confidentiality and non-disclosure provisions and undergo continuous security awareness training. Onboarding and offboarding procedures are in place. Segregation of duties is applied where it is practically possible.

Measures to Ensure integrity (Art. 32 para. 1 lit. b of the GDPR)

Transfer control

All communication, over the internet and on internal networks, is encrypted with at least TLS version 1.2. Data stored in Teamtailor’s application is encrypted at rest with at least file-system level encryption.

Change management

Change management procedures and tracking mechanisms are in place to test, approve and track all material changes to the Supplier’s platform. All changes are peer reviewed.

System monitoring

Application and infrastructure events are logged, monitored and automatically analysed to record and detect divergent user access and system activity. Logs are protected from loss and manipulation.

Measures to Ensure Availability and Resilience (Art. 32 para. 1 lit. b of the GDPR)

Resilience

The Supplier’s infrastructure and components are designed to withstand intermittent as well as high constant loads. Vulnerability screening, patch management and anti-malware protection are implemented to prevent, identify and mitigate against identified security threats, viruses and other malicious code.

Measures to Quickly Restore the Availability of Personal Data after a Physical or Technical Incident (Art. 32 para. 1 lit. c of the GDPR)

Disaster recovery plan

Disaster recovery plans are designed to maintain service and/or recover from foreseeable emergencies or disasters. Backups are stored off-site, immutable and encrypted. Restore tests are done at least every 6 months.

Incident management

Incident management procedures are in place to ensure a systematic approach to identify, mitigate, learn and report incidents related to our technology and information assets. 

Procedures for periodical review, assessment, and evaluation (Art. 32 para. 1 lit. d of the GDPR; Art. 25 para. 1 of the GDPR)

Teamtailor runs an information security program with dedicated staff responsible for the development, implementation and maintenance of the program.

Information risk assessments are used to systematically evaluate threats and vulnerabilities in terms of the impact they could have and the probability of their occurrence. Such assessments are performed at least annually or at major business changes.

Teamtailor AB www.teamtailor.com Östgötagatan 16 116 21 Stockholm Stockholms län +46 (0)10 330 22 22 support@teamtailor.com