LAST UPDATED: 1 December, 2025
This Data Processing Addendum (“DPA”) governs the rights and obligations arising when a company within the Cinode group of companies (“Cinode”, the “Processor”) provides a SaaS Service or an ancillary service to the entity that has entered into a legally binding agreement (the “Controller”) for Cinode’s SaaS Services (the “Agreement”), which involves the processing of Controller’s Personal Data on behalf of Controller. This DPA, the Agreement and any appendices constitute the Parties’ Agreement.
This DPA applies to Agreements from 22 May 2024.
1.1. This DPA shall form an integral part of the Agreement and applies to all Processing activities performed by the Processor or any third party acting on behalf of the Processor (a “Sub-processor”) of Cinode’s SaaS services.
1.2. This DPA replaces any existing data processing agreement in place between the Parties. In case of any inconsistencies, this DPA will take precedence over the provisions of the Agreement. Upon the Controller’s written request, the Processor will provide the Controller with a signed version of this DPA.
1.3. When Cinode Processes Personal Data in the course of providing the Service, Cinode will:
Process the Personal Data as your Data Processor, only for the purpose of providing the Services in accordance with your documented instructions and as may be agreed with you.
If Cinode is required by law to Process the Personal Data for other purposes, we will notify you, unless we are prohibited by law to do so.
You acknowledge that Cinode acts as a service provider and is an independent Data Controller with regards to support, security of our systems and the Service and improvement of service performance and operation of service infrastructure. Our privacy practices and how we use Personal Data can be read in our Privacy Notice, available on our website.
2.1. “Appropriate Technical and Organisational Measures”, “Controller and Processor”, “Data Subject”, “Non-adequate Country”, “Personal Data”, “Personal Data Breach”, “Processing”, “Sub-Processor” shall have the meanings given to them in the relevant Data Protection Laws;
2.2. “Data Protection Laws” means
a) in EU countries, the General Data Protection Regulation (Regulation (EU) 2016/679) (the GDPR);
b) in non-EU countries, any similar or equivalent laws, regulations or rules relating to Personal Data;
c) any enforceable guidance and codes of practice issued by any local regulatory authority responsible for administering Data Protection Laws; and/or
d) any amendments, re-enactments or changes to the items described in (a) to (c) above, from time to time.
2.3. “Services” shall mean the SaaS services and other ancillary services provided by the Processor concerning the Processing of Controller’s Personal Data as described in the Agreement.
2.4. “SCCs” refers to the standard contractual clauses for the transfer of Personal Data to processors established in third countries, set forth in the European Commission Decision of 4 June 2021, or any such standard contractual clauses amending or replacing the SCCs.
3.1. The Controller is responsible for ensuring that the Processing of Personal Data takes place in compliance with the GDPR (see Article 24 GDPR), the applicable Data Protection Laws and this DPA.
3.2. The Controller has the right and obligation to make decisions about the purposes and means of the processing of the Personal Data.
3.3. The Controller shall be responsible, among other things, for ensuring that the Processing of Personal Data, which the Processor is instructed to perform, has a legal basis and a valid purpose. The Controller is responsible for ensuring that personal data is collected and used in accordance with Data Protection Legislation, and in accordance with this Agreement.
4.1. The Processor undertakes to Process Personal Data in accordance with this DPA and the Controller’s written instructions solely for purposes of providing the Services under the Agreement. Personal Data may not in any way be Processed for any other purposes.
4.2. The nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects covered under this DPA are specified in Appendix 1, Controller’s Instructions to the Processor.
4.3. The Processor shall without undue delay, provide access to the Personal Data it has in its possession and make requested rectifications, erasures, restrictions or transfers of the Personal Data. Necessary measures to prevent recovery of Personal Data shall be taken after the Controller or the Processor has deleted Personal Data.
4.4. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes on Data Protection Laws. The Controller understands that the Processor is not required to provide legal advice to the Controller regarding the responsibilities of the Controller.
4.5. The Processor shall assist the Controller in its contacts with the supervisory authority. The Processor may not disclose Personal Data or any information on the Processing of Personal Data without explicit instructions from the Controller. The Processor is entitled to reasonable compensation for the costs for such measures from the Controller.
4.6. If a Data Subject requests information from the Processor concerning the Processing of Personal Data, the Processor shall forward the request to the Controller and assist the Controller in responding to such requests in accordance with Data Protection Laws.
4.7. The Processor shall assist the Controller to ensure appropriate technical and organisational measures, taking into account the nature of the Processing.
4.8. The Processor shall take steps to ensure that any person who performs work under the supervision of the Processor and who has access to the Personal Data, only processes the Personal Data in accordance with the Controller’s instructions, unless otherwise required by Data Protection Laws.
4.9. The Processor shall assist the Controller in ensuring compliance with the Controller’s obligations under Data Protection Laws, e.g. insofar as this is possible, assist with security measures, fulfil data subject requests, data protection impact assessments (“DPIA”) (including prior consultation), and in situations involving a Personal Data breach, notify the Controller and assist the Controller in notifying the supervisory authority and the data subjects involved as set out in section 5.2.1.
The Processor is entitled to reasonable compensation for the costs from the Controller for such measures.
4.10. The Processor shall maintain a record of all Processing activities carried out on behalf of the Controller. Upon the Controller’s request, the Processor shall make a readable transcript available to the Controller in a generally readable electronic format, including, as a minimum the following information:
a) the name and contact details of the Controller and, where applicable, the joint controller, the Controller’s representative and the data protection officer;
b) a description of the categories of processing carried out on behalf of the Controller.
c) where applicable, transfers of Personal Data to a third country, including the identification of that third country and suitable safeguards employed to ensure an adequate level of protection of the Data Subject;
d) a general description of the technical and organisational measures employed to ensure an appropriate level of security.
5.1. The Processor shall implement appropriate technical and organisational security measures to protect Personal Data in accordance with Data Protection Laws and this Data Processing Addendum. The Processor shall observe relevant codes of conduct, industry best practice, and guidelines issued or approved by supervisory authorities where applicable.
5.2. The Processor shall notify the Controller without undue delay after the Processor has become aware of any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
5.2.1. In the event of a Personal Data Breach, the Processor shall, taking into account the type of Processing and the information available to the Processor, provide the Controller with a written description of the Personal Data Breach. The notice will be sent to the appointed contact person in accordance with Section 21.2 in the Terms of Service. Each Party is responsible for ensuring that the contact details of its appointed contact person are accurate and up to date.
5.2.2. The description shall give an account of:
a. The nature of the Personal Data Breach and, if possible, the categories and number of Data Subjects affected and the categories and number of Personal Data records affected,
b. the likely impact of the Personal Data Breach, and
c. measures taken or proposed and measures to mitigate the potential negative effects of the Personal Data Breach.
5.2.3. If it is not possible for the Processor to provide the full description at the same time, according to item 5.2.2 of this Agreement, we will execute the notification in phases as relevant information becomes available.
5.3. Confidentiality. The Processor is responsible for ensuring that Processor’s and its Sub-Processors’ personnel who Process Personal Data shall maintain secrecy, have received suitable training on Personal Data and are bound by non-disclosure agreements. The obligation of confidentiality shall remain in force even after this DPA has otherwise ceased to be in force. Otherwise, what is stated in the Agreement shall apply to the Processor’s obligation of confidentiality.
5.4. Restricted access. The Processor is responsible for ensuring that only the personnel of the Processor and the Sub-Processor who need the Personal Data to fulfil the Processor’s commitment under the Agreement shall have access to the Personal Data.
6.1. Use of Sub-Processors. The Processor may engage Sub-Processors for the Processing of Personal Data. The Processor is responsible for ensuring that all Processing of Personal Data performed by a Sub-Processor is governed by a written agreement with the Sub-Processor that corresponds to the requirements of this Data Processor Agreement. The Processor is fully liable for the performance of any Sub-Processor’s Processing of Personal Data.
6.2. Change of Sub-Processor. The Processor has the right to change a Sub-Processor or engage other appropriate and reliable Sub-Processors, provided that the rules in this Section are applied. Before engaging a new Sub-Processor, the Processor shall notify the Controller in writing of the new Sub-Processor, and upon receipt of the notice, the Controller has a right to object to the new Sub-Processor in writing within ten (10) days from receipt of the Processor’s notice. Such objections shall not be deemed valid unless the Controller can prove a reasonable cause.
6.3. Resolution of objections. If the Controller has objected to a Sub-Processor, the Parties shall discuss various activities to resolve the reason for the Controller’s objection together. If the Parties cannot agree on any solution within a reasonable period of time, which shall not exceed thirty (30) days, the Controller may terminate the agreement by notifying the Processor in writing. During the termination period, the Processor is not allowed to transfer any Personal Data to the Sub-Processor.
6.4. List of Sub-Processors. Upon the Controller’s acceptance of this DPA, the Controller has pre-approved the existing sub-processors as listed on the Processor’s website. During the term of the Agreement, the Processor shall maintain an updated list of all Sub-Processors who process Personal Data in connection with the Agreement and shall send a copy of the list to the Controller upon the Controller’s request.
6.5. Processing by our technology providers. Cinode uses third party service providers to provide the AI-assisted Services. You acknowledge that any Input you provide in the AI-assisted Service, including any personal data, will be shared with third party service providers. By using the AI-assisted Services you consent to personal data being transferred to third parties. The Customer is solely responsible for ensuring that Personal Data submitted to the AI-assisted Services is collected and used in accordance with applicable Data Protection Legislation.
7.1. If the Processing carried out by the Processor includes the transfer of Personal Data to a country outside of the EU/EEA not granted an adequacy decision, the Processor shall enter into a supplementary agreement containing the then current European Commission’s Standard Contractual Clauses (“SCC”), in so far as the SCC provides a lawful transfer mechanism. The Processor shall, upon the Controller’s request, provide the Controller with a copy of such a signed SCC agreement. If, and to the extent that, this DPA and the SCC are inconsistent; the SCC provisions shall prevail.
7.2. In the cases mentioned above, the Processor must enter into a supplementary written agreement with the sub-processor containing the SCC, before the Processor transfers any Personal Data to the sub-processor. The Processor shall, upon the Controller’s request, provide the Controller with a copy of such a signed SCC agreement. If, and to the extent that, this DPA and the SCC are inconsistent; the SCC provisions shall prevail.
7.3. The Parties undertake to monitor developments concerning regulatory pronouncements or any court rulings and, if necessary, to make adjustments to the Processing of Personal Data and this DPA insofar as this can serve the requirements for a legally secure data transfer to a third country.
7.4. If the Processor receives from its sub-processors a legally binding request by a public authority under the laws of the country of destination for disclosure of Personal Data transferred under the SCCs, the Processor shall forward the request to the Controller. The Processor and its sub-processors shall, to the largest extent possible, refuse all requests that would include access to the Controller’s data by a public authority that are not legally binding. The Processor shall forward as much relevant information as possible on the requests received from its sub-processors to the Controller.
7.5. Cinode uses third party service providers, as listed in Appendix 1, to provide the AI-assisted Services. By using the AI-assisted Services your personal data is transferred outside of the EU/EEA. You may not use the AI-assisted Services if you do not consent to your data being processed outside of the EU/EEA.
8.1. Performance of an audit. The Processor shall provide the Controller and Controller’s independent auditors with access to such information and Processor’s premises as may reasonably be necessary for the Controller to be able to verify that the Processor is fulfilling its obligations according to the DPA. The Controller may only conduct audits once a year, or, when a material violation of this DPA and Data Protection Laws is suspected for good reasons, to ensure that the Processor is complying with this DPA and Data Protection Laws. The Controller shall, within a reasonable period of time (at least thirty [30] days), notify the Processor before such an audit unless otherwise required by a government authority, or the Controller has reason to suspect that the Processor or a Sub-Processor is not fulfilling its obligations according to the DPA.
The Processor may satisfy audit obligations by providing current third party audit reports or certifications (e.g. ISO 27001) that demonstrate compliance with applicable Data Protection Laws. Where such evidence is sufficient to demonstrate compliance, no additional on-site audit shall be required.
8.2. Audit results. The Processor shall be allowed within a reasonable time period to read and provide comments to the audit report before it is made final to resolve any potential misunderstandings or minor issues. If an audit has shown that the Processor or a Sub-Processor has not fulfilled its obligations according to the DPA, the Processor shall promptly manage and correct this. Such corrective action does not affect the Controller’s other possible claims and rights under this DPA.
8.3. Costs. The Controller can request an audit once per year, for which each party will cover its own costs. The Controller shall always carry the cost for any third party appointed for the audit. Additional audits (exceeding one per year) can also be requested, at your sole cost.
9.1. This DPA shall become effective on the date of both Parties’ e-signature.
9.2. This DPA shall apply for the duration of the provision of Personal Data Processing services. For the duration of the provision of Personal Data Processing services, the Agreement cannot be terminated unless another Agreement governing the provision of Personal Data processing services has been agreed between the Parties.
9.3. Upon termination or expiry of the Services, the Processor shall, without undue delay and within thirty (30) days, return to the Controller all Personal Data processed under this Agreement, in accordance with Section 17 in the Terms of Services. The Processor shall thereafter delete or irreversibly anonymise all such Personal Data from its systems and those of any Sub-processors, unless continued storage is required by applicable law.
The Processor shall within thirty (30) days anonymize all Usage Data in such a way that the individual is no longer identifiable. The Processor shall thereafter ensure that no Personal Data is remaining with the Processor or any of its Sub-processors unless continued storage of the personal data is required by applicable law. This DPA is applicable from the date of its execution and until all Personal Data is returned, erased or made anonymous in accordance with this section.
9.3. Within ninety (90) days of the Agreement’s expiration, the Processor shall delete all Personal Data that the Processor processed under the Agreement, including Personal Data stored in backups or other media, unless otherwise agreed in writing or required by applicable law.
10.1. The Parties agree that where the Data Protection Laws change as a result of legislative, regulatory or judicial developments, thereby altering the Parties’ legal rights and/or obligations, or impacting either party’s ability to perform its rights and/or obligations under this DPA, the Parties will negotiate in good faith the terms of this DPA to comply with the new developments with the goal to continue the commercial relationship between the Parties. No change of this DPA shall be valid unless made in writing.
11.1. The DPA shall be applied and interpreted in accordance with the law stated in the Agreement. Notwithstanding this, the Parties must at all times process Personal Data in accordance with Data Protection Laws.
11.2. Any dispute, controversy or claim arising out of or in connection with this DPA, or the breach, termination or invalidity thereof, shall be finally settled in accordance with the dispute resolution provision in the Agreement.
1.1. The Processor shall Process Personal Data hereunder exclusively within the scope of providing the Cinode SaaS Service in accordance with the Parties’ Agreement.
2.1. The purpose of the Personal Data processing is to provide contracted Services offered by Cinode at any given time to offer the applicable service modules:
Competence & CV management,
Sales & Resourcing,
Utilization and
Partner & Sub-Processor Management.
3.1. The processing of Personal Data under the DPA applies to the following categories of data subjects:
The Controller’s employees (incl. current and former employees, trainees and interns, pre-hires and applicants)
The Controller’s business partners (Processors, and subcontractors incl. its employees)
The Controller’s recruitment candidates
The Controller’s customers and contacts
The Controller’s partner contacts (“Users”)
The Controller’s users of Cinode’s Services
The Controller’s external agents, representatives, consultants, advisors, auditors
4.1. Personal data is categorized by the following: Employee, Recruitment Candidate, Sub-contractor Partner Consultant, Personal information such as name, address, age, and gender, and skills and experience according to the Profile features.
4.2. The Cinode Service does not process any special category Personal Data (such as health data, biometric data, trade union memberships, ethnic origin etc.). If you are considering submitting this type of Personal Data, contact your Cinode representative.
Identification information (note that the personal identification number is voluntary to submit)
Employment Information (note that salary information and payment history is voluntary to submit)
Skills, Education, Certifications, Experience (note that evaluations are voluntary to submit)
CVs (we recommend not to include personal identification number or profile picture in the submission)
Availability & Utilization
5.1. The Processor shall process the Personal Data as necessary to provide the Services to the Controller during the term of the Agreement, subject to the terms of the Agreement.
5.2. The Processor shall delete, limit or restrict its processing upon the Controller’s written instruction where possible and as soon as practically possible.
6.1. The Cinode SaaS Service is based on the use of the following Sub-Processors, which may be updated from time to time:
| Processor | Service Delivered | Location of processing |
|---|---|---|
| Amazon Web Services | Hosting & Communication Services | EU (Frankfurt, Stockholm) |
| Optional | | |
| Nylas | Email, Contacts & Calendar Synchronization Services, and Online Meeting Transcriptions for Optional Add-on | EU (Ireland) |
| Textkernel B.V | Document Parsing & Matching Services | EU (Netherlands) |
| Microsoft Ireland Operations Ltd | Interpretation of text inputs and generating text output, used for enhancing textual content and skills extraction for searching and matching capabilities. CV parsing. | EU - Azure OpenAI (West Europe region) |
| Prismatic Inc. | Build and maintain integrations with a wide range of applications, including Microsoft Teams, Slack, Time/Reporting, CRM, Reporting & Analytics platforms, and more. Cinode will use the EU instance for these services. | Europe (Ireland) |
Organizational Measures