Data Processing Agreement

Effective date: 02/02/2026

This data processing agreement (the DPA) sets forth the terms required under the Applicable Data Law (as defined below). This DPA forms part of, and is incorporated into, the main agreement (the Agreement) between the same parties to the Agreement, namely:

(1) The Client identified in the Agreement or Order Form (hereinafter the Controller); and

(2) The SPOTT entity as identified in the Agreement or Order Form (hereinafter the Processor).

The Controller and the Processor are hereinafter together referred to as the Parties and each individually as a Party. This DPA is entered into on the same day as the Agreement.

Background

(A) Under the Agreement, the Processor will process Personal Data on behalf of the Controller.

(B) The Parties intend to ensure that such processing is carried out in compliance with Applicable Data Law, in particular article 28 GDPR.

(C) This DPA sets out the respective rights and obligations of the Parties with regard to such processing.

(D) This DPA results from free and informed negotiations. The Parties acknowledge that its terms were deliberately agreed and included, consider them fair and balanced, and confirm they had the opportunity to seek independent advice.

The Parties Have Agreed as Follows:

1. Interpretation and Definitions

1.1. Interpretation

1.1.1. Headings are for convenience only and do not affect interpretation. In writing and written mean written form including email, but not other electronic forms unless stated otherwise. Include and words of similar effect mean including without limitation. In the event of any conflict or inconsistency between the terms of this DPA and the Agreement, the terms of this DPA shall prevail to the extent of such conflict or inconsistency, notwithstanding anything to the contrary in the Agreement.

1.1.2. Capitalized terms and expressions, including their conjugations, derivatives, and combinations with other words or prefixes, have the meanings set out in Article 1.2 of this DPA, unless the context clearly requires otherwise. Any capitalized terms not defined herein shall have the meaning given to them in the Agreement. The terms Controller, Data Subject, Personal Data, Personal Data Breach, and Processor shall have the meaning given to them in the GDPR. Unless the context clearly requires otherwise, the singular includes the plural and the plural includes the singular.

1.2. Definitions

1.2.1. Agreement means the agreement as set out in the second sentence of this DPA.

1.2.2. Applicable Data Law means any law, statute, regulation, rule, code, ordinance, decree, order, judgment, treaty, international convention, or other legal requirement of any Competent Authority that is binding on a Party, the performance of that Party's obligations under this DPA, or the subject matter of this DPA, in each case as amended, re-enacted, consolidated, or replaced and in force from time to time. Applicable Data Law includes the GDPR and all national implementing acts.

1.2.3. Article means any numbered article in this DPA, and not any article of the Agreement.

1.2.4. Business Day means, unless the Agreement provides otherwise, any day on which commercial banks in Belgium are generally open for business, other than a Saturday, Sunday, or public holiday.

1.2.5. Competent Authority means any supervisory, regulatory, judicial or administrative authority competent under Applicable Data Law, including the competent data protection authority.

1.2.6. DPA means this data processing agreement, including the Schedules attached hereto.

1.2.7. Electronic Signature means any electronic process that is: (a) attached to or logically associated with this DPA; and (b) executed through a method that reliably identifies the signatory and records their intent to be legally bound, including qualified, advanced, or other electronic signatures within the meaning of Regulation (EU) 910/2014, or comparable methods under applicable law (including widely used e-signature platforms such as DocuSign, Connective, Adobe Sign, or similar).

1.2.8. GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, as may be amended or replaced from time to time.

1.2.9. Notice means any notice, request, consent, demand, or other formal communication that this DPA requires to be given as a Notice, which shall be in writing and delivered in accordance with Article 15.1 of this DPA.

1.2.10. Schedule means any document attached to this DPA that forms part of it, whether titled as a schedule, annex, appendix, or otherwise.

1.2.11. Services means all services, functions, responsibilities and outputs of Processor as described in the Agreement.

1.2.12. Sub-Processor means any third party engaged by the Processor who processes Personal Data on behalf of the Controller.

2. Scope of Processing

2.1. The Processor shall process Personal Data as necessary for the performance of the Services under the Agreement and in accordance with this DPA, unless the Processor is required by Applicable Data Law to process Personal Data beyond the Controller's instructions. The Processing will cover the categories of Data Subjects, categories of Personal Data, and purposes set out in Schedule 1.

2.2. The Agreement, including this DPA, constitutes the Controller's complete and final instructions to the Processor regarding the Processing of Personal Data. Any additional or alternative instructions shall require the prior written agreement of both Parties and shall be commercially reasonable and technically feasible. The Processor shall be entitled to suspend execution of any instruction that it reasonably believes infringes Applicable Data Law, until the Controller modifies or withdraws such instruction.

3. Controller Obligations

The Controller shall:

  • (a) comply with all Applicable Data Law in relation to the Processing of Personal Data under this DPA;
  • (b) be solely responsible for determining the purposes and means of the Processing of Personal Data, including identifying a valid legal basis under Applicable Data Law and, where required, obtaining any necessary consents, notices, or authorizations from Data Subjects or third parties;
  • (c) ensure that any Personal Data provided to the Processor are accurate, complete, up to date and adequate for the intended Processing, and promptly notify the Processor of any relevant changes or inaccuracies; and
  • (d) implement and maintain appropriate technical and organizational measures for the protection of Personal Data in respect of all components, systems and credentials under its control, including user workstations, data transfer mechanisms, and access credentials.

4. Processor Obligations

The Processor shall:

  • (a) process Personal Data only on documented instructions from the Controller, unless required to do so by Applicable Data Law. Where such law prevents prior notice, the Processor shall inform the Controller as soon as legally permitted;
  • (b) not process Personal Data for its own purposes;
  • (c) ensure that persons authorized to process Personal Data are subject to confidentiality obligations under contract, policy, or law;
  • (d) implement and maintain technical and organizational measures as described in Article 9 of this DPA;
  • (e) provide reasonable assistance to the Controller as further detailed in Article 5 of this DPA in fulfilling the Controller's obligations under Applicable Data Law, insofar as this is possible and taking into account the nature of the Processing and the information available to the Processor; and
  • (f) make available to the Controller information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Law.

5. Assistance to the Controller

5.1. Data Subjects' rights

The Controller shall be solely responsible for enabling Data Subjects to exercise their rights under Applicable Data Law. If a Data Subject contacts the Processor directly, the Processor shall, within a reasonable period, inform the Controller of the request and redirect the Data Subject to the Controller, unless expressly and reasonably otherwise instructed by the Controller or required by Applicable Data Law. The Processor shall not be required to take further action unless agreed in writing, but shall provide reasonable cooperation insofar as this is possible and taking into account the nature of the processing and the information available to the Processor.

5.2. Cooperation with assessments and DPIAs

The Processor shall provide reasonable assistance to the Controller, insofar as this is possible and taking into account the nature of the processing and the information available to the Processor, with data protection impact assessments and consultations with Competent Authorities that are required under Applicable Data Law in connection with the processing carried out under this DPA, subject always to reimbursement of the Processor's reasonable costs.

5.3. Notices of Competent Authority requests

5.3.1. Unless prohibited under Applicable Data Law, the Processor shall inform the Controller without undue delay if it or any Sub-Processor: (a) receives an inquiry, subpoena, inspection request, or audit demand from a Competent Authority relating to the Processing; (b) is required to disclose Personal Data to a Competent Authority outside the scope of the Services; or (c) receives an instruction that the Processor reasonably believes infringes Applicable Data Law.

5.3.2. The Processor shall provide such cooperation as is reasonably required, taking into account the nature of the Processing and the information available to the Processor, to enable the Controller to comply with its statutory obligations, subject always to reimbursement of the Processor's reasonable costs, except where the relevant request or investigation results directly from a fault or negligence of the Processor.

6. Disclosure

6.1. The Processor shall not disclose Personal Data to any third party, public authority, or other recipient except: (a) on the documented instructions of the Controller; (b) to authorized Sub-Processors in accordance with Article 7 of this DPA; or (c) where required by Applicable Data Law, provided that, where legally permitted, the Processor shall use reasonable efforts to inform the Controller in advance.

6.2. The Processor shall ensure that any person acting under its authority who has access to Personal Data: (a) is bound by appropriate confidentiality obligations under contract, policy, or law; and (b) accesses Personal Data only where necessary for the performance of their duties.

7. Use of Sub-Processors

7.1. The Controller acknowledges and agrees that the Processor may engage Sub-Processors to support the provision of the Services. A list of the Processor's current Sub-Processors will be made available to the Controller upon request. The Processor may engage additional or replacement Sub-Processors, provided that the Processor informs the Controller. The Controller may object to a new Sub-Processor on reasonable grounds based on compliance with Applicable Data Law by providing written Notice within thirty (30) days of receiving the Processor's information. If the Controller does not object within that period, the Sub-Processor shall be deemed approved. If the Controller does object, the Processor will use reasonable efforts to make available a reasonable alternative. If no alternative is available, either Party may terminate the affected Services by written Notice.

7.2. The Processor shall ensure that each Sub-Processor is bound by written obligations providing a level of protection for Personal Data not less than that required under Applicable Data Law. The Processor shall use reasonable efforts to ensure compliance by its Sub-Processors.

7.3. The Processor shall make available to the Controller an up-to-date list of contracted Sub-Processors, either upon written request or by publication on a designated website or portal.

8. Location of Processing

8.1. The Processor may process and store Personal Data within the European Economic Area (EEA) and, where required for the provision of the Services, in other jurisdictions, provided that such processing complies with Applicable Data Law.

8.2. Where the Processing of Personal Data involves a transfer outside the EEA, the Processor shall implement and rely on an appropriate transfer mechanism recognized under Applicable Data Law and shall inform the Controller of the transfer and the mechanism relied upon. The Controller shall be deemed to have approved such transfers provided a valid mechanism is in place. The Controller remains solely responsible for determining whether any transfer impact assessment or supplementary measures are required in connection with such transfer. The Processor shall provide reasonable cooperation and assistance in this regard, limited to the information in its possession. For clarity, the Processor shall not be responsible for the legal sufficiency of any transfer mechanism mandated or adopted under Applicable Data Law.

8.3. If the Processor becomes aware that a transfer mechanism relied upon is no longer valid or effective, it shall inform the Controller. The Processor may continue the relevant transfer for as long as permitted under Applicable Data Law and shall not be obliged to suspend processing unless and until the Controller provides alternative lawful instructions.

9. Technical and Organizational Measures

9.1. The Processor shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental, unauthorized or unlawful access, disclosure, alteration, loss or destruction, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing. Such measures may include, where appropriate, encryption, access controls, backup and recovery procedures, and regular testing and evaluation.

9.2. Upon receiving Notice from the Controller, the Processor shall, within a reasonable period, provide a general description of its technical and organizational measures sufficient to demonstrate compliance with Applicable Data Law. The Processor may fulfill this obligation by providing, where available, relevant third-party certifications, audit reports, or equivalent documentation. Adherence to an approved code of conduct under article 40 GDPR or to an approved certification mechanism under article 42 GDPR may also serve as evidence of sufficient guarantees under this Article 9. Any cooperation beyond the scope of this Article 9 shall remain subject to confidentiality and security restrictions and to reimbursement of the Processor's reasonable costs.

10. Personal Data Breaches

10.1. In the event of a known or reasonably suspected Personal Data Breach, the Processor shall inform the Controller without undue delay and in any event within forty-eight (48) hours of becoming aware. At such time, the Processor shall communicate the information then available to it.

10.2. The Processor shall inform the Controller as further information is obtained, and shall cooperate with the Controller to investigate the Personal Data Breach, take appropriate steps to mitigate its adverse effects, and assist with any notifications to Competent Authorities or Data Subjects as required by Applicable Data Law.

11. Audit Rights

11.1. The Processor shall make available to the Controller, upon written request, information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Law. Where available, the Processor may satisfy this obligation by providing up-to-date third-party audit or certification reports (such as ISO, SOC, or equivalent), which the Controller agrees shall be sufficient to discharge this obligation.

11.2. The Controller may carry out an audit (including inspections) only where the information provided under Article 11.1 of this DPA is not reasonably sufficient to demonstrate compliance. Any such audit shall: (a) be conducted no more than once in any twelve (12) month period; (b) be subject to at least thirty (30) days' prior Notice; (c) take place during normal business hours; and (d) be strictly limited to documents and systems relevant to the processing of Personal Data under this DPA.

11.3. Each Party shall bear its own costs in connection with any audit. Any additional cooperation or resources required from the Processor beyond providing existing information or reports shall be subject to reimbursement of the Processor's reasonable costs.

12. Liability

Each Party shall be liable for breaches of its own obligations under this DPA and Applicable Data Law. The Processor shall not be liable for: (a) fines or penalties imposed directly on the Controller, unless and to the extent such fines or penalties result from the Processor's own breach of this DPA or Applicable Data Law; (b) indirect, consequential, punitive or exemplary damages; or (c) losses arising from the Controller's own failure to comply with Applicable Data Law or to give lawful instructions.

13. Deletion and Return of Personal Data

13.1. The Processor shall retain Personal Data only for as long as necessary to perform the Services or as required by Applicable Data Law. Upon expiry or termination of the Agreement, the Processor shall, at the Controller's choice and within a reasonable period and subject to its technical capabilities: (a) make available for download to the Controller a copy of the Personal Data in a commonly used format; or (b) securely delete the Personal Data, except to the extent retention is required by Applicable Data Law. Where Applicable Data Law requires continued storage, the Processor shall notify the Controller (unless legally prohibited) and shall ensure such Personal Data is kept securely and not processed for any other purpose.

13.2. Any additional data export, migration, or assistance requested by the Controller shall be subject to the Processor's standard professional services terms and the reimbursement of its reasonable costs.

14. Term and Termination

14.1. This DPA shall enter into force on the date of its signing by all Parties and shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller under the Agreement. Termination of the Agreement shall automatically result in termination of this DPA, except to the extent the Processor continues to process Personal Data on behalf of the Controller, in which case this DPA shall remain in force until such processing ceases and the Processor has complied with its obligations under Article 13 of this DPA.

14.2. Each Party may terminate this DPA, or the affected part of the Services, with immediate effect by Notice to the other Party if that other Party is in material breach of this DPA and fails to remedy such breach within a reasonable period (not less than thirty (30) days) of receiving Notice thereof. Where the Processor is unable to comply with Applicable Data Law due to the invalidation or ineffectiveness of a transfer mechanism under Article 8 of this DPA, the Controller may only terminate if the Processor has not implemented a suitable alternative transfer mechanism within sixty (60) days of becoming aware of such invalidation or ineffectiveness.

14.3. The provisions of this DPA that are expressly stated to survive, or that by their nature should reasonably survive termination or expiry, will remain in effect. This includes Articles 6, 12, 14, and 15 of this DPA.

15. Miscellaneous

15.1. Notices

Notices under this DPA shall be delivered to the address or email of the other Party as set out below. A Notice sent by email is deemed received on the date of transmission, provided no delivery failure message is received. If sent after 17:00 or on a non-Business Day, it is deemed received on the next Business Day.

If to the Processor: To the address stated in the Agreement, or to any other address specified by the Processor in a Notice given in accordance with this Article 15.1.
E-mail: info@spott.io

If to the Controller: To the address stated in the Agreement, or to any other address specified by the Controller in a Notice given in accordance with this Article 15.1.
E-mail: as communicated in the Agreement or via Processor's online Platform.

15.2. Amendment

This DPA may be amended or modified only by a written document, excluding email, signed by duly authorized representatives of all Parties. Signature by means of an Electronic Signature is permitted. Any unilateral attempt by a Party to amend, supplement, or override this DPA, whether by Notice, conduct, or otherwise, shall have no legal effect and shall be deemed rejected in advance.

15.3. Severability

If any provision of this DPA (or part of it) is held invalid, illegal, or unenforceable, that provision or part shall be limited or severed to the extent required, without affecting the remainder of this DPA or the Agreement or the unaffected part of that provision. To the extent permitted by applicable law, the Parties shall replace the invalid provision with one that reflects its intent and purpose as closely as possible. Where applicable, the deciding court may make such substitution.

15.4. Assignment

Neither Party may assign or transfer any of its rights or obligations under this DPA without the prior written consent of the other Party, unless otherwise provided in the Agreement. By way of exception: (a) the Processor may delegate processing obligations to authorized Sub-Processors in accordance with Article 7 of this DPA; and (b) the Processor may assign this DPA together with the Agreement to a successor in interest including by merger, reorganization or sale of business, or may assign this DPA to any of its affiliates, in each case provided that the assignee assumes the Processor's obligations under this DPA in full.

15.5. Governing law and jurisdiction

This DPA shall be governed by, and disputes arising out of or in connection with it shall be subject to, the governing law and jurisdiction provisions set out in the Agreement.

15.6. Signature

This DPA may be executed by handwritten signature or Electronic Signature. An Electronic Signature shall have the same legal effect as a handwritten signature to the extent permitted by applicable law. Neither Party may object to the validity, enforceability, or admissibility of this DPA solely because it was executed electronically. If signed by hand, this DPA may be transmitted electronically (including as a scanned PDF or similar format) and shall be deemed an original. If signed by hand in physical form, this DPA shall be executed in as many originals as there are Parties.

Schedule 1 – Details of the processing

1. Subject-Matter and Duration

Provision of the Spott recruitment Platform, including hosting, storage, analytics, support, and (when applicable) AI-assisted features within the Platform.

2. Nature and Purposes of the Processing

Nature of Processing: collection, recording, organization, structuring, storage, consultation, use, disclosure by transmission (to authorized Sub-Processors), alignment/combination, restriction, erasure/destruction.

Purposes: (i) enabling the Controller and its Authorized Users to manage recruitment processes and related workflows; (ii) platform operation, security, maintenance, support; (iii) usage analytics and performance monitoring (as part of providing the Services).

3. Categories of Data Subjects

  • Controller's employees and staff involved in recruitment activities
  • Authorized Users of the platform
  • Candidates/applicants (potential, existing and former)
  • Client contacts and business contacts uploaded by the Controller
  • Other data subjects whose Personal Data the Controller uploads or generates in the platform (e.g., referees, interviewers)

4. Categories of Personal Data

Depending on the Controller's usage of the Platform, categories of personal data may include:

  • Identification and Contact Data: Name, surname, business and personal contact details, email address, phone number, postal address, social profile URLs (e.g., LinkedIn), internal identifiers (e.g., candidate/contact ID).
  • Recruitment Process Data: Application date/source, consent/opt-in status, pipeline stage history, interview schedules, interviewer assignments, evaluation forms/scorecards, rejection reasons.
  • Job-Related Preferences: Desired role, seniority, availability/start date, preferred location or remote preference, work authorization/visa status.
  • Professional Data: Current/previous job titles and employers, employment history, application status, interview notes/feedback, assessments, work eligibility fields, data concerning termination of employment, attendance, salary, bonuses, benefits.
  • Education and Training Data: Education history, degrees, certifications, courses, skills, languages, professional experience/history as included in CV/profile.
  • Communications Data: Email/message content and metadata (sender/recipient, subject, timestamps), templates, replies, attachments.
  • Image Recordings: Photos, video recordings, profile images, LinkedIn profile URLs (if provided by the customer/user).
  • Relational Data: References, referees, (potential)/(ex) customers, client contacts, (potential)/(ex) business partners, as included in CVs or entered by the customer, but not actively processed beyond storage, display, search, and export as part of the document/profile.
  • Leisure Activities and Interests: Hobbies, sports, other interests, as included in uploaded CVs/attachments, but not actively processed beyond storage, display, search, and export as part of the document/profile.
  • Income and Asset Data: Salary/compensation expectations, current salary, offered salary/compensation, salary range linked to a role, bonuses/benefits, data concerning assets (e.g., house, characteristics), savings or financial instruments (if provided).
  • Technical Data: User account identifiers, logs, device/browser information, IP address, cookies, license plate (if provided).
  • Other included Personal Data: Any other information the Controller chooses to include in free-text fields, notes, uploads, or attachments.
  • Special Categories of Data: The platform is not intended to require or process special categories of Personal Data (as defined in Article 9 GDPR). If such data is uploaded, the Controller is solely responsible for ensuring a lawful basis and appropriate safeguards.

Controller acknowledges that due to the flexible and AI-native nature of the platform, the Controller could theoretically import any type of data, including data not explicitly listed above. The Controller remains responsible for the lawfulness, accuracy, and appropriateness of all data uploaded to the platform, and for ensuring that no misuse occurs.

5. Processing Locations / Transfers

The primary hosting region will be as described in the Agreement or Order Form (e.g., Azure West-Europe region).

Sub-Processors may process data in the EEA and, where applicable, outside the EEA subject to appropriate transfer mechanisms under Applicable Data Law.

6. Retention and Deletion/Return

During the Agreement, the Personal Data will be retained as necessary to provide the Services.

After the termination of the Agreement, the Personal Data will be available for retrieval/export during the agreed retrieval period, and will thereafter be deleted and/or returned in accordance with Article 13 of this DPA, unless retention is required by law.
