Annex 1: Data Processing Agreement (DPA)
between
the Customer (hereinafter "Controller")
and
baito UG (haftungsbeschränkt), Silbersteinstraße 124, 12051 Berlin (hereinafter "Processor")
1. Subject Matter and Duration of Processing
(1) The Processor provides services to the Controller in connection with the TalentAlert product. In doing so, it processes personal data exclusively on behalf of and according to documented instructions from the Controller pursuant to Art. 28 GDPR.
(2) The duration of this agreement is governed by the term of the main contract for the use of TalentAlert.
2. Type and Purpose of Processing
The Processor processes personal data for the following exhaustively defined purposes:
- Storage and management of email addresses as well as other information defined by the Controller in the registration form (e.g., location, job categories, links to professional profiles such as LinkedIn or Xing)
- Implementation of a double opt-in procedure to confirm job alert registration (sending a confirmation email with a unique confirmation link; activation of the subscription only after successful confirmation)
- Sending job newsletters and job alerts via email exclusively to confirmed subscribers
- Every email sent via TalentAlert contains a clearly marked, always available unsubscribe link that allows the data subject to unsubscribe completely and permanently from the newsletter or job alert with one click. The unsubscription is processed automatically and takes effect immediately, without requiring any additional steps or re-identification.
- Sending emails for re-confirmation of consent (Re-Confirm), if the Controller configures corresponding periods (e.g., 12 or 24 months without interaction)
- Processing of technical access data (e.g., IP address, browser information) exclusively to ensure technical operation, prevent abuse, and maintain IT security
- Optional server-side evaluation of open and click events via unique, personalized links
Clarification on Tracking and Technology
- TalentAlert does not use cookies or tracking/analytics scripts on end users' devices.
- The evaluation of open and click events is performed exclusively server-side via unique, personalized links in emails.
- Tracking and analytics features are optional, can be disabled, and are fully subject to instructions.
- The Controller may disable or restrict tracking at any time.
- The use of tracking or analytics features occurs exclusively
  - upon documented instruction from the Controller and
  - only if the Controller has obtained valid consent from the data subjects for this purpose.
3. Categories of Personal Data and Data Subjects
- Email address (mandatory)
- Additional voluntary or mandatory information as defined by the Controller (e.g., location, job categories, links to professional profiles)
- Technical data (e.g., IP address, browser information)
- Usage data (open and click events via unique links)
4. Obligations of the Controller
The Controller is particularly responsible for:
- the lawfulness of the collection, processing, and use of personal data
- obtaining explicit consent for sending job alerts (direct marketing)
- the implementation and lawful design of the double opt-in procedure
- informing data subjects in accordance with Art. 13 and 14 GDPR
- safeguarding data subject rights
- the lawful design of additional data fields
- determining retention periods and timeframes for re-confirm emails
5. Obligations of the Processor
The Processor undertakes to
- process personal data exclusively upon documented instruction from the Controller
- technically support the double opt-in procedure configured by the Controller and ensure that job alerts are sent exclusively to confirmed recipients
- bind all persons involved in processing to confidentiality
- implement appropriate technical and organizational measures in accordance with Art. 32 GDPR
- assist the Controller in exercising data subject rights (access, deletion, withdrawal)
- immediately delete personal data, or block it from further sending, when instructed by the Controller (e.g., upon withdrawal of consent or unsubscription from job alerts)
- immediately inform the Controller of data protection breaches
- assist the Controller with data protection impact assessments pursuant to Art. 35 GDPR
- delete or return all personal data after the end of the contract, unless there is a legal retention obligation
6. Technical and Organizational Measures (TOMs)
The Processor implements, among others, the following measures:
- Hosting on servers of Hetzner Online GmbH in Germany
- Encrypted data transmission (TLS)
- Role-based access controls
- Securing administrative access through strong password policies
- Logging of access and system activities
- Regular backups and system monitoring
- Separation of production and development environments
The Processor provides the Controller with appropriate evidence of the implementation of TOMs upon request.
7. Sub-processors
(1) The Processor uses the following sub-processors:
- Hetzner Online GmbH, Germany – Hosting / Data storage
- Amazon Web Services EMEA SARL, Germany – Email service provider (Amazon Simple Email Service, SES)
(2) The use of additional or changed sub-processors occurs only after prior notification to the Controller.
The Controller may object to the use of new or changed sub-processors for legitimate data protection reasons.
8. Control Rights of the Controller
The Controller is entitled to verify compliance with data protection requirements at the Processor.
The Processor provides the necessary information and evidence for this purpose.
9. Liability
Liability is governed by the provisions of the main contract as well as Art. 82 GDPR.
10. Priority of Individual Agreements
If an individual data processing agreement is concluded between the parties, it takes precedence over this DPA.
11. Final Provisions
(1) Changes and amendments to this agreement require text form.
(2) This agreement is part of the main contract and is not effective without it.