Data Processing Agreement

1. Subject Matter and Duration

RecruitMail provides infrastructure and services (candidate aliases, feedback forms, dashboards) to recruiters. Processing begins with acceptance of the Terms and continues until termination.

2. Roles and Responsibilities

Recruiter (Controller)

  • Determines purposes and means of processing
  • Must ensure lawful basis
  • Must provide privacy notices
  • Responsible for GDPR compliance

RecruitMail (Processor)

  • Processes data on instructions only
  • Implements technical safeguards
  • Assists with GDPR compliance
  • Reports data breaches

3. Categories of Data

Candidate Data:

CVs, contact details, aliases, interview feedback

Client Data:

Hiring manager names, emails, feedback

Communication Metadata:

Emails routed via aliases

4. Processor Obligations

RecruitMail shall:

  • Process data only on documented instructions
  • Ensure confidentiality
  • Apply technical and organisational measures (TOMs)
  • Assist with Data Subject Access Requests (DSARs)
  • Assist with Data Protection Impact Assessments (DPIAs)
  • Notify breaches within 72 hours
  • Delete/return data within 30 days of termination
  • Maintain records of processing activities

5. Subprocessors

RecruitMail may use subprocessors (hosting, email, payments). Subprocessors are bound by equivalent GDPR obligations.

Current Subprocessors Include:

  • Cloud hosting providers (AWS, Google Cloud, etc.)
  • Email delivery services (Mailgun, SendGrid, etc.)
  • Payment processors (Stripe, PayPal, etc.)
  • Analytics providers (with consent where required)

6. International Transfers

Transfers outside EEA/UK rely on Standard Contractual Clauses (SCCs) or adequacy decisions as approved by the European Commission.

7. Audit and Demonstration

RecruitMail will provide documentation for GDPR compliance and permit audits with reasonable notice.

8. Liability and Indemnity

Each party is liable for its own GDPR breaches. Recruiters indemnify RecruitMail for claims from lack of lawful basis or misuse (spam, unlawful sharing). RecruitMail's liability is limited as per the Terms of Service.

9. Termination

Upon termination, RecruitMail deletes or anonymises data within 30 days unless legally required otherwise. Confirmation of deletion can be provided upon request.

10. Governing Law

This DPA is governed by the laws of Germany and forms an integral part of the Terms of Service.

Annex 1 – Technical and Organisational Measures (TOMs)

Security Measures:

  • Access control and authentication
  • Encryption (TLS in transit, AES-256 at rest)
  • Monitoring and logging
  • Regular security backups

Organisational Measures:

  • Data minimisation practices
  • Staff training on data protection
  • Incident response procedures
  • Regular compliance reviews

Questions about this DPA?

For questions about data processing or to request audit documentation, contact us at dpa@recruitmail.com