Data Processing Addendum

Last updated: May 28, 2026 · Version 1 · Effective May 28, 2026

This DPA is incorporated into your Master Subscription Agreement by reference and is binding on Hirex and the customer without separate signature. For a separately countersigned copy, email [email protected].

This Data Processing Addendum ("DPA") forms part of the Master Subscription Agreement, Terms of Service, or other written or electronic agreement between Hirex HR, Inc. ("Hirex") and the customer entity that is a party to such agreement ("Customer") for the provision of Hirex's Services (the "Agreement").

This DPA reflects the parties' agreement with respect to the Processing of Personal Data by Hirex on behalf of Customer in connection with the Services, in accordance with the requirements of Data Protection Laws.

In the event of any conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA prevails.


1. Definitions

Capitalised terms not defined in this DPA have the meaning given to them in the Agreement.

  • "Affiliate" means an entity that directly or indirectly controls, is controlled by, or is under common control with a party.
  • "CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations.
  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Sub-processor", and "Supervisory Authority" have the meanings given to them in Article 4 of the GDPR.
  • "Customer Personal Data" means Personal Data Processed by Hirex on behalf of Customer pursuant to the Agreement, including data relating to Customer's job candidates, applicants, employees, hiring managers, and end users of the Services.
  • "Data Protection Laws" means all applicable laws relating to the Processing of Personal Data, including, where applicable, the GDPR, the UK GDPR, the Swiss FADP, the CCPA, and the data protection laws of any other jurisdiction in which Customer Personal Data is Processed under this DPA.
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), together with any national implementing or supplementary legislation.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data Processed by Hirex.
  • "Services" means the Hirex applicant tracking and recruiting platform and related services provided by Hirex to Customer under the Agreement.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to GDPR adopted by the European Commission in Decision (EU) 2021/914 of 4 June 2021, as updated or replaced from time to time.
  • "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A of the UK Data Protection Act 2018.

2. Roles of the Parties

2.1 For purposes of Data Protection Laws, in respect of Customer Personal Data, Customer is the Controller and Hirex is the Processor. Where Customer acts as a Processor on behalf of a third-party Controller, Hirex acts as a Sub-processor.

2.2 For Personal Data relating to Customer's billing contacts, account administrators, and other Customer personnel that Hirex Processes for its own purposes (account administration, billing, support, security, product analytics in respect of Customer's use of the Services), Hirex acts as Controller. Such Processing is governed by the Hirex Privacy Policy at gethirex.com/trust/privacy-policy and not by this DPA.

2.3 Under the CCPA, Hirex acts as a Service Provider to Customer in respect of Customer Personal Data. Hirex will not Sell or Share Customer Personal Data, and will not retain, use, or disclose Customer Personal Data for any purpose other than the specific business purpose of providing the Services, as further described in Annex 1.


3. Subject Matter and Duration of Processing

3.1 The subject matter, nature, purpose, duration of Processing, types of Personal Data, and categories of Data Subjects are set out in Annex 1 (Details of Processing).

3.2 Hirex will Process Customer Personal Data only for the duration of the Agreement and as required to provide the Services, plus the additional period set out in clause 13 (Deletion or Return).


4. Customer Instructions and Compliance

4.1 Hirex will Process Customer Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which Hirex is subject. In such a case, Hirex will inform Customer of that legal requirement before Processing, unless the law prohibits this on important grounds of public interest.

4.2 The Agreement (including this DPA), Customer's use of the Services in accordance with the Agreement, and any further written instructions given by Customer to Hirex constitute Customer's complete documented instructions.

4.3 Hirex will notify Customer without undue delay if, in its opinion, an instruction from Customer infringes Data Protection Laws.

4.4 Customer is responsible for ensuring that it has all necessary lawful bases, consents, and authorisations to provide Customer Personal Data to Hirex for Processing under the Agreement, and that its instructions to Hirex comply with Data Protection Laws.


5. Confidentiality of Personnel

Hirex will ensure that any person authorised to Process Customer Personal Data has committed themselves to confidentiality or is under an appropriate statutory obligation of confidentiality, and is granted access to Customer Personal Data only on a need-to-know basis.


6. Security Measures

6.1 Hirex will implement and maintain appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, as set out in Annex 3 (Technical and Organisational Measures).

6.2 Hirex regularly reviews and, where appropriate, updates its security measures. Hirex may update Annex 3 from time to time provided that the updates do not materially reduce the level of security afforded to Customer Personal Data.


7. Sub-processors

7.1 Customer provides general authorisation for Hirex to engage Sub-processors to Process Customer Personal Data in connection with the Services. The current list of authorised Sub-processors is published at gethirex.com/trust/sub-processors and is incorporated into this DPA by reference.

7.2 Hirex will notify Customer at least thirty (30) days before any intended change concerning the addition or replacement of a Sub-processor that Processes Customer Personal Data. Notification will be made by updating the list at gethirex.com/trust/sub-processors and, where the Customer has subscribed to the Hirex sub-processor notification list, by email.

7.3 Customer may object to a new Sub-processor on reasonable data protection grounds by notifying Hirex in writing within the 30-day notice period. The parties will work together in good faith to resolve the objection. If the parties cannot reach a resolution within thirty (30) days of Customer's objection, Customer may, as its sole and exclusive remedy, terminate the affected portion of the Services without penalty by providing written notice to Hirex. Customer remains responsible for fees accrued through the date of termination.

7.4 Hirex will impose data protection terms on each Sub-processor that provide at least the same level of protection for Customer Personal Data as set out in this DPA. Hirex remains liable to Customer for the performance of any Sub-processor's obligations.


8. Assistance with Data Subject Rights

8.1 Taking into account the nature of the Processing, Hirex will assist Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling Customer's obligation to respond to requests from Data Subjects exercising their rights under Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection).

8.2 The Services provide functionality for Customer to access, export, correct, and delete Customer Personal Data directly via the Services interface. To the extent Customer cannot fulfil a Data Subject request through the Services, Hirex will, upon Customer's written request and at Customer's reasonable expense, provide commercially reasonable assistance.

8.3 If Hirex receives a request from a Data Subject in respect of Customer Personal Data, Hirex will, without undue delay, notify Customer and will not respond to the request directly other than to confirm receipt and refer the Data Subject to Customer.


9. Personal Data Breach Notification

9.1 Hirex will notify Customer without undue delay and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Customer Personal Data.

9.2 The notification will, to the extent reasonably available at the time, describe: (a) the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the name and contact details of Hirex's Data Protection Officer or other contact point from whom more information can be obtained; (c) the likely consequences of the Personal Data Breach; and (d) the measures taken or proposed to be taken by Hirex to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

9.3 Where it is not possible to provide all of the information at the same time, Hirex may provide it in phases without further undue delay.

9.4 Hirex's notification of or response to a Personal Data Breach under this clause is not an acknowledgement by Hirex of any fault or liability with respect to the Personal Data Breach.


10. DPIA and Prior Consultation Assistance

Taking into account the nature of the Processing and the information available to Hirex, Hirex will provide Customer with reasonable assistance in: (a) carrying out data protection impact assessments under Article 35 GDPR; and (b) consultations with Supervisory Authorities under Article 36 GDPR, where Customer reasonably considers such assistance is required by Data Protection Laws, and at Customer's reasonable expense for assistance beyond the standard Services.


11. International Transfers

11.1 To the extent Customer Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred by Customer to Hirex in a third country that has not received an adequacy decision under Article 45 GDPR, the parties agree that the Standard Contractual Clauses (Module 2: Controller-to-Processor) are hereby incorporated into this DPA by reference and apply to such transfers, as further specified in Annex 4.

11.2 For transfers from the United Kingdom, the UK Addendum is hereby incorporated into this DPA by reference and applies to such transfers in addition to the SCCs.

11.3 For transfers from Switzerland, the SCCs apply with the modifications set out in the FDPIC's guidance, namely that (i) references to the GDPR are interpreted as references to the Swiss FADP, (ii) the term "Member State" must not be interpreted in a way that excludes Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence, and (iii) the FDPIC is the competent Supervisory Authority for transfers originating in Switzerland.

11.4 Onward transfers by Hirex to Sub-processors in third countries are governed by data protection terms between Hirex and the relevant Sub-processor that ensure the same level of protection as required by the SCCs.

11.5 Hirex has performed and documented Transfer Impact Assessments in respect of its onward transfers to non-EU Sub-processors and will make a summary available to Customer on reasonable written request, subject to confidentiality obligations.


12. Audits

12.1 Hirex will make available to Customer all information necessary to demonstrate compliance with this DPA and the obligations laid down in Article 28 GDPR.

12.2 At Customer's written request not more than once per twelve (12) month period (except where required by a Supervisory Authority or following a Personal Data Breach), Hirex will provide: (a) the most recent third-party audit reports and certifications Hirex holds (such as ISO 27001 or SOC 2 reports, when issued), under a non-disclosure agreement; and (b) responses to Customer's reasonable written security questionnaire.

12.3 If the information made available under clause 12.2 is not sufficient to demonstrate compliance, Customer may, at its own expense and subject to thirty (30) days' written notice, conduct or mandate a qualified third-party auditor to conduct an audit of Hirex's relevant Processing activities. Any such audit will: (a) be conducted during normal business hours; (b) not unreasonably interfere with Hirex's business operations; (c) be subject to a written non-disclosure agreement; (d) be limited in scope to what is reasonably necessary to verify compliance with this DPA; and (e) exclude access to Hirex's other customers' data, Hirex's source code, and any data subject to legal privilege.


13. Deletion or Return of Customer Personal Data

13.1 On termination or expiry of the Agreement, Hirex will, at Customer's choice, delete or return all Customer Personal Data and delete existing copies, unless Union or Member State law requires storage of the Personal Data.

13.2 Customer may request a copy of Customer Personal Data via the data export functionality in the Services at any time during the Agreement and for up to thirty (30) days following termination.

13.3 Unless Customer requests otherwise in writing, Hirex will delete Customer Personal Data from production systems within fifteen (15) days of termination or expiry of the Agreement and from backup systems within forty-five (45) days, in accordance with the NIST SP 800-88 standard for secure data destruction.

13.4 Hirex may retain Customer Personal Data to the extent and for the period required by applicable law, provided that Hirex ensures the confidentiality of such Personal Data and Processes it only for the purpose required by the applicable law.


14. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits or excludes either party's liability to the other for fraud or fraudulent misrepresentation, or any liability that cannot be limited or excluded by applicable law.


15. Order of Precedence

In the event of any conflict between (a) this DPA, (b) the SCCs (where applicable), and (c) the Agreement, the order of precedence is: (i) the SCCs; (ii) this DPA; (iii) the Agreement.


16. Governing Law and Jurisdiction

16.1 This DPA is governed by and construed in accordance with the governing law of the Agreement, except that where the SCCs apply, they are governed by the law of the EU Member State specified in Annex 4.

16.2 Any dispute arising out of or in connection with this DPA is subject to the jurisdiction provisions of the Agreement, except that disputes arising under the SCCs are subject to the jurisdiction specified in Annex 4.


17. General

17.1 This DPA, together with the Annexes, supersedes any prior data processing addendum between the parties in respect of the Services.

17.2 Hirex may update this DPA from time to time to reflect changes in Data Protection Laws or its Processing activities. Material changes will be notified to Customer at least thirty (30) days in advance. Continued use of the Services after the effective date of any update constitutes acceptance.


Signatures

This DPA is incorporated into and forms part of the Agreement and is binding on the parties without separate signature. If Customer requires a separately signed copy, please contact [email protected].

For Hirex: Hirex HR, Inc., 8 The Green STE D, Dover, Delaware 19901, USA
Data Protection Officer: Burak Yılmaz, [email protected]
Article 27 EU Representative: appointment in process; in the interim, contact [email protected] for EU matters

For Customer: [Customer entity name, address, authorised signatory]


ANNEX 1, Details of Processing

A. List of Parties

Data Exporter (Controller): Customer (as identified in the Agreement)

Data Importer (Processor): Hirex HR, Inc., 8 The Green STE D, Dover, Delaware 19901, USA. Contact: Burak Yılmaz, Data Protection Officer, [email protected].

B. Subject Matter and Nature of Processing

Hirex Processes Customer Personal Data to provide the Services, namely a cloud-based applicant tracking and recruiting platform that allows Customer to: (a) publish job postings and source candidates; (b) collect, review, and manage candidate applications and curricula vitae; (c) communicate with candidates; (d) evaluate candidates through structured scorecards, assessments, and (where enabled) AI-assisted analysis and one-way video interview transcription; (e) schedule and coordinate interviews via calendar integration; and (f) generate reports and analytics in respect of Customer's hiring activities.

C. Purpose of Processing

The Processing is performed solely for the purpose of providing the Services to Customer in accordance with the Agreement and Customer's instructions.

D. Duration of Processing

The Processing continues for the duration of the Agreement and for the periods specified in clause 13 of this DPA following termination.

E. Categories of Data Subjects

  • Customer's job candidates and applicants
  • Customer's employees, hiring managers, recruiters, and other Customer personnel who use the Services
  • Third parties named by Data Subjects (e.g., references provided by a candidate)

F. Categories of Personal Data

  • Identification and contact data: name, email address, postal address, phone number, photo
  • Professional data: CV/résumé content, work history, education, qualifications, certifications, skills, language proficiency
  • Application data: cover letters, application responses, custom field responses defined by Customer
  • Communication data: email correspondence between Customer and candidate, interview notes, comments, evaluations
  • Interview data: scheduled meeting details, attendees, calendar event metadata; where enabled, one-way video interview recordings and transcripts
  • Assessment data: results of skills assessments and scoring rubrics where Customer enables third-party assessment integrations
  • Account data: username, authentication credentials, access logs, audit logs of actions taken in the Services
  • Technical data: IP address, device identifier, browser information, session data
  • Any other Personal Data that Customer or Data Subjects choose to upload to the Services

G. Special Categories of Personal Data

The Services are not designed to require or solicit special categories of Personal Data within the meaning of Article 9 GDPR. However, Data Subjects may voluntarily disclose such data (for example, health information relating to accommodation requests, or information revealing trade union membership). Where Customer enables background-check integrations, the relevant third-party provider may Process special categories of data and criminal-conviction data pursuant to a separate controller-to-controller or controller-to-processor relationship.

H. Frequency of Transfers

Continuous, for the duration of the Agreement.

I. Retention

Customer Personal Data is retained for the duration of the Agreement and deleted as set out in clause 13.


ANNEX 2, Sub-processors

The current list of Sub-processors authorised to Process Customer Personal Data is published at gethirex.com/trust/sub-processors and is incorporated into this DPA by reference. Hirex updates the list as Sub-processors are added or replaced, in accordance with clause 7 of this DPA.


ANNEX 3, Technical and Organisational Measures

Hirex implements and maintains the following technical and organisational measures designed to ensure the security of Customer Personal Data.

1. Hosting and infrastructure

  • Production environment hosted on Amazon Web Services (AWS) in the Ireland region (eu-west-1), via Heroku Platform-as-a-Service.
  • Enterprise tenants are deployed on isolated infrastructure: a dedicated Heroku application, a dedicated PostgreSQL database, and dedicated Redis instances per tenant.
  • Network ingress is protected by Cloudflare Web Application Firewall (WAF) with OWASP managed rules, L3/L4/L7 DDoS protection, bot management, and (for enterprise tenants) tenant-specific IP allowlists.

2. Encryption

  • All data in transit is encrypted using TLS 1.2 or TLS 1.3.
  • Customer Personal Data at rest in PostgreSQL is encrypted using AES-256.
  • File storage (résumés, documents, interview recordings) is encrypted at rest using AES-256.
  • Redis connections require TLS.

3. Access controls

  • Access to production systems is restricted to a limited number of authorised personnel on the principle of least privilege.
  • All personnel access requires multi-factor authentication.
  • Privileged access is granted on a just-in-time basis, logged, and reviewed.
  • Customer Personal Data is not accessed by Hirex personnel except as necessary to provide support, investigate security events, or comply with legal obligations. All such access is logged.
  • Customer-side access is governed by role-based access controls configurable by Customer's administrators. The Services support SSO via Azure AD/Entra ID, Google Workspace, or any SAML-compliant identity provider, and two-factor authentication (TOTP).

4. Backups and disaster recovery

  • Continuous protection and regular backups of the production PostgreSQL database via Heroku Postgres.
  • Backups are encrypted and stored in a separate region for redundancy.
  • Documented disaster recovery procedures with defined recovery objectives.

5. Monitoring and incident response

  • 24×7 application and infrastructure monitoring (Sentry for error tracking, Scout APM for application performance, BetterStack for log aggregation).
  • Documented Incident Response Policy with defined roles, severity classifications, and notification procedures.
  • Security events are logged and reviewed.

6. Secure development lifecycle

  • Documented Secure Development Policy aligned with OWASP Top 10 and industry best practice.
  • Mandatory code review prior to deployment.
  • Automated testing in CI/CD pipeline.
  • Static Application Security Testing (SAST) integrated into the CI pipeline.
  • Annual third-party penetration testing with findings tracked to remediation.
  • Vulnerability disclosure programme; reports accepted at [email protected].

7. Personnel

  • All personnel sign confidentiality agreements as a condition of employment.
  • Security awareness training on hire and at least annually.
  • Background checks for personnel with production access where permitted by law.

8. Sub-processor management

  • Each Sub-processor is evaluated for security posture before engagement and is bound by a written data processing agreement.
  • Sub-processor list maintained and published at gethirex.com/trust/sub-processors; changes notified at least thirty (30) days in advance.

9. Data segregation

  • Logical separation between tenants in shared infrastructure.
  • Physical separation (dedicated app + database + Redis) for enterprise tenants.

10. Data deletion

  • On termination, Customer Personal Data is deleted from production systems within fifteen (15) days and from backup systems within forty-five (45) days, in accordance with NIST SP 800-88 secure data destruction standards.

11. AI processing

  • AI features (CV evaluation, candidate matching, content generation, video interview transcription) are powered by third-party model providers (OpenAI, Anthropic, Google, Deepgram) under written data processing agreements.
  • Customer Personal Data is not used to train any AI provider's models.
  • AI providers operate on a zero-data-retention basis to the extent supported by their enterprise tier.
  • All AI providers process data subject to the SCCs and Hirex's documented Transfer Impact Assessments.
  • Hirex does not use AI to make solely automated decisions about candidates producing legal or similarly significant effects within the meaning of Article 22 GDPR. All AI outputs inform human decisions.

12. Certifications

Hirex is working toward ISO 27001 certification. Underlying infrastructure providers hold ISO 27001, SOC 2, and other industry certifications as published by those providers.


ANNEX 4, Standard Contractual Clauses

For transfers of Customer Personal Data subject to the GDPR from the EEA to a third country that has not received an adequacy decision under Article 45 GDPR, the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to GDPR, as adopted by the European Commission in Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs"), apply between Customer (as data exporter) and Hirex (as data importer), with the following completions:

  • Module: Module Two (Controller to Processor)
  • Clause 7 (Docking Clause): does not apply
  • Clause 9(a) (Sub-processors): Option 2 (general written authorisation) applies; the time period for prior notice of Sub-processor changes is thirty (30) days
  • Clause 11(a) (Independent dispute resolution): the optional language is omitted
  • Clause 17 (Governing law): the laws of the Republic of Ireland apply
  • Clause 18(b) (Forum and jurisdiction): the courts of the Republic of Ireland have jurisdiction
  • Annex I.A (List of Parties): as set out in Annex 1.A of this DPA
  • Annex I.B (Description of transfer): as set out in Annex 1.B-I of this DPA
  • Annex I.C (Competent supervisory authority): the Irish Data Protection Commission, by reason of clause 13(a) of the SCCs and Customer's primary EU place of establishment (or, where Customer has no EU establishment, the supervisory authority of the EU Member State in which Data Subjects whose Personal Data is transferred are located)
  • Annex II (Technical and organisational measures): as set out in Annex 3 of this DPA
  • Annex III (List of sub-processors): as set out in Annex 2 of this DPA

For transfers from the United Kingdom, the UK Addendum applies with the following completions:

  • Table 1 (Parties): as set out in Annex 1.A of this DPA
  • Table 2 (Selected SCCs, Modules and Selected Clauses): the EU SCCs as completed above
  • Table 3 (Appendix Information): as set out in the Annexes to this DPA
  • Table 4 (Ending the Addendum when the Approved Addendum Changes): neither party may end the UK Addendum on this basis

End of Data Processing Addendum.

© Hirex HR, Inc.