General Terms and Conditions of softgarden
Rev. 2.8 valid from 01.07.2024
softgarden e-recruiting GmbH, Tauentzienstraße 14, 10789 Berlin (“Softgarden”) offers its customers (“company” or “companies”) various services relating to the electronic administration and processing of applications via an applicant management system (Software-as-a-Service) as well as the creation, mediation and placement of job advertisements on the Internet.
The companies have the possibility to place job advertisements as well as to receive and manage applications via the e-recruiting system “softgarden”, which Softgarden operates under the domain https://app.softgarden.io/ (hereinafter “platform”). In addition, softgarden mediates the placement of job advertisements with third-party providers via the platform. The following conditions apply to the use of the platform and the placement of job advertisements with third-party providers:
Content of this page
- General Terms and Conditions of softgarden
- Terms of use of softgarden e-recruiting GmbH for the use of the “softgarden” e-recruiting system
  - 1. Scope of application
  - 2. Use of the platform
  - 3. Placement of job advertisements
  - 4. Feedback, Softgarden certificate
  - 5. Support
  - 6. Granting of rights
  - 7. Remuneration
  - 8. Data protection
  - 9. Transmission of status information
  - 10. Liability
  - 11. Term of the contract and termination
  - 12. Notifications and complaints pursuant to Art. 16 Digital Services Act/ Responsibility for content, restrictions and moderation of content
  - 13. Final provisions
- Annex 1: Data Processing Agreement pursuant to Art. 28 DSGVO
  - § 1 General
  - § 2 Subject matter and duration of processing
  - § 3 Rights of the Client to issue instructions
  - § 4 Obligations of the Client
  - § 5 Obligations of the Contractor
  - § 6 Obligation to notify in the event of disclosure
  - § 7 Control rights of the Client
  - § 8 Subcontracting relationships
  - § 9 Transfer of client data to third countries
  - § 10 Confidentiality obligation
  - § 11 Technical and organisational measures
  - § 12 Obligations of the contractor after termination
  - § 13 Special provisions for entities of the church
  - § 14 Term and termination
  - § 15 Liability and compensation
  - § 16 Final provisions
  - Appendix 1: Specification of the data processing
  - Appendix 2: Technical and organisational measures
Terms of use of softgarden e-recruiting GmbH for the use of the “softgarden” e-recruiting system
1. Scope of application
1.1. The contractual relationship between the companies and Softgarden is exclusively governed by these General Terms and Conditions (hereinafter “GTC”).
1.2. General terms and conditions of the companies shall only become part of the contract if this has been expressly agreed in writing. The use of the platform is only permitted to entrepreneurs within the meaning of § 14 BGB.
1.3. The subject matter of the contract is the provision of a platform for recruiting new employees. Companies can use the platform to create job advertisements, operate their own job portal and manage applications (clause 2). Softgarden also offers the company the option to publish job advertisements on third-party platforms via the platform (clause 3).
2. Use of the platform
2.1. In order to use the Platform, the Company must register on the Platform and open a Company account (hereinafter “Account”). An Account may only be opened by an authorised representative or an employee of the company authorised to represent the company. The required data must be provided truthfully and updated immediately in the event of changes in order to ensure smooth use. Following registration, Softgarden sends the company a confirmation of its registration by e-mail together with these GTC to the e-mail specified in the registration process. This confirmation e-mail also represents the acceptance of the company’s offer to conclude a contract of use and a contract of use is concluded. There is no entitlement to the conclusion of a contract of use.
2.2. The Company itself is responsible for maintaining the confidentiality of the login data. It will keep its user name and password for access secret, will not pass them on, will not tolerate or enable unauthorised persons or third parties to gain knowledge of them and will take the necessary measures to ensure confidentiality and, in the event of misuse or loss of these details or any suspicion thereof, will notify Softgarden of this by e-mail at the e-mail address security@softgarden.de.
2.3. The person acting on behalf of the Company must be authorised or entitled to represent the Company. Softgarden is entitled to request proof of authorisation at any time at its own discretion. If the person acting on behalf of the company does not provide the requested proof of authorisation to create an account and to post job advertisements on the platform within a period of one (1) week after receipt of the corresponding request, Softgarden may block the account at any time.
2.4. Companies can create job advertisements via the Platform and display them on a job portal made available to them by the Platform. Applicants can use this job portal to find out about advertised jobs and apply to the company via an online application form. Companies can process applications received via the platform (e.g. interim response, invitation to interview, offer, hiring).
2.5. The company is obliged to observe all applicable laws and other legal provisions when posting job advertisements and content on the job portal. In particular, the Company may not post and/or disseminate any data or content, such as texts, images, graphics and links, that violate legal provisions, infringe third-party property rights or copyrights or other rights of third parties. The company itself is responsible for the data and content it provides. Softgarden does not check the information and job advertisements for correctness, for freedom from viruses or for processability in terms of virus protection.
2.6. The company has the possibility to design its profile itself and, for example, to post a logo of the company and to integrate a background image. The company is obliged to ensure that it is authorised to make the logo and background image publicly available. Companies must ensure that their logo, background image or other files uploaded to the platform do not violate legal regulations, morality and/or the rights of third parties.
2.7. No files with depictions of violence, pornographic, discriminatory, insulting, defamatory or other illegal content or depictions may be uploaded and/or made publicly accessible. Furthermore, it is prohibited to upload image files on which exclusively or partially third-party company, brand or other business logos or other protected signs are displayed. This does not apply if the company is entitled to do so, i.e. if it is the owner of the rights to the corresponding logos, advertising photos and other content or if the rights holder has permitted it to use them.
2.8. Pictures or photos of persons, such as employees, may only be posted on the platform if the consent of these persons has been obtained.
2.9. Softgarden is entitled to remove logos, images or files without prior notice if and insofar as there are concrete indications that the publication on the platform violates these GTC, legal regulations, morality and/or the rights of third parties.
2.10. The platform is available for use 24 hours a day and 365 days a year with an availability of 99.8% on a monthly average (hereinafter “SLA”) (“system uptime”). If maintenance work is required and the platform is therefore not available, Softgarden will inform the companies of this in good time by e-mail if possible. Downtimes of the platform due to maintenance work will not be counted towards the SLAs. Softgarden is not responsible for internet/network-related downtimes and in particular not for downtimes during which the platform cannot be accessed via the internet due to technical or other problems beyond Softgarden’s control (e.g. force majeure, etc.).
3. Placement of job advertisements
3.1. The company can commission Softgarden with the placement of job advertisements with third-party providers of job portals/job exchanges (“Third-Party Providers”) via the platform. For this purpose, Softgarden offers on the platform under the heading “Shop” against separate remuneration to publish individual job advertisements or several job advertisements with various third-party providers in a package (“Advertisement Package”) for a certain period of time (“Publication Period”).
3.2. The contract for the publication of individual job advertisements or an advertisement package is concluded via the shop on the platform at the conditions stated there. Upon conclusion of the contract Softgarden undertakes to design one or more job advertisements adapted to the portal of the respective third party provider and to publish them on the respective portal of the third party provider within the period of validity (see section 3.3) at a time to be determined by the company. The concrete service description results from the respective offer on the platform.
3.3. After conclusion of the contract, the Company may determine the time of publication of individual job advertisements. The time for publication of the respective job advertisement must be within the validity period determined in the Softgarden offer (“Validity Period”). After the expiry of the Validity Period, the Company can no longer request the design and publication of booked job advertisements. During the Validity Period, Softgarden assumes the economic risk of any price changes from third party providers. As Softgarden’s assumption of the economic risk is included in the remuneration to be paid, there will be no refund of the remuneration for unpublished job advertisements after the expiry of the validity period.
3.4. Softgarden will endeavour to implement the company’s specifications as best as possible when designing the job advertisements. In the case of a telephone order for job advertisements, Softgarden will send the created job advertisement to the Company for approval before posting the job advertisement on the Third Party Provider’s platform. The company will then give Softgarden its approval within ten (10) working days or inform Softgarden of any change requests to the design of the job advertisement. After expiry of the deadline, the creation of the job advertisement is deemed to have been approved.
3.5. Softgarden will only make changes to the job advertisement that the company requests after approval has been given and during the publication period if this is technically possible, third-party providers allow this and it is reasonable in terms of content. In these cases, the company has to bear the additional costs incurred by the third party provider for the changes. Softgarden will not carry out change requests from the company that involve significant changes to the respective job description. In these cases, the company must commission the publication of a new job advertisement.
4. Feedback, Softgarden certificate
4.1. The company can conclude a separate contract with Softgarden for the use of the “Feedback” function. With the “Feedback” function, the company can give applicants the opportunity to evaluate the application process and the company. For this purpose, applicants receive access to an evaluation form by e-mail during the application process and after being hired. Applicants can use this form to evaluate various aspects of the application process and the company, as well as to make their own comments. All evaluations are displayed to the company in its own account on the platform under the heading “Feedback”. Companies are not allowed to artificially improve the ratings, for example by selective questioning or creating fake applicants.
4.2. Optionally, the company can book the “Softgarden Certificate” for a separate fee. The “Softgarden Certificate” is used to publish the result of the ratings on the platform and, at the request of the company, also on third-party platforms. The “Softgarden Certificate” is awarded for a period of one year and can be extended for a further year in each case. During the validity period of the “Softgarden Certificate”, the Softgarden Certificate page on the platform cannot be deactivated.
4.3. In addition, the company has the option to book the “Certificate Widget” option for a separate fee. The “Certificate Widget” is an image file containing a Softgarden logo and the overall result of the company’s feedback ratings. During the validity period of the “Softgarden Certificate”, the company receives the right to advertise with this “Certificate Widget” on the Internet. The company may not change the “Certificate Widget” provided by Softgarden, neither graphically nor in terms of content; in particular, the evaluation result may not be falsified.
4.4. Applicants may not publish any discriminatory, insulting, defamatory or vulgar content via the comment function and may not mention the names of third parties (e.g. persons who were involved in the application process on the part of the company). Softgarden will check comments from applicants for compliance with this rule before publication and, if necessary, make parts of the comments unrecognisable. Should published comments nevertheless violate the rights of the company or the rights of third parties, the company can report these comments to Softgarden. Softgarden will then subject the respective comments to a renewed review and delete any infringing content.
4.5. With the exception of the cases mentioned in section 4.4, the Company has no claim to the deletion or modification of individual ratings or individual comments.
5. Support
5.1. Softgarden will answer questions from the Company regarding the Platform by telephone on +49 (0)30 884 940 510 (landline price) weekdays between 09:00 and 18:00 (CET).
5.2. The Company may also submit questions and error messages regarding the Platform as a ticket at https://softgarden.zendesk.com/hc/de/requests/new. The submitted tickets will be processed within 24 hours (on working days).
6. Granting of rights
To the extent necessary for the placement of job advertisements and/or for a customisation of the dashboard and limited to the aforementioned cases, the Company grants Softgarden the non-exclusive (simple) right, unlimited in space and limited in time to the duration of the Agreement, to use the logo, trademarks, advertising photos as well as all posted content of the Company for the duration of the Agreement on the platform for the purposes of the Agreement and for the placement and creation of job advertisements.
To the extent necessary for the placement of job advertisements and/or for a customisation of the dashboard and limited to the aforementioned cases, the company further grants Softgarden the right to modify logos and to use them modified in such a way that Softgarden may enlarge or reduce the logos and/or colour logos in black and white in order to be able to display the logos in the job portal and in job advertisements accordingly. Softgarden is in particular entitled to store the content in its own databases, to distribute, publish and make the content publicly accessible and/or, in the context of the publication of content with third-party providers, to grant or transfer corresponding rights of use to the third-party providers.
If a separate confirmation is provided by the company at least in text form, Softgarden may name the company as a reference customer on its advertising materials (websites, trade fair presentations, flyers and similar) during the use of the platform. Softgarden will consider objections of the company. For the use as a reference customer, Softgarden will obtain the aforementioned confirmation of the company in text form in advance, otherwise naming as a reference customer is excluded.
7. Remuneration
7.1. Use of the platform
7.1.1. The prices available at https://softgarden.com/de/preise/ apply to the use of the Platform. Companies can test the platform free of charge and without restriction for the first 14 days (“test phase”). The test phase begins with the activation of the account by clicking on the link in the e-mail sent to the specified email address after submitting the registration form and subsequently defining the password.
7.1.2. The costs for the use of the platform result from the selected subscription. The billing period begins on the day on which the account was converted into a paid account after the test phase and ends according to the selected term. The term is automatically extended by the same term in each case, unless notice of termination was given in due time in accordance with clause 11.1.2. However, Softgarden is entitled to adjust the price for the respective licence packages upwards or downwards at the beginning of each term extension at its reasonable discretion (§ 315 BGB). A price increase of more than 5% is only permissible if it is announced to the company in such good time beforehand that the company can regularly terminate the contract at the end of the subscription period before the increase takes effect. The Company has the option to change its licence package at any time during the term of the contract by choosing a licence package that includes more services (“upgrade”). If the company chooses an upgrade during the contract period, the originally agreed contract period will start again from the time Softgarden receives the company’s request for change. The other terms and conditions remain unchanged. The costs will be invoiced in advance at the beginning of each billing period. The invoice will be sent by e-mail to the e-mail address specified in the registration process.
7.2. Placement of job advertisements with third-party providers
7.2.1. For the placement of job advertisements with third-party providers, the prices shown in the offer description in the shop (https://app.softgarden.io/just-hire/shop) apply.
7.2.2. The total price stated in the offer is due for payment without deduction immediately after conclusion of the contract.
7.3. If the customer does not pay within 14 days after the due date, he will be in default without further reminder. Softgarden charges default interest in the amount of 9 percentage points above the respective base interest rate in accordance with § 288 para. 2 BGB (German Civil Code), but at least 9% p.a. If a customer does not fulfil his payment obligations in due time or if payments of the customer are not executed or charged back, Softgarden is furthermore entitled – subject to further claims – to suspend the services until the claims are settled.
7.4. All prices listed are net prices.
8. Data protection
8.1. Softgarden will comply with all data protection requirements, in particular the provisions of Regulation (EU) 2016/679 (General Data Protection Regulation – DSGVO) and the Federal Data Protection Act (BDSG).
In connection with the provision of services, Softgarden processes personal data both as a controller pursuant to Art. 4 No. 7 DSGVO and as a processor pursuant to Art. 4 No. 8 DSGVO.
Softgarden as controller processes personal data in particular for the following purposes:
- Customer management (account and usage data of Softgarden users)
- Customer support (processing support tickets and requests)
- Product improvement (analysis of customer usage behaviour on the Softgarden platform)
The processing of this data, which Softgarden processes as a data controller, is described in the privacy notice, which is available under “Privacy Notice softgarden Products”.
As a processor, Softgarden processes such personal data which are processed by the customer within the Softgarden services and which do not relate to the customer itself (in particular all applicant data). For this processing of personal data on behalf of the customer, the Softgarden order processing agreement applies, which is part of these terms and conditions as Annex 1 and is hereby agreed.
9. Transmission of status information
Insofar as the company (customer) has agreed to this with a provider of job portals and this is part of the contract between the company and the provider of the job portal, Softgarden will forward the status information of the applications by the customer to the provider of the job portal, insofar as this is technically set up and possible. Only the status information of those applicants who have applied to the company via the corresponding job portal and who are registered with the job portal with their own user account will be made available.
Status information is information about the application status of applicants at the company. This includes, for example, the receipt of the application, the opening of the application or the rejection of applicants. The provider of the job portal is responsible for ensuring a legal basis under data protection law for the transfer and processing of this personal data. For the processing of status information, the company and the job portal provider act as joint controllers.
10. Liability
10.1. Claims of the Company for damages are excluded. Excluded from this are claims for damages by the company arising from injury to life, body, health or from the breach of essential contractual obligations (cardinal obligations) as well as liability for other damages based on an intentional or grossly negligent breach of duty by Softgarden, its legal representatives or vicarious agents. Cardinal obligations in the sense of this contract are those obligations which enable the proper execution of the contract and the achievement of its purpose in the first place and on whose compliance the users may therefore regularly rely.
10.2. In the event of a breach of material contractual obligations, Softgarden shall only be liable for the foreseeable damage typical for the contract if such damage was caused by simple negligence, unless it concerns claims for damages by users arising from injury to life, body or health.
10.3. Claims under the Product Liability Act shall remain unaffected.
10.4. The restrictions of clauses 8.1 and 8.2 also apply in favour of Softgarden’s legal representatives and vicarious agents if claims are asserted directly against them.
10.5. The company indemnifies Softgarden against all claims, including claims for reimbursement of expenses and damages, which other users of the platform or other third parties, including authorities, assert against Softgarden due to an infringement of their rights by the content posted by the company on the platform. The company shall bear all reasonable costs, including reasonable costs incurred for legal defence, incurred by Softgarden due to an infringement of third party rights by the company. All further rights as well as claims for damages of Softgarden remain unaffected.
10.6. If the company manually adds an applicant’s personal data to the system, it is obliged to obtain the applicant’s consent to the data protection declaration independently.
11. Term of the contract and termination
11.1. Use of the platform
11.1.1. The contract is concluded for the duration of the settlement period. The contract shall be renewed at the end of the settlement period for the same period if it is not terminated by one of the parties in accordance with the following provisions.
11.1.2. The contract may be terminated by either party by declaration in at least text form (§ 126 b BGB) and with a notice period of three (3) months to the end of the contract term. The right of termination for good cause (§ 314 BGB) and according to § 313 BGB remain unaffected.
11.1.3. In the event of termination, job advertisements that are still active will be deactivated, applications deleted and the job portal deactivated.
11.1.4. In the event of termination, Softgarden is obliged to hand over the applicant data in electronic form. The company has no right of retention.
11.2. Placement of job advertisements with third-party providers
11.2.1. A contract concluded between the Company and Softgarden for the placement of job advertisements with third party providers shall automatically end upon expiry of the validity period stated in the offer.
11.2.2. The ordinary termination of the contract is excluded.
11.3. The termination for good cause remains unaffected. Good cause shall include in particular:
- a breach by the Company of the obligations under sections 2.1, 2.5, 2.6, 2.7 and 2.8 and
- the manipulation of ratings by the Company, for example by submitting its own rating by the Company itself or on its behalf.
A good cause shall be deemed to exist in particular in the event of a permanent blocking of the user account and/or termination of the entire provision of the service in accordance with Section 12.3.
12. Notifications and complaints pursuant to Art. 16 Digital Services Act/ Responsibility for content, restrictions and moderation of content
12.1. The company, its employees and applicants can submit complaints or reports in accordance with Art. 16 Digital Services Act via a web form, which can be accessed here (https://support.softgarden.de/hc/de/requests/new).
12.2. The company itself is responsible for the data and content it provides. softgarden does not check the information and job advertisements for legality, accuracy, freedom from viruses or virus-processability, unless the file is identified as infected by the existing technical and organisational measures.
12.3. softgarden can take the following measures if the company provides illegal content or content that violates these terms of use:
- restrictions on the display of certain individual information provided by the user, including removal of content, (temporary or permanent) blocking of access to content or downgrading of content;
- suspension or termination of all or part of the provision of the service;
- suspension or closure of the user’s account.
12.4. When deciding on the measures to be taken in accordance with Section 12.3, softgarden shall take into account the objective circumstances of the individual case, the severity, frequency and duration of the offences committed, the legitimate interests of the company as well as its intentions and any fault.
12.5. If softgarden takes measures in accordance with Section 12.3, the company concerned will be informed of the measure and the reasons for it within the scope of the legal obligation.
12.6. Before temporarily or permanently blocking the user account, softgarden shall issue a warning to the company concerned, insofar as this is necessary to ensure proportionality and does not conflict with the purpose of the blocking.
12.7. As part of the decision on measures against illegal content and content that violates these Terms of Use, a human review is carried out, depending on the individual case. An automated review by technical means does not take place.
13. Final provisions
13.1. The law of the Federal Republic of Germany shall apply.
13.2. The place of jurisdiction for all legal disputes arising from this contract is Berlin.
13.3. Softgarden is entitled to amend and adjust these terms and conditions during the term of the contract with effect for the future. Softgarden will send the amended terms and conditions to the company in text form prior to the planned entry into force and make special reference to the new provisions and the date of entry into force. At the same time, Softgarden will grant the company a reasonable period of at least six weeks to declare whether it accepts the amended terms of use for the further use of the services. If no declaration is made within this period, which starts to run from receipt of the message in text form, the amended terms and conditions are deemed to be agreed. Softgarden will separately inform the company of this legal consequence, i.e. the right of objection, the objection period and the significance of silence, at the beginning of the period. This amendment mechanism does not apply to amendments to the parties’ main contractual performance obligations.
13.4. Should individual provisions of these GTC be or become invalid, this shall not affect the validity of the remaining provisions. The invalid provisions shall be replaced by such provisions that come closest to the economic purpose of the contract while reasonably safeguarding the interests of both parties.
Annex 1: Data Processing Agreement pursuant to Art. 28 DSGVO
The data processing agreement can be signed digitally or downloaded as a PDF version.
between the controller
CLIENT (Company)
– hereinafter referred to as “Client” –
and the processor
softgarden e-recruiting GmbH, Tauentzienstraße 14, 10789 Berlin
– hereinafter referred to as “Contractor” –
hereinafter jointly referred to as the Contracting Parties.
The contractor offers the client services relating to the electronic administration and processing of applications via an applicant management system (software as a service) and hosts the applicant data stored in the applicant management system on behalf of the client for this purpose.
§ 1 General
- Within the scope of the existing service contract between the Parties (hereinafter referred to as “Main Contract”), it is necessary that the Contractor, as a processor within the meaning of Article 4 No. 8 of the Data Protection Regulation, processes personal data for which the Client is the controller within the meaning of Article 4 No. 7 of the Data Protection Regulation (hereinafter referred to as “Client Data”). This agreement specifies the rights and obligations of the parties under data protection law in connection with the Contractor’s processing of Client Data for the performance of the main contract. In the event of any contradictions, the provisions of this agreement with all its components shall take precedence over the provisions of the associated main contract.
- Insofar as the term “data processing” is used in this Agreement, this shall be based on the definition of “processing” within the meaning of Art. 4 No. 2 of the GDPR.
§ 2 Subject matter and duration of processing
- The subject matter of this Agreement is the processing of personal Client Data by the Contractor in connection with the use of the Recruiting and Applicant Management System as Software as a Service (SaaS) by the Client.
- The Contractor shall process the personal Client Data on behalf of and only in accordance with the Client’s instructions for the duration of the Main Contract. The nature and purpose of the processing as well as the type of personal data and the categories of data subjects are set out in Appendix 1.
- The term of this agreement on data processing on behalf is based on the term of the associated main contract (service agreements).
§ 3 Rights of the Client to issue instructions
- The Client has the right to issue instructions to the Contractor regarding the type, scope and procedure of data processing. Verbal instructions shall be confirmed by the Client in text form (at least by e-mail/ticket) without undue delay.
- The Contractor shall be obliged to carry out the Client’s instructions without undue delay or, if applicable, within a reasonable period of time determined by the Client. In doing so, the Contractor shall in particular correct, delete or block personal data without undue delay upon the Client’s instructions and confirm this in writing upon request.
- The Contractor shall inform the Client without undue delay if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. The Contractor shall be entitled, without acknowledging any obligation to check whether an unlawful instruction exists, to reject or suspend an instruction which it considers to be unlawful until it is confirmed or amended by the Client, or to reject obviously unlawful instructions at any time or to suspend processing operations relating thereto.
- To the extent that the Contractor is required by Union or Member State law to which the Contractor is subject to process the personal data even without instructions from the Client, the Contractor shall inform the Client of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- The Client undertakes to give instructions only to persons authorised to give instructions. The Contractor shall be entitled to assume a corresponding authorisation to issue instructions in the case of instructions issued by the Client.
- The Contractor shall designate the Client Service and Support department as the authorised recipient of instructions, contact: support@softgarden.de. Employees of the department as well as department managers of the Contractor are authorised to receive instructions.
§ 4 Obligations of the Client
- As the controller within the meaning of Article 4 No. 7 of the GDPR, the Client is responsible for the lawfulness of the processing of Client Data as well as for the protection of the rights of the data subjects resulting from Articles 12 to 23 of the GDPR.
- The Client is responsible as the controller, in the context of the processing carried out by the Contractor on behalf of the Client, for the notification and communication in the event of a personal data breach, Art. 33 and 34 GDPR.
- The Client is obliged to treat all knowledge of the Contractor’s trade and business secrets (in particular with regard to technical and organisational data security measures) obtained within the framework of the contractual relationship as strictly confidential. This obligation shall remain in force even after termination of this contract.
§ 5 Obligations of the Contractor
- Insofar as a data subject directly contacts the Contractor in exercising its rights under Chapter 3 of the GDPR (Art. 12 to 23 GDPR), taking into account Part 2, Chapter 2 of the Federal Data Protection Act (Sections 32 to 37 BDSG), the Contractor shall immediately forward this request to the Client. The Contractor shall support the Client in the fulfilment of data subject rights to the best of its ability, in particular in accordance with the Client’s instructions and by means of suitable technical and organisational measures.
- The Contractor shall support the Client in complying with the obligations set out in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the Contractor.
- If the Contractor becomes aware of a personal data breach within the meaning of Art. 4 No. 12 of the GDPR (“data protection incident”) with regard to the processed Client Data, it shall report this to the Client as controller without undue delay. Within the scope of the notification pursuant to Art. 33 (2) GDPR, the Contractor shall inform the Client, if possible, of the time, type and extent of the incident, the IT system affected, the affected data subjects, the time of discovery, all conceivable adverse consequences of the data protection incident and the measures taken as a result.
- The Contractor shall inform the Client without undue delay if a supervisory authority takes action against the Contractor pursuant to Art. 58 of the GDPR concerning a processing operation that the Contractor performs on behalf of the Client.
§ 6 Obligation to notify in the event of disclosure
- The Contractor shall inform the Client without undue delay of any request or demand for disclosure of information of any kind by law enforcement agencies and other governmental authorities, insofar as such information is related to the agreements concluded between the Client and the Contractor (“Duty of Notification”).
- The Client shall be solely responsible for the decision on and the procedure for the disclosure of affected Client Data to governmental authorities and shall be supported by the Contractor in the disclosure to the best of its ability.
- The Contractor shall only be exempt from the obligation to notify the Client if the Contractor itself is obliged to disclose to state authorities as well as to maintain secrecy towards the Client.
§ 7 Control rights of the Client
- The Contractor shall grant the Client a right to control the data processing and compliance with this Agreement or the respective project order. In particular, the Contractor shall provide the Client with all information necessary to prove compliance with the obligations set out in this contract and shall enable the performance of audits, including inspections. The audits may also be carried out by a third party bound to secrecy, provided that the third party is not a competitor of the Contractor.
- The Parties agree that the Client shall conduct an audit pursuant to Paragraph 1 by instructing the Contractor to submit, at its option, a suitable attestation, report or report extracts from independent bodies (e.g. auditor, audit, data protection officer, information security officer, data protection auditor or quality auditor) or a suitable certification by an IT security or data protection audit – e.g. in accordance with ISO 27001 or “BSI-Grundschutz” – (“audit report”). In justified exceptions, the Client may conduct independent inspections.
- The Contractor undertakes to support the performance of the audits. This includes the granting of all required access, information and inspection rights. The same applies to public inspections by the competent supervisory authority in accordance with the applicable data protection regulations.
- In the event of independent inspections by the Client at the Contractor’s premises, each party shall bear the costs incurred by the inspection, such as inspection, personnel and travel costs. Insofar as the Contractor’s involvement in connection with inspections exceeds the required maximum of three (3) man-days and this is associated with a higher inspection effort or the commissioning of external service providers by the Contractor, the costs incurred for this may be invoiced to the Client in accordance with the hourly and daily rates customary in the industry.
§ 8 Subcontracting relationships
- The Contractor may establish subcontracting relationships with further processors (subcontractors). The Contractor currently employs the subcontractors listed in Appendix 1. The Client agrees to their engagement.
- The Contractor shall always inform the Client in text form or a suitable electronic form of any intended change with regard to the use or substitution of subcontractors, which shall give the Client the opportunity to object to such changes within 14 calendar days; an objection requires good cause under data protection law. In the event of a justified objection, the Contractor may, at its own discretion, provide the service without the intended change or – if the provision of the service without the intended change is not reasonable for the Contractor – stop the service towards the Client within two (2) weeks after receipt of the objection and terminate the main contract without notice and with immediate effect. This shall not affect the Client’s extraordinary right of termination for good cause.
- The Contractor shall ensure that the data protection obligations agreed in this contract also apply to the subcontractor and, pursuant to Article 28 (4) of the GDPR, shall oblige the subcontractor accordingly by way of a contract or other legal instrument in accordance with Union law or the law of the Member State concerned prior to the start of the activities, whereby in particular sufficient guarantees must be provided that the appropriate technical and organisational measures are implemented in such a way that the processing is carried out in accordance with the requirements of the GDPR.
- If the engagement of a subcontractor is associated with a transfer of the client data to a country outside the European Union (EU) or the European Economic Area (EEA) (“third country”), the provisions of Section 9 shall also apply.
- Third-party providers whose services can be booked via the so-called Marketplace of the Contractor and – as far as possible – also individually booked and integrated into the system by the Contractor on behalf of the Client shall – unless otherwise agreed – not become subcontractors of the Contractor, and their engagement shall not establish any duty of inspection of the Contractor under data protection law.
§ 9 Transfer of client data to third countries
- The provision of the contractually agreed data processing within the scope of the provision of the recruiting and applicant management system generally takes place in member states of the European Union (EU) or the European Economic Area (EEA).
- Any transfer of client data to a country outside the EU/EEA (“third country”) may only take place if the special requirements of Art. 44 et seq. GDPR are fulfilled.
§ 10 Confidentiality obligation
- When processing personal data on behalf of the Client, the Contractor is obliged to maintain the confidentiality of personal data that it processes and/or comes to know in connection with the Service Agreements.
- The Contractor shall ensure that the persons authorised to process the personal Client Data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.
§ 11 Technical and organisational measures
- The Contractor commits itself towards the Client to guarantee the technical and organisational measures that are necessary to comply with the applicable data protection regulations. This includes, in particular, the requirements of Article 32 of the GDPR. The Contractor shall regularly review, assess and evaluate the effectiveness of the technical and organisational measures to ensure the security of the processing and document the results.
- The technical and organisational measures implemented at the time of the conclusion of the contract can be found in Appendix 2 to this agreement. The contracting parties agree that changes to the technical and organisational measures may be necessary in order to adapt to technical and legal circumstances. Changes to the technical and organisational measures must not lead to a lowering of the existing level of protection. The Contractor shall document significant changes to the measures taken.
- The Contractor shall publish and regularly update the current technical and organisational measures as well as the evidence of compliance with technical and organisational measures on its website, insofar as these are designated for publication at its reasonable discretion and/or due to another obligation of the Contractor.
§ 12 Obligations of the Contractor after termination
- After termination of the service agreements or earlier upon request by the Client – but at the latest upon termination of the service agreements – the Contractor shall, at the Client’s discretion and on the Client’s instructions, delete or return to the Client all documents, data and created processing or utilisation results as well as data files related to the contractual relationship that have come into its possession and delete existing copies, unless there is an obligation to store the personal data under Union law or the law of the Member States. The same applies to test and reject material.
- Documentation and protocols that serve as proof of orderly and proper data processing or legal retention periods shall be retained beyond the end of the contract in accordance with the respective retention periods.
§ 13 Special provisions for entities of the church
- Insofar as the Client is an entity of the church subject to the provisions of the “Kirchengesetz über den Datenschutz der Evangelischen Kirche in Deutschland” (EKD Data Protection Act), the Contractor submits to the church data protection supervision in addition to the provisions of this Data Processing Agreement pursuant to Section 30 (5) sentence 3 EKD-Datenschutzgesetz. The submission extends to the tasks and powers of the Church’s data protection supervision pursuant to Sections 43, 44 EKD Data Protection Act.
- Insofar as the Client is an entity of the church subject to the provisions of the “Gesetz über den Kirchlichen Datenschutz” (KDG), the Parties expressly include the application of the KDG, in particular Sections 29 and 31 KDG, as well as compliance with the provisions made therein in this Agreement.
§ 14 Term and termination
- The term and termination of this contract are governed by the provisions on the term and termination of the main contract. Termination of the main contract automatically results in termination of this contract. An isolated termination of this contract is excluded.
§ 15 Liability and compensation
- The Client and the Contractor shall be liable towards data subjects in accordance with the provision set out in Article 82 of the GDPR.
- If a data subject asserts claims for damages against one of the contracting parties due to a breach of data protection provisions, the party subject to the claim shall inform the other party thereof without delay.
- The parties shall support each other in the defence of claims for damages by data subjects unless this would endanger the legal position of one party in relation to the other party or the supervisory authority.
§ 16 Final provisions
- This Data Processing Agreement is valid without a separate signature upon conclusion of the main contract.
- This Data Processing Agreement supersedes any prior agreements, contracts or notices between the Client and the Contractor in relation to the processing of Personal Data on behalf of the Client.
- In the event of any contradictions, the provisions of this contract with all its components shall take precedence over the provisions of the associated main contract.
- In the event of conflicts between different language versions of this Agreement, the German version shall prevail.
- If any provision of this agreement should be or become invalid, this shall not affect the validity of the remainder of the agreement.
- The Appendices 1 and 2 attached to this commissioned processing agreement form an integral part thereof.
- The contractual relationship and its performance shall be governed exclusively by the laws of the Federal Republic of Germany. For all disputes arising from or in connection with this contract, the agreement on the place of jurisdiction of the main contract shall apply – as far as permissible.
Appendix 1: Specification of the data processing
You can download Appendix 1 and Appendix 2 (TOM) as PDF files here: Appendix 1 and Appendix 2 to the agreement on commissioned data processing (PDF).
Specification of the data processing
1. Subject of the processing
The subject of the agreement is the processing of personal data by the recruiting and applicant management software, including the booked product components and ancillary processing in the broadest sense, which are processed on behalf of the client.
2. Nature and purpose of the processing
The Contractor shall make the recruiting and applicant management software available to the Client and, in doing so, shall have access to the personal data processed by the Client within it.
Within the scope of the recruiting and applicant management software, the following data processing takes place in particular:
- Structured recording and collection of applicant data,
- Structured presentation of applicant data,
- Communication between applicants, recruiters and HR managers,
- Involvement of and communication with third parties and cooperation partners,
- Evaluation of applicant data in the form of reporting,
- Provision of application status information to connected job boards,
- Provision of a talent pool,
- Requesting feedback from applicants and employees recruited via the software,
- If contractually agreed with the job board portal, forwarding of the quality signal of the application.
The Client itself determines which additional service modules are used via the Marketplace or the Contractor’s optional services. Depending on the scope of services, data processing may therefore take place for purposes other than those mentioned above.
Categories of data subjects
The Client determines which data of which groups of data subjects are processed.
Usually, the following groups of data subjects are affected by the data processing:
- Applicants of the Client
- Recruiters, employees and personnel managers of the Client
- Jobseekers and prospective job applicants
Categories of personal data
The Client determines which data of which groups of data subjects are processed.
Typically, the following categories of personal data of applicants may be processed:
- Personal details: Salutation, academic degree, first name, last name, nationality, date of birth
- Contact and address details: Street, house number, postcode, city, country, state, telephone number, fax, e-mail address
- Application data: Application photo, cover letter, CV, work experience/work references, (university) certificates and other qualifications, driving licence class, willingness to travel
- Account and log data: Applicant account, user ID, IP address, log files, status of application
- Usage data, if personal: Email content, invitations, feedbacks, ratings
- Special categories of personal data within the meaning of Art. 9 GDPR, insofar as they are stated by or consented to by the data subject, or an inference is possible or necessary for factual reasons: ethnic origin, political opinion/party affiliation, trade union membership, religious or ideological conviction, genetic/biometric data (e.g. application photo), health data (e.g. information on pregnancy, information on a disability or health restrictions), information on sexual orientation (e.g. sex/gender, homosexuality)
Typically, the following categories of personal data may be processed by recruiters, employees and HR managers:
- Personal details: Salutation, academic degree, first name, last name, function level, company
- Contact and address data: Company headquarters, telephone number, fax, e-mail address
- Account and log data: User ID, IP address, log files, role, logging of processing within the system
- Usage data: Comments, email content, invitations, feedbacks, ratings
Data processing locations
Processing on behalf takes place at the following locations:
- softgarden e-recruiting GmbH (business premises of the Contractor)
  - Location Berlin: Tauentzienstraße 14, 10789 Berlin
  - Location Saarbrücken: Europaallee 29, 66113 Saarbrücken
- WIIT AG (formerly myLoc managed IT AG), Am Gatherhof 44, 40472 Düsseldorf (headquarters)
  - Location of the service provider: Am Gatherhof 44, 40472 Düsseldorf (data center D1)
- Equinix Germany GmbH, Rebstöcker Straße 33, 60326 Frankfurt (headquarters)
  - Locations of the service provider:
    - Kruppstraße 121-127, 60388 Frankfurt am Main (data center FR2)
    - Albertstraße 27, 40233 Düsseldorf (data center DU1)
Persons of the Contractor receiving instructions
The following persons of the Contractor are authorised to accept instructions from the Client: Client Service Team: support@softgarden.de
Data Protection Officer of the Contractor
Herting Oberbeck Datenschutz GmbH, Hallerstraße 76, 20146 Hamburg, Tel.: +49 40 226 34 56 0; Email: datenschutzbeauftragter@softgarden.de
Appointed subcontractors
The confirmation of the use of subcontractors, or of optional and/or free services, is usually carried out via the recruiting system by means of a so-called “opt-in procedure” of the user. In order not to make the provision and use of the software dependent on third-party services, the Contractor will also offer the Client the option of implementing third-party services in the system on behalf of the Client, which can be booked in particular via the Contractor’s Marketplace and – where possible – also individually.
The following subcontractors will be used at the time of the conclusion of the contract:
Name and address of the subcontractor | Order content |
---|---|
WIIT AG (formerly myLoc managed IT AG), Am Gatherhof 44, 40472 Düsseldorf | Colocation and managed services: redundant firewalls and load balancers; redundant power supply by means of emergency generator, UPS (n+1 redundancy) and A/B feed in the server racks; multiple redundant IP connections and redundant network infrastructure; separate backup and administration networks; redundant, energy-efficient cooling (n+1 redundancy); dedicated servers; SSL certificates; replacement of defective server hardware; other support activities for all server systems (e.g. within the framework of proactive monitoring) |
Equinix (Germany) GmbH, Rebstöcker Straße 33, 60326 Frankfurt am Main | See above: additional colocation and managed services as described above. Server location is Kruppstraße, Frankfurt, Germany |
Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA; Cloudflare Germany GmbH, Rosenthal 7, c/o Mindspace, 80331 Munich, Germany | DDoS protection/WAF; Data Localisation Suite with “Regional Services” and “Metadata Boundary for Customers” to ensure data localisation in Germany. “Regional Services” ensure that end customer content traffic is securely transmitted to Cloudflare PoPs within the region selected by softgarden and inspected within a Point of Presence (“PoP”) in that defined region (decrypting that content for inspection and then re-encrypting it). softgarden has chosen Germany as the selected region; therefore all end customer traffic is inspected exclusively on servers in Germany and is not inspected outside of Germany. Metadata Boundary ensures that Cloudflare does not transmit customer logs originating from covered services outside the European Union. |
Textkernel B.V., Nieuwendammerkade 26a5, NL-1022 AB Amsterdam (server location Germany) | CV parsing (optional opt-in): conversion of uploaded CVs into structured form; maintenance and support services for the CV parsing service |
Cronofy B.V., Mr. Treublaan 7, 1097 DP Amsterdam, Netherlands (server location Germany) | Calendar integration (optional opt-in) to arrange meetings, appointments and tasks; processing of calendar structures and events |
SBB Software und Beratung GmbH, Bahnhofstrasse 7, 95119 Naila, Germany (server location Gunzenhausen, Germany) | Pitchyou (WhatsApp connection): sending an application via WhatsApp, activated in the JustHire system; use of messenger communication via WhatsApp without sending the user’s own phonebook contacts to WhatsApp |
Appendix 2: Technical and organisational measures
Technical and organisational measures
The technical and organisational measures described below reflect the status at the time of the conclusion of the contract. Pursuant to Section 11 (2) of the contract, the contracting parties agree that changes to the technical and organisational measures may become necessary in order to adapt to technical and legal circumstances. Changes to the technical and organisational measures must not lead to a lowering of the existing level of protection. A current overview of the technical and organisational measures taken can be viewed at any time on our website at https://softgarden.com/en/data-protection-software-as-a-service/.
Abbreviations
- DC: Data centers
- B: softgarden office Berlin
- SB: softgarden office Saarbrücken
Confidentiality
Entrance control
softgarden ensures that unauthorised persons have no access to the office, server and archive rooms. This is done by:
Measures | DC | B | SB | Notes |
---|---|---|---|---|
Central reception area | ✓ | ✓ | ||
Alarm system with connected security guard | ✓ | |||
Coded keys and key issuance to authorised persons only | ✓ | ✓ | ✓ | |
Logging of closures | ✓ | ✓ | ✓ | |
Determination and documentation of access authorisations | ✓ | ✓ | ✓ | |
Documentation of access of external persons (e.g. maintenance personnel, customers, service providers, partners, visitors …) | ✓ | ✓ | ✓ | |
Entrance to the premises by non-company personnel only in the company of an employee | ✓ | ✓ | ✓ | |
Legitimation of the authorised persons (key, PIN code) | ✓ | ✓ | ✓ | |
Two-factor authentication for access | ✓ | |||
Withdrawal of means of access after expiry of authorisation | ✓ | ✓ | ✓ | |
Security areas with different access authorisations | ✓ | ✓ | ✓ | |
Access control (system access)
softgarden prevents IT systems from being used by unauthorised persons. This is done by:
Measures | DC | B | SB | Notes |
---|---|---|---|---|
One user account per user | ✓ | ✓ | ✓ | Use of person-independent support accounts for access to customer systems, login data is only accessible to authorised employees |
Authentication of persons authorised to process data by means of a password procedure (with special characters, minimum length eight characters, regular change of password) | ✓ | ✓ | ✓ | |
Encrypted storage of passwords | ✓ | ✓ | ✓ | |
Automatic blocking of the user account after multiple incorrect entries of the access data | ✓ | ✓ | ✓ | |
Automatic locking of the workplace in case of inactivity | ✓ | ✓ | ✓ | |
Immediate blocking of authorisations when employees leave (guideline/ work instruction) | ✓ | ✓ | ✓ | |
Regular check of the validity of authorisations | ✓ | ✓ | ✓ | |
Use of lockable cabinets for the storage of paper files | ✓ | ✓ | No paper file storage in the Saarbrücken office | |
Secure transmission of authentication secrets (credentials) in the network via TLS/HTTPS, SSH, VPN (IPsec, OpenVPN) | ✓ | ✓ | ✓ | |
Manual blocking of access IDs to computers in case of longer absence of the respective employee (30 days) | ✓ | ✓ | ✓ | After returning, the access IDs must be manually unlocked again by the IT administration. |
Access restriction to Office WLAN | ✓ | ✓ | ||
Operation of an office guest WLAN for mobile devices and visitors | ✓ | ✓ | | |
Access control (data access)
softgarden ensures that those authorised to use a data processing system can only access the data subject to their access authorisation and that personal data cannot be read, copied, modified or removed without authorisation during processing, use and after storage. This is done by:
Measures | DC | B | SB | Notes |
---|---|---|---|---|
Determination of access authorisations for access to data (creation of an authorisation concept) | ✓ | ✓ | ✓ | |
Storage of data on encrypted data carriers | ✓ | |||
Determination of authorisations of knowledge, input, modification and deletion of data processed by the contractor in the context of the performance of the contract | ✓ | ✓ | ✓ | |
Regular control of accesses, entries, changes and deletions | ✓ | |||
Disposal of data carriers no longer required (guideline/ work instruction) | ✓ | ✓ | ✓ | |
Written regulation on copying data (IT security guideline/ work instruction) | ✓ | ✓ | ✓ | |
Allocation of minimal authorisations (need-to-know principle) | ✓ | ✓ | ✓ | |
No assignment of generic passwords or group identifiers | ✓ | Use of non-personal support accounts for access to customer systems, login data is only accessible to authorised employees | | |
Avoiding the concentration of functions/separation of administrative tasks among different qualified persons | ✓ | ✓ | ✓ | |
Keeping a history of administrative changes made | ✓ | ✓ | ✓ | |
Access to the production infrastructure via VPN | ✓ | ✓ | | |
Separation control
softgarden ensures that data collected for different purposes can be processed separately. There is no need for physical separation; logical separation of data is sufficient. This is done by:
Measures | DC | B | SB | Notes |
---|---|---|---|---|
Identification of the recorded data (file number, ID, customer/ case number) | ✓ | ✓ | ✓ | |
Logical separation of data processed for different clients, separation of functions production/ test | ✓ | ✓ | ✓ | |
Logical separation of the personal data of the respective clients through assignment to the respective user accounts | ✓ | ✓ | ✓ | Software separation of the clients |
Integrity
Transfer control
softgarden ensures that personal data cannot be read, copied, altered or removed without authorisation during electronic transmission or during its transport or storage on data carriers, and that it is possible to check and determine to which entities personal data is intended to be transmitted by means of data transmission equipment. This shall be done by:
Measures | DC | B | SB | Notes |
---|---|---|---|---|
Determination of the persons authorised for transmission or transport (electronically, manually) | ✓ | ✓ | ✓ | |
Checking data for completeness after data transport, transmission and data transfer or storage | ✓ | ✓ | ✓ | Manual comparison with checksums |
Implementation of security gateways at the network transfer points | ✓ | ✓ | ✓ | |
DDoS-Protection/ WAF (Cloudflare) | ✓ | SaaS | ||
Use of a recognised encryption procedure which encrypts all communication between the applicant and the contractor’s servers. | ✓ | ✓ | ✓ | |
Incoming and outgoing data streams are filtered by a modern, cascaded firewall solution | ✓ | ✓ | ✓ | |
Insofar as data carriers are transmitted by transport companies, the data carriers shall only be passed on after prior authentication of the transport company. | ✓ | ✓ | ✓ | |
Paper and data carriers containing personal data are disposed of by a qualified disposal company in accordance with data protection regulations. | ✓ | ✓ | ✓ | |
The complete, data protection-compliant and permanent deletion of data carriers with personal data is logged. The logs are stored in an audit-proof manner for at least 12 months. | ✓ | ✓ | ✓ | |
Input control
softgarden ensures that it is possible to subsequently check and determine whether and by whom personal data have been entered into, changed or removed from data processing systems. This is done by:
Measures | DC | B | SB | Notes |
---|---|---|---|---|
Documentation of access authorisations (work instruction access groups and access authorisation) | ✓ | ✓ | ✓ | |
Recording of the activities within the scope of the order | ✓ | ✓ | ✓ | |
Random control and evaluation of log data for misuse | ✓ | ✓ | Evaluation of log files via SysOps team in Saarbrücken | |
Maintaining a history for all users of the application programs used for processing personal data, recording which user performed which action and when, provided that the action modifies personal data | ✓ | ✓ | ✓ | Recording of the history in the “JustHire” application |
Availability and resilience
Availability control
softgarden ensures that personal data is protected against accidental or intentional destruction or loss. This is done by:
Measures | DC | B | SB | Notes |
---|---|---|---|---|
Uninterruptible Power Supply (UPS) | ✓ | ✓ | ✓ | |
Virus protection (on the workplaces) | ✓ | ✓ | ✓ | Virus protection on Windows workplaces |
Virus protection (on the servers) | ✓ | ✓ | ✓ | |
Firewall | ✓ | ✓ | ✓ | |
Emergency plan | ✓ | ✓ | ✓ | |
DDoS-Protection/ WAF (Cloudflare) | ✓ | SaaS | ||
Geo-redundant data centres | ✓ | |||
Central fire alarm system | ✓ | ✓ | ✓ | |
Availability monitoring | ✓ | ✓ | ✓ | 24/7 monitoring of all critical systems through automated monitoring procedures |
Recoverability
softgarden guarantees the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident through the following measures:
Measures | DC | B | SB | Notes |
---|---|---|---|---|
Backup procedure according to backup concept (daily, weekly, monthly) | ✓ | ✓ | ✓ | |
Storage of backup data in data cabinets, safes or in a separate fire compartment | ✓ | ✓ | ✓ | |
Resilience
softgarden ensures availability and resilience of business-critical systems and the systems for processing personal data through the following technical and organisational measures:
Measures | DC | B | SB | Notes |
---|---|---|---|---|
Virtualisation and operation in container infrastructure with load balancers | ✓ | |||
Regular penetration tests of softgarden products for security vulnerabilities | ✓ | The softgarden products are tested in the data centre environment. Not applicable in the office environment. Penetration tests by customers can be carried out on the staging environment after consultation with softgarden. Conducting them in the production environment is not permitted. | | |
DDoS-Protection/ WAF (Cloudflare) | ✓ | SaaS | | |
Procedures for regular review, assessment and evaluation
To ensure the maintenance and continuous improvement of the level of data protection and information security, softgarden regularly (at least annually) undergoes internal and external audits.
softgarden is certified according to
- DIN EN ISO 9001:2015
- DIN EN ISO/IEC 27001:2017 including the requirements of the standards ISO/IEC 27017:2015 and ISO/IEC 27018:2019
Data protection and information security management
softgarden ensures a process for regular review and evaluation of the effectiveness of the technical and organisational protection measures. This is done by:
Measures | DC | B | SB | Notes |
---|---|---|---|---|
Informing and obliging employees to comply with the data protection legal requirements according to the GDPR | ✓ | ✓ | ✓ | |
Regular assessment of the level of data protection by a data protection team | ✓ | ✓ | ✓ | |
Third parties must sign a confidentiality agreement. | ✓ | ✓ | ✓ | |
If there are overlapping functions for organisational reasons, the dual control principle is applied and documented. | ✓ | ✓ | | |
There is a defined system of representatives within the functional groups. | ✓ | ✓ | | |
Regular review of the data protection and information security management system through internal and external audits | ✓ | ✓ | ✓ | |
Assessment of the adequate level of protection (Art. 32(2) GDPR)
softgarden ensures a documented assessment of an adequate level of protection, in relation to the risks associated with the processing – in particular through destruction, loss, alteration, unauthorised disclosure or access – of the personal data processed on behalf of it. This shall be done by:
Measures | DC | B | SB | Notes |
---|---|---|---|---|
Carrying out a risk analysis for the processing operations of personal data | ✓ | ✓ | ✓ | |
Creation of protection needs categories | ✓ | ✓ | ✓ | |
Alignment of processes according to Privacy by Design and Privacy by Default | ✓ | ✓ | | |
Carrying out data protection impact assessments (where required by law) | ✓ | ✓ | | |
Mandate control (Art. 32 (3) and (4) GDPR)
softgarden guarantees that personal data processed on behalf of the contractor will only be processed in accordance with the instructions of the client and for the fulfilment of the contractually defined purpose. The contractor can prove this by means of a certification pursuant to Art. 40 or an approved certification procedure pursuant to Art. 42 DSGVO. If no certification is available, the proof shall be provided by:
Measures | DC | B | SB | Notes |
---|---|---|---|---|
Clear contract design with subcontractors | ✓ | ✓ | ✓ | |
Formalisation of order placement (forms system) | ✓ | ✓ | ✓ | |
Regular control of the activities | ✓ | ✓ | ✓ | Monitoring the softgarden processes through internal audits |
The persons authorised to give instructions to the client and the persons authorised to receive instructions are contractually defined; instructions are always given in text form (e.g. by e-mail or ticket system). | ✓ | ✓ | ✓ | |
softgarden will inform the client immediately about cases of serious operational disruptions, suspected data protection violations, if errors are detected or other irregularities in the handling of the client’s data. | ✓ | ✓ | ✓ | |
Orders are recorded as a support ticket (minimum details: Client/customer, action/partial order, exact specification of processing steps/parameters, processor, deadlines, recipient if applicable), where the work performed is documented. There is a clear assignment between support ticket number and customer order. | ✓ | ✓ | | |
Data deletion/ anonymisation:
Data erasure:
Cancelled and hired applications are initially set to the status “cancelled/hired” and, in the standard configuration, deleted or anonymised 6 months after cancellation or hiring, unless otherwise set by the client. The anonymisation of rejected applicants who do not wish to be included in the talent pool takes place automatically. Any further deletion/anonymisation of individual applicants (e.g. at the applicant’s request) is carried out manually. Applicant data can also be deleted manually by users with the appropriate authorisation.
Anonymisation of deleted applicants:
After the deadline, the applications are completely anonymised in the softgarden system:
- All attachments of the application are overwritten with a dummy content. The file name, size and content are deleted. Only the fact that and how many attachments were available for an application is retained for reporting purposes.
- Correspondence data is anonymised. In the process:
  - attachments are anonymised
  - subject, text and HTML, CC and BCC of the message are overwritten with a dummy text “deleted text”.
  - the sender’s address for incoming mails and the recipient’s address for outgoing mails are overwritten with a random string.
- Master data of the application are anonymised:
  - all application data specified by the client are overwritten with a random string in the process
- The application is removed from the application search index
If the application to be deleted was the last application of the applicant account, the following data is also overwritten with a random string:
- Login name
- Password
- First and last name
- Email address
- IP address from which the account was created
- IP address from which the privacy policy was confirmed
- In addition, all tags of the applicant are deleted
There is the possibility that quantitative evaluations are carried out on the participants to determine which applicants, at which location, had which interest. The anonymised data is used for this purpose. Anonymisation replaces all data with personal references with dummy texts, so that it is no longer possible to draw conclusions afterwards.
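The anonymisation steps listed above, written out as a small runnable model. This is an added example and not softgarden's own code: the record layout, the field names, the 180-day stand-in for the default 6-month retention period and all helper names are assumptions; only the rules themselves (dummy text for message fields, random strings for addresses and master data, attachments reduced to a count, removal from the search index, and account fields overwritten once the last application is gone) follow the text.

```python
"""Anonymisation of closed applications, following the steps listed above.

Added example, not softgarden's code: record layout, field names, the
180-day stand-in for "6 months" and the helper names are all assumptions.
"""
import secrets
from datetime import date, timedelta

DUMMY_TEXT = "deleted text"   # placeholder text named in the procedure
TODAY = date(2024, 7, 15)     # constructed "today" for the demo run below


def random_string(length: int = 16) -> str:
    """Unpredictable replacement value (the page only says 'random string')."""
    return secrets.token_hex(length // 2)


def is_due(application: dict, today: date, retention_days: int = 180) -> bool:
    """Cancelled/hired applications become due once the retention period has
    passed (6 months by default, assumed here as 180 days; client-configurable)."""
    if application["status"] not in ("cancelled", "hired"):
        return False
    return application["closed_at"] + timedelta(days=retention_days) <= today


def anonymise_attachment(_attachment: dict) -> dict:
    # Name, size and content are dropped; only the fact that an attachment
    # existed survives, so per-application counts stay usable for reporting.
    return {"placeholder": True}


def anonymise_message(message: dict) -> dict:
    # Subject, text, HTML, CC and BCC get the dummy text; the external address
    # (sender for incoming, recipient for outgoing mail) becomes a random string.
    for field in ("subject", "text", "html", "cc", "bcc"):
        message[field] = DUMMY_TEXT
    message["attachments"] = [anonymise_attachment(a) for a in message["attachments"]]
    if message["direction"] == "incoming":
        message["sender"] = random_string()
    else:
        message["recipient"] = random_string()
    return message


def anonymise_account(account: dict) -> dict:
    # Only reached when the anonymised application was the account's last one.
    for field in ("login", "password", "first_name", "last_name", "email",
                  "created_from_ip", "privacy_confirmed_from_ip"):
        account[field] = random_string()
    account["tags"] = []
    return account


def anonymise_application(application, account, search_index, master_fields):
    """Apply the procedure to one application in place; returns True when the
    applicant account had to be anonymised as well."""
    application["attachments"] = [anonymise_attachment(a) for a in application["attachments"]]
    application["messages"] = [anonymise_message(m) for m in application["messages"]]
    for field in master_fields:                 # master-data fields chosen by the client
        if field in application["master_data"]:
            application["master_data"][field] = random_string()
    search_index.discard(application["id"])     # no longer findable via application search
    account["active_application_ids"].discard(application["id"])
    if not account["active_application_ids"]:   # edge case: last application of the account
        anonymise_account(account)
        return True
    return False


def run_cleanup(today, account, applications, search_index, master_fields, retention_days=180):
    """Anonymise every due application of one account; returns the ids processed."""
    done = []
    for app in applications.values():
        if app["id"] in account["active_application_ids"] and is_due(app, today, retention_days):
            anonymise_application(app, account, search_index, master_fields)
            done.append(app["id"])
    return done


def sample_data():
    """Constructed sample: one account with a cancelled and an open application."""
    account = {"login": "jane.doe", "password": "<hash>", "first_name": "Jane",
               "last_name": "Doe", "email": "jane@example.org",
               "created_from_ip": "203.0.113.7", "privacy_confirmed_from_ip": "203.0.113.7",
               "tags": ["berlin", "python"], "active_application_ids": {"app-1", "app-2"}}
    applications = {
        "app-1": {"id": "app-1", "status": "cancelled", "closed_at": date(2024, 1, 10),
                  "attachments": [{"name": "cv.pdf", "size": 120000, "content": b"..."},
                                  {"name": "cover.pdf", "size": 40000, "content": b"..."}],
                  "messages": [{"direction": "incoming", "sender": "jane@example.org",
                                "recipient": "jobs@example.com", "subject": "Application",
                                "text": "Dear team ...", "html": "<p>Dear team ...</p>",
                                "cc": "", "bcc": "", "attachments": []}],
                  "master_data": {"phone": "+49 30 0000000", "city": "Berlin"}},
        "app-2": {"id": "app-2", "status": "in_process", "closed_at": None,
                  "attachments": [], "messages": [], "master_data": {"phone": "+49 30 0000000"}},
    }
    return account, applications, {"app-1", "app-2"}


if __name__ == "__main__":
    account, applications, index = sample_data()
    print(run_cleanup(TODAY, account, applications, index, ["phone", "city"]))
    print(applications["app-1"]["attachments"], index, account["login"])
```

Running the block anonymises only `app-1` (cancelled on 10 January 2024, so past the 180-day deadline on 15 July 2024) and leaves the account's login intact, because `app-2` is still open; once `app-2` is closed and due as well, the account fields and tags are overwritten too.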