Skip to main content

Data security

Data Processing Agreement ("DPA" or "Agreement") between the Company and JOIN. Available on desktop only.

JOIN processes personal data within the applicant tracking tool as a processor on behalf of the Company acting as data controller, in accordance with the GDPR and the Swiss Federal Act on Data Protection (FADP). This Data Processing Agreement (DPA) forms an integral part of any service contract entered into between the parties.


Scope

The provisions of the DPA apply only to JOIN services that constitute data processing under the service contract, in particular the applicant tracking tool.


Purpose and duration of processing

JOIN processes personal data exclusively on behalf of the Company and in accordance with its instructions, for the management of applications, in accordance with the service contract and Art. 28 of the GDPR.


Data subjects and types of data

The data subjects affected by the processing include candidates for positions posted by the Company and the Company's employees. The types of data processed include candidates' basic personal data (name, date of birth, email, phone), application data (CV, references, certificates), information related to the application process recorded in the tool (messages, progress), metadata (process duration, number of candidates), interactions with the management tool, and the Company's employee data (name, role, email, access data).


Rights and obligations of the Company

The Company is solely responsible for assessing the admissibility of the processing, fulfilling information obligations towards candidates, obtaining the necessary consent and complying with deletion deadlines. The Company is authorised to give instructions on the nature, scope and procedure of the data processing, and may carry out compliance audits (at most once a year, with 30 days' notice).


JOIN's obligations

JOIN undertakes to process data only in accordance with the agreement and the Company's instructions, to assist the Company in responding to data subjects' rights (rectification, restriction, deletion), to notify any data breach, to ensure confidentiality and to implement the technical and organisational measures described in Annex 1.


Technical and organisational measures (Annex 1)

JOIN guarantees the following measures:

Confidentiality: physical access control (chip card, transponder), two-factor authentication for critical services, encryption of communications and data media, firewalls, password policy, up-to-date user management, system separation (test/staging/production), pseudonymisation (encryption of sensitive database data, HTTPS, OAuth).

Integrity: personal user account assignment, limited access rights, encrypted transmission (SSL/SSH/SFTP/VPN), mutual two-factor authentication for all critical systems, access logging retained for at least 3 years.

Availability: regular backups with recovery testing, fire detection system, air conditioning in technical rooms, 100% cloud infrastructure (no on-premises servers).

Reliability: system monitoring, redundancies, automatic alerts, version management.


Sub-processors (Annex 2)

The sub-processors engaged by JOIN are: Amazon Web Services Europe (cloud services, Luxembourg), Google Europe (cloud services, Ireland), Mailchimp (marketing and email platform, United States), Stripe Payments Europe Ltd. (payment provider, Ireland), Kombo (API, Germany).

JOIN will inform the Company at least two weeks before any change of sub-processor. The Company has two weeks to object.


Place of processing

JOIN's processing and use of data takes place exclusively in Switzerland, the European Union or the European Economic Area, unless otherwise agreed.


Applicable law

This agreement is governed by Swiss law. For clients established in the European Union, the law of the Member State in which the Company has its registered office applies.

Did this answer your question?