General Terms and Conditions

General Terms and Conditions of softgarden

Rev. 2.7 valid from 01.01.2024

softgarden e-recruiting GmbH, Tauentzienstraße 14, 10789 Berlin (“Softgarden”) offers its customers (“company” or “companies”) various services relating to the electronic administration and processing of applications via an applicant management system (Software-as-a-Service) as well as the creation, mediation and placement of job advertisements on the Internet.

The companies have the possibility to place job advertisements as well as to receive and manage applications via the e-recruiting system “softgarden”, which Softgarden operates under the domain https://app.softgarden.io/ (hereinafter “platform”). In addition, softgarden mediates the placement of job advertisements with third-party providers via the platform. The following conditions apply to the use of the platform and the placement of job advertisements with third-party providers:

Terms of use of softgarden e-recruiting GmbH for the use of the “softgarden” e-recruiting system

1. Scope of application

1.1. The contractual relationship between the companies and Softgarden is exclusively governed by these General Terms and Conditions (hereinafter “GTC”).

1.2. General terms and conditions of the companies shall only become part of the contract if this has been expressly agreed in writing. The use of the platform is only permitted to entrepreneurs within the meaning of § 14 BGB.

1.3. The subject matter of the contract is the provision of a platform for recruiting new employees. Companies can use the platform to create job advertisements, operate their own job portal and manage applications (clause 2). Softgarden also offers the company the option to publish job advertisements on third-party platforms via the platform (clause 3).

2. Use of the platform

2.1. In order to use the Platform, the Company must register on the Platform and open a Company account (hereinafter “Account”). An Account may only be opened by an authorised representative or an employee of the company authorised to represent the company. The required data must be provided truthfully and updated immediately in the event of changes in order to ensure smooth use. Following registration, Softgarden sends the company a confirmation of its registration by e-mail together with these GTC to the e-mail specified in the registration process. This confirmation e-mail also represents the acceptance of the company’s offer to conclude a contract of use and a contract of use is concluded. There is no entitlement to the conclusion of a contract of use.

2.2. The Company itself is responsible for maintaining the confidentiality of the login data. It will keep its user name and password for access secret, will not pass them on, will not tolerate or enable unauthorised persons or third parties to gain knowledge of them and will take the necessary measures to ensure confidentiality and, in the event of misuse or loss of these details or any suspicion thereof, will notify Softgarden of this by e-mail at the e-mail address security@softgarden.de.

2.3. The person acting on behalf of the Company must be authorised or entitled to represent the Company. Softgarden is entitled to request proof of authorisation at any time at its own discretion. If the person acting on behalf of the company does not provide the requested proof of authorisation to create an account and to post job advertisements on the platform within a period of one (1) week after receipt of the corresponding request, Softgarden may block the account at any time.

2.4. Companies can create job advertisements via the Platform and display them on a job portal made available to them by the Platform. Applicants can use this job portal to find out about advertised jobs and apply to the company via an online application form. Companies can process applications received via the platform (e.g. interim response, invitation to interview, offer, hiring).

2.5. The company is obliged to observe all applicable laws and other legal provisions when posting job advertisements and content on the job portal. In particular, the Company may not post and/or disseminate any data or content, such as texts, images, graphics and links, that violate legal provisions, infringe third-party property rights or copyrights or other rights of third parties. The company itself is responsible for the data and content it provides. Softgarden does not check the information and job advertisements for correctness, freedom from viruses or for virus-technical processability.

2.6. The company has the possibility to design its profile itself and, for example, to post a logo of the company and to integrate a background image. The company is obliged to ensure that it is authorised to make the logo and background image publicly available. Companies must ensure that their logo, background image or other files uploaded to the platform do not violate legal regulations, morality and/or the rights of third parties.

2.7. No files with depictions of violence, pornographic, discriminatory, insulting, defamatory or other illegal content or depictions may be uploaded and/or made publicly accessible. Furthermore, it is prohibited to upload image files on which exclusively or partially third-party company, brand or other business logos or other protected signs are displayed. This does not apply if the company is entitled to do so, i.e. if it is the owner of the rights to the corresponding logos, advertising photos and other content or if the rights holder has permitted it to use them.

2.8. Pictures or photos of persons, such as employees, may only be posted on the platform if the consent of these persons has been obtained.

2.9. Softgarden is entitled to remove logos, images or files without prior notice if and insofar as there are concrete indications that the publication on the platform violates these GTC, legal regulations, morality and/or the rights of third parties.

2.10. The platform is available for use 24 hours a day and 365 days a year with an availability of 99.8% on a monthly average (hereinafter “SLA”) (“system uptime”). If maintenance work is required and the platform is therefore not available, Softgarden will inform the companies of this in good time by e-mail if possible. Downtimes of the platform due to maintenance work will not be counted towards the SLAs. Softgarden is not responsible for internet/network-related downtimes and in particular not for downtimes during which the platform cannot be accessed via the internet due to technical or other problems beyond Softgarden’s control (e.g. force majeure, etc.).

3. Placement of job advertisements

3.1. The company can commission Softgarden with the placement of job advertisements with third-party providers of job portals/job exchanges (“Third-Party Providers”) via the platform. For this purpose, Softgarden offers on the platform under the heading “Shop” against separate remuneration to publish individual job advertisements or several job advertisements with various third-party providers in a package (“Advertisement Package”) for a certain period of time (“Publication Period”).

3.2. The contract for the publication of individual job advertisements or an advertisement package is concluded via the shop on the platform at the conditions stated there. Upon conclusion of the contract Softgarden undertakes to design one or more job advertisements adapted to the portal of the respective third party provider and to publish them on the respective portal of the third party provider within the period of validity (see section 3.3) at a time to be determined by the company. The concrete service description results from the respective offer on the platform.

3.3. After conclusion of the contract, the Company may determine the time of publication of individual job advertisements. The time for publication of the respective job advertisement must be within the validity period determined in the Softgarden offer (“Validity Period”). After the expiry of the Validity Period, the Company can no longer request the design and publication of booked job advertisements. During the Validity Period, Softgarden assumes the economic risk of any price changes from third party providers. As Softgarden’s assumption of the economic risk is included in the remuneration to be paid, there will be no refund of the remuneration for unpublished job advertisements after the expiry of the validity period.

3.4. Softgarden will endeavour to implement the company’s specifications as best as possible when designing the job advertisements. In the case of a telephone order for job advertisements, Softgarden will send the created job advertisement to the Company for approval before posting the job advertisement on the Third Party Provider’s platform. The company will then give Softgarden its approval within ten (10) working days or inform Softgarden of any change requests to the design of the job advertisement. After expiry of the deadline, the creation of the job advertisement is deemed to have been approved.

3.5. Softgarden will only make changes to the job advertisement that the company requests after approval has been given and during the publication period if this is technically possible, third-party providers allow this and it is reasonable in terms of content. In these cases, the company has to bear the additional costs incurred by the third party provider for the changes. Softgarden will not carry out change requests from the company that involve significant changes to the respective job description. In these cases, the company must commission the publication of a new job advertisement.

4. Feedback, Softgarden certificate

4.1. The company can conclude a separate contract with Softgarden for the use of the “Feedback” function. With the “Feedback” function, the company can give applicants the opportunity to evaluate the application process and the company. For this purpose, applicants receive access to an evaluation form by e-mail during the application process and after being hired. Applicants can use this form to evaluate various aspects of the application process and the company, as well as to make their own comments. All evaluations are displayed to the company in its own account on the platform under the heading “Feedback”. Companies are not allowed to artificially improve the ratings, for example by selective questioning or creating fake applicants.

4.2. Optionally, the company can book the “Softgarden Certificate” for a separate fee. The “Softgarden Certificate” is used to publish the result of the ratings on the platform and, at the request of the company, also on third-party platforms. The “Softgarden Certificate” is awarded for a period of one year and can be extended for a further year in each case. During the validity period of the “Softgarden Certificate”, the Softgarden Certificate page on the platform cannot be deactivated.

4.3. In addition, the company has the option to book the “Certificate Widget” option for a separate fee. The “Certificate Widget” is an image file containing a Softgarden logo and the overall result of the company’s feedback ratings. During the validity period of the “Softgarden Certificate”, the company receives the right to advertise with this “Certificate Widget” on the Internet. The company may not change the “certificate widget” provided by Softgarden, neither graphically nor in terms of content; in particular, the evaluation result may not be falsified.

4.4. Applicants may not publish any discriminatory, insulting, defamatory or vulgar content via the comment function and may not mention the names of third parties (e.g. persons who were involved in the application process on the part of the company). Softgarden will check comments from applicants for compliance with this rule before publication and, if necessary, make parts of the comments unrecognisable. Should published comments nevertheless violate the rights of the company or the rights of third parties, the company can report these comments to Softgarden. Softgarden will then subject the respective comments to a renewed review and delete any infringing content.

4.5. With the exception of the cases mentioned in section 4.4, the Company has no claim to the deletion or modification of individual ratings or individual comments.

5. Support

5.1. Softgarden will answer questions from the Company regarding the Platform by telephone on +49 (0)30 884 940 510 (landline price) weekdays between 09:00 and 18:00 (CET).

5.2. The Company may also submit questions and error messages regarding the Platform as a ticket at https://softgarden.zendesk.com/hc/de/requests/new . The submitted tickets will be processed within 24 hours (on working days).

6. Granting of rights

To the extent necessary for the placement of job advertisements and/or for a customisation of the dashboard and limited to the aforementioned cases, the Company grants Softgarden the non-exclusive (simple) right, unlimited in space and limited in time to the duration of the Agreement, to use the logo, trademarks, advertising photos as well as all posted content of the Company for the duration of the Agreement on the platform for the purposes of the Agreement and for the placement and creation of job advertisements.

To the extent necessary for the placement of job advertisements and/or for a customisation of the dashboard and limited to the aforementioned cases, the company further grants Softgarden the right to modify logos and to use them modified in such a way that Softgarden may enlarge or reduce the logos and/or colour logos in black and white in order to be able to display the logos in the job portal and in job advertisements accordingly. Softgarden is in particular entitled to store the content in its own databases, to distribute, publish and make the content publicly accessible and/or, in the context of the publication of content with third-party providers, to grant or transfer corresponding rights of use to the third-party providers.

If a separate confirmation is provided by the company at least in text form, Softgarden may name the company as a reference customer on its advertising materials (websites, trade fair presentations, flyers and similar) during the use of the platform. Softgarden will consider objections of the company. For the use as a reference customer, Softgarden will obtain the aforementioned confirmation of the company in text form in advance, otherwise naming as a reference customer is excluded.

7. Remuneration

7.1. Use of the platform

7.1.1. The prices available at https://softgarden.com/de/preise/ apply to the use of the Platform. Companies can test the platform free of charge and without restriction for the first 14 days (“test phase”). The test phase begins with the activation of the account by clicking on the link in the e-mail sent to the specified email address after submitting the registration form and subsequently defining the password.

7.1.2. The costs for the use of the platform result from the selected subscription. The billing period begins on the day on which the account was converted into a paid account after the test phase and ends according to the selected term. The term is automatically extended by the same term in each case, unless notice of termination was given in due time in accordance with 11.1.2. However, Softgarden is entitled to adjust the price for the respective licence packages upwards or downwards at the beginning of each term extension at its reasonable discretion (§ 315 BGB). A price increase of more than 5% is only permissible if it is announced to the company in such good time beforehand that the company can regularly terminate the contract at the end of the subscription period before the increase takes effect. The Company has the option to change its licence package at any time during the term of the contract by choosing a licence package that includes more services (“upgrade”). If the company chooses an Upgrade during the contract period, the originally agreed contract period will start again from the time Softgarden receives the company’s request for change. The other terms and conditions remain unchanged. The costs will be invoiced in advance at the beginning of each billing period. The invoice will be sent by email to the email address specified in the registration process.

7.2. Placement of job advertisements with third-party providers

7.2.1. For the placement of job advertisements with third-party providers, the prices shown in the offer description in the shop (https://app.softgarden.io/just-hire/shop) apply.

7.2.2. The total price stated in the offer is due for payment without deduction immediately after conclusion of the contract.

7.3. If the customer does not pay within 14 days after the due date, he will be in default without further reminder. Softgarden charges default interest in the amount of 9 percentage points above the respective base interest rate in accordance with § 288 para. 2 BGB (German Civil Code), but at least 9% p.a. If a customer does not fulfil his payment obligations in due time or if payments of the customer are not executed or charged back, Softgarden is furthermore entitled – subject to further claims – to suspend the services until the claims are settled.

7.4. All prices listed are net prices.

8. Data protection

8.1. Softgarden will comply with all data protection requirements, in particular the provisions of Regulation (EU) 2016/679 (General Data Protection Regulation – DSGVO) and the Federal Data Protection Act (BDSG).

In connection with the provision of services, Softgarden processes personal data both as a controller pursuant to Art. 4 No. 7 DSGVO and as a processor pursuant to Art. 4 No. 8 DSGVO.

Softgarden as controller processes personal data in particular for the following purposes:

  • Customer management (account and usage data of Softgarden users)
  • Customer support (processing support tickets and requests)
  • Product improvement (analysis of customer usage behaviour on the Softgarden platform)

The processing of this data, which Softgarden processes as a data controller, is described in the privacy notice, which is available under “Privacy Notice Softgarden Products”.

As a processor, Softgarden processes such personal data which are processed by the customer within the Softgarden services and which do not relate to the customer itself (in particular all applicant data). For this processing of personal data on behalf of the customer, the Softgarden order processing agreement applies, which is part of these terms and conditions as Annex 1 and is hereby agreed.

9. Transmission of status information

Insofar as the company (customer) has agreed to this with a provider of job portals and this is part of the contract between the company and the provider of the job portal, Softgarden will forward the status information of the applications by the customer to the provider of the job portal, insofar as this is technically set up and possible. Only the status information of those applicants who have applied to the company via the corresponding job portal and who are registered with the job portal with their own user account will be made available.

Status information is information about the application status of applicants at the company. This includes, for example, the receipt of the application, the opening of the application or the rejection of applicants. The provider of the job portal is responsible for ensuring a legal basis under data protection law for the transfer and processing of this personal data. For the processing of status information, the company and the job portal provider act as joint controllers.

10. Liability

10.1. Claims of the Company for damages are excluded. Excluded from this are claims for damages by the company arising from injury to life, body, health or from the breach of essential contractual obligations (cardinal obligations) as well as liability for other damages based on an intentional or grossly negligent breach of duty by Softgarden, its legal representatives or vicarious agents. Cardinal obligations in the sense of this contract are those obligations which enable the proper execution of the contract and the achievement of its purpose in the first place and on whose compliance the users may therefore regularly rely.

10.2. In the event of a breach of material contractual obligations, Softgarden shall only be liable for the foreseeable damage typical for the contract if such damage was caused by simple negligence, unless it concerns claims for damages by users arising from injury to life, body or health.

10.3. Claims under the Product Liability Act shall remain unaffected.

10.4. The restrictions of clauses 8.1 and 8.2 also apply in favour of Softgarden’s legal representatives and vicarious agents if claims are asserted directly against them.

10.5. The company indemnifies Softgarden against all claims, including claims for reimbursement of expenses and damages, which other users of the platform or other third parties, including authorities, assert against Softgarden due to an infringement of their rights by the content posted by the company on the platform. The company shall bear all reasonable costs, including reasonable costs incurred for legal defence, incurred by Softgarden due to an infringement of third party rights by the company. All further rights as well as claims for damages of Softgarden remain unaffected.

10.6. If the company manually adds an applicant’s personal data to the system, it is obliged to obtain the applicant’s consent to the data protection declaration independently.

11. Term of the contract and termination

11.1. Use of the platform

11.1.1. The contract is concluded for the duration of the settlement period. The contract shall be renewed at the end of the settlement period for the same period if it is not terminated by one of the parties in accordance with the following provisions.

11.1.2. The contract may be terminated by either party by declaration in at least text form (§ 126 b BGB) and with a notice period of three (3) months to the end of the contract term. The right of termination for good cause (§ 314 BGB) and according to § 313 BGB remain unaffected.

11.1.3. In the event of termination, job advertisements that are still active will be deactivated, applications deleted and the job portal deactivated.

11.1.4. In the event of termination, Softgarden is obliged to hand over the applicant data in electronic form. The company has no right of retention.

11.2. Placement of job advertisements with third-party providers

11.2.1. A contract concluded between the Company and Softgarden for the placement of job advertisements with third party providers shall automatically end upon expiry of the validity period stated in the offer.

11.2.2. The ordinary termination of the contract is excluded.

11.3. The termination for good cause remains unaffected. Good cause shall include in particular:

  • a breach by the Company of the obligations under sections 2.1, 2.5, 2.6, 2.7 and 2.8 and
  • the manipulation of ratings by the Company, for example by submitting its own rating by the Company itself or on its behalf.

12. Final provisions

12.1. The law of the Federal Republic of Germany shall apply.

12.2. The place of jurisdiction for all legal disputes arising from this contract is Berlin.

12.3. Softgarden is entitled to amend and adjust these terms and conditions during the term of the contract with effect for the future. Softgarden will send the amended terms and conditions to the company in text form prior to the planned entry into force and make special reference to the new provisions and the date of entry into force. At the same time, Softgarden will grant the company a reasonable period of at least six weeks to declare whether it accepts the amended terms of use for the further use of the services. If no declaration is made within this period, which starts to run from receipt of the message in text form, the amended terms and conditions are deemed to be agreed. Softgarden will separately inform the company of this legal consequence, i.e. the right of objection, the objection period and the significance of silence, at the beginning of the period. This amendment mechanism does not apply to amendments to the parties’ main contractual performance obligations.

12.4. Should individual provisions of these GTC be or become invalid, this shall not affect the validity of the remaining provisions. The invalid provisions shall be replaced by such provisions that come closest to the economic purpose of the contract while reasonably safeguarding the interests of both parties.

Annex 1: Data Processing Agreement pursuant to Art. 28 DSGVO

You can sign our data processing agreement digitally here: Sign data processing agreement digitally. You can also download the PDF version here: Download data processing agreement as PDF.

between the controller

CLIENT (Company)

– hereinafter referred to as “Client” –

and the processor

softgarden e-recruiting GmbH, Tauentzienstraße 14, 10789 Berlin

– hereinafter referred to as “Contractor” –

hereinafter jointly referred to as the Contracting Parties.

The contractor offers the client services relating to the electronic administration and processing of applications via an applicant management system (software as a service) and hosts the applicant data stored in the applicant management system on behalf of the client for this purpose.

§ 1 General

  1. Within the scope of the existing service contract between the Parties (hereinafter referred to as “Main Contract”), it is necessary that the Contractor, as a processor within the meaning of Article 4 No. 8 of the Data Protection Regulation, processes personal data for which the Client is the controller within the meaning of Article 4 No. 7 of the Data Protection Regulation (hereinafter referred to as “Client Data”). This agreement specifies the rights and obligations of the parties under data protection law in connection with the Contractor’s processing of Client Data for the performance of the main contract. In the event of any contradictions, the provisions of this agreement with all its components shall take precedence over the provisions of the associated main contract.
  2. Insofar as the term “data processing” is used in this Agreement, this shall be based on the definition of “processing” within the meaning of Art. 4 No. 2 of the GDPR.

§ 2 Subject matter and duration of processing

  1. The subject matter of this Agreement is the processing of personal Client Data by the Contractor in connection with the use of the Recruiting and Applicant Management System as Software as a Service (SaaS) by the Client.
  2. The Contractor shall process the personal Client Data on behalf of and only in accordance with the Client’s instructions for the duration of the Main Contract. The nature and purpose of the processing as well as the type of personal data and the categories of data subjects are set out in Appendix 1.
  3. The term of this agreement on data processing on behalf is based on the term of the associated main contract (service agreements).

§ 3 Rights of the Client to issue instructions 

  1. The Client has the right to issue instructions to the Contractor regarding the type, scope and procedure of data processing. Verbal instructions shall be confirmed by the Client in text form (at least by e-mail/ticket) without undue delay.
  2. The Contractor shall be obliged to carry out the Client’s instructions without undue delay or, if applicable, within a reasonable period of time determined by the Client. In doing so, the Contractor shall in particular correct, delete or block personal data without undue delay upon the Client’s instructions and confirm this in writing upon request.
  3. The Contractor shall inform the Client without undue delay if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions. The Contractor shall be entitled, without acknowledging any obligation to check whether an unlawful instruction exists, to reject or suspend an instruction which it considers to be unlawful until it is confirmed or amended by the Client or to reject obviously unlawful instructions at any time or to suspend processing operations relating thereto.
  4. To the extent that the Contractor is required by Union or Member State law to which the Contractor is subject to process the personal data even without instructions from the Client, the Contractor shall inform the Client of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
  5. The Client undertakes to give instructions only to persons authorised to give instructions. The Contractor shall be entitled to assume a corresponding authorisation to issue instructions in the case of instructions issued by the Client.
  6. The Contractor shall designate the Client Service and Support department as the authorised recipient of instructions, contact: support@softgarden.de. Employees of the department as well as department managers of the Contractor are authorised to receive instructions.

§ 4 Obligations of the Client 

  1. As the controller within the meaning of Article 4 No. 7 of the GDPR, the client is responsible for the lawfulness of the processing of Client Data as well as for the protection of the rights of the data subjects resulting from Articles 12 to 23 of the GDPR.
  2. The Client is responsible as the controller, in the context of the processing carried out by the Contractor on behalf of the Client, for the notification and communication in the event of a personal data breach, Art. 33 and 34 GDPR.
  3. The Client is obliged to treat all knowledge of the Contractor’s trade and business secrets (in particular with regard to technical and organisational data security measures) obtained within the framework of the contractual relationship as strictly confidential. This obligation shall remain in force even after termination of this contract.

§ 5 Obligations of the Contractor

  1. Insofar as a data subject directly contacts the Contractor in exercising its rights under Chapter 3 of the GDPR (Art. 12 to 23 GDPR), taking into account Part 2, Chapter 2 of the Federal Data Protection Act (Sections 32 to 37 ‘BDSG’), the Contractor shall immediately forward this request to the Client. The Contractor shall support the Client in the fulfilment of data subject rights to the best of its ability, in particular in accordance with the Client’s instructions and by means of suitable technical and organisational measures.
  2. The Contractor shall support the Client in complying with the obligations set out in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the Contractor.
  3. If the Contractor becomes aware of a personal data breach within the meaning of Art. 4 No. 12 of the GDPR (“data protection incident”) with regard to the processed Client Data, it shall report this to the Controller without undue delay. Within the scope of the notification pursuant to Art. 33 (2) GDPR, the Contractor shall inform the Client, if possible, of the time, type and extent of the incident, the IT system affected, the affected data subjects, the time of discovery, all conceivable adverse consequences of the data security incident and the measures taken as a result.
  4. The Contractor shall inform the Client without undue delay if a supervisory authority takes action against the Contractor pursuant to Art. 58 of the GDPR concerning a processing operation that the Contractor performs on behalf of the Client.

§ 6 Obligation to notify in the event of disclosure

  1. The Contractor shall inform the Client without undue delay of any request or demand for disclosure of information of any kind by law enforcement agencies and other governmental authorities, insofar as such information is related to the agreements concluded between the Client and the Contractor (“Duty of Notification”).
  2. The Client shall be solely responsible for the decision on and the procedure for the disclosure of affected Client Data to governmental authorities and shall be supported by the Contractor in the disclosure to the best of its ability.
  3. The Contractor shall only be exempt from the obligation to notify the Client if the Contractor itself is obliged to disclose to state authorities as well as to maintain secrecy towards the Client.

§ 7 Control rights of the Client 

  1. The Contractor shall grant the Client a right to control the data processing and compliance with this Agreement or the respective project order. In particular, the Contractor shall provide the Client with all information necessary to prove compliance with the obligations set out in this contract and shall enable the performance of audits, including inspections. The audits may also be carried out by a third party bound to secrecy, provided that the third party is not a competitor of the contractor.
  2. The Parties agree that the Client shall conduct an audit pursuant to Paragraph 1 by instructing the Contractor to submit, at its option, a suitable attestation, report or report extracts from independent bodies (e.g. auditor, audit, data protection officer, information security officer, data protection auditor or quality auditor) or a suitable certification by an IT security or data protection audit – e.g. in accordance with ISO 27001 or “BSI-Grundschutz” – (“audit report”). In justified exceptions, the Client may conduct independent inspections.
  3. The Contractor undertakes to support the performance of the audits. This includes the granting of all required access, information and inspection rights. The same applies to public inspections by the competent supervisory authority in accordance with the applicable data protection regulations.
  4. In the event of independent inspections by the Client at the Contractor’s premises, each party shall bear the costs incurred by the inspection, such as inspection, personnel and travel costs. Insofar as the Contractor’s involvement in connection with inspections exceeds the required maximum of three (3) man-days and this is associated with a higher inspection effort or the commissioning of external service providers by the Contractor, the costs incurred for this may be invoiced to the Client in accordance with the hourly and daily rates customary in the industry.

§ 8 Subcontracting relationships 

  1. The Contractor may establish subcontracting relationships with further processors (subcontractors). The Contractor currently employs the subcontractors listed in Appendix 1. The Client agrees to their engagement.
  2. The Contractor shall always inform the Client in text form or a suitable electronic form of any intended change with regard to the use or substitution of subcontractors, which shall give the Client the opportunity to object to such changes within 14 calendar days, whereby this may not be done without good cause under data protection law. In the event of a justified objection, the Contractor may, at its own discretion, provide the service without the intended change or – if the provision of the service without the intended change is not reasonable for the Contractor – stop the service towards the Client within two (2) weeks after receipt of the objection and terminate the main contract without notice and with immediate effect. This shall not affect the Client’s extraordinary right of termination for good cause.
  3. The contractor shall ensure that the data protection obligations agreed in this contract also apply to the subcontractor and, pursuant to Article 28 (4) of the GDPR, shall oblige the subcontractor accordingly by way of a contract or other legal instrument in accordance with Union law or the law of the Member State concerned prior to the start of the activities, whereby in particular sufficient guarantees must be provided that the appropriate technical and organisational measures are implemented in such a way that the processing is carried out in accordance with the requirements of the GDPR.
  4. If the engagement of a subcontractor is associated with a transfer of the client data to a country outside the European Union (EU) or the European Economic Area (EEA) (“third country”), the provisions of Section 9 shall also apply.
  5. Services of third-party providers that can be booked via the so-called Marketplace of the Contractor and – as far as possible – also individually booked and integrated into the system by the Contractor on behalf of the Client shall – unless otherwise agreed – not become subcontractors of the Contractor and shall not establish any duty of inspection of the Contractor under data protection law.

§ 9 Transfer of client data to third countries

  1. The provision of the contractually agreed data processing within the scope of the provision of the recruiting and applicant management system generally takes place in member states of the European Union (EU) or the European Economic Area (EEA).
  2. Any transfer of client data to a country outside the EU/EEA (“third country”) may only take place if the special requirements of Art. 44 et seq. GDPR are fulfilled.

§ 10 Confidentiality obligation

  1. When processing personal data on behalf of the Client, the Contractor is obliged to maintain the confidentiality of personal data that it processes and/or comes to know in connection with the Service Agreements.
  2. The Contractor shall ensure that the persons authorised to process the personal Client Data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.

§ 11 Technical and organisational measures

  1. The Contractor commits itself towards the Client to guarantee technical and organisational measures that are necessary to comply with the applicable data protection regulations. This includes, in particular, the requirements of Article 32 of the GDPR. The contractor shall regularly review, assess and evaluate the effectiveness of the technical and organisational measures to ensure the security of the processing and document the results.
  2. The implemented technical and organisational measures at the time of the conclusion of the contract can be found in Appendix 2 to this agreement. The contracting parties agree that changes to the technical and organisational measures may be necessary in order to adapt to technical and legal circumstances. Changes to the technical and organisational measures must not lead to a lowering of the existing level of protection. The contractor shall document significant changes to the measures taken.
  3. The Contractor shall publish and regularly update the current technical and organisational measures as well as the evidence of compliance with technical and organisational measures on its website, insofar as these are designated for publication at its reasonable discretion and/or due to another obligation of the Contractor.

§ 12 Obligations of the contractor after termination

  1. After termination of the service agreements or earlier upon request by the Client – but at the latest upon termination of the service agreements – the Contractor shall, at the Client’s discretion and on the Client’s instructions, delete or return to the Client all documents, data and created processing or utilisation results as well as data files related to the contractual relationship that have come into its possession and delete existing copies, unless there is an obligation to store the personal data under Union law or the law of the Member States. The same applies to test and committee material.
  2. Documentation and protocols that serve as proof of orderly and proper data processing or legal retention periods shall be retained beyond the end of the contract in accordance with the respective retention periods.

§ 13 Special provisions for entities of the church

  1. Insofar as the Client is an entity of the church subject to the provisions of the “Kirchengesetz über den Datenschutz der Evangelischen Kirche in Deutschland” (EKD Data Protection Act), the Contractor submits to the church data protection supervision in addition to the provisions of this Data Processing Agreement pursuant to Section 30 (5) sentence 3 EKD-Datenschutzgesetz. The submission extends to the tasks and powers of the Church’s data protection supervision pursuant to Sections 43, 44 EKD Data Protection Act.
  2. Insofar as the Client is an entity of the church subject to the provisions of the “Gesetz über den Kirchlichen Datenschutz” (KDG), the Parties expressly include the application of the KDG, in particular Sections 29 and 31 KDG, as well as compliance with the provisions made therein in this Agreement.

§ 14 Term and termination

  1. The term and termination of this contract are governed by the provisions on the term and termination of the main contract. Termination of the main contract automatically results in termination of this contract. An isolated termination of this contract is excluded.

§ 15 Liability and compensation

  1. The client and the contractor shall be liable towards data subjects in accordance with the provision set out in Article 82 of the GDPR.
  2. If a data subject asserts claims for damages against one of the contracting parties due to a breach of data protection provisions, the party subject to the claim shall inform the other party thereof without delay.
  3. The parties shall support each other in the defence of claims for damages by data subjects unless this would endanger the legal position of one party in relation to the other party or the supervisory authority.

§ 16 Final provisions

  1. This Data Processing Agreement is valid without a separate signature upon conclusion of the main contract.
  2. This Data Processing Agreement supersedes any prior agreements, contracts or notices between the Client and the Contractor in relation to the processing of Personal Data on behalf of the Client.
  3. In the event of any contradictions, the provisions of this contract with all its components shall take precedence over the provisions of the associated main contract.
  4. In the event of conflicts between different language versions of this Agreement, the German version shall prevail.
  5. If any provision of this agreement should be or become invalid, this shall not affect the validity of the remainder of the agreement.
  6. The Appendices 1 and 2 attached to this commissioned processing agreement form an integral part thereof.
  7. The contractual relationship and its performance shall be governed exclusively by the laws of the Federal Republic of Germany. For all disputes arising from or in connection with this contract, the agreement on the place of jurisdiction of the main contract shall apply – as far as permissible.

Appendix 1: Specification of the data processing

You can download Appendix 1 and Appendix 2 (TOM) as PDF files here: Appendix 1 and Appendix 2 to the agreement on commissioned data processing as a PDF download.

Specification of the data processing

1. Subject of the processing

The subject of the agreement is the processing of personal data by the recruiting and applicant management software, including the booked product components and ancillary processing in the broadest sense, which are processed on behalf of the client.

2. Nature and purpose of the processing

The Contractor shall make the recruiting and applicant management software available to the Client and shall have access to the personal data processed by the Client within the scope of this.

Within the scope of the recruiting and applicant management software, the following data processing takes place in particular:

  • Structured recording and collection of applicant data,
  • Structured presentation of applicant data,
  • Communication of applicants, recruiters and HR managers,
  • Implementation and communication of and with third parties and cooperation partners,
  • Evaluation of applicant data in the form of reporting,
  • Provision of application status information to connected job boards,
  • Provision of a talent pool,
  • Requesting feedback from applicants and employees recruited via the software,
  • If contractually agreed with the job board portal, forwarding of the quality signal of the application.

The Client itself determines which additional service modules are used via the Marketplace or the Contractor’s optional services. Depending on the scope of services, data processing may therefore take place for purposes other than those mentioned above.

Categories of data subjects

The Client determines which data are processed of which groups of data subjects.

Usually, the following groups of data subjects are affected by the data processing:

  • Applicants of the Client
  • Recruiters, employees and personnel managers of the Client
  • Jobseekers and prospective job applicants

Categories of personal data

The Client determines which data are processed of which groups of data subjects.

Typically, the following categories of personal data of applicants may be processed:

  • Personal details: Salutation, academic degree, first name, last name, nationality, date of birth
  • Contact and address details: Street, house number, postcode, city, country, state, telephone number, fax, e-mail address
  • Application data: Application photo, cover letter, CV, work experience/work references, (university) certificates and other qualifications, driving licence class, willingness to travel
  • Account and log data: Applicant account, user ID, IP address, log files, status of application
  • Usage data, if personal: Email content, invitations, feedbacks, ratings
  • Special categories of personal data within the meaning of Art. 9 GDPR: Insofar as stated/consented, an inference is possible or necessary for factual reasons: ethnic origin, political opinion/party affiliation, trade union membership, religious or ideological conviction, genetic/biometric data (e.g. application photo), health data (e.g. information on pregnancy, information on a disability or health restrictions), information on sexual orientation (e.g. sex/gender, homosexuality)

Typically, the following categories of personal data may be processed by recruiters, employees and HR managers:

  • Personal details: Salutation, academic degree, first name, last name, function level, company
  • Contact and address data: Company headquarters, telephone number, fax, e-mail address
  • Account and log data: User ID, IP address, log files, role, logging of processing within the system
  • Usage data: Comments, email content, invitations, feedbacks, ratings

Data processing locations

Processing on behalf takes place at the following locations:

  • softgarden e-recruiting GmbH (business premises of the Contractor)
    • Location Berlin: Tauentzienstraße 14, 10789 Berlin
    • Location Saarbrücken: Europaallee 29, 66113 Saarbrücken
  • myLoc managed IT AG, Am Gatherhof 44, 40472 Düsseldorf (data centre)
    • Locations of the service provider: Am Gatherhof 44, 40472 Düsseldorf; In der Steele, 40599 Düsseldorf
  • PlusServer GmbH, Welserstraße 14, 51149 Köln (data centre)
    • Locations of the service provider: In der Steele, 40599 Düsseldorf; Welserstraße 14, 51149 Cologne
  • Equinix Germany GmbH, Kruppstraße, 60388 Frankfurt am Main (data centre)
    • Location of the service provider: Rebstücker Straße 33, 60326 Frankfurt

Persons of the Contractor receiving instructions

The following persons of the Contractor are authorised to accept instructions from the Client: Client Service Team: support@softgarden.de

Data Protection Officer of the Contractor

Herting Oberbeck Datenschutz GmbH, Hallerstraße 76, 20146 Hamburg, Tel.: +49 40 226 34 56 0; Email: datenschutzbeauftragter@softgarden.de

Appointed subcontractors

The confirmation of the use of subcontractors, or of optional and/or free services, is usually carried out via the recruiting system by means of a so-called “opt-in procedure” of the user. In order not to make the provision and use of the software dependent on third-party services, the Contractor will also offer the Client the option of implementing third-party services in the system on behalf of the Client, which can be booked in particular via the Contractor’s Marketplace and – where possible – also individually.

The following subcontractors will be used at the time of the conclusion of the contract:

Name and address of the subcontractor / Order content

  • myLoc managed IT AG, Am Gatherhof 44, 40472 Düsseldorf
    • Colocation and Managed Services
    • Redundant firewalls and load balancers
    • Redundant power supply by means of emergency generator, UPS (n+1 redundancy) and A/B feed in the server racks
    • Multiple redundant IP connections and redundant network infrastructure
    • Separate backup and administration networks
    • Redundant, energy-efficient cooling (n+1 redundancy)
    • Dedicated servers
    • SSL certificates
    • Replacement of defective server hardware
    • Other support activities for all server systems (e.g. within the framework of proactive monitoring)
  • PlusServer GmbH, Welserstraße 14, 51149 Cologne
    • Colocation and Managed Services
    • Redundant firewalls and load balancers
    • Redundant power supply by means of emergency generator, UPS (n+1 redundancy) and A/B feed in the server racks
    • Multiple redundant IP connections and redundant network infrastructure
    • Separate backup and administration networks
    • Redundant, energy-efficient cooling (n+1 redundancy)
    • Dedicated servers
    • SSL certificates
    • Replacement of defective server hardware
    • Other support activities for all server systems (e.g. within the framework of proactive monitoring)
  • Equinix (Germany) GmbH, Rebstücker Straße 33, 60326 Frankfurt am Main
    • See above: Additional colocation and managed services as described above.
    • Server location is Kruppstraße, Frankfurt, Germany
  • Textkernel B.V., Nieuwendammerkade 26a5, NL-1022 AB Amsterdam (Server location Germany)
    • CV parsing (optional opt-in):
    • Convert uploaded CVs into structured form
    • Maintenance and support services for the CV parsing service
  • Cronofy B.V., Mr. Treublaan 7, 1097 DP Amsterdam, Netherlands (Server location Germany)
    • Calendar integration (optional opt-in) to arrange meetings, appointments and tasks
    • Processing of calendar structures and events
  • SBB Software und Beratung GmbH, Bahnhofstrasse 7, 95119 Naila, Germany (Server location Gunzenhausen, Germany)
    • Pitchyou (WhatsApp connection):
    • Sending an application via WhatsApp, activated in the JustHire system
    • Use of messenger communication via WhatsApp without sending your own phonebook contacts to WhatsApp.

Appendix 2: Technical and organisational measures

Technical and organisational measures

The technical and organisational measures described below describe the status at the time of the conclusion of the contract. Pursuant to Section 11 (2) of the contract, the contracting parties agree that changes to the technical and organisational measures may become necessary in order to adapt to technical and legal circumstances. Changes to the technical and organisational measures must not lead to a lowering of the existing level of protection. A current overview of the technical and organisational measures taken can be viewed at any time on our website at https://softgarden.com/en/data-protection-software-as-a-service/.

Abbreviations

  • DC: Data centers
  • B: softgarden office Berlin
  • SB: softgarden office Saarbrücken

Confidentiality

Entrance control

softgarden ensures that unauthorised persons have no access to the office, server and archive rooms. This is done by:

Measures / DC / B / SB / Notes

  • Central reception area
  • Alarm system with connected security guard
  • Coded keys and key issuance to authorised persons only
  • Logging of closures
  • Determination and documentation of access authorisations
  • Documentation of access of external persons (e.g. maintenance personnel, customers, service providers, partners, visitors …)
  • Entrance to the premises by non-company personnel only in the company of an employee
  • Legitimation of the authorised persons (key, PIN code)
  • Two-factor authentication for access
  • Withdrawal of means of access after expiry of authorisation
  • Security areas with different access authorisations

Access control

softgarden prevents IT systems from being used by unauthorised persons. This is done by:

Measures / DC / B / SB / Notes

  • One user account per user
    • Notes: Use of person-independent support accounts for access to customer systems, login data is only accessible to authorised employees
  • Authentication of persons authorised to process data by means of a password procedure (with special characters, minimum length eight characters, regular change of password)
  • Encrypted storage of passwords
  • Automatic blocking of the user account in case of multiple incorrect entry of the access data
  • Automatic locking of the workplace in case of inactivity
  • Immediate blocking of authorisations when employees leave (guideline/ work instruction)
  • Regularly check the validity of authorisations
  • Use of lockable cabinets for the storage of paper files
    • Notes: No paper file storage in the Saarbrücken office
  • Secure transmission of authentication secrets (credentials) in the network via TLS/HTTPS, SSH, VPN (IPSec, OpenVPN)
  • Manual blocking of access IDs to computers in case of longer absence of the respective employee (30 days)
    • Notes: After returning, the access IDs must be manually unlocked again by the IT administration.
  • Access restriction to Office WLAN
  • Operation of an office guest WLAN for mobile devices and visitors

Access control

softgarden ensures that those authorised to use a data processing system can only access the data subject to their access authorisation and that personal data cannot be read, copied, modified or removed without authorisation during processing, use and after storage. This is done by:

Measure / DC / B / SB / Notes

  • Determination of access authorisations for access to data (creation of an authorisation concept)
  • Storage of data on encrypted data carriers
  • Determination of authorisations of knowledge, input, modification and deletion of data processed by the contractor in the context of the performance of the contract
  • Regular control of accesses, entries, changes and deletions
  • Disposal of data carriers no longer required (guideline/ work instruction)
  • Written regulation on copying data (IT security guideline/ work instruction)
  • Allocation of minimal authorisations (need-to-know principle)
  • No assignment of generic passwords-group identifiers
    • Notes: Use of non-personal support accounts for access to customer systems, login data is only accessible to authorised employees
  • Avoiding the concentration of functions/separation of administrative tasks among different qualified persons
  • Keeping a history of administrative changes made
  • Access to the production infrastructure via VPN

Separation control

softgarden ensures that data collected for different purposes can be processed separately. There is no need for physical separation; logical separation of data is sufficient. This is done by:

Measures / DC / B / SB / Notes

  • Identification of the recorded data (file number, ID, customer/ case number)
  • Logical separation of data processed for different clients, separation of functions production/ test
  • Logical separation of the personal data of the respective clients through assignment to the respective user accounts
    • Notes: Software separation of the clients

Integrity

Transfer control

softgarden ensures that personal data cannot be read, copied, altered or removed without authorisation during electronic transmission or during its transport or storage on data carriers, and that it is possible to check and determine to which entities personal data is intended to be transmitted by means of data transmission equipment. This shall be done by:

Measures / DC / B / SB / Notes

  • Determination of the persons authorised for transmission or transport (electronically, manually)
  • Checking data for completeness after data transport, transmission and data transfer or storage
    • Notes: Manual adjustment with checksums
  • Implementation of safety gateways at the network transfer points
  • Use of a recognised encryption procedure which encrypts all communication between the applicant and the contractor’s servers.
  • Incoming and outgoing data streams are filtered by a modern, cascaded firewall solution
  • Insofar as data carriers are transmitted by transport companies, the data carriers shall only be passed on after prior authentication of the transport company.
  • Paper and data carriers containing personal data are disposed by a qualified disposal company in accordance with data protection regulations.
  • The complete, data protection-compliant and permanent deletion of data carriers with personal data is logged. The logs are stored in an audit-proof manner for at least 12 months.

Input control

softgarden ensures that it is possible to subsequently check and determine whether and by whom personal data have been entered into, changed or removed from data processing systems. This is done by:

Measures / DC / B / SB / Notes

  • Documentation of access authorisations (work instruction access groups and access authorisation)
  • Recording of the activities within the scope of the order
  • Random control and evaluation of log data for misuse
    • Notes: Evaluation of log files via SysOps team in Saarbrücken
  • Maintaining a history for all users using the corresponding application programmes for processing personal data, that records which user has performed which action and when, provided that this action modifies personal data
    • Notes: Recording the history in the “Just Hire” application

Availability and resilience

Availability control

softgarden ensures that personal data is protected against accidental or intentional destruction or loss. This is done by:

Measures / DC / B / SB / Notes

  • Uninterruptible Power Supply (UPS)
  • Virus protection (on the workplaces)
    • Notes: Virus protection on Windows workplaces
  • Virus protection (on the servers)
  • Firewall
  • Emergency plan
  • Geo-redundant data centres
  • Central fire alarm system
  • Availability monitoring
    • Notes: 24/7 monitoring of all critical systems through automated monitoring procedures

Recoverability

softgarden guarantees the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident through the following measures:

Measures / DC / B / SB / Notes

  • Backup procedure according to backup concept (daily, weekly, monthly)
  • Storage of backup data in data cabinets, safes, in other fire compartment

Resilience

softgarden ensures availability and resilience of business-critical systems and the systems for processing personal data through the following technical and organisational measures:

Measures / DC / B / SB / Notes

  • Virtualisation and operation in container infrastructure with load balancers
  • Regular penetration tests of softgarden products for security vulnerabilities
    • Notes: The softgarden products are tested in the environment of the data centres. Not applicable in the office environment. Penetration tests by customers can be carried out on the staging environment after consultation with softgarden. Conducting them in the production environment is not permitted.

Procedures for regular review, assessment and evaluation

To ensure the maintenance and continuous improvement of the level of data protection and information security, softgarden regularly (at least annually) undergoes internal and external audits.

softgarden is certified according to

  • DIN EN ISO 9001:2015
  • DIN EN ISO/IEC 27001:2017 including the requirements of the standards ISO/IEC 27017:2015 and ISO/IEC 27018:2019

Data protection and information security management

softgarden ensures a process for regular review and evaluation of the effectiveness of the technical and organisational protection measures. This is done by:

Measures / DC / B / SB / Notes

  • Informing and obliging employees to comply with the data protection legal requirements according to the GDPR
  • Regular assessment of the level of data protection by a data protection team
  • Third parties must sign a confidentiality agreement.
  • If there are overlapping functions for organisational reasons, the dual control principle is applied and documented.
  • There is a defined system of representatives within the functional groups.
  • Regular review of the data protection and information security management system through internal and external audits

Assessment of the adequate level of protection (Art. 32(2) GDPR)

softgarden ensures a documented assessment of an adequate level of protection, in relation to the risks associated with the processing – in particular through destruction, loss, alteration, unauthorised disclosure or access – of the personal data processed on behalf of it. This shall be done by:

Measures / DC / B / SB / Notes

  • Carrying out a risk analysis for the processing operations of personal data
  • Creation of protection needs categories
  • Alignment of processes according to Privacy by Design and Privacy by Default
  • Carrying out data protection impact assessments (where required by law)

Mandate control (Art. 32 (3) and (4) GDPR)

softgarden guarantees that personal data processed on behalf of the contractor will only be processed in accordance with the instructions of the client and for the fulfilment of the contractually defined purpose. The contractor can prove this by means of a certification pursuant to Art. 40 or an approved certification procedure pursuant to Art. 42 GDPR. If no certification is available, the proof shall be provided by:

Measures / DC / B / SB / Notes

  • Clear contract design with subcontractors
  • Formalisation of order placement (forms system)
  • Regular control of the activities
    • Notes: Monitoring the softgarden processes through internal audits
  • The persons authorised to give instructions to the client and the persons authorised to receive instructions are contractually defined; instructions are always given in text form (e.g. by e-mail or ticket system).
  • softgarden will inform the client immediately about cases of serious operational disruptions, suspected data protection violations, if errors are detected or other irregularities in the handling of the client’s data.
  • Orders are recorded as a support ticket (minimum details: Client/customer, action/partial order, exact specification of processing steps/parameters, processor, deadlines, recipient if applicable), where the work performed is documented. There is a clear assignment between support ticket number and customer order.

Data deletion/ anonymisation:

Data erasure:

Cancelled and hired applications are initially set to the status “cancelled/hired” and, in the standard configuration, deleted or anonymised 6 months after cancellation or hiring, unless otherwise set by the client. The anonymisation of rejected applicants who do not wish to be included in the talent pool takes place automatically. Any further deletion/anonymisation of individual applicants (e.g. at the applicant’s request) is carried out manually. Applicant data can also be deleted manually by users with the appropriate authorisation.

Anonymisation of deleted applicants:

After the deadline, the applications are completely anonymised in the softgarden system:

  • All attachments of the application are overwritten with a dummy content. The file name, size and content are deleted. Only the fact that and how many attachments were available for an application is retained for reporting purposes.
  • Correspondence data is anonymised. In the process:
    • Attachments are anonymised
    • Subject, text and HTML, CC and BCC of the message are overwritten with a dummy text “deleted text”.
    • The sender’s address for incoming mails and the recipient’s address for outgoing mails are overwritten with a random string.
  • Master data of the application are anonymised
    • All application data specified by the client are overwritten with a random string in the process
  • The application is removed from the application search index

If the application to be deleted was the last application of the applicant account, the following data is also overwritten with a random string:

  • Login name
  • Password
  • First and last name
  • Email address
  • IP address from which the account was created
  • IP address from which the privacy policy was confirmed
  • In addition, all tags of the applicant are deleted

There is the possibility that quantitative evaluations are carried out on the participants to determine which applicants, at which location, had which interest. The anonymised data is used for this purpose. Anonymisation replaces all data with personal references with dummy texts, so that it is no longer possible to draw conclusions afterwards.