JOBADDER

DATA PROCESSING AGREEMENT

This DPA is made between JobAdder Operations Pty Ltd (ACN 167 597 953) (JobAdder, we, us or our) and you, the individual or entity that has entered into our Principal Agreement with us (Customer, you or your), together the Parties and each a Party. This DPA supplements the Principal Agreement entered into between the Parties and applies to the provision of Services under the Principal Agreement. This DPA applies only where you are located in the European Union or the United Kingdom.

Capitalised terms not defined herein shall have the meanings assigned to those terms in the Principal Agreement.

Background

  A. The Parties have entered into the Principal Agreement for the provision of Services.
  B. The Parties would like to implement this DPA to set out each Party’s rights and obligations in connection with the processing of Personal Data under the Principal Agreement.
  C. Where you, or your Invited Users, provide Personal Data to us to sign up to our Services and create an account, we are acting as a data Controller. When you input personal data into the Services and we process it on your behalf, you are acting as a data Controller and we are acting as a data Processor.
  D. For the purposes of the EU SCCs and/or the UK Addendum, we are the Data Importer and you are the Data Exporter.

1. Definitions and Interpretation

  1.1 In this DPA, unless the context otherwise requires, all terms have the meanings given to them in the Appendices and Annexures, and:

Applicable Data Protection Law means the laws and regulations applicable to the processing of Personal Data by the Parties in connection with the Principal Agreement, including:

  1. the EU GDPR;
  2. the UK GDPR; and
  3. the legal requirements of the Australian Privacy Principles as set out in the Privacy Act 1988 (Cth) (as if each Party is an “APP entity” as defined in the Privacy Act 1988 (Cth)).

Controller means the Party specified in the Background section C as the Controller that performs the role of a Controller as that term is defined under the EU GDPR, or UK GDPR, as applicable.

Data Subject means any individual person that is identified or identifiable by way of Personal Data.

DPA means this Data Processing Agreement and all Annexes attached to it.

EEA means the European Economic Area.

EU GDPR means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation).

EU SCCs means in respect of the EU GDPR, the standard contractual clauses annexed to the European Commission’s implementing decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as may be amended, superseded or replaced from time to time.

Liability means any expense, cost, liability, loss, damage, claim, notice, entitlement, investigation, demand, proceeding or judgement (whether under statute, contract, equity, tort (including negligence), misrepresentation, restitution, indemnity or otherwise), howsoever arising, whether direct or indirect and/or whether present, unascertained, future or contingent and whether involving a third party or a Party to this DPA or otherwise.

Personal Data means any Personal Data Processed by a Contracted Processor on behalf of a Controller in connection with the Principal Agreement.

Personnel means any employees, consultants, and subcontractors of the Processor.

Processor means the Party specified in the Background section C as a Processor that performs the role of a Processor as that term is defined under the EU GDPR, or UK GDPR, as applicable.

Principal Agreement means the commercial agreement entered into between the Parties for the provision of Services.

Restricted Transfer means:

  1. where the EU GDPR applies, a transfer of personal data from an EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; or
  2. where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.

Services means the services the subject of the Principal Agreement.

Sub-Processor means any person appointed by or on behalf of the Processor to process Personal Data on behalf of the Controller in connection with the Principal Agreement.

Supervisory Authority has the meaning given to that term in the GDPR.

UK Addendum means the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers implemented by the UK Information Commissioner’s Office pursuant to the Data Protection Act 2018, as may be amended, superseded or replaced from time to time.

UK GDPR means the Data Protection Act 2018 and the EU GDPR as incorporated into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018.

  1.2 The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the EU GDPR or UK GDPR, as applicable.

  1.3 The terms “Data Exporter” and “Data Importer” shall have the same meaning as in the EU SCCs and/or the UK Addendum (as applicable).

  1.4 The word include shall be construed to mean include without limitation.

2. Commencement and Term

  2.1 This DPA will commence on the Contract Start Date and will continue for as long as the Principal Agreement remains in effect, or the Processor retains any of the Personal Data in its possession or control (whichever is the longer) (Term).

  2.2 By entering into this DPA, each Party agrees to be bound by the terms and conditions set out in this DPA, in exchange for the other Party also agreeing to be bound by this DPA.

3. Processing of Personal Data

  3.1 The Parties acknowledge and agree that with regard to the processing of Personal Data solely on behalf of Customer, (i) Customer is the Controller of Personal Data and (ii) JobAdder is the Processor of such Personal Data.

  3.2 Customer, in its use of the Services, and Customer’s instructions to the Processor, shall comply with Data Protection Laws. Customer shall establish and have any and all required legal basis in order to collect, process and transfer to Processor the Personal Data, and to authorise the processing activities by Processor on Customer’s behalf.

  3.3 In providing the Services to the Controller pursuant to the terms of the Principal Agreement, the Processor shall process Personal Data only to the extent necessary to provide the Services in accordance with the Controller’s instructions documented in the Principal Agreement and this DPA, as may be updated from time to time by the Controller.

  3.4 The Controller acknowledges and agrees that, in the course of providing the Services to the Controller, it may be necessary for the Processor to access the Personal Data to respond to any technical problems or Controller queries and to ensure the proper working of the Services. All such access by the Processor will be strictly limited to those purposes.

  3.5 Processor shall inform Controller without undue delay if, in Processor’s opinion, an instruction for the processing of Personal Data given by Controller infringes Applicable Data Protection Laws.

  3.6 The subject-matter of processing of Personal Data by Processor is the performance of the Services pursuant to the Principal Agreement and the purposes set forth in this DPA. The duration of the processing, the nature and purpose of the processing, the types of Personal Data and categories of Data Subjects processed under this DPA are further specified in Annexure 1 to this DPA.
4. Data Subject requests

  4.1 If the Processor receives a request from a Data Subject in relation to Personal Data, the Processor will refer the Data Subject to the Controller unless the Controller is not identifiable on the face of the request, or otherwise prohibited by law. The Controller shall reimburse the Processor for all costs incurred resulting from providing reasonable assistance in dealing with a Data Subject request. In the event that the Processor is legally required to respond to the Data Subject, the Controller will fully cooperate with the Processor as applicable.

  4.2 Taking into account the nature of the Processing, Processor shall assist Customer by implementing appropriate technical and organisational measures, insofar as this is possible and reasonable, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Applicable Data Protection Laws.
5. Confidentiality

Processor shall ensure that its Personnel and advisors engaged in the processing of Personal Data have contractually committed themselves to confidentiality obligations.

6. Sub-processors

  6.1 Customer acknowledges and agrees that the Processor may engage third-party Sub-Processors in connection with the provision of the Services. Processor makes available to Customer the current list of Sub-Processors used by Processor to process Personal Data via https://jobadder.com/subprocessors/. The Sub-Processor List as of the Contract Start Date, as defined in the Principal Agreement, is hereby deemed authorised upon first use of the Services.

  6.2 Customer may reasonably object to Processor’s use of a new Sub-Processor, for reasons relating to the protection of Personal Data intended to be processed by such Sub-Processor, by notifying Processor in writing to dataprivacy@jobadder.com within ten (10) business days after receipt of the Processor’s notice. Such written notice must include the reasons for objecting to Processor’s use of the relevant new Sub-Processor. Failure to object to a new Sub-Processor in writing within ten (10) business days following Processor’s notice shall be deemed as acceptance of the new Sub-Processor. If Customer reasonably objects to a new Sub-Processor, as permitted in the preceding sentences, Processor will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid processing of Personal Data by the objected-to Sub-Processor without unreasonably burdening the Customer. If Processor is unable to make available such change within thirty (30) days, Customer may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Processor without the use of the objected-to Sub-Processor, by providing written notice to Processor. All amounts due under the Principal Agreement before the termination date for the terminated portion of the Service shall be duly paid to Processor.

  6.3 Processor, or a Processor’s Affiliate on behalf of Processor, has entered into a written agreement with each Sub-Processor containing appropriate safeguards to the protection of Personal Data. Where Processor engages a Sub-Processor for carrying out specific Processing activities on behalf of the Customer, the same or materially similar data protection obligations as set out in this DPA shall be imposed on such new Sub-Processor by way of a contract, in particular obligations to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Where a Sub-Processor fails to fulfil its data protection obligations concerning its processing of Personal Data, Processor shall remain responsible for the performance of the Sub-Processor’s obligations.
7. Security

  7.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor agrees to implement industry standard technical and organisational measures in relation to the Personal Data to ensure a level of security appropriate to that risk in accordance with Applicable Data Protection Laws, and as set out in Annexure 2. The Controller accepts and agrees that the technical and organisational measures are subject to development and review and that the Processor may use alternative suitable measures to those detailed in the attachments to this DPA, provided such measures are at least equivalent to the technical and organisational measures set out in Annexure 2.
8. Audits and inspection

  8.1 JobAdder has ISO27001 certification and intends to maintain ISO27001 as its security standard. JobAdder warrants that it will within 15 business days and, subject to the Customer entering into an NDA, provide the Customer with the most recent copy of its ISO27001 certification and audit results.

  8.2 Customer may request from JobAdder information regarding JobAdder’s compliance with this DPA or its obligations under Article 28 of the GDPR. JobAdder must respond to this request within a reasonable time period. If:

    (a) JobAdder fails to respond to the request; or
    (b) Customer does not deem the response to be adequate and determines after consulting with JobAdder that a further round of questions will not be adequate to resolve its queries,

    then Customer may, at its own expense, audit JobAdder for compliance with this DPA or Article 28 of the GDPR. JobAdder will contribute to such audits and will co-operate with and respond to all reasonable requests of the Customer or any independent third party auditor appointed by the Customer in respect of the audit.

  8.3 The information provided by JobAdder to Customer, or its appointed auditor, pursuant to this clause is Confidential Information of JobAdder and must only be used by the Customer to assess compliance with this DPA or Article 28 of the GDPR. To the extent permitted by Applicable Privacy Laws, the information shall not be used for any other purpose or disclosed to any third party without Processor’s prior written approval.

  8.4 In the event of an audit pursuant to this clause, the audit:

    (a) must be conducted during the Processor’s regular business hours, with reasonable advance notice (which shall not be less than 30 business days);
    (b) will be subject to the Processor’s reasonable confidentiality procedures;
    (c) must be limited in scope to matters specific to the Controller and agreed in advance with the Processor;
    (d) must not require the Processor to disclose to the Controller any information that could cause the Processor to breach any of its obligations under Applicable Data Protection Laws;
    (e) to the extent the Processor needs to expend time to assist the Controller with the audit (or inspection), will be funded by the Controller, in accordance with pre-agreed rates; and
    (f) may only be requested by the Controller a maximum of one time per year, except where required by a competent Supervisory Authority or where there has been a Personal Data Breach in relation to Personal Data, caused by the Processor.

  8.5 Controller shall ensure that it (and each of its appointed auditors) will not cause (or, if it cannot avoid, minimise) any damage, injury or disruption to Processor’s premises, equipment, Personnel and business while conducting such audit or inspection.

  8.6 Information and audit rights of the Controller only arise under this clause where the Principal Agreement does not otherwise give it information and audit rights meeting the relevant requirements of Applicable Data Protection Law.
9. Personal Data Breach

  9.1 Processor maintains security incident management policies and procedures and, to the extent required under Applicable Data Protection Laws, shall notify Customer without undue delay, and in any event no later than 48 hours, after becoming aware of a Personal Data Breach affecting the Personal Data.

  9.2 The Processor will make reasonable efforts to identify and take steps as the Processor deems necessary and reasonable, to remediate and/or mitigate the cause of such Data Incident to the extent the remediation and/or mitigation is within Processor’s reasonable control. Customer will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Personal Data Breach which directly or indirectly identifies Processor (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals, and excluding disclosure to third-party consultants and advisors of Customer that are subject to appropriate confidentiality undertakings) without Processor’s prior written approval, unless, and solely to the extent that, Customer is compelled to do so in order to notify any competent data protection authority of a Personal Data Breach in a mandatory manner prescribed by such authority, or pursuant to applicable Data Protection Laws. To the extent permitted by law, if the Controller decides to notify a Supervisory Authority, Data Subjects or the public of a Personal Data Breach, the Controller agrees to provide the Processor with advance copies of the proposed notices and, subject to Applicable Data Protection Law (including any mandated deadlines under the GDPR), allow the Processor an opportunity to provide any clarifications or corrections to those notices.

10. Data Protection Impact Assessment and Prior Consultation

Upon Customer’s reasonable request, Processor shall provide Customer, at Customer’s cost, with reasonable cooperation and assistance needed to fulfill Customer’s obligation under Applicable Data Protection Law to undertake data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is in the Processor’s control.

11. Deletion or return of Personal Data

Subject to any document retention requirements at law, the Processor agrees to promptly, and in any event within 90 days following termination of the Principal Agreement, delete all the Personal Data it processes solely on behalf of the Customer.

12. Restricted Transfers

  12.1 The Parties agree that where the transfer of Personal Data between the Parties is a Restricted Transfer protected by the EU GDPR, it will be subject to the EU SCCs, which shall be deemed to be incorporated into this DPA and form part of this DPA, subject to Annexure 1, and are considered an appropriate safeguard.

  12.2 The Parties agree that where the transfer of Personal Data between the Parties is a Restricted Transfer protected by the UK GDPR, it will be subject to the UK Addendum (and any documents or legislation referred to within it), which shall be deemed incorporated into this DPA, and:

    (a) the tables in Part 1 of the UK Addendum shall be populated with the relevant information set out in the Annexes to this DPA; and
    (b) the Parties agree that the UK Addendum is considered an appropriate safeguard.
13. Liability

  13.1 Despite anything to the contrary in this DPA, to the maximum extent permitted by law, the Liability of each Party and its affiliates under this DPA is subject to the exclusions and limitations of Liability set out in the Principal Agreement.

14. General

  14.1 Contracts (Rights of Third Parties) Act 1999: Notwithstanding any other provision of this DPA, nothing in this DPA confers or is intended to confer any right to enforce any of its terms on any person who is not a party to it.

  14.2 Order of Precedence: In the event of any conflict or inconsistency between the agreements entered into between the Parties, the SCCs shall prevail, then the Annexes, followed by this DPA and then the Principal Agreement.

  14.3 Governing law and disputes: This DPA is governed by the laws of England and Wales. Each Party irrevocably and unconditionally submits to the exclusive jurisdiction of the courts operating in England and Wales and any courts entitled to hear appeals from those courts and waives any right to object to proceedings being brought in those courts.

  14.4 Severance: If a provision of this DPA is held to be void, invalid, illegal or unenforceable, that provision is to be read down as narrowly as necessary to allow it to be valid or enforceable, failing which, that provision (or that part of that provision) will be severed from this DPA without affecting the validity or enforceability of the remainder of that provision or the other provisions in this DPA.


ANNEX 1 PART A: DESCRIPTION OF TRANSFER

Data Controller in respect of the Personal Data stored by Customer in the Service

Customer

Data Processor in respect of the Personal Data stored by Customer in the Service

JobAdder Operations Pty Ltd

Personal Data Transferred

  • Identity Data including first name, middle name, last name, maiden name, title, date of birth, gender, job title, photographic identification documents such as licences and passports for candidates, pronouns.
  • Contact Data including email addresses and telephone numbers, home addresses for candidates and billing addresses for clients.
  • Professional Data including job descriptions of employees and professional history of potential candidates such as previous positions and professional experience.
  • Employee Details including Identity Data and Contact Data of past, present and future employees.
  • Financial Data including bank account, superannuation and tax file numbers.
  • Technical and Usage Data including internet protocol (IP) address, login data, browser session and geo-location data, device and network information, statistics on page views and sessions, acquisition sources, search queries and/or browsing behaviour, information about user access and use of our Service, including through the use of Internet cookies, communications with our Service, the type of browser used by users, the type of operating system used by users and the domain name of users’ Internet service provider.
  • Profile Data including usernames and passwords for our Service, support requests made with us, content posted and shared through our Service.
  • Marketing and Communications Data including preferences in receiving marketing from us and our third parties and communication preferences.

Special Categories of Personal Data and criminal convictions and offences

Depending on what the Controller elects to store in the Service, the transferred data may for some Controllers include data relating to:

  • Criminal checks
  • Vaccination status
  • physical or mental health

Relevant Data Subjects

The following Data Subjects will have their Personal Data shared with the Data Processor:

  • Invited Users of the Services;
  • Anyone about whom Personal Data is inputted into the Service by the Data Controller including: candidates, temporary workers and clients

Frequency of the transfer

Continuous on the Controller’s instructions.

Nature of the transfer

As specified in the Principal Agreement, this DPA and as instructed by the Data Exporter (if applicable), including without limitation:

  • collection, organisation, storage (hosting), retrieval and other processing of Personal Data by JobAdder necessary to provide, maintain and improve the Services; and
  • transmission, disclosure and dissemination of Personal Data to provide the Services in accordance with the Principal Agreement or as compelled by law.
  • Personal Data will be processed to the extent necessary to provide the Services in accordance with both the Principal Agreement and the Controller’s instructions. Processing operations include but are not limited to: management of candidates, employees, and client contacts, candidate selection, managing the placement of candidates with clients, client management, contractor management, posting job advertisements and making comments and updates on these, management of lists of candidates, employees, contacts and other users, providing support to users and other recruitment functions.
  • Technical support, issue diagnosis and error correction and to identify, analyse and resolve technical issues both generally in the provision of the Services and specifically in answer to a Controller query.
  • Virus, anti-spam and malware checking in accordance with the Services provided.

Purpose of processing

The purpose of the transfer and processing are to provide the Services as specified in the Principal Agreement and this DPA.

Duration of the Processing

The term of the Principal Agreement and for a period of 90 days after termination or expiry of the Principal Agreement.

PART B: COMPETENT SUPERVISORY AUTHORITY

  1. If the EU SCCs apply, the competent supervisory authority is the Data Protection Commission of the Republic of Ireland.
  2. If the UK Addendum applies, the competent supervisory authority is the UK Information Commissioner’s Office.

PART C: INFORMATION REQUIRED FOR THE EU SCCs AND/OR THE UK ADDENDUM

Information required for Sections I – IV of the SCCs

Module 1
  Module in operation: No
  Clause 7 (Docking Clause): N/A
  Clause 11 (Option): N/A

Module 2
  Module in operation: Yes
  Clause 7 (Docking Clause): Incorporated
  Clause 11 (Option): Not incorporated
  Clause 9a (Prior Authorisation or General Authorisation): General authorisation
  Clause 9a (Time period): 10 business days

Module 3
  Module in operation: No
  Clause 7 (Docking Clause): N/A
  Clause 11 (Option): N/A
  Clause 9a (Prior Authorisation or General Authorisation): N/A
  Clause 9a (Time period): N/A

Module 4
  Module in operation: Yes
  Clause 7 (Docking Clause): Incorporated
  Clause 11 (Option): Not incorporated
  Is personal data received from the Importer combined with personal data collected by the Exporter? No

Clause 17 of the EU SCCs (Governing Law)

The governing law for the purposes of clause 17 shall be the (i) the laws of the Republic of Ireland where the relevant transfer falls within the territorial scope of application of the EU GDPR; or (ii) the laws of England & Wales where the relevant transfer falls within the territorial scope of the UK GDPR.

Clause 18 of the EU SCCs (Choice of forum and jurisdiction)

The choice of forum and jurisdiction for the purposes of clause 18 shall be (i) the courts of the Republic of Ireland where the relevant transfer falls within the territorial scope of application of the EU GDPR; or (ii) the courts of England & Wales where the relevant transfer falls within the territorial scope of the UK GDPR.

Information required for Table 4 of the UK Addendum

Ending this Addendum when the Approved UK Addendum changes

Which Parties may end this Addendum as set out in Section 19 of Part 2 of the UK Addendum:

☐ Importer

☐ Exporter

☒ Neither Party


ANNEX 2

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

TECHNICAL AND ORGANISATIONAL MEASURES

DETAILS

Designated data protection officer (if required) or privacy manager

Email: dpo@ametrosgroup.com

Tel: +44 (0)330 223 2246

Security certifications

Processor is certified to the ISO 27001:2013 Standard. A copy of our certificate is available here.

Internal policies e.g. security policy, data retention and deletion policies

Processor has a comprehensive set of security policies implemented as part of its information security management system governing areas including:

  • Access Control
  • Information Classification and Handling
  • Information Security Incident Management
  • Logging and Monitoring
  • Backups and Retention
  • Secure Software Development
  • Supplier Relationships

Pseudonymisation and encryption of personal data

HTTPS using TLS 1.2 or above with approved secure ciphers is required for all web applications accessing the Service. Certificates are 2048-bit RSA. All data in the Service is encrypted at rest.

Product security features

JobAdder provides two options for authentication to the platform: JobAdder local accounts, or SSO using customers’ own IdP (via OIDC or SAML 2.0).

Local accounts must have a minimum 15 character password. OTP-based MFA (multi-factor authentication) is switched on by default for all accounts. The functionality can be turned on and off by the account administrator for all users on an account.

SSO can be implemented using either OIDC or SAML 2.0; this provides customers the convenience of SSO and the ability to define their own password/authentication and session requirements.

Antimalware and/or EDR solutions are deployed on all hosts. This includes a Proactive Managed Threat Hunting service.

Processor engages a CREST certified auditor to undertake an annual penetration test of the Service. A copy of the auditor’s attestation letter is available upon request.

Network security

AVG Scanners are installed on AWS servers to scan incoming uploads.

JobAdder uses Cloudflare for WAF (web application firewall) and DDoS mitigations.

AWS Network Load Balancer restricts access to only required ports/services.

AWS security groups are utilised for network segmentation on a least access model.

Application server operating systems are hardened to provide only necessary ports, protocols, services and applications as part of the baseline standard build.

Physical security and disaster recovery

Application data and systems are hosted with AWS and subject to their high level of physical security controls including but are not limited to perimeter controls such as fencing, walls, security staff, video surveillance, intrusion detection systems and other electronic means.

JobAdder has a documented Disaster Recovery Policy and Business Continuity Plan which have been reviewed by an external auditor as part of its ISO27001 certification.

JobAdder utilises multiple AWS regions and Availability Zones to remain resilient in the face of most failure modes. Therefore, if one Availability Zone were to go down, there are two others that would continue in each region. The frequent back-ups to AWS Data Centres mean business continuity is addressed continuously and the business would continue, relatively unaffected, in a disaster event. Disaster scenarios are mapped and planned for, with testing completed regularly.

Human resources security

  • Background and criminal checks are conducted on all employees that have access to Personal Data in the Service in accordance with documented policies.
  • Processor obtains written commitment of employees and contractors to maintain confidentiality in employment contracts and contractors agreements.
  • Access is revoked on a timely basis in accordance with security procedures upon the departure of any personnel.
  • Regular (approximately six-monthly) information security awareness training is delivered to all employees.

Other Technical & Security Measures

If you require more information about JobAdder’s Technical and Security Measures, you can request a copy of our Security FAQs via our Customer Support here