Data Processing Agreement
Last updated: 4/2/2026
This Data Processing Agreement ("DPA") forms an integral part of the Employer Terms of Service between Jobs Europe AB ("Jobs Europe") and the Employer, as defined in the Employer Terms of Service (collectively, the "Agreement"). This DPA governs the processing of personal data by Jobs Europe on behalf of the Employer.
1. Definitions
Capitalized terms not otherwise defined herein shall have the meaning ascribed to them in the Agreement or, if not defined there, the GDPR.
- GDPR — General Data Protection Regulation (EU) 2016/679.
- Personal Data — Any information relating to an identified or identifiable natural person ("data subject").
- Processing — Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means.
- Controller — The natural or legal person which determines the purposes and means of processing. In this DPA, the Employer.
- Processor — A natural or legal person which processes Personal Data on behalf of the Controller. In this DPA, Jobs Europe.
- Sub-processor — Any third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Scope and Purpose of Processing
2.1. The subject-matter of the processing is Personal Data submitted by candidates and employers through the Jobs Europe platform as part of the Service.
2.2. The duration of the processing shall be for the term of the Agreement and thereafter only for as long as necessary to comply with applicable law or documented retention policies.
2.3. The nature and purpose of the processing is to provide the Service, including storing and transmitting application data, managing job listings, and facilitating recruitment processes.
2.4. Types of Personal Data processed include, but are not limited to:
- Candidate data: names, contact details, CVs, cover letters, employment history, education, skills, screening responses
- Employer data: names, contact details, company information, job listings
- Technical data: IP addresses and basic usage data related to use of the Service
2.5. Categories of data subjects include job applicants, candidates, and employer representatives/users.
3. Obligations of Jobs Europe (Processor)
Jobs Europe shall:
3.1. Process Personal Data only on documented instructions from the Employer, unless required to do so by Union or Member State law. The Agreement and this DPA constitute the Employer's documented instructions. Jobs Europe shall not be required to follow instructions that violate applicable data protection law.
3.2. Ensure that persons authorised to process Personal Data are bound by confidentiality obligations.
3.3. Implement appropriate technical and organisational measures in accordance with Article 32 GDPR, including, where appropriate:
- access control and authentication mechanisms
- encryption of data in transit and at rest
- system monitoring and logging
- backup and recovery procedures
- incident detection and response processes
3.4. Engage Sub-processors in accordance with Article 28 GDPR.
| Provider | Purpose |
|---|---|
| Supabase (AWS Frankfurt) | Database, authentication, storage, and system logs |
| Vercel | Hosting & infrastructure |
| SendGrid | Transactional and marketing email; user contact details synced for segmentation |
| Authentication (OAuth) | |
| Plausible Analytics | Privacy-focused analytics |
| Twilio | SMS notifications |
| Axiom | Application logging and operational monitoring |
| Upstash Redis | Rate limiting (ephemeral IP address processing) |
| Kombo | ATS integration middleware for routing applications to external systems |
| Fortnox | Accounting and invoicing for employer subscriptions |
| Pipedrive | CRM for managing employer relationships |
The Employer provides general authorisation for the use of Sub-processors. Jobs Europe will inform the Employer of material changes to Sub-processors. The Employer may object within fourteen (14) days of notification. If the parties cannot resolve the objection, the Employer may terminate the affected Service.
3.5. Assist the Employer, where reasonably possible, in fulfilling obligations related to data subject rights.
3.6. Assist the Employer, where reasonably possible, in ensuring compliance with Articles 32–36 GDPR.
3.7. Upon termination of the Agreement, delete or return Personal Data at the Employer's choice within sixty (60) days, unless retention is required by law.
3.8. Make available information necessary to demonstrate compliance with Article 28 GDPR and allow for audits, subject to the following:
- audits must be conducted with reasonable prior notice
- no more than once per year unless required by law
- conducted in a manner that does not disrupt normal operations
- costs are borne by the Employer
Jobs Europe shall inform the Employer if it believes an instruction infringes applicable data protection law.
4. Obligations of the Employer (Controller)
The Employer shall:
- 4.1. Comply with applicable data protection laws, including GDPR.
- 4.2. Ensure a lawful basis for processing and for sharing Personal Data with Jobs Europe.
- 4.3. Handle data subject rights requests.
- 4.4. Maintain records of processing where required.
- 4.5. Conduct data protection impact assessments where required.
- 4.6. Remain responsible for the lawfulness of Personal Data and indemnify Jobs Europe as set out in the Agreement.
5. Breach Notification
Jobs Europe shall notify the Employer without undue delay, and where feasible within seventy-two (72) hours, after becoming aware of a Personal Data breach. The notification shall include relevant information as required under Article 33 GDPR, to the extent available.
6. Sub-processors
Jobs Europe may engage Sub-processors and shall ensure they are bound by equivalent data protection obligations. Jobs Europe remains fully liable for their performance.
7. Data Transfer
Jobs Europe may process Personal Data outside the EU/EEA. Where required, appropriate safeguards will be implemented, including standard contractual clauses adopted by the European Commission.
8. Liability
Liability under this DPA is subject to the limitations set out in Section 20 of the Employer Terms of Service.
9. Governing Law and Jurisdiction
This DPA is governed by the same law and jurisdiction as the Employer Terms of Service.