This addendum governs how HRM8 processes personal data on behalf of its business customers when providing the Services. It forms part of the agreement between you and HRM8.
This Data Processing Addendum (the DPA) applies where HRM8 Pty Ltd (ACN 694 475 208, ABN 93 694 475 208) and its HRM8 Group (HRM8, we) process personal data on behalf of a customer (you) in providing the Services under our Terms of Service or other agreement (the Agreement). In relation to that personal data, you are the controller and HRM8 is the processor. Where you are yourself a processor for a third party, you appoint HRM8 as a sub-processor, and you confirm you have the authority to do so.
HRM8 also processes some personal data as a controller, for example account contacts and job seeker accounts. That processing is governed by our Privacy Policy, not this DPA.
Terms such as controller, processor, personal data, processing, data subject and personal data breach have the meanings given in applicable data protection law, including the Australian Privacy Act and Australian Privacy Principles, the EU General Data Protection Regulation, and the UK GDPR, as relevant. Customer Personal Data means personal data within the Customer Data that HRM8 processes on your behalf under the Agreement.
HRM8 will process Customer Personal Data only on your documented instructions, including as set out in the Agreement, this DPA and your use and configuration of the Services, unless required to do otherwise by law, in which case we will inform you where the law permits. The subject matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects are set out in Annex A. You are responsible for the accuracy and lawfulness of the Customer Personal Data and for having a lawful basis, notices and consents for the processing.
HRM8 will ensure that people authorised to process Customer Personal Data are bound by confidentiality obligations and only process it as needed to provide the Services.
HRM8 will implement appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, taking into account the state of the art, the costs of implementation and the nature, scope and purposes of the processing. A summary of those measures is in Annex B and on our Security and Trust page.
You give HRM8 general authorisation to engage sub-processors to help provide the Services. HRM8 will impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for their performance. Our current sub-processors are listed in Annex C and at our sub-processor list. We will give you a way to be notified of new sub-processors, for example by email or through the Services, before they start processing, and at least 30 days to object on legitimate data protection grounds.
Taking into account the nature of the processing, HRM8 will provide reasonable assistance, including through the features of the Services, to help you respond to requests from data subjects to exercise their rights. If we receive a request directly that relates to Customer Personal Data, we will direct the individual to you unless the law requires otherwise.
Taking into account the nature of the processing and the information available to us, HRM8 will provide reasonable assistance with your obligations relating to the security of processing, data protection impact assessments, prior consultations with regulators, and personal data breaches.
HRM8 will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to us to help you meet your own notification obligations.
HRM8 may process Customer Personal Data in, or transfer it to, countries other than your own, including through HRM8 Group entities and sub-processors. Where required, we will put in place a valid transfer mechanism, such as standard contractual clauses or another mechanism recognised under applicable law. For transfers subject to the EU GDPR or UK GDPR, this includes the relevant standard contractual clauses, which are taken to be incorporated into this DPA where they apply.
HRM8 will make available information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by you or an auditor you appoint, on reasonable prior notice, during business hours, subject to confidentiality, and no more than once a year unless required by a regulator or following a breach. We may satisfy audit requests by providing relevant third-party reports or certifications where available.
At the end of the Services, HRM8 will, at your choice, return or delete Customer Personal Data, and delete existing copies, unless we are required by law to keep it. You can export Customer Personal Data while your access remains active. We will complete deletion within 90 days after the end of the Services, unless the law requires us to keep it longer.
This DPA forms part of the Agreement. The liability provisions of the Agreement apply to this DPA. If there is a conflict between this DPA and the rest of the Agreement on the processing of personal data, this DPA prevails for that matter.
Subject matter and duration: the provision of the Services under the Agreement, for its duration.
Nature and purpose: hosting, storing and processing personal data to provide the applicant tracking system, HR management system, Assessment Hub, job distribution, job board and professional services, and to support, secure and improve them.
Categories of data subjects: your authorised users, candidates and applicants, employees and workers, and referees.
Categories of personal data: contact and identity details, profile and application data, resume or CV content, work history and qualifications, screening and assessment responses and results, reference check information, AI interview content where used, employment records you choose to manage, and usage data.
Special category or sensitive data: only where you choose to include it, which you are responsible for doing lawfully.
Measures include encryption of data in transit and at rest, role-based access control on a need-to-know basis, support for single sign-on and multi-factor authentication, logical separation of customer data, secure development practices, monitoring, and backups. A fuller description is on our Security and Trust page, which we update as our controls and certifications develop.
Our current sub-processors, the service each provides and their location are listed at our sub-processor list.