Data Processing Agreement ("DPA")
Effective date: 2 March 2026
This Data Processing Agreement ("DPA") forms part of the Customer Agreement between the Customer ("Controller") and HI ("Processor") and sets out the terms and conditions under which HI Processes Personal Data on behalf of the Customer. In the event of any conflict between this DPA and the Customer Agreement, this DPA shall prevail with respect to the Processing of Personal Data.
Definitions
In this DPA, capitalized terms have the same meaning ascribed to them under the Customer Agreement or the GDPR. In addition, the following capitalized terms will have the meanings ascribed to them below, and references to the singular will include the plural and vice versa.
| "Data Privacy Laws" | means any law and regulation in force at any time concerning the Processing of personal data, including but not limited to the GDPR, other European Union legislation relating to the Processing of personal data, national legislation implemented under and in compliance with the GDPR and the decisions, advice, recommendations and opinions of the EU court(s), national courts, the European Data Protection Board and the applicable Supervisory Authority. |
| "EU Model Clauses" | means the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council. |
| "GDPR" | means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation). |
| "Sub-Processor" | means a processor engaged by the Processor to fulfill the Processor's obligations under this DPA in whole or in part, and when doing so Processes the Controller's Personal Data on behalf of the Processor. |
Processing of Personal Data
HI undertakes to comply with the Data Privacy Laws and to only Process Personal Data to the extent necessary to provide the Services, and only in accordance with the Customer's written instructions as set out in Appendix 1.A.
HI will immediately inform the Customer if it lacks an instruction on how to Process Personal Data in a particular situation or if it believes an instruction provided under this DPA infringes the Data Privacy Laws.
If HI Processes Personal Data in addition to or in violation of the Customer's instructions, due to being required to do so by Union or Member State law to which HI is subject, HI will inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
If Data Subjects, competent authorities, or any other third parties request information from HI regarding the Processing of Personal Data covered by this DPA, HI will refer such request to the Customer as soon as possible after receipt of such request. HI will assist the Customer to fulfil its obligations to respond to requests from Supervisory Authorities and Data Subjects to exercise their rights under Chapter III of the GDPR.
Without prejudice to any other provision of this DPA, HI shall assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to HI.
HI will, upon the Customer's request, assist the Customer with carrying out Data Protection Impact Assessment(s) where required under the Data Privacy Laws. HI will in particular assist with:
- Describing the nature of the Processing, including the Personal Data involved and the Processing location;
- Identifying and assessing risks to the rights and freedoms of Data Subjects;
- Providing information on the technical and organizational measures and safeguards taken or envisaged to address the identified risks in order to ensure the protection of Personal Data Processed under this DPA; and
- Providing detailed information on any other parties involved in the Processing of Personal Data (including information on their part of the process and their location).
Upon the Customer's request, HI will assist the Customer with carrying out prior consultations with the Supervisory Authority, where such consultations are required under the Data Privacy Laws.
HI will, without undue delay and not later than 72 hours after becoming aware of a Personal Data Breach, notify the Customer in writing thereof. The notification shall, to the extent such information is available to HI at the time of notification, at least:
- describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach; and
- describe the measures taken or proposed to be taken by HI to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where it is not possible to provide all information at the same time, the information may be provided in phases without further undue delay.
If the Customer so requests, HI will assist the Customer in fulfilling the Data Controller's obligations under Article 33 of the GDPR. HI will, in consultation with the Customer and at HI's cost, take all reasonable steps necessary to mitigate the consequences of the Personal Data Breach. As soon as practicable following the Personal Data Breach, HI will inform the Customer of the remedial action(s) HI proposes to take to prevent any similar security incident occurring in the future.
The Customer's Undertakings
The Customer will provide clear and documented instructions to HI. The instructions are documented in Appendix 1.A.
Sub-Processors
HI is granted a general authorization to engage the Sub-Processors necessary to provide the Services under the Customer Agreement. HI will notify the Customer of the intention to engage new Sub-Processors or make changes to the already engaged Sub-Processors by informing the Customer in writing and by posting the change to the Sub-Processor list available at https://www.hiassessments.com/data-processors, at least thirty (30) days prior to such change taking effect.
If the Customer objects to the change on reasonable grounds, the Parties shall try to find a solution in good faith. If no such solution can be reached, the Customer may terminate the DPA and the Customer Agreement by providing written notice to HI before the change takes effect.
HI will ensure that any Sub-Processors engaged by HI are bound by written agreements that require them to comply with corresponding data processing obligations to those contained in this DPA and that meet the requirements of Article 28(3) of the GDPR.
If the Sub-Processor fails to perform its obligations, HI will be fully liable to the Customer for the due performance of the Sub-Processor's obligations.
Technical and Organizational Measures
HI guarantees that it has implemented and, during the term of this DPA, will continue to implement and maintain appropriate technical and organizational measures to ensure that the Personal Data is adequately protected. The measures implemented by HI will provide a level of security appropriate to the risk, taking into account existing technical possibilities, costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
HI is obliged to ensure that only personnel who directly require access to Personal Data in order to fulfil HI's obligations under this DPA have access to such information. HI will ensure that such personnel are bound by a confidentiality obligation to the same extent as HI under this DPA and that they are informed how they may Process the Personal Data.
Data Localisation
All Customer Personal Data is hosted and processed within the European Economic Area (EEA). HI does not transfer Customer Personal Data outside the EEA unless instructed to do so by the Customer.
The processing activities (including storage) take place on the location(s) set out in HI's current Sub-Processor list available at https://www.hiassessments.com/data-processors.
If a Sub-Processor engaged in accordance with the "Sub-Processors" section of this DPA is established or otherwise processes Personal Data outside the EEA, HI shall enter into the EU Model Clauses with the Sub-Processor, if required by the Data Privacy Laws and if no other applicable transfer mechanism under Chapter V of the GDPR applies. HI must also ensure that a transfer risk assessment is performed and that any relevant additional safeguards are implemented prior to transferring the Personal Data from HI to the Sub-Processor.
Regardless of the above, HI may also transfer data outside the EEA if required by EU law or by any EU member state law to which HI is subject, provided that HI informs the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
In the event the Supervisory Authority intervenes in respect of the Customer, HI or a Sub-Processor and warns or decides that a processing activity constitutes a transfer that does not comply with the Data Privacy Laws, HI shall, together with the Sub-Processor and after consulting with the Customer, without undue delay take action to implement all technical and organisational measures necessary to comply with the warning or decision.
Audit Rights
Upon the Customer's request, HI will make available to the Customer third-party reports demonstrating compliance with this DPA and the Data Privacy Laws.
If such reports or any audit reveal inadequate technical and organizational security measures or other non-compliance with this DPA, HI shall without undue delay remedy such inadequacy or non-compliance.
HI shall procure that the Customer is similarly entitled to conduct audits in respect of the Sub-Processors, to the extent permitted by HI's agreements with such Sub-Processors.
Liability
In the event that HI processes Personal Data in violation of the Customer's instructions, HI shall indemnify the Customer for any damage incurred. If HI's wrongful processing is due to circumstances attributable to the Customer, the Customer shall instead indemnify HI for any damage incurred.
If HI suffers damage due to the Customer's breach of applicable Data Privacy Laws, the Customer shall indemnify HI for any damage incurred. If the Customer's breach is due to circumstances attributable to HI, HI shall instead indemnify the Customer for any damage incurred.
Administrative fines under Article 83 of the GDPR or any other applicable data protection legislation shall be borne in full by the Party upon which such a fine has been imposed.
In no event shall HI's liability under this DPA exceed the Fees paid by the Customer to HI during the preceding twelve (12) months.
Additional Fees
To the extent HI provides assistance to the Customer pursuant to this DPA, including but not limited to assistance with Data Protection Impact Assessments, prior consultations with Supervisory Authorities, and responses to requests from Data Subjects, the Customer shall reimburse HI for reasonable and documented costs incurred in connection with such assistance, unless otherwise agreed between the parties.
Term
This DPA shall remain in force for as long as HI Processes Personal Data on behalf of the Customer. Upon cessation of all Processing activities, this DPA shall automatically terminate, without prejudice to any obligations that by their nature survive termination.
Return of Data etc.
Upon expiry of this DPA, HI will, at the choice of the Customer, delete or return all Personal Data to the Customer and will ensure that any Sub-Processor does the same, unless it is required to keep copies of the data under Union or Member State law to which HI is subject.
For the avoidance of doubt, this DPA will apply as long as HI or its Sub-Processor processes personal data for which the Customer is the Data Controller.
Governing Law and Dispute Resolution
This DPA shall be governed by and construed in accordance with the governing law provisions set out in the Customer Agreement. Any dispute arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution provisions set out in the Customer Agreement.
APPENDIX 1.A
Instructions
| The purposes and categories of the processing | The Personal Data are Processed for the purpose of providing the Services under the Customer Agreement. This includes the provision of the platform, storing the Personal Data, displaying test results and candidate profiles, and generating AI-assisted structured summaries and insights based on assessment results (only when AI features are enabled by the Customer). For the avoidance of doubt, HI will be the sole Data Controller for the performance of tests and its own relationship with Customer employees and job applicants, when applicable. |
| Categories of Data Subjects | Employees and job applicants of the Customer |
| Categories of Personal Data | Contact information (such as name and e-mail address), candidate profiles, and test scores. AI-assisted processing uses pseudonymized candidate identifiers (such as first name and surname initial) and assessment data. HI does not intentionally generate or infer special categories of personal data (Article 9 GDPR) through AI processing. AI-generated outputs are descriptive summaries intended to support human decision-making. The Customer is responsible for ensuring that AI-generated outputs are not used as the sole basis for decisions producing legal effects concerning data subjects. |
| Erasure procedures | HI will erase the Personal Data relating to assessment participants after a retention period configured by the Customer within the platform (minimum 90 days, maximum 10 years, default 24 months), unless otherwise agreed or required by law. Personal Data relating to Authorized Users will be retained for the duration of the account and deleted when the account is deleted by the Customer. |