Teamtailor Reseller Terms and Conditions

Last updated:

Teamtailor (“us”, “we”, “our”) welcomes you, our Customer (“you”), to the Teamtailor service (“Service”), an applicant tracking system and employer branding platform provided by Teamtailor AB (Sweden), available at app.teamtailor.com.

Important: As you have purchased or otherwise accessed the Service through an authorized reseller of Teamtailor (the “Reseller”), all payment-related obligations and other commercial terms (billing cycles, refunds, etc.) are governed by your agreement with the Reseller (the “Reseller Agreement”) and not directly with Teamtailor. 

Nevertheless, these Teamtailor Terms (including the DPA below) apply to your use of the Service and govern your relationship with Teamtailor as the provider of the Service.

These Teamtailor Terms consist of:

  1. These terms and conditions
  2. The Data Processing Agreement (DPA)

Appendix 1 - Description of the processing 

Appendix 2 - Technical and organisational measures

If there is any conflict or ambiguity between the terms of any of the documents listed above, a term contained in a document higher up in the list will prevail. If the conflict or ambiguity relates to data processing of personal data, the DPA will prevail.

For the avoidance of doubt, in these Teamtailor Terms, references to “Teamtailor” or “we/us” are to Teamtailor AB as the service provider. References to “Customer” or “you” are to the party receiving the Service. References to “Reseller” are to the entity that is your direct contracting party for the purchase of the Service and to whom you pay fees.

If you get access to the Service prior to the start date outlined in your agreement with the Reseller, the terms below will apply to your use of the Service starting from the date of first access.

Terms and conditions

1. Service

Our Service is a recruitment software and employer branding platform, allowing you (our customers and users) to manage your recruitment process, available on app.teamtailor.com.

The features available in the Service are described here: https://www.teamtailor.com/en/all-features/.

Except for the fact that you are acquiring the Service via a Reseller, your use of the Service is otherwise the same as for a direct customer of Teamtailor; you receive the same scope of features, updates, and improvements as any other Teamtailor customer.

2. Use of the Service

The Customer and its representatives (including employees) (“Users”) are granted a non-exclusive, non-transferable, non-sublicensable, revocable licence to use the Service in accordance with these Teamtailor Terms.

You may add other companies within your corporate group as so-called “Authorised Users” by listing them in the relevant documentation. Employees of such companies can then use the Service in accordance with these Reseller Terms. Both “Users” and “Authorised Users” are collectively referred to as “Users” in this Agreement.

Your usage rights and restrictions remain unchanged from Teamtailor’s standard practice, even though the contract is through a Reseller.

3. Customer Obligations

Users must use the Service in accordance with applicable laws and these Teamtailor Terms. You are responsible for all activities, actions, omissions, and content provided by any Users when using the Service.

You confirm that when using the Service, your Users will respect third-party intellectual property, privacy, and other rights. For example, do not upload or publish material that is inappropriate, infringing, obscene, or otherwise unlawful.

You agree not to:

  1. Publish or post content that is inappropriate, defamatory, infringing, obscene, pornographic, racist, terrorist, politically slanted, or otherwise unlawful;
  2. Copy, reproduce, alter, or create derivative works of any part of the Service or the information you receive through the Service;
  3. Monitor the Service’s availability or performance for competitive purposes, or to develop or operate a competitive product or service;
  4. Bypass or circumvent any technical limitations of the Service, use any tool to enable features or functionalities that are otherwise disabled, or decompile or reverse engineer the Service.

3.4 Consequences of Breach

You remain responsible at all times for your Users’ conduct and use of the Service. Teamtailor reserves the right to disable or suspend your access if you breach this Section, but we will provide written notice thereof. Access may be re-enabled if you rectify the breach, unless we exercise termination rights under Section 17.

4. Our Obligations

Teamtailor undertakes that the Service will be provided with reasonable skill and care and in accordance with industry standards. 

If the Service does not comply with the above statement, Teamtailor will, at its own cost, use all reasonable commercial efforts to promptly correct any deviation or provide the Customer with a replacement to meet the desired performance.

Furthermore, the Customer acknowledges that: 

  • Teamtailor does not warrant that the Customer’s use of the Service will be uninterrupted or error-free;
  • Teamtailor does not warrant that the Service or information obtained by it will meet any Customer requirements or expectations not included in this Agreement; and 
  • Teamtailor is not responsible for any delays, delivery failures or any other loss or damage resulting from the transfer of data over a communication network (such as the internet) outside of Teamtailor’s control.

5. User Accounts

You, as the company registering for the Service, are solely responsible for the security of your passwords or any other access protocols that have been provided and for any use of your account. Customers shall use commercially reasonable efforts to prevent unauthorised access to or use of the Services. If you become aware of any unauthorised use of your password or your account, you agree to notify us immediately. 

You must ensure that your Users provide accurate and complete registration information whenever registering for the Service.

6. Customer Service

You can contact Teamtailor for questions and support through:

Teamtailor’s support obligations to you remain the same as if you were a direct customer. However, you may also contact the Reseller for commercial or billing issues, as Teamtailor does not handle payment-related queries directly in a reseller scenario.

7. Service Level

We will use all commercially reasonable efforts to provide you the Service continuously. However, we cannot guarantee that the Service will be free from interruptions, delays or errors caused by our systems or other third party service providers, general internet disruptions or force majeure events. 

From time to time, we may perform maintenance and upgrades to the Service, which may result in interruptions, delays or errors in the Service. We will use all commercially reasonable efforts to notify you in advance of any planned maintenance via https://status.teamtailor.com, to which you can subscribe and where we also post notices of unplanned downtime and our historical availability. We will try to ensure that maintenance is scheduled outside of normal business hours.

8. Fees and Payment

All payment obligations (invoicing, fees, payment schedules, currency, and any refunds) are governed by your Reseller Agreement, not by Teamtailor. 

9. Data Protection

When you sign up for and use the Service, we collect and use a limited amount of personal data about your business representatives and Users for our own purposes, i.e. as a so-called data controller under the GDPR. 

Our Privacy Policy contains information about the different purposes for which we use this personal data, the personal data that is collected, what rights the affected individuals have in relation to our use of their personal data, etc. 

All other processing of Customer Personal Data (as defined in the DPA) will be performed as described in the DPA. 

10. Intellectual Property

All copyrights, trademarks, trade names, logos and other intellectual property rights held and used by us as part of the Service (including graphics, icons, scripts, source code, etc.) are our property or our third party licensors’ property. The Service and other information, including associated intellectual property rights, provided and made available by us, remain our exclusive property. You or your Users may not use the property for commercial purposes or any other purpose without our prior written consent.

Each party shall without delay notify the other party of any suspected or actual intellectual property infringement related to the Service. Neither party shall be obligated to defend such intellectual property rights, but if a party decides to do so, the other party shall, to a reasonable extent, assist the defending party.

Any content added by you or your Users to the Service, will remain your property. You warrant that you own or have the right to use such property.

11. Limitation of Liability

To the maximum extent permitted by law, we will not be liable for any indirect, consequential, or special losses (e.g., lost contracts, goodwill, profits, or revenues).

Our total liability to you for all other losses arising under or in connection with these Teamtailor Terms, including indemnification, is limited to the total sums paid for the Service in the twelve (12) months preceding the claim.

In a reseller context, “sums paid for the Service” refers to amounts you actually paid the Reseller for your subscription to the Service, and any recourse for refund or damages (beyond Teamtailor’s liability for Service delivery) typically lies with the Reseller.

Nothing in these Teamtailor Terms limits our liability in case of fraud, gross negligence, willful misconduct, or death/personal injury caused by negligence, or where such limitation is prohibited by law.

12. Indemnification

You agree to defend, indemnify, and hold us and our respective directors, agents, affiliates and representatives harmless from and against any claim (including all third-party claims), and expense (including without limitation reasonable attorneys’ fees) arising out of or relating to: 

(a) your or your Users’ wrongful or improper use of the Service in breach of Section 3;

(b) your or your Users’ violation of any third party right, including but not limited to any right of privacy, publicity rights or intellectual property rights; and

(c) your or your Users’ breach of the Confidentiality provisions in the Agreement.

We agree to defend, indemnify, and hold you and your respective directors, agents, affiliates and representatives harmless from and against any claim (including all third-party claims), and expense (including without limitation reasonable attorneys’ fees) arising out of or relating to: 

  1. our violation of any third party right, including but not limited to any right of privacy, publicity rights or intellectual property rights; and 
  2. our breach of the Confidentiality provisions in the Agreement.

Our indemnification towards you shall not apply in the event that you are using the Service in a modified form or in combination with materials or software not provided by us, nor for any content, information or data provided by you, your Users or candidates when using the Service.

A party that wants to seek indemnification under this section shall:

  • Promptly notify the other party in writing about the claim;
  • Provide the indemnifying party all reasonable cooperation in the defence and settlement of such claim; and
  • Provide the indemnifying party with sole authority to settle the claim.

13. Confidentiality

In the context of this Agreement, “Confidential Information” refers to any information that is proprietary or confidential to the disclosing party or that the disclosing party needs to keep confidential, e.g. under an obligation towards a third party. Confidential Information may be of a technical, business or other nature. However, Confidential Information does not include any information that: (i) was known to the receiving party before receiving the same from the disclosing party in connection with this Agreement; (ii) is independently developed by the receiving party; (iii) is acquired by the receiving party from another source without restriction as to use or disclosure; or (iv) is or becomes part of the public domain through no fault or action of the receiving party.

The recipient of Confidential Information will not disclose, share or otherwise make available Confidential Information to any third party without the express written consent of the disclosing party, except when required by law. You hereby accept and consent to our disclosure of your Confidential Information to the subprocessors used in the provision of the Service, as described in the DPA.

Both parties shall treat the Confidential Information with the same degree of care as they would their own confidential information and must take all reasonable measures to protect the confidential information from unauthorised access or disclosure. 

The confidentiality undertaking as described above will remain in force three (3) years after the termination of the Agreement, except for trade secrets which must be kept confidential as long as they qualify as trade secrets.

14. Third-Party Service

Our Service may be integrated with other third-party technologies and services (“Third-Party Services”). If you integrate with such Third-Party Services, you expressly instruct us to share data with and give access to such third party. Any use of such Third-Party Services is subject to the terms and conditions between you and such third party.

With the exception of our subprocessors, we are not responsible or liable to you or any third party service provider with respect to the functionality or availability of any Third-Party Service or any data obtained through the use of any Third-Party Services. We do not provide any warranty with respect to any integration with a Third-Party Service. 

15. Changes to the Service

Teamtailor can make changes to the Service whenever required to improve or maintain it, or for other business-critical purposes. These changes may include upgrades, bug fixes, patches, error corrections, modifications, enhancements, improvements, or new features (collectively, “Updates”).

We will not make intentional changes that significantly harm the Service’s features and functionality. If Teamtailor makes a change that significantly harms the Customer’s operations, Teamtailor will inform the Customer in writing thirty (30) days in advance of such change. Teamtailor and the Customer shall in good faith try to find an alternative solution to solve the harm. If not possible within thirty (30) days from the written notice of the Customer, the Teamtailor Terms shall be terminated with immediate effect.

16. Term and Termination

Your subscription period is as agreed with the Reseller (“Initial Contract Period” as well as potential renewals). These Teamtailor Terms remain in effect so long as you have an active subscription.

Either party may terminate if the other commits a material breach and fails to rectify within 30 days of notice, or if the other becomes insolvent or ceases business. In a reseller arrangement, notice should also involve or be communicated via the Reseller.

If you terminate early, you may not be entitled to a refund of fees paid to the Reseller, depending on your Reseller Agreement. Teamtailor will not be directly liable for refunds of amounts paid to the Reseller.

Upon termination, your and your Users’ right to access the Service will be revoked. For the return or erasure of Customer Personal Data, see the DPA.

17. Force Majeure

Neither party shall be responsible for delays and defects outside of their control. If either party is delayed by an event outside its control, they must inform the other party as soon as possible and take steps to minimise the effect of the delay. In such cases, the affected party will not be held liable for any resulting defects or delays.

18. Governing Law

These Teamtailor Terms are governed by and construed in accordance with Swedish law, without regard to conflict-of-law provisions. Any dispute related to these Reseller Terms shall be settled by Swedish courts.

19. Assignment

You may not assign, transfer or delegate any rights or obligations under these Teamtailor Terms without our written consent, which shall not be unreasonably withheld.

20. Entire Agreement

These Reseller Terms, together with the DPA and attachments, constitute the entire agreement between you and Teamtailor concerning your use of the Service under the reseller arrangement, superseding all prior discussions or agreements on that subject. For avoidance of doubt, your separate contractual or payment obligations are governed by your Reseller Agreement with the Reseller.

21. Updates

Teamtailor may amend these Terms at any time by (i) posting the updated version on its website or (ii) otherwise notifying the Reseller or you. If an amendment constitutes a material change, Teamtailor will give the Reseller or you reasonable prior notice — not less than 30 calendar days before the change takes effect. Non-material changes become effective immediately upon posting (or on any later effective date stated in the notice).

Your continued use of the Service after the applicable effective date constitutes acceptance of the updated Terms.

Except for modifications made by Teamtailor under this Clause 21, no addition, deletion or other change to these Terms is binding on Teamtailor unless set out in a written document signed by an authorised representative of Teamtailor.

Data Processing Agreement (DPA)

About and Summary

This DPA is part of and subject to these Reseller Terms. It describes the responsibilities of you (the “Controller”) and Teamtailor (the “Processor”) regarding the personal data processed under the Agreement. Even in a reseller setup, Teamtailor acts as your processor, not a sub-processor for the Reseller.

In sum, it states that:

  • We can only use Customer Personal Data to provide the Service to you, as described in the Agreement.
  • You are responsible for your own compliance with Applicable Data Protection Law when using the Service, and Teamtailor for complying with the parts of Applicable Data Protection Law that apply to a processor / service provider. 
  • We will help you comply with many aspects of Applicable Data Protection Law. You have assessed how Teamtailor will be doing this, and are satisfied with the measures Teamtailor will take. 
1. Definitions

These definitions are used:

Applicable Data Protection Law means any law about protecting information about physical persons, which applies to a party’s processing of Customer Personal Data under the Agreement. This can for example include: EU Regulation 2016/679 (GDPR); the UK General Data Protection Regulation (UK GDPR); the UK Data Protection Act of 2018; and/or the California Consumer Privacy Act (CCPA). 

Customer Personal Data means data that is (i) subject to Applicable Data Protection Law; (ii) added to the Service by or on behalf of you under the Agreement; and (iii) which Teamtailor is only allowed to process on your behalf.

Data Subject Requests means requests from individuals whom Customer Personal Data refers to, to exercise their rights under Applicable Data Protection Law. 

EU SCCs means the sets of standard contractual clauses published by the EU Commission on June 4, 2021. 

Subprocessor means any processor that Teamtailor uses to process Customer Personal Data. 

Subprocessor Change Date means the date when Teamtailor intends to start using a new subprocessor, or replace an existing one. 

Supervisory Authority means a public authority that investigates and enforces compliance with an Applicable Data Protection Law.

Third Country Transfer means (i) where the GDPR applies, a transfer of Customer Personal Data to a country, territory or international organization outside of the EU/EEA; (ii) where the UK GDPR applies, a transfer of Customer Personal Data from the UK to another country, territory or international organization.

TOMS means the technical and organizational measures that we maintain to make sure that Customer Personal Data is secure when processed in the Service. The TOMS are described in Appendix 2. 

UK Transfer Addendum means the International Data Transfer Addendum to the EU SCC, published by the UK Information Commissioner’s Office on March 21, 2022.

Other terms have the meaning given to them in Applicable Data Protection Law. For example, the terms controller, processor, processing, data subject, and personal data breach have the meaning given to them in the GDPR. The terms sell, share, and service provider have the meaning given to them in the CCPA. 

2. Your responsibilities

You decide and control which type of Customer Personal Data is processed in the Service, for which purposes and for how long. For this reason, you are the sole controller of the Customer Personal Data. As the sole controller, you are responsible for:

  • Making all contractual arrangements necessary for you to be able to act as the sole controller, for example with other entities in your company group. 
  • Ensuring that there is a legal basis for all processing of the Customer Personal Data. 
  • Ensuring that the data subjects get all information they are entitled to under Applicable Data Protection Law, for example through appropriate privacy notices. 
  • Ensuring that the processing of Customer Personal Data otherwise fulfills the requirements in Applicable Data Protection Law. 
  • Providing us with documented instructions on how to process the Customer Personal Data. You have done so by way of this DPA, and the rest of the Agreement. 

3. Our responsibilities 

We will act as your processor / service provider, and will not process, sell, retain, use, or disclose Customer Personal Data for any other purpose than providing the Service in accordance with your instructions, as described in this DPA and in the rest of the Agreement.

We will inform you if, in our opinion, instructions given by you infringe Applicable Data Protection Law. 

The parties acknowledge and agree that our access to Customer Personal Data is not part of the payment exchanged by the parties under the Agreement.

4. Security and confidentiality

You have assessed the risks involved with the processing of the Customer Personal Data in the Service, and concluded that the TOMS ensure a level of security that is appropriate to the risks involved. 

We will make sure that all our employees (and similar representatives) who have access to Customer Personal Data commit to keep it confidential. 

5. Personal data breaches

We will notify you about any personal data breach affecting the Customer Personal Data. The notice will be sent without undue delay, and no later than 48 hours after Teamtailor becomes aware of the personal data breach.

The notice will be sent to the email address that you have provided for your “privacy manager” in the Service. If you haven’t provided an email address for your “privacy manager” in the Service, the notice will be sent to the email address for your “career site manager” in the Service.

If this information is available to us when sending the notice, the notice will include a description of: 

  • The nature of the breach, i.e. what has happened to the Customer Personal Data. 
  • What parts/type of Customer Personal Data is affected by the breach. 
  • Which categories of data subjects, and approximate number of data subjects, are affected by the breach. 
  • Our assessment of the likely consequences of the breach. 
  • The measures that we have already taken and, if applicable, still plan to take to investigate and address the breach.

If we don’t have all of this information when first notifying you, we will provide the notification in phases, as relevant information becomes available.

If you decide to notify a personal data breach affecting the Customer Personal Data to a Supervisory Authority, to the data subjects, or the public, you will make reasonable efforts to provide us with advance copies of the notice(s), and give us an opportunity to provide any clarifications or corrections to them.

6. Subprocessors

The Teamtailor group uses subprocessors when providing the Service. A continuously updated overview of the subprocessors we use, the function they perform in the Service, etc. is available:

  • In the list of subprocessors for our EU Region - if you have selected to have the Customer Personal Data processed in our EU Region. 
  • In the list of subprocessors for our US Region - if you have selected to have the Customer Personal Data processed in our US Region. (Available on request)

You are aware of and instruct us to use the current subprocessors. You generally authorise us to use subprocessors when providing the Service, provided that we notify you before starting to use a new subprocessor or replacing an existing one, so that you can object to the change. 

We will notify you about our intention to start using a new subprocessor or replace an existing one, at least fourteen (14) calendar days before the Subprocessor Change Date. The notice will be sent to the email address that you have provided for your “privacy manager” in the Service. If you haven’t provided an email address for your “privacy manager” in the Service, the notice will be sent to the email address for your “career site manager” in the Service.

You can object to the change by sending an email to legal@teamtailor.com stating that you object, and the reason(s) for objecting. We will assess whether we can reasonably satisfy the objection, for example by taking any steps that you request. If we aren’t able to solve the issue, the change will take effect, and either party can, for a period of fourteen (14) calendar days after the Subprocessor Change Date, terminate these Teamtailor Terms without any cost, penalty or liability. 

When engaging a subprocessor, we will make sure that the data protection obligations in this DPA are imposed on the subprocessor. If the subprocessor fails to fulfill these obligations, we will be liable towards you, in accordance with and subject to the limitations in this DPA.

7. Third Country Transfers

We are only allowed to make Third Country Transfers of Customer Personal Data when the Third Country Transfer is based on your written instruction and is executed in line with the transfer requirements in Applicable Data Protection Law. The transfer can for example be based on:

  • That the country in which the data importer is based is subject to an adequacy decision recognized by Applicable Data Protection Law.
  • That the data importer is subject to an adequacy decision recognized by Applicable Data Protection Law, and has fulfilled all requirements needed to rely on the adequacy decision, when applicable.
  • That the data importer enters into the EU SCCs or the UK Transfer Addendum.

You are aware of and instruct us to perform the Third Country Transfers that take place, or may take place, when we use our current subprocessors. If we notify you of the use of a new subprocessor in accordance with Section 6 above, which involves or may involve a Third Country Transfer, your continued use of the Service will be considered an instruction on us to execute the relevant Third Country Transfer. 

8. Additional assistance 

Provided that we are able to do so, considering the information about and access to Customer Personal Data that we have in providing the Service, we will assist you in:

  • Providing information relevant for your data protection impact assessment of the Service and consultation with a Supervisory Authority.
  • Keeping a record of the processing activities that we do on your behalf.
  • Responding to Data Subject Requests. 

If we receive a Data Subject Request from the data subject him/herself, we will not act on it ourselves. Instead, we will encourage the data subject to contact you directly, by referring him/her to your career site or by submitting a Data Subject Request directly to you.

If you need our assistance with a Data Subject Request or any other process mentioned above, please contact our Customer Support and provide all information we need to understand the scope of the request, and assess what possibilities we have to assist you with it. 

9. Audits

We will allow you to audit our compliance with our obligations as your data processor / service provider under the Agreement. This will, as a first option, be done by providing the information and documentation that you reasonably ask for. 

If (i) the requested audit scope is addressed in our SOC 2 audit report issued by a third party auditor in the past twelve (12) months; and (ii) we provide such a report to you confirming there are no known material changes in the controls audited; you agree to accept the findings presented in the third party audit report, rather than requesting an audit of the same controls covered by the report.

If you think it is necessary, we will also allow you (or another party assigned by you, provided that the other party is accepted by us and keeps the information it accesses confidential) to inspect our processing of the Customer Personal Data. 

You can request an audit once per year, for which each party will cover its own costs. Additional audits (exceeding one per year) can also be requested, at your sole cost. 

Unless an audit is requested by a Supervisory Authority (in which case the circumstances will be adjusted to the Supervisory Authority’s request), you need to provide written notice thirty (30) days in advance of the audit. The audit will be conducted during our normal business hours. It will not involve physical access to the servers on which the Service is hosted; not involve disclosure of commercially sensitive parts of the agreements with our subprocessors; and must be performed so that it does not compromise the security of our systems or premises.

10. Erasure and return of Customer Personal Data 

When the Agreement is terminated, you should, within thirty (30) days of the termination of the Agreement, instruct us to return and/or destroy all Customer Personal Data from the Service. We will comply with this instruction as soon as reasonably practicable, and no later than sixty (60) days after the termination of the Agreement.

If you have not requested erasure or return of the Customer Personal Data within those thirty (30) days, we will delete all Customer Personal Data as soon as reasonably practicable, and no later than sixty (60) days after the termination of the Reseller Agreement or these Teamtailor Terms.

Appendices

Appendix 1 - Description of the processing

What processing will happen, and for which purposes?

The purpose of the processing is to allow you to use the Service. We will also process Customer Personal Data for purposes that are necessary to enable and support your specific use of the Service, such as logging, troubleshooting and investigating and managing incidents. 

You fully control which features in the Service will be used and which information is to be collected from individuals. 

Who are the data subjects?

The Service is designed to be used for employer branding and recruitment purposes. For these purposes, a customer normally only needs to process personal data about: 

  • The customer's Users (usually employees, representatives, consultants, individuals referring a candidate)
  • Different types of candidates (e.g. individuals visiting the company’s career site, individuals connecting with the company, job applicants, referred and sourced candidates)
  • Individuals listed as a reference by a candidate

However, you fully decide and control what Customer Personal Data is actually processed in the Service. 

What type of Customer Personal Data will be processed?

A customer is expected to collect and process the personal data that is necessary to perform its employer branding activities and recruitment processes. 

This usually consists of personal data related to the candidates, such as:

  • Names
  • Emails
  • Photos and videos
  • Answers to questions asked as part of the recruitment process
  • Messages with the recruiting User
  • CV
  • IP address
  • Other information provided by the candidates and/or by partners integrated with the Service.

A limited amount of personal data is also processed about the Users, such as:

  • Name
  • Company email address
  • Actions taken in the Service. 

However, you fully decide and control what Customer Personal Data is actually processed in the Service. 

For how long will Customer Personal Data be processed?

The customer, as the data controller, decides how long different types of personal data will be stored, and for which purposes. A number of retention/deletion settings are offered in the Service for this purpose. 

If Customer Personal Data is deleted in the application, it is immediately deleted from your account and is retained only in our backups. Our backups are generally retained for 10 days.

However, for some features in the Service, we use subprocessors that retain the personal data they process on your behalf for up to 30 days after deletion.

A limited amount of data is also stored in logs. Teamtailor keeps application and infrastructure logs, which are stored for 365 days, and logs of certain candidate-related events, which are stored for 30 days. You can also choose to activate the audit log functionality to keep a detailed record of your Users’ activities in the Service.

Our processing of Customer Personal Data will stop after the termination of the Agreement, as described under “Erasure and return of Customer Personal Data” in section 10 of the DPA. 

Appendix 2 - Technical and organisational measures (TOMs)

The following section describes the TOMs as implemented by Teamtailor.

Measures to Ensure Confidentiality (Art. 32 para. 1 lit. b of the GDPR)

Physical access control

  • Personal Data is stored in physical data centres certified according to ISO 27001.
  • Physical access to the data centre facilities is strictly controlled and limited to selected staff at the hosting provider. 
  • Protection against environmental hazards such as heat, fire and water damage is in place. 
  • Unauthorised physical access to the data centres is prevented.

Logical access control

  • Logical access controls are designed to manage access to information and system functionality based on authority levels and job functions (granting access on a need-to-know and least privilege basis). 
  • All users have unique IDs and passwords; MFA is used where possible. 
  • Granted system access is reviewed regularly and access is revoked/changed when employment terminates or changes in job functions occur. 
  • The Supplier’s staff do not access or interact with customer data as part of normal operations. Access is restricted to selected staff. 
  • All endpoint devices use strong passwords, local firewalls, automatic time-based locking and encrypted storage. 

Separation of control

  • Personal Data is processed in dedicated systems that are not shared with other services, applications, or corporate entities.
  • Production and test environments are separated and do not share any data. 
  • Within individual databases, data is segregated with logical access control. 
  • Personal Data is not used for purposes other than what it has been collected for.

Human resource security

  • All employees and contractors are bound by confidentiality and non-disclosure provisions and undergo continuous security awareness training. 
  • Onboarding and offboarding procedures are in place.
  • Segregation of duties is applied where it is practically possible.

Measures to Ensure Integrity (Art. 32 para. 1 lit. b of the GDPR)

Transfer control

  • All communication, over the internet and on internal networks, is encrypted with at least TLS version 1.2.
  • Data stored in Teamtailor’s application is encrypted at rest with at least file-system level encryption.

Change management

  • Change management procedures and tracking mechanisms are in place to test, approve and track all material changes to the Supplier’s platform. 
  • Code changes are automatically blocked if vulnerabilities in third party dependencies are identified or if static code analysis identifies unsafe patterns. 
  • All changes are peer reviewed.

System monitoring

  • Application and infrastructure events are logged, monitored and automatically analysed to record and detect anomalous user access and system activity. 
  • Logs are protected from loss and manipulation.

Measures to Ensure Availability and Resilience (Art. 32 para. 1 lit. b of the GDPR)

Resilience

  • The Supplier’s infrastructure and components are designed to withstand both intermittent load spikes and sustained high loads. 
  • Vulnerability screening, patch management and anti-malware protection are implemented to prevent, identify and mitigate security threats, viruses and other malicious code.

Measures to Quickly Restore the Availability of Personal Data after a Physical or Technical Incident (Art. 32 para. 1 lit. c of the GDPR)

Disaster recovery plan

  • Disaster recovery plans are designed to maintain service during, and/or recover from, foreseeable emergencies or disasters. 
  • Backups are stored off-site and encrypted. 
  • Restore tests are done at least every 6 months.

Incident management

  • Incident management procedures are in place to ensure a systematic approach to identifying, mitigating, reporting and learning from incidents related to our technology and information assets. 

Procedures for periodical review, assessment, and evaluation (Art. 32 para. 1 lit. d of the GDPR; Art. 25 para. 1 of the GDPR)

  • Teamtailor runs an information security program with dedicated staff responsible for the development, implementation and maintenance of the program. 
  • Information risk assessments are used to systematically evaluate threats and vulnerabilities in terms of their potential impact and probability of occurrence. Such assessments are performed at least annually or upon major business changes.

Teamtailor AB
Östgötagatan 16
116 21 Stockholm, Stockholms län
+46 (0)10 330 22 22
support@teamtailor.com
www.teamtailor.com