
Data Processing Addendum

This Data Processing Agreement (this “DPA” or “Addendum”) is entered into by and between EdTech Plus B.V. (“ORFI” or “the Processor”), having its legal seat in Amsterdam at Gustav Mahlerlaan 300, 1082 ME, Amsterdam, the Netherlands, and the Customer (the “Customer”), in connection with ORFI’s provision of Services under the applicable customer agreement (the “Agreement”).

Both parties shall be referred to as the “Parties” and each, a “Party”.

In consideration of their mutual obligations, the Parties agree that the terms of this Addendum shall form an integral part of the Customer Agreement entered into by the Customer via https://docs.orfi.ai/customer-agreement/.

In the event of any conflict between certain provisions of this DPA and the provisions of the Customer Agreement, the provisions of this DPA shall prevail with respect to the Processing of Personal Data.

1. Definitions

1.1. The terms used in this Addendum have the same meaning as those used in the Agreement unless explicitly provided otherwise in this Addendum. Capitalized terms not defined herein shall have the meaning assigned to such terms in the Agreement.
1.2. “Applicable Data Protection Law” means all data protection and privacy laws and regulations applicable to the Processing of Personal Data under this Addendum, including, where applicable: (a) GDPR; (b) UK GDPR; (c) FADP; (d) CCPA; and (e) any other laws, regulations, or legally binding rules (including sector-specific or state-specific legislation) in any jurisdiction that apply to the collection, use, disclosure, retention, or other processing of Personal Data.
1.3. The terms “Controller”, “Member State”, “Processor”, “Processing”, “Supervisory Authority”, “Data Subject”, “Personal Data”, “Personal Information”, “Sub-Processor” and “Personal Data Breach” shall have the same meaning as in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”). The terms “Business”, “Business Purpose”, and “Consumer” shall have the same meaning as in the CCPA.
1.4. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq., as may be amended from time to time, including the California Privacy Rights Act.
1.5. “UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
1.6. “FADP” means the Swiss Federal Act on Data Protection of 19 June 1992, as revised on 25 September 2020 (the “Revised FADP”).
1.7. “Services” means the services provided to the Customer by ORFI in accordance with the Agreement.
1.8. “Security Documentation” means the Security Documentation applicable to the Services purchased by the Customer as made available by ORFI.
1.9. “Standard Contractual Clauses” shall mean the standard contractual clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

2. Roles

2.1. When processing Personal Data under Applicable Data Protection Law, the Parties agree that ORFI acts as Processor on behalf of the Customer, which may act either as a Controller or a Processor, and that ORFI or members of the ORFI Group will engage Sub-Processors pursuant to the requirements of this DPA. Under the terms of the CCPA, ORFI will take the role of the “Service Provider” and the Customer will take the role of the “Business”.

3. ORFI obligations and compliance with Law

3.1. When processing Personal Data, ORFI (i) complies with the provisions of Applicable Data Protection Law, (ii) acts only on the documented instructions from Customer, and (iii) acts only for the purposes authorized by the Customer. If ORFI is required to process Personal Data in compliance with the law of the European Union or a Member State to which ORFI is subject, it will inform the Customer of such legal requirement prior to such processing, unless a law of the European Union or Member States to which ORFI is subject prohibits it from doing so. Taking into account the nature of the processing and the information available to it, ORFI shall assist the Controller with the obligations pursuant to Articles 32 to 36 of the GDPR, insofar as this is possible.
3.2. Security Measures. ORFI implements and duly maintains appropriate technical and organizational security measures to protect Personal Data. An overview of the applicable security measures is enclosed as Annex 3 to this Addendum.
3.3. Confidentiality. ORFI ensures that all employees authorized to process Personal Data on its behalf are subject to appropriate confidentiality obligations with respect to that Personal Data.
3.4. Personal Data Breaches and cooperation with Customer. ORFI will notify the Customer without undue delay after it becomes aware of any Personal Data Breach and will provide the necessary information and necessary support to the Customer.
3.5. Deletion or Return of Personal Data. ORFI will delete or return, at the choice of the Customer, the Personal Data processed on behalf of the Customer, on termination or expiration of the Services. As a sole exception, ORFI will retain (part of) the Personal Data in case and within the limit such is required by applicable law.
3.6. Data Subject Requests. When a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is received directly by ORFI, it will promptly redirect the request to the Customer. The Customer will be solely responsible for addressing and responding to any such Data Subject Requests. ORFI shall provide reasonable support to the Customer in handling Data Subject Requests, insofar as this is possible.
3.7. Use of Sub-Processors. When engaging Sub-Processors, ORFI will impose terms providing at least the equivalent level of protection for Personal Data as those contained in this document. Customer hereby agrees that ORFI may engage Sub-Processors to Process Personal Data on its behalf; a list of the current Sub-Processors is set out in Annex 1.
3.8. Changes. Any change of Sub-Processors will be notified to the Customer at least 10 (ten) days prior to any such change, as specified in Annex 1. The Customer will be given the opportunity to object to the engagement of new Sub-Processors on reasonable grounds related to the protection of Personal Data. If, within this period, Customer notifies Provider in writing of an objection to Provider’s appointment of such new Sub-Processor based on reasonable data protection concerns, the parties will discuss such concerns in good faith. If no solution can be reached, Customer will be allowed to terminate the Service without prejudice to any fees incurred by Customer prior to suspension or termination, but without liability to either party.

3.9. Personal Data Breaches and cooperation with Customer. ORFI will notify the Customer without undue delay by e-mail as specified in Annex 3 and in any case within twenty-four (24) hours after becoming aware of any Personal Data Breach and will provide the necessary information and necessary support to the Customer.

3.10. Deletion or Return of Personal Data. ORFI will delete or return, at the choice of the Customer, the Personal Data processed on behalf of the Customer, on termination or expiration of the Services. As a sole exception, ORFI will retain (part of) the Personal Data in case and within the limit such is required by applicable law.

4. Customer’s obligations

4.1. Compliance with Laws. The Customer is responsible for complying with all requirements that apply to it under Applicable Data Protection Law with respect to its Processing of Personal Data and the Instructions issued to ORFI. The Customer will, moreover, inform ORFI without undue delay if it is not able to comply with its responsibilities under Applicable Data Protection Law.

4.2. Security. The Customer is responsible for the secure use of the Services offered by ORFI, and it is responsible for independently determining whether the data security provided adequately meets the obligations under Applicable Data Protection Law.

5. Controls, audits and reports

5.1. Reports. Upon the Customer’s request, ORFI shall assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR. Also, upon written request made by Customer and limited to once a year, ORFI will provide Customer with a self-assessment report demonstrating ORFI's compliance with its obligations under this DPA and Applicable Law. This self-assessment will cover all processing activities performed by ORFI in the previous calendar year.
5.2. Audits. ORFI will allow an independent and suitably qualified auditor appointed by the Customer to conduct inspections to verify ORFI’s compliance with its obligations under this Addendum, provided a minimum of 30 (thirty) days' notice is given and not more than once per calendar year.
5.3. Costs. All additional costs and expenses incurred by ORFI in the performance of the activities listed in this Section 5 may be charged to the Customer.

6. Cross-border data transfers and processing location

6.1. ORFI processes Customers’ Personal Data within the region according to the choice of the Customer.
6.2. Personal Data may be transferred from EU and EEA Member States, the United Kingdom (“UK”) and Switzerland to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, the UK, and/or Switzerland (“Adequacy Decisions”), as applicable, without any further safeguard being necessary.

6.3. Transfers from the EEA, the United Kingdom and Switzerland to countries that offer no adequate level of data protection. ORFI will only transfer personal data to non-adequate countries with the approval of the Customer and with an adequate transfer mechanism, such as the EU Standard Contractual Clauses.

The Standard Contractual Clauses are incorporated by reference, form part of this Agreement and are added as Annex 2; they apply if Customer is located in a non-Adequate third country.

7. General Provisions

7.1. Severability. If any individual provisions of this DPA are invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.

7.2. Limitation of Liability. Each party's and each of their Affiliates' liability arising out of or related to this DPA will be subject to the limitations and exclusions of liability set out in the Agreement.

7.3. Governing Law and Jurisdiction. This Addendum is governed by and construed in accordance with the Laws of the Netherlands and subject to the exclusive jurisdiction of the courts of Amsterdam.

ANNEX 1 - Details of the Processing

Nature and Purpose of Processing

  1. Providing the Services to the Customer;
  2. Performing the Services under the Agreement, and this DPA and processing possible requests of the Customer;
  3. Collecting Candidates' responses to the interview questions you set and your requests for information about Candidates' qualifications and experience, for us to then provide recommendations (Candidate Reports) to you for you to determine a Candidate's suitability for a position;
  4. Acting upon the Customer’s written instructions in accordance with the Agreement;
  5. Complying with applicable laws and regulations and with the provisions of this Addendum.

Duration of Processing

Processor will Process Personal Data pursuant to the Addendum and Agreement for the duration as set by the Customer in the Account, and will keep it for 30 days after, unless otherwise agreed upon in writing. EdTech Plus will keep backups for 7 days following the deletion of the Customer Content initiated by the Customer.

Categories of Data Subjects and Categories of Personal Data

Categories of personal data processed

Customer’s Employee/Representative, referred to in the Customer Agreement as User (a Hiring manager, Recruiter, or Team member is referred to as a User)

  • User’s Full Name
  • E-mail, the User’s email address used for login or communication, the Customer’s corporate email domain (used for matching or validation)
  • Company Name, the name of the User’s company
  • Acceptance of the Agreement
  • User’s Sessions. The User’s active or historic session data
  • The manager’s position/title within the Customer’s organization
  • Approximate size of the manager’s company (e.g., number of employees)
  • The manager’s role or level within a specific team (administrator, User without admin rights)
  • The timestamp and logs regarding the creation or modification of the User Account
  • Indication whether the User has opted in to marketing emails
  • A list/count of invites the manager has sent to potential team members, the e-mail address of the person invited to a team, and the timestamp regarding when the team invite was accepted
  • The manager details who sent the team invite, date/time when the team invite expires
  • The team’s name, as designated by the User within the product/application
  • The transcription of an interview/meeting call
  • Metadata about the call
  • Full name (username) of participants who spoke during the call
  • Activity logs regarding the recording of shared screens during the call

Candidates interviewed by the Customer’s Hiring manager, Recruiter, or a Team member

  • Work authorization or visa status, if discussed during the call
  • Right-to-work documents (e.g., work permits, residency cards), if discussed during the call
  • Expected salary or rate if discussed during the call
  • Previous salary details (if provided), if discussed during the call
  • Any additional information voluntarily provided by the candidate (e.g., personal interests, hobbies, or reasons for applying) if discussed during the call
  • The transcription of an interview/meeting call
  • Metadata about the call
  • Full names of participants who spoke during the call
  • Information or recording of shared screens during the call
  • Any information that the Candidate voluntarily brings up for discussion during the call

Sub-Processors

Processor may engage with the following Sub-Processors to provide the Services: 

Name of the Sub-processor | Services | Location | DPA/SCCs executed
--- | --- | --- | ---
Nebius B.V. | LLM-as-a-service (Token Factory) | EU | Yes
Assembly | Speech transcription | EU | Yes
AWS | Cloud Services | EU | Yes
Google Workspace | Productivity & Collaboration | EU | Yes
Mailgun | E-mail distribution | EU | Yes
Recall | Integration with the Company's video conferencing solution | EU | Yes
HubSpot Netherlands B.V. | Communication with Clients, email marketing & Support Chat | EU | Yes
Anthropic | Claude AI Model | EU | Yes

The Processor will communicate changes in sub-processors to the Customer’s administrator registered email 10 (ten) calendar days prior to changes taking effect.

ANNEX 2 Standard Contractual Clauses

EEA Cross-Border Transfers

  1. The Parties hereby agree to the Standard Contractual Clauses as outlined in the Annex of the European Commission Implementing Decision (EU) 2021/914 of June 4, 2021 (“SCC”).
  2. Module Four (processor to controller) of the SCC shall apply where ORFI is a processor of the Personal Data and Customer is a controller of the personal data.
  3. Module Three (processor to processor) of the SCC shall apply where Customer is a processor of the personal data and ORFI acts as a Sub-Processor.
  4. Clause 7 of the SCC (Docking Clause) shall not apply.
  5. For the purposes of Clause 9 of the SCC (concerning Module Three transfers), the Parties choose Option 2 (“General Written Authorisation”) of Clause 9 of the SCC, and specify that the processor shall inform the controller in writing of any intended changes to the list of sub-processors through the addition or replacement of sub-processors at least thirty (30) days in advance, thereby giving the controller sufficient time to object to such changes prior to the engagement of the concerned sub-processor(s). The Parties also agree that the relevant agreed list of sub-processors is provided in Annex 1 to this DPA and may be amended from time to time as agreed in this clause.
  6. For the purposes of Clause 11 of the SCC, the optional language will not apply.
  7. For the purpose of Clause 17 of the SCC, option 1 shall apply, and the Parties agree that the SCC shall be governed by the laws of the Netherlands.
  8. For the purpose of Clause 18(b), disputes shall be resolved before the courts of the Netherlands.
  9. Annex I.A of the SCC shall be completed as indicated in Annex 1.
  10. Annex I.B of the Standard Contractual Clauses shall be completed as described in Annex I of this DPA.
  11. The period for which the personal data will be retained is for the duration of the Agreement, unless agreed otherwise in the Agreement and/or the DPA.
  12. In relation to transfers to Sub-processors, the subject matter, nature, and duration of the processing is set forth in Annex 1 of this DPA.
  13. Annex I.C of the SCC shall be completed as follows: The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 7 above.
  14. Annex 3 of this DPA serves as Annex II of the SCC.
  15. The Parties agree that other clauses and additional safeguards added by this DPA to the SCC do not directly or indirectly contradict the SCC or detract from the fundamental rights or freedoms of data subjects.
  16. To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this DPA or the Customer Agreement, the provisions of the Standard Contractual Clauses will prevail.
  17. In the event of EEA Transfer or UK Transfer the Parties agree to supplement international data transfer(s) with the appropriate safeguards and representations.

ANNEX 3 Security and Organizational Measures

TECHNICAL AND ORGANISATIONAL MEASURES

A.

The below provides a description of the technical and organizational measures, which shall be implemented by the data processor (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

The data processor shall guarantee to have/be:

  1. the ability and technical capacity to ensure the ongoing security, confidentiality, integrity, availability, and resilience of processing systems, networks and services. Data processor shall maintain network and physical security policies, procedures, and systems and shall perform network security activities consistent with best practices in the data processor’s industry, which shall, at a minimum, include: network firewall provisioning, intrusion detection, and regular (but in no event less frequently than annually) vulnerability assessments. In no event shall the foregoing, as applied to the personal data of the data controller, be any less stringent and protective than those applied by the data processor to the protection of its own data and systems of a like or similar nature;
  2. the ability and technical capacity to restore the availability and access to the personal data in a timely manner in the event of a physical or technical incident;
  3. an adequate process for regularly monitoring, testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing;
  4. adequate and current controls and preventive measures in place against access of unauthorized persons to data processing systems (physical access control), concretely the following measures are implemented with respect to Access Management: i) Need-to-Know basis, Least Privilege, Segregation of Duties (SoD). ii) Approval for each access request must be obtained through a verifiable process to confirm the necessity. Information systems must leverage a robust framework consisting of these processes: Identification, Authentication, Authorization, Accounting (logging);
  5. proper and accurate controls in place for keeping personal data logically separate from data processed on behalf of any third party and/or for other purposes, as well as proper controls regarding the sharing of personal data within its organization and with third parties;
  6. applying a level of encryption (at rest and in transit) and pseudonymisation of the personal data, appropriate to the risks and personal data processed;
  7. ensuring that in the course of processing activities and after storage, personal data cannot be read, copied, modified, or deleted without authorization (data access control);
  8. envisaging and applying the necessary measures to ensure that the personal data cannot be read, copied, modified, or deleted without authorization during electronic transmission, transport, or storage, and that the target entities for any transfer of the personal data by means of data transmission facilities can be established and verified (data transfer control);
  9. ensuring the establishment of logging and the deployment of an audit trail to document whether and by whom the personal data has been entered into, modified in, or removed from data processing systems (entry control);
  10. maintaining and enforcing an information security policy and security incident management and continuity plans, consisting of, among others, the analysis performed in this respect and the risk management of personal data, a description of various responsibilities and organizational rules, a description of how security incidents are managed, and the measures that were introduced to keep the security system up-to-date after installation;
  11. ensuring that information security is led by trained experts with the necessary competencies. Moreover, ensuring that the staff is trained and obliged to confidentiality, and aware of and trained in data protection;
  12. ensuring physical environment security, for instance, by means of security and surveillance regarding buildings, premises, and installations where carriers of personal data and computer systems processing the data are positioned, as well as prevention, detection, and operating procedures in the case of fire, intrusion, and water damage;
  13. ensuring that asset management process, policy, and procedures are in place (asset inventory is in place with annual reviews);
  14. ensuring that human resources processes, policies, and procedures are in place (employee background checks prior to hiring where applicable, account disabling upon termination, annual security awareness trainings, etc.);
  15. ensuring that antivirus protection/EDR is in place (as additional operational controls);
  16. ensuring effective change management process, policy, and procedures are in place (changes are reviewed, tested, and approved before being deployed to production);
  17. maintaining complete and up-to-date documentation proportionate to the risk profile of the processing operations, including, but not limited to, technical documentation of implemented security measures and other information necessary to demonstrate compliance with the requirements of this Annex; and
  18. ensuring that the personal data is processed solely in accordance with the relevant controller’s instructions (control of instructions).

Security Breach Notification - In the event of a personal data breach or breach of any of the data processor’s security obligations, the data processor shall notify the data controller of such an event without undue delay after discovery by telephone and e-mail at the following phone number and email address:

E-mail: privacy@orfi.ai

B.

The below provides a description of the technical and organisational measures, which shall be implemented by the data processor in order to assist the data controller in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679, and the scope and the extent of the assistance required.

The data processor shall ensure to have/be:

  1. the ability to effectively and promptly notify the data controller that it has received a request from a data subject to exercise its rights under Regulation (EU) 2016/679 concerning the personal data of the data controller;
  2. the ability, at its own cost and expense, to co-operate with the data controller as requested to enable the data controller to comply with exercise of rights by a data subject under Regulation (EU) 2016/679 concerning the personal data of the data controller, and to comply with any assessment, inquiry, notice or investigation under Regulation (EU) 2016/679 concerning the personal data of the data controller, which includes:
  • providing all data requested by the data controller within a reasonable timescale, which shall always be set by the data controller, but in any case not longer than 3 days, including full details and copies of the complaint, communication, or request and any of the personal data of the data controller it holds in relation to a data subject;
  • where applicable, providing such assistance as is reasonably requested by the data controller to comply with the relevant request within the timescales prescribed by Regulation (EU) 2016/679; and
  • implementing any additional technical and organisational measures as may be reasonably required by the data controller to allow the data controller to respond effectively to relevant complaints, communications or requests.
  3. the ability to assist the data controller in fulfilling the data controller's obligation to respond to a request to exercise the rights of the data subject as set out in Chapter III of Regulation (EU) 2016/679. In particular, the data processor undertakes to respond to requests for access to data, requests for rectification and erasure of data, requests for restriction of processing, and requests to exercise the right to data portability.

Publication date: [04/11/2025]

Web address: https://docs.orfi.ai/data-processing-agreement/