Preamble

JOIN has set itself the mission of connecting job seekers and companies worldwide. Companies can use the JOIN platform at https://join.com (hereinafter referred to as “platform”) to advertise vacancies and manage applications received in one central location. Our services are designed to make the recruiting process easier for companies and employees alike, especially for the allocation of suitable candidates and simplifying the job application procedure. The platform also gives candidates the opportunity to search for interesting job offers and find out what vacancies are available.

The Company can manage specific application procedures on the platform using a web-based management tool (“applicant management tool“). In this context, personal data generated by the Company for the respective application process is processed by JOIN acting as the processor for the Company as the controller as defined by the current data protection laws. As for JOIN’s other services, such as the allocation of suitable candidates or offers for candidates, personal data is processed by JOIN as the controller as defined by the current data protection laws.

This AVV serves to protect the parties against the improper use of the personal data processed in the applicant management tool, to ensure data protection by JOIN due to personal data that the Company has made known to them, and to comply with the legal requirements in the event that the business relationship between the company and JOIN should be deemed as data processing.

This AVV shall form part of every service agreement between the parties, unless otherwise expressly agreed in a contract to be concluded after the conclusion of this AVV. This document, including all appendices, also specifies the data protection obligations of the parties from the underlying service agreement as follows:

1. Scope and definitions

1.1 The following provisions only apply to JOIN services that qualify as data processing within the framework of the service agreement, in particular the applicant management tool.

1.2 Where the term “data processing” or “processing” of data is used in this agreement, this generally refers to the use of personal data. Data processing or the processing of data means any operation or series of operations performed upon personal data, with or without the aid of automated processes. The term is also defined as such in Art. 4 No. 2 of the General Data Protection Regulation (“GDPR“) and Art. 3 (a) of the Swiss Data Protection Act (“DSG“) (GDPR and DSG together” applicable data protection laws“).

1.3 Reference is made to the other definitions in Art. 4 GDPR and Art. 3 DSG.

2. Subject and duration of the agreement

2.1 Under this AVV, JOIN shall process personal data exclusively on behalf of and in accordance with the Company’s instructions. This includes in particular those processing services that JOIN provides for the Company via the applicant management tool solely for application management in accordance with the service agreement. In this service agreement and in Section 4, the parties have specified the details in accordance with Article 28 (3) GDPR, in particular the subject and duration of the data processing, as well as the handling, nature and purpose of the intended data processing, the type of data and those affected.

2.2 The data processing by JOIN on behalf of the Company is carried out in accordance with Art. 28 GDPR and Art. 10 (a) DSG. The company always remains the entity responsible for data processing.

3. Ranking of the contractual agreements

The provisions of this AVV are an integral part of the service agreement between the parties and take precedence over the other contractual agreements of the parties, in particular other contracts that contain provisions that deviate from those of this AVV to the detriment of the Company. Clause 1.1. remains unaffected. The provisions of this AVV do not apply to the processing of personal data that JOIN, as the controller, provides to the company as part of the service agreement.

4. Purpose, scope and nature of data processing

The parties hereby agree that the purpose of the data processing is the fulfilment of the contractual purposes according to the service agreement, in particular the implementation and management of specific application processes, which can be accessed by the Company via the applicant management tool on the JOIN platform. The scope and nature of data collection, processing and/or use of personal data are determined by the provisions of the service agreement as well as the services actually used by the Company.

5. Persons affected

The persons affected by the handling of personal data within the framework of the service agreement include

• candidates for positions published by the Company via the platform; and
• company employees.

6. Types of personal data

The following types of data are particularly affected by order processing:

• Personal master data of the candidates (e.g. name, title, academic degree, date of birth, telephone number, email address),
• the data transmitted by the applicants (applicant data; curriculum vitae, references, references, certificates, etc.),
• all information related to the application process recorded in the applicant management tool, such as messages sent via the platform, information about the application process and a candidate’s progress in the application process recorded on our platform, or questions, which are asked as part of the application process and are recorded on our platform,
• data generated through the use of the applicant management tool, such as metadata, this includes information about how long an application process takes, how many candidates have applied and how far a candidate has come in the application process,
• data generated through interactions with the applicant management tool, such as the answers provided to questions asked by candidates, data recorded by the company itself that has not been deleted in the applicant management tool and contact establishing messages to the candidates or JOIN,
• Personal master data (e.g. name, job title, email address, telephone number, business address) and access data (e.g. username and password) of company employees.

If this data is processed as part of other JOIN services, such as the allocation of suitable candidates or services for candidates, this does not take place within the scope of this AVV. In such cases, JOIN shall process this data as the controller as defined by the current data protection laws.

7. Rights and obligations of the Company

7.1 The Company alone is responsible for assessing the admissibility of the data processing carried out by JOIN on behalf of the Company and for safeguarding the rights of those affected pursuant to Article 4 No. 7 GDPR and Article 3 (i) DSG. The Company is particularly, but not exclusively, responsible for (1) fulfilling the data protection information obligations with regard to the candidates, (2) obtaining the necessary consent from the candidates for the processing of the data by the Company or JOIN, if this is absolutely required according to the current data protection laws, and (3) to comply with the deletion deadlines applicable to the respective application process.

7.2 As the data controller, the company is entitled at any time to issue instructions on the nature, scope and procedure of the data processing carried out on behalf of the customer. Verbal instructions must be confirmed by the company in writing (including email).

7.3 If the Company deems it necessary, persons authorised to issue instructions may be named. The information must be provided in writing by the Company. In the event that there is a change in the persons authorised to issue instructions at the Company, the Company shall inform JOIN of this in good time, naming the new person or persons in each case.

7.4 The Company shall inform JOIN if errors or irregularities are detected in connection with the processing of personal data by JOIN.

7.5 The Company is entitled check the compliance of the technical and organisational data security measures taken by JOIN in accordance with Section 9 before the start of data processing and then at regular intervals, but no more than once a year, after timely prior notification of at least 30 days during normal business hours and taking into account the interests of JOIN. The Company can also have this check carried out by a third party, provided they have previously concluded a confidentially agreement. The Company is obliged to pay the usual remuneration to the persons entrusted implementing these measures.

7.6 The Company is obliged to inform JOIN about data protection incidents or other breaches of the current data protection laws affecting JOIN’s processing activities.

7.7 The Company shall inform JOIN promptly if it becomes aware of specific measures taken by the supervisory authorities affecting the Company, in particular investigative measures by the authorities, provided that this affects data processing for the Company and the Company is not obliged to maintain confidentiality.

8. JOIN’s obligations

8.1 Data processing

JOIN is obliged to process personal data under this AVV solely in accordance with this agreement and/or the underlying service agreement and the instructions of the Company. 

8.2 Rights of data subject

JOIN will support the Company as far as possible in fulfilling the rights of data subjects, in particular with regard to correction, restriction of processing and deletion, notification and provision of information. 

JOIN shall, on the company’s instructions, rectify, delete or restrict the processing of the personal data processed on behalf of the Company. This obligation does not apply to personal data that JOIN processes as controller as part of the services it offers via the platform.

If a data subject contacts JOIN directly to request correction, deletion or restriction of processing of his or her personal data, JOIN shall forward this request to the Company immediately upon receipt. The Company shall remain responsible for the execution of the requests.

8.3 Internal control obligations

JOIN shall implement the appropriate control measures, e.g. internal audits, data protection concept, etc., to ensure that the personal data processed under this AVV is processed in accordance with this agreement and the corresponding instructions.

8.4 Duty to inform

JOIN, as the controller, shall inform the Company if, according to its own assessment, an instruction violates legal regulations. JOIN shall then be entitled to suspend the execution of the corresponding instruction until it is amended by the company. This does not hereby justify JOIN’s obligation to check or notify.

JOIN shall notify the Company of any breach of data protection regulations, of the regulations made in the service agreement and the agreement and/or the instructions issued, which occurs in the course of the processing of data by it, persons employed by it or other third parties entrusted with the processing, if this triggers the current data protection reporting obligations.

If access to the personal data that the company has transmitted to JOIN for data processing is endangered by measures taken by third parties (e.g. measures taken by an insolvency administrator, confiscation by tax authorities, etc.), JOIN is obliged to notify the company of this.

JOIN shall only pass on information to a party requesting information after prior agreement with the Company, unless JOIN is obliged to provide information by government measures or court decisions.

8.5 Creation of a processing log

Upon request, JOIN shall support the Company in compiling a list of processing activities within the scope of the AVV and the data processing that is taking place and provide the necessary information in a suitable manner.

JOIN shall also maintain its own log of all categories of processing activities carried out on behalf of the Company in accordance with the provisions of the current data protection laws.

8.6 Reporting obligations

JOIN shall support the company upon request in fulfilling the obligations pursuant to Art. 33-36 DSGVO.

8.7 Place of data processing

Unless otherwise agreed between the parties, the processing and use of the data by JOIN takes place exclusively in Switzerland, the European Union or in another treaty state of the Agreement on the European Economic Area. Any relocation of JOIN’s data processing activities to a third country is only permitted if the special requirements of Art. 44 et seq. GDPR or Art. 6 DSG are observed.

8.8 Deletion of personal data after termination of the agreement

After the termination of the service agreement, JOIN is obliged at the request of the Company to hand over to the Company all personal data, documents and processing and usage results that are subject to this AVV and that are related to the contractual relationship as well as delete in compliance with data protection and data security guidelines and in accordance with the company’s instructions that which JOIN is not contractually or legally entitled or obliged to continue processing. This obligation to delete does not apply to personal data that JOIN processes as controller as part of the services it offers via the platform.

9. Data protection checks and audit rights

9.1 JOIN hereby agrees that the Company is entitled, after prior mutual agreement, to conduct checks for compliance with data protection regulations and contractual agreements to the necessary extent, either itself or through third parties who have previously concluded a confidentially agreement, in particular by obtaining information and inspecting the stored data and systems as well as other on-site controls. In order to exercise the right to conduct checks, JOIN shall grant the Company the right to visit JOIN’s premises during its normal business hours upon notification at least 30 days in advance, provided this does not disrupt the course of business and taking into account JOIN’s interests, to gain confirmation of the appropriateness of the organisational and technical measures taken and contractually agreed by JOIN to comply with the requirements of the provisions in place for data processing.

9.2 JOIN shall support the company in carrying out checks to the best of its ability and shall provide swift and complete clarification where necessary.

9.3 JOIN shall accept any control measures by the data protection supervisory authority if there is a legal or obligation to do so. It shall inform the Company in accordance with Section 8.4 after notification or becoming aware of the implementation of the control measure and other enquiries or investigations by the data protection supervisory authority, insofar as the measures or inquiries may affect data processing that JOIN provides for the Company and JOIN is not legally obliged to maintain confidentiality.

9.4 Upon request, JOIN shall confirm in writing compliance with the technical and organizational measures specified in Appendix 1.

10. Subcontracting and Subcontractors

10.1 JOIN is entitled to commission subcontractors with data processing in accordance with the following provisions:

JOIN carefully selects subcontractors based on their suitability and reliability and ensures that the respective subcontractor guarantees an appropriate level of data protection.

If subcontractors are commissioned, a level of protection must always be guaranteed that is comparable to that of this agreement.

JOIN is obliged to draft the contractual agreements with the subcontractors in accordance with the current agreements in the relationship between the Company and JOIN, and to ensure that any supplementary instructions from the Company also apply to the subcontractors.

JOIN shall inform the Company in good time, i.e. no later than two weeks before the start of the planned subcontracting, of any intended change in relation to the involvement or replacement of other processors. If the Company does not object to the subcontracting within two weeks of receiving the information, it is deemed to have been approved. If the Company objects to the subcontracting, the parties shall be entitled to extraordinarily terminate the service agreement and these AVV.

10.2 JOIN shall provide the Company with a copy of the subcontracted processing agreement upon request, provided and insofar as this is not contrary to JOIN’s interests.

10.3 JJOIN shall, at the time of the conclusion of the agreement, cooperate with the subcontractors named in Appendix 2 in the fulfilment of the agreement, the commissioning of which the Company expressly agrees.

11. Data secrecy

11.1 JOIN is obliged to maintain confidentiality and data secrecy when processing data for the Company.

11.2 JOIN shall only use employees or other vicarious agents to fulfil the agreement who are sufficiently committed to data secrecy or confidentiality when handling personal data provided and who have been properly briefed on the data protection requirements.

12. Technical and organisational measures

12.1 The technical and organisational measures outlined in Appendix 1 are obligatory.

12.2 JOIN shall observe the principles of proper data processing in accordance with Article 32 in conjunction with Article 5 (1) GDPR and Article 7 in conjunction with Article 4 DSG. It guarantees the contractually agreed and legally prescribed data security measures outlined in Appendix 1. For the duration of the contractual relationship, JOIN shall take all necessary measures to secure the data and the security of the processing, in particular taking into account the current technology standards, as well as to reduce possible disadvantageous consequences for the data subjects. In order to always be able to guarantee an appropriate level of security for data processing, JOIN shall ensure that the measures implemented are regularly reviewed and, if necessary, upgraded. JOIN is free to make such changes to the technical and organisational measures that increase the agreed level of security. JOIN shall inform the Company of changes made to these measures in good time.

13. Form clause

13.1 Any amendments or additions to this AVV or other agreements made between the parties with reference to it, or any declaration that directly amends the content, scope of the services or obligations of either party under this AVV must be in written form to be effective. This also applies to an amendment to this clause.

13.2 All declarations by the parties, in particular notifications, announcements, statements and other information to be transmitted to the other party, must be in written form to be effective. At the request of the receiving party, which must be asserted in writing promptly after receipt of the declaration, a declaration sent in writing must be confirmed in writing by the declaring party. If the confirmation is not issued, the declaration made in writing is deemed not to have been made.

14. Place of jurisdiction

14.1 The sole place of jurisdiction, also internationally, for all disputes arising directly or indirectly from this AVV shall be the court having jurisdiction for JOIN’s registered office. The agreement on the place of jurisdiction does not apply if the dispute relates to claims other than pecuniary claims or if a sole place of jurisdiction has already been established for the dispute in accordance with the statutory provisions.

14.2 JOIN is entitled to take legal action against the Company at its general place of jurisdiction.

15. Miscellaneous

15.1 In the event of any inconsistency between the provisions of this agreement and the provisions of the service agreement, the provisions of this agreement shall prevail.

15.2 This agreement is governed by Swiss law to the exclusion of the UN Convention on Contracts for the International Sale of Goods and conflict of laws. For customers based in the European Union, the law of the member state in which the Company has its registered office applies.

APPENDIX 1 to the AVV

Technical and organisational measures

JOIN assures that it has taken the following technical and organizational measures:

1. Measures to ensure confidentiality

1.1. Access control

Measures that physically prevent unauthorised persons from accessing IT systems and data processing systems that process personal data, as well as confidential files and data carriers.

• The area for data processing is adequately secured by an appropriate construction method
• All possible entrances have been secured against unauthorised access
• An access control system with chip card reader and transponder locking system is set up
• There is a controlled key allocation, chip card, etc.
• Documentation of key and chip card allocation
• Door security (electronic door opener, etc.)
• Obligation of employees to data secrecy according to BDSG (German Data Privacy Act), esp. §5, §43
• Password policy
• Digital certificates
• Two-factor user login, (for critical services)
• Encryption of communication/data processing
• Use of software firewalls (for Windows devices)
• Automatic screen lock/employee policy
• Up-to-date user management
• Encryption of data carriers in laptops/notebooks
• Assignment of user rights (where possible, set up especially for critical services)

1.2 Access control

Measures to prevent unauthorised persons from processing or using data protected by data protection law.

• Obligation of employees to data secrecy according to BDSG (German Data Privacy Act), esp. §5, §43
• Authorisation concepts (profiles, roles, etc.)
• No on-site server storage (cloud only)
• Password procedure, i.e. personal and individual user log-in when registering on the system (including special characters, minimum length, regular change of password)
• A password generator for random passwords is used
• The transmission of the confidential authentication details via the network is encrypted
• Access passwords and/or form inputs are not stored on the client or in its environment (e.g. storage in the browser or Post-Its)
• Access authorisations are always assigned individually (personally)
• The circle of authorised persons is minimised to the number deemed operationally necessary
• A person responsible for issuing access authorisations has been appointed
• Management of rights by system administrator
• ID card reader, controlled key allocation, chip card, etc.
• Door security (electronic door opener, etc.)
• Manual locking system
• Security locks
• Access control systems with chip card readers and transponder locking systems
• There is a secure procedure for resetting access blocks, e.g. reassigning a user ID
• Limiting the number of authorised employees
• Access lists
• Encapsulation of sensitive systems through separate network areas (since no sensitive systems are hosted on site)
• Authentication procedure
• Installation of antivirus and spyware filters that are regularly updated
• Transmission of data via encrypted data networks or tunnel connections (VPN – this is partly the case with sensitive data)
• Password policy
• Use of software firewalls
• Installation of anti-virus and spyware filters that are regularly updated (for the devices and services used, this is partly done on the service side, otherwise automatically on the device side)

1.3 Access control

Measures that ensure that those authorised to use the data processing procedures can only access the personal data subject to their access authorisation, so that data cannot be read, copied, amended or removed without authorisation during processing, use and storage.

• Authorisation concepts (profiles, roles, etc.)
• Access authorizations are always assigned individually (personally)
• Management of rights by system administrator
• The circle of authorised persons is minimised to the number deemed operationally necessary
• Number of administrators is limited to the number deemed essential.
• A person responsible for issuing access authorisations has been appointed
• Each person with access authorisation can only access the data that they specifically need to process the current process in accordance with their assignment and that are set up in their individual authorisation profile.
• Authorisations are linked to a personal user ID and an account.
• Automatic screen lock/employee policy
• Password policy
• Allocation of user rights
• Logging of login attempts and termination of the login process after a specified number of unsuccessful attempts (dependent on whether this is included in the service)
• Logging of access and attempted misuse (dependent on whether this is included in the service)
• Physical erasure of media before reuse
• Use of document shredders or service providers (if possible with data protection seal and/or certification)

1.4 Separation requirement

Measures to ensure that data collected for different purposes is processed separately and is separated from other data and systems in such a way that this data cannot be inadvertently used for other purposes.

• Customer separation, software-side
• Separation of test and production systems: separation into development server, staging server and production server
• Separate databases and services (for example, in the sales database only the company ID is stored, but not other information about the company (stored in another database). Likewise, performance data for a specific product per customer is separated from both the aforementioned databases.

1.5 Pseudonymisation

Measures that reduce personal data being directly attributed to a specific data subject during processing in such a way that the identification of a specific data subject is only possible with the inclusion of additional information. This additional information must be stored separately from the pseudonym using suitable technical and organisational measures.

• Generalisation
• Encryption of sensitive data when stored in database (e.g. Blowfish encryption for stored passwords)
• Use of HTTPS throughout the site and particularly sensitive information transfers
• Tokens for transmitting the payment data
• App and database communication via OAuth
• Separate databases and services (for example, in the sales database only the company ID is stored, but not other information about the company (stored in another database). Likewise, performance data for a specific product per customer is separated from both the aforementioned databases.

2. Measures to ensure integrity

2.1 Transfer control

Measures to ensure that personal data cannot be read, copied, amended or removed without authorisation during electronic transmission or during their transport or storage on data carriers, as well as measures that can be used to check and determine to where personal data is to be transmitted.

• Appropriate segregation of duties
• Assignment of personal user accounts
• Password policy
• Limited allocation of administrator rights
• Limited allocation of access rights to data
• Deactivation of unused user accounts
• Unauthorised persons are prevented from gaining access to processing facilities 
• Unauthorised access to personal data is prevented
• Unauthorised modification or deletion of personal data is prevented
• Personal data will only be processed on the instructions of the company
• Transmission of data via encrypted data networks or tunnel connections (VPN)
• Data transmission between clients and servers is encrypted (SSL, SSH or SFTP)
• The connection to the backend systems is protected.
• Data with high protection requirements are encrypted.
• Handling processes with individual responsibility
• Management of rights by system administrator
• Storage of access and/or log files
• Hardware components or documents are destroyed in such a way that recovery is not possible at all or only possible with disproportionate effort (NB: depends on the document)
• Use of software firewalls
• The firewalls are always activated
• Mutual authentication using cryptographic methods (human-machine authentication) – 2 Factor Auth via additional app, regardless of position for all critical systems

2.2 Data entry control

Measures that ensure whether and by whom personal data has been accessed, amended or removed in the IT systems can be subsequently checked and determined.

• Traceability of persons who have accessed, amended and deleted data through the use of individual usernames (not user groups)
• Allocation of rights to access, amend and delete data based on an authorisation concept
• Logging of all system activities and retention of these logs for at least three years

3. Measures to ensure availability and reliability

3.1 Availability control

Measures to ensure that personal data is protected against accidental destruction or loss.

• Recovery and backup concepts (RAID, hard drive mirroring, etc.)
• Backups carried out regularly
• Checks are regularly conducted to determine whether it is possible to restore a backup (data recovery)
• Fire and smoke detection systems
• Fire extinguishing system/fire extinguishers in or in front of the
• electronics rooms
• Air conditioning in electronics rooms
• Electronics rooms not situated under sanitary/water-bearing systems
• No server rooms in the building, all data and tools run via the cloud

3.2 Rapid recoverability

Measures to ensure the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident.

• Regular testing of data recovery
• Recovery and backup concepts (RAID, hard drive mirroring, etc.)
• Backups carried out on a regular basis
• Checks are regularly conducted to determine whether it is possible to restore a backup (data recovery)
• Backups are stored in a secure, off-site location

4. Measures to regularly evaluate data processing security

Measures to ensure data protection-compliant and secure processing. 

• Data protection management
• General data protection concept
• Deletion concept
• Company instructions are documented
• Formalised contract management

5. Measures to ensure reliability

Measures to ensure that all functions of the system(s) are available and that any malfunctions that occur are reported.

• Availability monitoring of relevant services
• System redundancies
• System monitoring
• Monitoring via automated network management system (NMS)
• Backup plans
• Use of test/pre-staging systems
• Use of a version management system for operating systems
• Alerts

6. Measures to ensure reliability

Measures to ensure that personal data collected for different purposes can be processed separately.

• Data protection concept
• Authorisation concepts (profiles, roles, etc.) and their documentation
• Definition of database rights
• Creation of data categories with different storage locations
• Internal multi-client capability
• Logical client separation
• Internal earmarking concept
• The data of different JOIN customers is stored in separate files and in separate directories depending on the content and is not merged
• Access concepts
• Isolation of data sets, systems (e.g. UAT, staging and production) and processes
• Physical separation of data categories
• Separation of particularly sensitive data

APPENDIX 2 to the AVV

List of subcontractor processors commissioned by JOIN

Amazon Web Services Europe
Cloud service provider
Luxemburg

Google Europe
Cloud service provider
Irland

Mailchimp
Marketing and mailing platform
USA

Stripe Payments Europe Ltd.
Payment service provider
Irland