Data Processing Agreement

Last updated: May 11, 2025

See also our Terms of Service and Privacy Policy.

This Data Processing Agreement (“DPA”) is entered into between HireNote, operated by Tomáš Stuchlý, IČO 06030033, Czech Republic (“HireNote”, “Processor”) and the registered user (“Customer”, “Controller”).

This DPA forms part of, and is incorporated into, the HireNote Terms of Service (“Main Agreement”). By registering for HireNote, the Customer agrees to be bound by this DPA.

1. Definitions

“Main Agreement” means the HireNote Terms of Service agreed to by the Customer upon registration.

“Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws.

“Personal Data Breach” means any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed by HireNote or its Sub-processors.

“Processing” (and “Process”) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, storage, use, disclosure, transmission, or deletion.

“Controller” means the entity that determines the purposes and means of the Processing of Personal Data. In the context of this DPA, the Customer is the Controller.

“Processor” means the entity that Processes Personal Data on behalf of the Controller. In the context of this DPA, HireNote is the Processor.

“Services” means the interview recording, transcription, and scorecard generation services provided by HireNote as described in the Main Agreement.

“Data Protection Laws” means all applicable laws and regulations relating to privacy, data protection, and personal data, including without limitation: the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); the GDPR as incorporated into Czech and EU law; and any other applicable data protection legislation in force from time to time.

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries as approved by the European Commission under Commission Implementing Decision (EU) 2021/914, Module Two (Controller-to-Processor), as may be amended or replaced from time to time.

“Sub-processor” means any third party engaged by HireNote to Process Personal Data on behalf of the Customer in connection with the Services.

“Technical and Organisational Measures” or “TOMs” means the security and organisational measures implemented by HireNote to protect Personal Data, as described in Annex 2 of this DPA.

2. Scope and Roles

2.1 This DPA applies to all Processing of Personal Data by HireNote on behalf of the Customer in connection with the Services.

2.2 As between the parties, the Customer is the Controller and HireNote is the Processor with respect to Personal Data Processed under this DPA. The Customer determines the purposes and means of Processing. HireNote Processes Personal Data only as a data processor, strictly on behalf of and in accordance with the documented instructions of the Customer.

2.3 In the event of any conflict between this DPA and the Main Agreement with respect to the Processing of Personal Data, this DPA shall prevail.

2.4 All limitations on liability set out in the Main Agreement apply to this DPA. HireNote’s total aggregate liability under this DPA shall not exceed the liability cap set out in the Main Agreement (fees paid in the 12 months preceding the claim, or $60, whichever is greater). Nothing in this clause limits either party’s liability to Data Subjects or supervisory authorities under applicable Data Protection Laws.

3. Term

This DPA takes effect upon the Customer’s registration for the Service and remains in force for the duration of the Main Agreement. Termination of the Main Agreement automatically terminates this DPA. HireNote’s obligations to protect Personal Data and to delete or return all Personal Data survive termination until all Personal Data has been securely deleted or returned.

4. Details of Processing

4.1 Subject Matter

Processing of Personal Data to provide interview recording, transcription, and AI-powered scorecard generation services.

4.2 Nature and Purpose of Processing

  • Recording and storing audio of recruitment-related conversations.
  • Generating transcripts from recorded audio using AI.
  • Generating structured scorecards from transcripts using AI.
  • Delivering transcripts and scorecards to the Customer by email and dashboard.
  • Storing transcripts and scorecards on behalf of the Customer.

4.3 Types of Personal Data

  • Names and contact information of interview participants.
  • Voice recordings (temporary — deleted immediately after transcription).
  • Transcripts of interview conversations.
  • AI-generated scorecards containing information about candidates.
  • Any other personal data incidentally present in interview conversations.

4.4 Categories of Data Subjects

  • The Customer’s authorised users (recruiters, HR professionals).
  • Job candidates participating in interviews conducted through the Service.

4.5 Duration of Processing

For the term of the Main Agreement and any renewal periods, and thereafter until secure deletion or return of all Personal Data in accordance with Section 10.

5. Processor Obligations

HireNote shall:

5.1 Process Personal Data only on the documented instructions of the Customer, as set out in this DPA and the Main Agreement, and for no other purpose. HireNote will promptly inform the Customer if, in HireNote’s opinion, an instruction violates applicable Data Protection Laws.

5.2 Ensure that all personnel authorised to Process Personal Data are bound by appropriate confidentiality obligations.

5.3 Implement and maintain the Technical and Organisational Measures described in Annex 2.

5.4 Assist the Customer in fulfilling its obligations to respond to Data Subject rights requests under applicable Data Protection Laws, taking into account the nature of the Processing and the information available to HireNote. HireNote will respond to Customer requests for such assistance within 30 days.

5.5 Notify the Customer without undue delay, and in any case within 48 hours, after becoming aware of a Personal Data Breach. Such notification shall include, to the extent known: the nature of the breach, the categories and approximate volume of Personal Data and individuals affected, the likely consequences, and the measures taken or proposed to address the breach.

5.6 Make available to the Customer all information reasonably necessary to demonstrate HireNote’s compliance with this DPA and applicable Data Protection Laws, upon the Customer’s written request.

5.7 Delete or return all Personal Data upon termination of the Main Agreement or upon the Customer’s written request, in accordance with Section 10.

5.8 Not engage new Sub-processors without providing prior notice to the Customer in accordance with Section 6.

6. Sub-processors

6.1 The Customer provides a general authorisation for HireNote to engage the Sub-processors listed in Annex 1 to process Personal Data in connection with the provision of the Services.

6.2 HireNote shall impose on each Sub-processor data protection obligations that are at least as protective as those set out in this DPA, through a written agreement.

6.3 HireNote remains liable to the Customer for the performance of each Sub-processor’s obligations under this DPA.

6.4 HireNote will notify the Customer at least 14 days before engaging any new Sub-processor or replacing an existing Sub-processor. The Customer may object to such changes on reasonable data protection grounds within 7 days of notice. If no objection is raised within this period, the new Sub-processor shall be deemed approved.

6.5 If the parties cannot resolve a reasonable objection, the Customer’s sole remedy is to terminate the portion of the Services that cannot reasonably be provided without the use of the objected-to Sub-processor.

7. Controller Obligations

The Customer, as Controller, is solely responsible for:

7.1 Ensuring it has a lawful basis under applicable Data Protection Laws for instructing HireNote to Process candidate Personal Data, including interview recordings and transcripts.

7.2 Informing interview candidates that their interviews will be recorded and processed using AI, prior to any recording taking place.

7.3 Obtaining all necessary consents, or establishing another appropriate legal basis, for recording under applicable laws in the Customer’s jurisdiction.

7.4 Complying with all applicable data protection, employment, and recording consent laws.

7.5 Ensuring that instructions given to HireNote are lawful and do not require HireNote to violate applicable Data Protection Laws.

7.6 Failure to comply with any obligation in this Section 7 constitutes a material breach of this DPA and the Main Agreement. In the event of such breach, HireNote reserves the right to immediately suspend processing of the relevant Personal Data without liability to the Customer or any third party, until the breach is remedied to HireNote’s reasonable satisfaction.

8. Automated Processing and Article 22 GDPR

HireNote uses AI to generate transcripts and scorecards from interview recordings. This processing is automated. However, HireNote does not make automated decisions with legal or similarly significant effects about candidates.

Scorecards are delivered to the Customer as a tool to assist — not replace — the Customer’s professional judgement. All hiring and employment decisions are made exclusively by the Customer.

The Customer, as Controller, is responsible for ensuring compliance with Article 22 GDPR with respect to any automated processing of candidate data, including informing candidates of their rights where required. This includes, for example, ensuring candidates are informed that AI tools are used to generate structured assessments of their interview performance prior to or at the start of the interview.

9. Audit Rights

9.1 HireNote will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA upon written request.

9.2 Where existing documentation does not reasonably satisfy the Customer’s audit requirements, HireNote shall allow for and contribute to reasonable audits conducted by the Customer or a mandated third-party auditor, provided that:

  • Audits are limited to once per calendar year.
  • The Customer provides at least 45 days’ advance written notice.
  • Audits are conducted during normal business hours and in a manner that minimises disruption.
  • The Customer and any appointed auditor are bound by appropriate confidentiality obligations.
  • The Customer bears all costs associated with such audits.

10. Return and Deletion of Data

10.1 Upon termination of the Main Agreement, or at any time upon the Customer’s written request, HireNote shall promptly and securely delete or return all Personal Data in its possession or control, and shall securely delete all existing copies, unless retention is required by applicable law.

10.2 Residual copies in encrypted backups will be deleted within 30 days of the deletion or termination event.

10.3 Upon the Customer’s reasonable request, HireNote will provide written confirmation that all Personal Data has been deleted in accordance with this Section.

11. International Data Transfers

11.1 Where Personal Data is transferred to countries outside the European Economic Area (EEA) that are not subject to an adequacy decision by the European Commission, HireNote relies on Standard Contractual Clauses (Module Two: Controller-to-Processor) as approved by the European Commission under Commission Implementing Decision (EU) 2021/914 as the appropriate safeguard under Article 46 GDPR.

11.2 This applies to transfers to the following Sub-processors: OpenAI (US), Resend (US), Stripe (US), Vercel (US infrastructure), and Google (US).

11.3 HireNote acts as data exporter and each relevant Sub-processor acts as data importer under the applicable SCCs.

11.4 A copy of the applicable Standard Contractual Clauses is available upon request by contacting info@hirenote.app.

11.5 HireNote implements supplementary measures to support international transfers, including the technical and organisational measures described in Annex 2, and contractual commitments with Sub-processors regarding government access requests and data minimisation.

12. California and US State Privacy Laws

12.1 Where Personal Data is subject to the California Consumer Privacy Act (CCPA/CPRA), HireNote acts as a “Service Provider” and the Customer acts as a “Business.”

12.2 HireNote shall not sell or share Personal Data processed under this DPA. HireNote shall not retain, use, or disclose Personal Data for any purpose other than providing the Services as described in the Main Agreement.

12.3 To the extent Personal Data is subject to other US state privacy laws that impose obligations on processors or service providers, HireNote will act in that capacity and shall not use or disclose Personal Data other than as permitted under this DPA.

13. Governing Law

This DPA is governed by the laws of the Czech Republic, consistent with the governing law of the Main Agreement, unless otherwise required by applicable Data Protection Laws.

14. Acceptance

By registering for HireNote, the Customer agrees to be bound by this DPA. The person registering on behalf of an organisation represents and warrants that they have authority to bind that organisation to this DPA.

Annex 1 — Sub-processors

The following Sub-processors are authorised to Process Personal Data on behalf of the Customer in connection with the Services:

| Sub-processor | Purpose | Location | Transfer Mechanism |
| --- | --- | --- | --- |
| Supabase | Database and authentication | EU (Ireland) | EU-based, no transfer required |
| Vercel | Hosting and infrastructure | EU / US | Standard Contractual Clauses |
| Recall.ai | Meeting bot and recording | EU (Germany) | EU-based, no transfer required |
| OpenAI | AI transcription and scorecard generation | US | Standard Contractual Clauses |
| Resend | Email delivery | US | Standard Contractual Clauses |
| Workflow automation provider | Workflow automation | EU | Standard Contractual Clauses |
| Stripe | Payment processing | US | Standard Contractual Clauses |
| Google | Calendar integration | US | Standard Contractual Clauses |

HireNote will notify the Customer at least 14 days before adding or replacing any Sub-processor.

Annex 2 — Technical and Organisational Measures

HireNote implements the following technical and organisational measures to protect Personal Data:

Encryption

All Personal Data is encrypted in transit using TLS and encrypted at rest. Audio recordings are deleted as soon as reasonably practicable after transcription is complete, and are not retained beyond what is strictly necessary to provide the transcription service.

Access Controls

Access to Personal Data is restricted to authorised personnel only, on a need-to-know basis. Access rights are reviewed regularly.

Confidentiality

All personnel with access to Personal Data are bound by confidentiality obligations.

Data Minimisation

HireNote collects and processes only the Personal Data necessary to provide the Services. Audio recordings are not retained after transcription is complete.

Retention and Deletion

Personal Data is retained only for the periods set out in the Privacy Policy and this DPA. Secure deletion procedures are applied upon termination or upon Customer request.

Incident Response

HireNote maintains an incident response process. In the event of a Personal Data Breach, HireNote will notify the Customer within 48 hours of becoming aware of the breach.

Sub-processor Management

All Sub-processors are bound by data processing agreements imposing data protection obligations at least equivalent to those in this DPA.

AI Processing

Personal Data processed through AI features (transcription and scorecard generation) is used solely to provide the Services. HireNote does not use Customer data to train AI models. Data sent to OpenAI via API is processed in accordance with OpenAI’s API data usage policy and is not used by OpenAI to train its models.

Infrastructure Security

HireNote uses cloud infrastructure providers (Supabase, Vercel) that maintain their own security certifications and controls. HireNote regularly reviews the security practices of its Sub-processors.