Data processing agreement
pursuant to Article 28 GDPR
between
Your Mellon Group Cloud Services and Human Resources Consultancy - FZCO
Building A1, IFZA Business Park
Dubai Silicon Oasis
Dubai, United Arab Emirates
Registration No.: DSO-FZCO-50566
Email: info@yourmellon.group
hereinafter referred to as the “Processor”, “YourMellon”, “we”, “us” or “our”
and
the customer using the YourMellon SaaS platform under the applicable Terms, order form, subscription agreement or other main agreement
hereinafter referred to as the “Controller”, “Customer”, “you” or “your”.
Together referred to as the “Parties”.
1. Purpose and scope
1.1 This Data Processing Agreement “DPA” forms part of the agreement between the Customer and YourMellon governing the use of the YourMellon SaaS platform, including the applicable Terms, subscription agreement, order form or other commercial agreement “Main Agreement”.
1.2 This DPA applies where YourMellon processes personal data on behalf of the Customer in the course of providing the YourMellon SaaS platform and related services.
1.3 The purpose of this DPA is to ensure compliance with Article 28 of Regulation EU 2016/679, the General Data Protection Regulation “GDPR”, and any applicable data protection laws.
1.4 In the event of a conflict between this DPA and the Main Agreement regarding the processing of personal data on behalf of the Customer, this DPA shall prevail. Commercial provisions of the Main Agreement remain unaffected.
2. Definitions
2.1 Terms such as personal data, processing, controller, processor, data subject, personal data breach, special categories of personal data, and subprocessor shall have the meaning given to them in the GDPR.
2.2 Customer Personal Data means any personal data processed by YourMellon on behalf of the Customer in connection with the SaaS platform.
2.3 Services means the YourMellon SaaS platform and related support, hosting, maintenance, communication, recruiting CRM, ATS, candidate management, calendar integration, translation, analytics and other related services provided under the Main Agreement.
2.4 Subprocessor means any third party engaged by YourMellon to process Customer Personal Data on behalf of the Customer.
3. Roles of the parties
3.1 For Customer Personal Data processed within the scope of this DPA, the Customer acts as controller and YourMellon acts as processor.
3.2 The Customer determines the purposes and means of processing Customer Personal Data, including which data is uploaded, stored, managed, shared, communicated or otherwise processed through the Services.
3.3 YourMellon processes Customer Personal Data only on behalf of the Customer and in accordance with this DPA, the Main Agreement and the Customer’s documented instructions, unless required to do otherwise by applicable law.
3.4 The Parties acknowledge that YourMellon may also process certain personal data as an independent controller, including data relating to its own customer relationship management, billing, invoicing, fraud prevention, contractual administration, website operation, product improvement and compliance obligations. Such processing is not governed by this DPA.
3.5 Apiro GmbH may be involved in invoicing, payment-related administration and related accounting processes. Apiro GmbH is not the primary SaaS processor under this DPA.
4. Customer instructions
4.1 The Customer instructs YourMellon to process Customer Personal Data as necessary to provide the Services under the Main Agreement.
4.2 The Customer’s instructions include:
a. processing required to provide, maintain, secure and support the SaaS platform;
b. processing initiated by Customer users through the platform;
c. processing required for candidate management, recruiting workflows, CRM and ATS functions;
d. communication between Customer users and candidates;
e. storage and management of candidate profiles, notes, statuses, tasks, documents and communication records;
f. optional calendar integrations initiated by Customer users;
g. on-demand translation of chat messages and job advertisements;
h. technical monitoring, troubleshooting and support;
i. deletion, export or return of Customer Personal Data according to this DPA.
4.3 Additional instructions must be documented. YourMellon may refuse instructions that are unlawful, technically unreasonable, outside the scope of the Services, or would require a material change to the Services, unless separately agreed.
4.4 If YourMellon believes that an instruction violates applicable data protection law, YourMellon shall inform the Customer without undue delay.
5. Details of processing
5.1 The subject matter, duration, nature, purpose, categories of personal data and categories of data subjects are described in Annex 1.
5.2 The technical and organisational measures are described in Annex 2.
5.3 The approved subprocessors are listed in Annex 3.
5.4 International transfer safeguards are described in Annex 4.
6. Obligations of the Customer
6.1 The Customer is responsible for ensuring that:
a. it has a valid legal basis for processing Customer Personal Data;
b. it is entitled to instruct YourMellon to process Customer Personal Data;
c. all required transparency information is provided to data subjects;
d. Customer users are authorised to use the Services and process personal data through the platform;
e. Customer Personal Data uploaded, entered, synced or otherwise processed through the Services is lawful, accurate and appropriate for the intended purpose;
f. special categories of personal data or sensitive documents are only processed where the Customer has a valid legal basis and appropriate safeguards.
6.2 The Customer remains responsible for responding to data subject requests, unless this DPA states otherwise.
6.3 The Customer shall not use the Services in a manner that violates applicable data protection law.
7. Obligations of YourMellon
7.1 YourMellon shall process Customer Personal Data only in accordance with the Customer’s documented instructions, unless required by applicable law.
7.2 YourMellon shall ensure that persons authorised to process Customer Personal Data are subject to confidentiality obligations.
7.3 YourMellon shall implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
7.4 YourMellon shall assist the Customer, taking into account the nature of processing and the information available to YourMellon, with:
a. responding to data subject requests;
b. fulfilling security obligations;
c. notifying personal data breaches;
d. conducting data protection impact assessments where required;
e. consulting with supervisory authorities where required.
7.5 YourMellon shall make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security and trade secret limitations.
7.6 YourMellon shall notify the Customer without undue delay if it becomes aware of a personal data breach affecting Customer Personal Data.
8. Confidentiality
8.1 YourMellon shall ensure that all personnel authorised to process Customer Personal Data are bound by confidentiality obligations.
8.2 Confidentiality obligations shall continue after termination of employment, contractor engagement or other relationship with YourMellon or Apiro GmbH.
8.3 Access to Customer Personal Data is limited to vetted and qualified personnel who require such access for providing, maintaining, securing or supporting the Services.
9. Security measures
9.1 YourMellon shall implement appropriate technical and organisational measures as described in Annex 2.
9.2 These measures include, among others:
a. TLS encryption in transit;
b. encryption of S3 file storage;
c. encryption of sensitive database fields, including payment-related information and passwords;
d. multi-factor authentication for admin and support access;
e. role-based access controls;
f. separation of production and staging environments;
g. no use of real customer data in testing;
h. code reviews before deployment;
i. weekly dependency scanning;
j. confidentiality obligations for critical personnel;
k. device security measures, including password managers, current antivirus protection and screen locks;
l. access logging for admin and support access with retention of at least 180 days.
9.3 YourMellon may update or modify its security measures from time to time, provided that the overall level of security is not materially reduced.
10. Support and administrative access
10.1 Customer Personal Data may be accessed through support or administrative interfaces only by vetted and qualified personnel.
10.2 Such access is permitted only where necessary for:
a. providing customer support;
b. troubleshooting technical issues;
c. maintaining platform security;
d. investigating errors or incidents;
e. fulfilling documented Customer requests;
f. ensuring proper operation of the Services.
10.3 Admin and support access is protected by multi-factor authentication and role-based access controls.
10.4 Admin and support access is logged, including timestamp, accessing user and relevant access/action information. Such logs are retained for at least 180 days.
10.5 Support personnel in the United Arab Emirates may access the admin/support interface where required for support and service operation purposes.
10.6 Support personnel in Serbia may access the candidate support interface only.
10.7 Support personnel in Greece may access the candidate support interface only.
10.8 Third-country access is subject to the safeguards described in Annex 4.
11. Subprocessors
11.1 The Customer authorises YourMellon to engage the subprocessors listed in Annex 3.
11.2 YourMellon shall ensure that subprocessors are bound by written obligations that provide an appropriate level of data protection.
11.3 YourMellon remains responsible for the performance of its subprocessors to the extent required under Article 28 GDPR.
11.4 YourMellon may add or replace subprocessors by providing at least 30 days’ prior notice by email and by updating the public subprocessor page.
11.5 The Customer may object to a new subprocessor for reasonable data protection reasons within the notice period.
11.6 If the Customer objects, the Parties shall work in good faith to find a commercially reasonable solution. If no solution is available and the use of the new subprocessor is necessary for the Services, the Customer may terminate the affected Services in accordance with the Main Agreement.
12. International transfers
12.1 Hosting and primary infrastructure for the Services are located in Germany and/or the European Union.
12.2 Customer Personal Data may be accessed remotely by authorised personnel located outside the EU/EEA, including in the United Arab Emirates and Serbia, solely for support and service operation purposes.
12.3 Such access is subject to appropriate safeguards, including:
a. confidentiality obligations;
b. role-based access controls;
c. multi-factor authentication;
d. access logging;
e. limited access based on role and necessity;
f. internal data protection policies;
g. contractual safeguards;
h. transfer mechanisms under Chapter V GDPR where required, including Standard Contractual Clauses or equivalent safeguards.
12.4 Where a subprocessor or authorised personnel process Customer Personal Data outside the EU/EEA in a country without an adequacy decision, YourMellon shall ensure that appropriate transfer safeguards are in place.
12.5 YourMellon shall not transfer Customer Personal Data outside the EU/EEA except as described in this DPA or otherwise agreed with the Customer.
13. Optional integrations
13.1 The Services may include optional integrations that are initiated by Customer users, including Google Calendar and Microsoft Outlook calendar integrations.
13.2 If a Customer user connects a calendar integration, the Services may sync calendar event data from the selected calendar, including event titles, descriptions, dates, times and related metadata.
13.3 Calendar tokens are stored for the purpose of maintaining the integration.
13.4 Customer users may disconnect calendar integrations at any time. Upon disconnection, synced calendar data is deleted from the Services, unless retention is legally required or technically delayed due to backup cycles.
13.5 The Customer is responsible for ensuring that Customer users are authorised to connect calendars and sync calendar data to the Services.
14. Translation services
14.1 The Services may include on-demand translation functionality for chat messages and job advertisements.
14.2 Translation is triggered by Customer users or candidates through a request or click and is not automatically performed in the background unless configured by the user or made part of the specific workflow.
14.3 YourMellon uses Google Cloud Translation API for this functionality.
14.4 The content submitted for translation may include personal data if such data is included in chat messages or job advertisements.
14.5 The Customer is responsible for ensuring that personal data submitted for translation may lawfully be processed for this purpose.
15. In-app calling
15.1 The Services may include in-app calling functionality provided through Twilio in the EU region.
15.2 Twilio is used for technical call connection and related functionality.
15.3 YourMellon does not use Twilio for phone number processing in connection with in-app calling.
15.4 Calls are not recorded by YourMellon.
15.5 Call logs may be stored manually by Customer users in the platform.
15.6 Where Customer users manually store call logs or notes, the Customer remains responsible for the lawfulness of such processing.
16. Monitoring and logs
16.1 YourMellon uses monitoring and error tracking tools to maintain security, availability and performance of the Services.
16.2 Laravel Nightwatch and Sentry are used in the EU, Frankfurt region.
16.3 Monitoring and error tracking data is limited to technical information and user IDs. YourMellon does not intentionally include personal content data in monitoring logs.
16.4 Monitoring logs are retained for 90 days.
16.5 YourMellon shall take reasonable steps to avoid unnecessary personal data in logs and monitoring systems.
17. Special categories of personal data and uploaded documents
17.1 The Services are not specifically designed to request or require special categories of personal data under Article 9 GDPR.
17.2 However, candidates, Customer users or other authorised users may upload or enter documents, messages, notes or other content that contain special categories of personal data or other sensitive information.
17.3 Such content may include, depending on user behaviour, identification documents, residence permits, work permits, certificates, health-related information, disability information, criminal record information, photos, videos or other sensitive data.
17.4 The Customer remains responsible for ensuring that any such data is processed lawfully and that appropriate legal bases and safeguards are in place.
17.5 YourMellon processes such data only according to the Customer’s documented instructions and as necessary to provide the Services.
18. Data subject requests
18.1 Taking into account the nature of the processing, YourMellon shall assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer’s obligation to respond to requests from data subjects.
18.2 If YourMellon receives a request from a data subject relating to Customer Personal Data, YourMellon shall, where legally permitted, forward the request to the Customer or instruct the data subject to contact the Customer.
18.3 YourMellon shall not respond directly to such requests unless authorised by the Customer or required by applicable law.
18.4 The Customer is responsible for verifying the identity of the requesting data subject and determining the appropriate response.
19. Personal data breaches
19.1 YourMellon shall notify the Customer without undue delay, preferably within 48 hours after becoming aware of a personal data breach affecting Customer Personal Data.
19.2 The notification shall include, to the extent available:
a. the nature of the breach;
b. the categories and approximate number of affected data subjects;
c. the categories and approximate number of affected records;
d. the likely consequences of the breach;
e. measures taken or proposed to address the breach;
f. contact details for further communication.
19.3 YourMellon may provide information in phases where not all details are immediately available.
19.4 The Customer remains responsible for determining whether notification to supervisory authorities or data subjects is required.
19.5 YourMellon shall reasonably assist the Customer with breach-related obligations, taking into account the nature of processing and the information available to YourMellon.
20. Deletion and return of Customer Personal Data
20.1 During the term of the Main Agreement, the Customer may delete or export Customer Personal Data to the extent supported by the Services.
20.2 Upon termination of the Main Agreement or upon documented request by the Customer, YourMellon shall delete or return Customer Personal Data without undue delay, unless a different deletion or export period is agreed case by case or legal retention obligations apply.
20.3 Customer Personal Data contained in backups may remain until the end of the regular backup retention cycle.
20.4 Daily backups are retained for 7 days and are then deleted or overwritten according to the regular backup process.
20.5 Deletion does not apply to data that YourMellon or Apiro GmbH must retain as independent controllers for legal, accounting, tax, billing, fraud prevention or compliance purposes.
20.6 Upon request, YourMellon may confirm deletion after completion of the applicable deletion process.
21. Audits and information rights
21.1 YourMellon shall make available information reasonably necessary to demonstrate compliance with this DPA.
21.2 Audits shall primarily be conducted on a document-based basis, including review of relevant policies, security documentation, technical and organisational measures (TOMs), certifications, subprocessor information or other appropriate evidence.
21.3 On-site audits are only permitted where legally required or where document-based information is insufficient to verify compliance.
21.4 Any audit must be subject to reasonable prior notice, confidentiality obligations, reasonable scope limitations and measures to avoid disruption of YourMellon’s business operations and security.
21.5 Unless required due to a confirmed personal data breach or mandatory law, audits may be limited to once per calendar year.
21.6 The Customer shall bear its own audit costs and any reasonable costs incurred by YourMellon, unless the audit reveals a material breach of this DPA by YourMellon.
21.7 Audits shall not require disclosure of trade secrets, confidential information of other customers, security-sensitive information or information that would compromise the security of the Services.
22. Assistance with compliance obligations
22.1 Taking into account the nature of processing and the information available to YourMellon, YourMellon shall reasonably assist the Customer with:
a. security obligations under Article 32 GDPR;
b. personal data breach obligations under Articles 33 and 34 GDPR;
c. data protection impact assessments under Article 35 GDPR;
d. prior consultation with supervisory authorities under Article 36 GDPR.
22.2 If assistance requires substantial effort outside the normal scope of the Services, YourMellon may charge reasonable fees unless the assistance is required due to a breach of this DPA by YourMellon.
23. Return, deletion and portability support
23.1 The Customer may request reasonable assistance with exporting Customer Personal Data.
23.2 Export functionality may be limited by the technical capabilities of the Services.
23.3 YourMellon is not required to provide custom export formats unless separately agreed.
23.4 The Customer is responsible for exporting data before termination where the Customer wishes to retain such data.
24. Liability
24.1 Liability between the Parties shall be governed by the Main Agreement, unless mandatory applicable data protection law provides otherwise.
24.2 Nothing in this DPA limits liability where such limitation is prohibited by applicable law.
25. Term and termination
25.1 This DPA becomes effective when the Customer accepts the Main Agreement or otherwise uses the Services in a manner involving the processing of Customer Personal Data.
25.2 This DPA remains in effect for as long as YourMellon processes Customer Personal Data on behalf of the Customer.
25.3 Termination of the Main Agreement shall also terminate this DPA, subject to the continued application of provisions necessary for deletion, return, confidentiality, audit, legal retention and compliance obligations.
26. Governing law and jurisdiction
26.1 This DPA follows the governing law and jurisdiction of the Main Agreement, unless mandatory data protection law requires otherwise.
26.2 Mandatory rights of data subjects and supervisory authorities remain unaffected.
27. Changes to this DPA
27.1 YourMellon may update this DPA where necessary to reflect changes in law, Services, security measures, subprocessors or processing activities.
27.2 Material changes shall be communicated to the Customer by reasonable means.
27.3 Changes to subprocessors are governed by Section 11.
Annex 1
Details of processing
1. Subject matter of processing
The processing of Customer Personal Data in connection with the provision of the YourMellon SaaS platform for recruiting, candidate sourcing, candidate management, applicant tracking, recruiting CRM, communication, job advertisements, team collaboration, analytics, integrations, support and related services.
2. Duration of processing
For the duration of the Main Agreement and thereafter only as necessary for deletion, return, backup expiry, legal retention, dispute resolution or compliance obligations.
Backups are retained for 7 days.
3. Nature of processing
The processing may include:
a. collection;
b. recording;
c. organisation;
d. structuring;
e. storage;
f. adaptation;
g. retrieval;
h. consultation;
i. use;
j. transmission;
k. making available;
l. alignment;
m. combination;
n. restriction;
o. erasure;
p. destruction.
4. Purpose of processing
The purposes include:
a. provision of the SaaS platform;
b. candidate search and candidate management;
c. recruiting CRM and ATS functionality;
d. application pipeline management;
e. communication between Customers and candidates;
f. internal Customer collaboration, notes, tasks and lists;
g. job advertisement management;
h. company profile management;
i. candidate profile access and unlocking;
j. candidate verification support where applicable;
k. appointment and calendar management;
l. optional Google Calendar and Microsoft Outlook integrations;
m. on-demand translation of chat messages and job advertisements;
n. in-app calling;
o. analytics and recruiting KPIs;
p. support and troubleshooting;
q. security, monitoring, logging and service maintenance;
r. backup and restoration.
5. Categories of data subjects
The categories of data subjects may include:
a. Customer employees;
b. Customer administrators;
c. recruiters;
d. hiring managers;
e. staffing agency users;
f. recruitment agency users;
g. candidates;
h. applicants;
i. jobseekers;
j. Customer contacts;
k. persons included in uploaded documents or calendar events;
l. communication participants;
m. references or third parties included in candidate documents, where applicable.
6. Categories of personal data
The categories of personal data may include:
Candidate and applicant data
a. first name and last name;
b. email address;
c. phone number;
d. address, place of residence, postal code and country;
e. date of birth;
f. nationality;
g. profile picture;
h. video CV;
i. CV/resume data;
j. education history;
k. professional qualifications;
l. certificates;
m. work experience;
n. employer history;
o. job title;
p. industry experience;
q. responsibilities;
r. language skills;
s. hard skills;
t. soft skills;
u. desired jobs, industries and preferences;
v. application status;
w. interview notes;
x. internal Customer comments;
y. communication history;
z. uploaded documents.
Customer user data
a. name;
b. business email address;
c. business phone number;
d. company affiliation;
e. role and permissions;
f. login data;
g. user ID;
h. IP address;
i. activity data;
j. support requests;
k. calendar integration data where connected.
Calendar integration data
a. calendar event titles;
b. event descriptions;
c. dates and times;
d. participants where included in calendar events;
e. calendar metadata;
f. calendar tokens.
Communication and collaboration data
a. chat messages;
b. call notes manually entered by users;
c. task data;
d. appointment data;
e. team notes;
f. candidate lists;
g. application pipeline data;
h. activity logs.
Technical data
a. user IDs;
b. session data;
c. authentication data;
d. system logs;
e. error logs;
f. monitoring data;
g. device/browser information;
h. IP addresses where technically processed;
i. access logs.
Billing/customer account data
Where processed in connection with the Customer account:
a. company name;
b. billing address;
c. billing contact;
d. payment-related information;
e. invoice data;
f. subscription data.
7. Special categories of personal data
The Services are not designed to specifically request special categories of personal data. However, Customer users, candidates or other authorised users may upload or enter arbitrary documents or content that may include special categories of personal data or sensitive information.
This may include, depending on user behaviour:
a. health data;
b. disability information;
c. biometric-like photo or video data, where uploaded;
d. identification documents;
e. residence permits;
f. visa or work permit documents;
g. criminal record information;
h. religious information;
i. trade union information;
j. other sensitive personal data included in documents, messages or notes.
The Customer remains responsible for the lawfulness of such processing.
Annex 2
Technical and organisational measures
1. Hosting and infrastructure security
1.1 The primary hosting provider is Hetzner, using VPS infrastructure located in Nuremberg, Germany.
1.2 File storage is provided through Amazon S3, configured in the Europe Frankfurt region.
1.3 AWS services used in connection with the Services are configured in the Europe Frankfurt region.
1.4 S3 files are encrypted by default.
1.5 Daily backups are created and retained for 7 days.
1.6 Production and staging environments are separated.
1.7 Real Customer Personal Data is not used in testing.
2. Access control
2.1 Access to production systems and Customer Personal Data is limited to vetted and qualified personnel.
2.2 Access is granted based on role and necessity.
2.3 Multi-factor authentication is required for admin and support access.
2.4 Role-based access control is implemented.
2.5 Support and admin access is available only through dedicated support or admin interfaces.
2.6 Access rights are reviewed and adjusted where personnel change role or no longer require access.
3. Admin and support access logging
3.1 Administrative and support access to Customer accounts is logged.
3.2 Logs include at least:
a. timestamp;
b. accessing user;
c. relevant access/action information.
3.3 Admin and support access logs are retained for at least 180 days.
4. Encryption and transmission security
4.1 Customer Personal Data is protected in transit using TLS encryption.
4.2 S3 file storage is encrypted.
4.3 Sensitive database fields, including payment-related information and passwords, are encrypted.
4.4 Passwords are not stored in plain text.
5. Development and deployment security
5.1 Code reviews are performed before deployment.
5.2 Weekly dependency scanning is performed.
5.3 Production and staging environments are separated.
5.4 Real Customer Personal Data is not used in development or testing environments.
5.5 Changes to the platform are reviewed before release.
6. Monitoring and incident detection
6.1 Monitoring and error tracking tools are used to maintain platform security, stability and availability.
6.2 Laravel Nightwatch is used in the EU, Frankfurt region.
6.3 Sentry is used in the EU, Frankfurt region.
6.4 Monitoring data does not intentionally include personal content data and is limited to technical information and user IDs.
6.5 Monitoring logs are retained for 90 days.
7. Personnel security
7.1 Critical personnel are subject to confidentiality agreements.
7.2 Personnel with access to Customer Personal Data are vetted and qualified.
7.3 Access to Customer Personal Data is limited to personnel who require access for support, maintenance, security or service operation purposes.
7.4 Personnel are required to comply with internal security and data protection requirements.
8. Device security
8.1 Personnel use password managers.
8.2 Devices are protected with current antivirus protection.
8.3 Devices use screen locks.
8.4 Access to systems is protected by individual credentials.
9. Backup and recovery
9.1 Daily backups are created.
9.2 Backups are retained for 7 days.
9.3 Backup data is deleted or overwritten according to the regular backup process.
9.4 Backup procedures are designed to support restoration in case of technical incidents.
10. Data minimisation and purpose limitation
10.1 YourMellon processes Customer Personal Data only as necessary to provide the Services and comply with documented instructions.
10.2 Monitoring and logs are limited to technical data where possible.
10.3 Pusher is used only for event signals and does not process message content.
10.4 Twilio is used for in-app call connection and does not record calls.
11. Availability and resilience
11.1 Infrastructure, backups and monitoring are used to support availability and resilience of the Services.
11.2 YourMellon maintains procedures for technical troubleshooting, restoration and incident handling.
Annex 3
Approved subprocessors
The Customer authorises the following subprocessors.
| Subprocessor | Purpose | Location / Region | Data processed |
|---|---|---|---|
| Hetzner Online GmbH | VPS hosting / infrastructure | Nuremberg, Germany | Platform data, Customer Personal Data, candidate data, system data |
| Amazon Web Services | S3 file storage, SES email services | Europe Frankfurt region | Uploaded files, email content/metadata, system data |
| Pusher | Realtime websocket event signals | EU region | Technical event signals only, no message content |
| Stripe | Payment processing | Used through Apiro GmbH | Customer billing/payment data only, no candidate data |
| Google (Google Maps Embed, Google Cloud Translation API, Google Calendar integration) | Map embedding, on-demand translation, optional calendar integration | Google infrastructure, EU region | Company address for Maps, translated chat/job ad content, calendar events, calendar tokens |
| Twilio | In-app calling | EU region | Technical call connection data; no phone number processing, no call recording |
| Microsoft / Outlook | Optional calendar integration | Microsoft infrastructure, EU region | Calendar event data, calendar metadata, calendar tokens |
| Laravel Nightwatch | Monitoring | EU, Frankfurt | User IDs, technical monitoring data |
| Sentry | Error tracking / monitoring | EU, Frankfurt | User IDs, technical error data |
Notes on specific subprocessors
Stripe
Stripe receives customer billing and payment-related data only. No candidate data is intentionally transferred to Stripe. The Stripe contractual relationship is handled through Apiro GmbH.
Google Maps Embed
Google Maps Embed receives company address data where maps are displayed.
Google Cloud Translation API
Google Cloud Translation API is used for on-demand translation of chat messages and job advertisements. Translation is triggered by user action.
Google Calendar and Microsoft Outlook
Calendar integrations are optional and must be initiated by the user. Synced calendar data may include all events from the selected calendar, including event titles, descriptions, dates and times. Calendar tokens are stored to maintain the integration. Users may disconnect the integration at any time, after which synced calendar data is deleted, subject to backup retention.
Twilio
Twilio is used for in-app calling in the EU region. Calls are not recorded by YourMellon. Call logs may be manually stored by Customer users.
Pusher
Pusher is used only for technical websocket event signals. Message content is not transferred through Pusher.
Annex 4
International transfers and third-country access
1. Hosting and primary processing location
The primary hosting and infrastructure used for the Services are located in Germany and/or the European Union.
This includes:
a. Hetzner VPS infrastructure in Nuremberg, Germany;
b. Amazon S3 file storage in Frankfurt, Germany;
c. AWS SES in the Europe Frankfurt region;
d. Laravel Nightwatch in the EU, Frankfurt region;
e. Sentry in the EU, Frankfurt region.
2. Remote access from third countries
Authorised personnel may access Customer Personal Data remotely from outside the EU/EEA where necessary for support and service operation purposes.
Such access may occur from:
| Country | Role | Access type |
|---|---|---|
| United Arab Emirates | Support | Admin/support interface |
| Serbia | Support | Candidate support interface only |
| Greece | Support | Candidate support interface only |
Greece is an EU Member State; remote access from Greece is therefore not a third-country transfer.
The United Arab Emirates and Serbia are outside the EU/EEA and are not covered by an adequacy decision; remote access to Customer Personal Data from these countries is a transfer requiring safeguards under Chapter V GDPR.
3. Safeguards for third-country access
Remote access from third countries is subject to:
a. confidentiality obligations;
b. vetted and qualified personnel only;
c. role-based access control;
d. multi-factor authentication;
e. access limitation based on necessity;
f. admin/support access logging;
g. retention of admin/support access logs for at least 180 days;
h. internal security and data protection requirements;
i. contractual safeguards;
j. Standard Contractual Clauses or other appropriate transfer mechanisms where required.
4. No unrestricted third-country transfer
Customer Personal Data is not hosted in the United Arab Emirates or Serbia.
Remote access from third countries is limited to authorised support and service operation purposes and does not constitute unrestricted storage or hosting in those countries.
5. Changes to transfer setup
YourMellon shall inform the Customer of material changes to international transfer arrangements where such changes materially affect the processing of Customer Personal Data.
Annex 5
Subprocessor change notice mechanism
YourMellon may update the subprocessor list from time to time.
YourMellon shall provide at least 30 days’ prior notice before adding or replacing a subprocessor that processes Customer Personal Data.
Notice shall be provided by:
a. email notification; and
b. update of the public subprocessor page.
The Customer may object to the new subprocessor within the notice period for reasonable data protection reasons.
If the objection is justified, the Parties shall work in good faith to find a reasonable solution.
If no reasonable solution is available and the subprocessor is necessary for the continued provision of the Services, the Customer may terminate the affected Services in accordance with the Main Agreement.