Trust Center

GDPR compliance

Last updated: May 28, 2026

Hirex is built for organisations that take GDPR seriously. This page explains how the platform supports your obligations as a data controller, where Hirex sits in the legal framework, and the documents you'll want for procurement.

For a copy of our Data Processing Addendum, see our DPA page. For our sub-processor list, see the Sub-processors page. For GDPR-specific questions, email [email protected].

Roles

Under GDPR, the customer is the data controller for candidate data: you decide what to collect, why, and for how long.

Hirex is the data processor. We process candidate data only on your documented instructions. This split is set out in our Data Processing Addendum, which is incorporated by reference into our Terms of Service.

Hirex acts as a data controller for the limited categories of personal data we collect about your billing contacts, account administrators, and product users for our own purposes (account management, billing, support, product analytics). Our Privacy Policy explains that scope.

Data subject rights, and how Hirex supports each

Candidates (and other data subjects) have eight rights under the GDPR. Each is supported in the platform.

Right to be informed (Articles 12-14)

  • Add your own privacy notice to the careers site and application form
  • Configure region-specific notices for jurisdictions that need different language
  • Track which version of which notice each candidate saw at the time they applied

Right of access (Article 15)

  • Export an individual candidate's full record from the application UI
  • Use the API to export structured data programmatically
  • Provide candidates with a self-serve portal to view what you hold about them

Right to rectification (Article 16)

  • Candidates can update their own profile through their self-serve portal
  • Recruiters can edit candidate records in the application
  • Audit log records who changed what and when

Right to erasure / right to be forgotten (Article 17)

  • Delete an individual candidate with a single action
  • Configurable automatic deletion based on retention rules (e.g., delete after 24 months in the talent pool with no activity)
  • Region-specific retention policies: set different rules for EEA, UK, US, etc.
  • Deletion propagates through production systems within 15 days and through backups within 45 days, in line with NIST SP 800-88 media sanitisation guidelines

Right to restrict processing (Article 18)

  • Flag a candidate's record as restricted; the record is preserved but not actively processed
  • Restricted records are excluded from AI scoring and matching

Right to data portability (Article 20)

  • Export a candidate's record in structured, machine-readable formats (CSV, JSON via API)
  • Includes all custom fields and uploaded files

Right to object (Article 21)

  • Candidates can object to the processing of their data at any time. On objection, the customer's recruiters can delete the candidate's profile from the application.
  • Outreach to sourced (not-yet-applied) candidates is sent by the customer directly, not by Hirex, so any opt-out or unsubscribe is handled through the customer's own outreach.

Rights related to automated decision-making (Article 22)

Hirex does not make solely automated decisions about candidates within the meaning of Article 22. AI match scores, summaries, and rankings inform human decisions. They never produce hire/reject outcomes on their own. See our Responsible AI page for the full posture.

When consent is the lawful basis (for example, joining a talent pool for future opportunities), Hirex captures it explicitly:

  • Configurable consent checkboxes on the application form
  • Version-tracked consent records: what was agreed, when, and to which version of which notice

Lawful bases for processing

Hirex supports each of the GDPR lawful bases for the relevant customer activity:

  • Contract: assessing a candidate who has actively applied for a role
  • Legitimate interests: sourcing candidates from public profiles, with the appropriate balancing test
  • Consent: adding a candidate to a talent pool for future opportunities
  • Legal obligation: retaining records required by employment law

Each customer configures their own lawful basis per processing activity.

Retention

Retention periods are configurable per customer, per pipeline, per region:

  • Default retention rules apply to all candidate records unless overridden
  • Region-specific rules: different retention for EEA, UK, and US candidates
  • Status-specific rules: different retention for active applicants vs. talent pool vs. rejected candidates
  • Automatic deletion triggers when a record exceeds its retention window

The platform records what was deleted, when, and under which rule, providing an audit trail of your compliance posture.

International transfers

Hirex hosts customer data in AWS Ireland (eu-west-1), so primary storage remains in the EU.

Some sub-processors that Hirex engages (notably the AI model providers OpenAI, Anthropic, Google, and Deepgram) are headquartered outside the EU. Transfers to these sub-processors are covered by the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), incorporated into our Data Processing Addendum.

Hirex has performed and documented Transfer Impact Assessments in respect of these onward transfers, as required by the Schrems II decision. Summaries are available to customers on request under NDA.

For UK transfers, we apply the UK Information Commissioner's International Data Transfer Addendum to the EU SCCs. For Swiss transfers, the SCCs apply with the adjustments specified by the Swiss FDPIC.

Sub-processors

The complete list of sub-processors is on our Sub-processors page. Customers are notified at least 30 days before any new sub-processor is added to the list. Customers may object during the notice period; if the parties cannot resolve the objection, the customer may terminate the affected portion of the Services without penalty.

Data Processing Addendum

Our DPA is incorporated by reference into our Terms of Service and is binding on Hirex and the customer without separate signature. A copy is on our DPA page for customers that require a separately signed instrument.

The DPA includes:

  • The full GDPR Article 28 processor obligations
  • Standard Contractual Clauses (Module 2: Controller-to-Processor) for international transfers
  • UK Addendum for UK transfers
  • Annexes describing the processing, sub-processors, and our technical and organisational measures

Breach notification

Hirex will notify affected customers without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach affecting their data. The notification includes the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and the measures taken to mitigate it.

Data Protection Officer

Burak Yılmaz, [email protected]

EU Representative

Hirex is in the process of appointing an EU Representative under Article 27 of the GDPR. In the interim, EU data subjects and supervisory authorities may contact our Data Protection Officer at [email protected] for all matters that an EU Representative would otherwise handle.

Right to lodge a complaint

If you believe your GDPR rights have been infringed, you may lodge a complaint with the data protection supervisory authority in the EU Member State where you reside, where you work, or where the alleged infringement took place.


© Hirex HR, Inc.