This DPA forms part of the Terms of Service between Customer and placement.solutions and applies whenever placement.solutions processes Personal Data on Customer's behalf.
Unless otherwise defined here, capitalized terms have the meaning given in the Terms of Service. The following defined terms apply to this DPA:
The subject matter of the Processing is the provision of the Service to Customer under the Terms of Service. The Processing begins on the effective date of the Order Form and continues for the term of the Agreement plus the post-termination retention period in section 6.9 below.
The nature of the Processing is the operation, security, billing, and support of the Service. The purpose is to deliver to Customer the functionality described in the documentation and on the Order Form. We do not Process Personal Data for any purpose outside this scope without Customer's documented instruction.
The Service is not designed to receive special categories of Personal Data (GDPR Art. 9), criminal conviction data (GDPR Art. 10), children's data (GDPR Art. 8), or US-equivalent sensitive personal information. Customer shall not transmit such data to the Service without prior written agreement and an executed amendment to this DPA.
For Personal Data Customer transmits to the Service (account, configuration, support, and any Personal Data Customer voluntarily includes in API parameters), Customer is the Controller and placement.solutions is the Processor.
For the firm and role records that constitute Index Data, placement.solutions is the Controller. Index Data consists of public-domain professional information collected, licensed, or generated by placement.solutions and is not Personal Data Customer entrusts to us. Where Index Data incidentally contains Personal Data of professionals (for example, a partner's name attached to a public posting), placement.solutions is the Controller and processes such data on the lawful bases described in the Privacy Policy.
For US state law equivalents (CCPA/CPRA), placement.solutions acts as a "service provider" with respect to Personal Data Customer transmits and shall not (a) sell or share such data, (b) retain, use, or disclose it outside the direct business purpose of providing the Service, or (c) combine it with Personal Data received from another source except as expressly permitted under the CCPA/CPRA.
placement.solutions shall Process Personal Data only on Customer's documented instructions, including the instructions deemed given through Customer's use of the Service per the documentation. If we believe an instruction violates Applicable Data Protection Law, we will inform Customer and may suspend that specific Processing activity until resolved.
We ensure that personnel authorized to Process Personal Data are bound by enforceable confidentiality obligations and have received appropriate data protection training.
We implement and maintain technical and organizational measures appropriate to the risk, including those described in our Trust Center at security.html: encryption in transit (TLS 1.2+), encryption at rest (AES-256), mTLS between internal services, MFA on all employee accounts, role-based access control, audit logging of administrative actions, daily encrypted backups with point-in-time recovery, annual external penetration testing, and continuous SAST/DAST in our build pipeline.
We notify Customer without undue delay and in any event within seventy-two (72) hours of becoming aware of a confirmed Personal Data Breach affecting Customer Data. The notification will include, to the extent then known, (a) the nature of the breach including categories and approximate number of Data Subjects and records concerned, (b) the likely consequences, (c) measures taken or proposed to address the breach and mitigate its possible adverse effects, and (d) the name and contact details of our data protection contact for follow-up. We will publish a public root-cause analysis within fourteen (14) days where the incident affected the Service generally.
We provide Customer with the information reasonably necessary to demonstrate compliance with Applicable Data Protection Law and with this DPA. See section 9 (Audit rights).
On Customer's reasonable written request, we provide reasonable assistance to support Customer's data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the Processing and the information available to us.
Where we receive a request directly from a Data Subject regarding Customer Data, we will not respond except to confirm we are a Processor acting on Customer's behalf and to direct the Data Subject to Customer. We will provide reasonable assistance, taking into account the nature of the Processing, to enable Customer to respond to Data Subject rights requests within applicable timelines.
See section 7.
On termination or expiration of the Agreement, we delete Customer Data per Privacy Policy section 5 and the timelines in Terms of Service section 10 unless Applicable Data Protection Law requires longer retention. On Customer's written request submitted within thirty (30) days of termination, we provide a structured export of Customer's configuration data before deletion. After deletion, we will issue a written attestation of deletion on request.
Customer authorizes placement.solutions to engage Sub-Processors to deliver the Service. The current list of Sub-Processors is published at subprocessors.html.
We notify Customer at least thirty (30) days before adding or replacing a Sub-Processor. Customers may subscribe to email notifications of changes by writing to hunter@placement.solutions. During the notification window, Customer may object to a new Sub-Processor on reasonable data protection grounds by written notice to hunter@placement.solutions. If we cannot accommodate the objection within fifteen (15) days, Customer may terminate the affected portion of the Service with pro-rata refund of prepaid fees.
We remain responsible to Customer for the performance of each Sub-Processor's obligations under this DPA. Each Sub-Processor is bound by a written data processing agreement that imposes data protection obligations no less protective than those imposed on us under this DPA.
All production Personal Data is stored and processed in the continental United States. The following transfer mechanisms apply when Customer or its Authorized Users transmit Personal Data from outside the United States:
The SCCs are incorporated by reference into this DPA. Module Two (Controller-to-Processor) applies. Where Customer is a Processor and we are a Sub-Processor, Module Three applies. Optional clauses are deemed selected as follows: Clause 7 (docking) is included; Clause 9(a) Option 2 (general written authorization) applies with the thirty-day notice period in section 7 of this DPA; Clause 11(a) (independent dispute resolution body) is not selected; Clause 17 governing law is the law of the Republic of Ireland; Clause 18 forum is the courts of Ireland. Annexes I, II, and III to the SCCs are populated by the corresponding sections of this DPA and the Subprocessor List.
The IDTA is incorporated by reference. The Approved Addendum is the UK ICO's IDTA in force as of the effective date. The Tables are populated by the corresponding sections of this DPA, the Order Form, and the Subprocessor List.
The SCCs apply with the modifications recommended by the Swiss Federal Data Protection and Information Commissioner: references to the GDPR are deemed to refer to the FADP, references to EU member states are deemed to refer to Switzerland, the supervisory authority is the FDPIC, and the governing law clause is amended accordingly.
If a successor adequacy framework or transfer mechanism is adopted (for example, the EU-US Data Privacy Framework as it evolves), the parties may rely on it in lieu of the SCCs by written notice from us, provided the successor framework provides substantially equivalent protection.
On Customer's reasonable written request and not more than once per twelve-month period (more frequently if required by Applicable Data Protection Law or following a confirmed Personal Data Breach affecting Customer), we will make available to Customer a summary of our most recent SOC 2 report (or successor attestation), our most recent external penetration test summary, and reasonable additional information needed to demonstrate compliance with this DPA.
If the standard documentation is not sufficient, we will support a remote audit (questionnaire, interviews, screen-shared evidence walkthrough) at no cost. An on-site audit at Customer's expense is available within thirty (30) days of a confirmed material Personal Data Breach affecting Customer, scoped to the systems and processes implicated in the breach. Audits shall not unreasonably interfere with our business, shall be conducted under written confidentiality, and shall not include access to data of other customers.
Each party's liability under this DPA is subject to the liability cap and exclusions in Terms of Service section 13, except as Applicable Data Protection Law mandates otherwise. Where Customer and placement.solutions are jointly held liable to a Data Subject under Article 82 GDPR or equivalent provision, each party is responsible for the share of damages corresponding to its responsibility for the harm caused.
We may update this DPA to (a) align with changes in Applicable Data Protection Law, (b) reflect new transfer mechanisms, or (c) clarify obligations. Material changes that materially reduce Customer's rights are notified at least thirty (30) days in advance per Terms of Service section 18. Updates required by law are effective on the date the law requires.
This DPA is effective 2026-05-06 and supersedes any prior data processing addendum between the parties for the same subject matter. In the event of a conflict between this DPA and the Terms of Service with respect to the Processing of Personal Data, this DPA controls. In the event of a conflict between this DPA and the SCCs (as applicable), the SCCs control.