Data Processing Agreement
Last updated: March 2026 — Version 1.0
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Ascend HR B.V., a company incorporated in the Netherlands ("Processor" or "we"), and the organisation that has accepted the Terms of Service ("Controller" or "you"). It governs the processing of personal data that the Controller submits to the Ascend HR service.
By using Ascend HR you acknowledge that you have read and agree to this DPA. If you are accepting on behalf of an organisation, you represent that you have authority to bind that organisation.
1. Definitions
Terms used in this DPA have the meanings given in the GDPR (Regulation (EU) 2016/679) unless otherwise defined here.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
- "Personal Data" means any information relating to an identified or identifiable natural person that the Controller submits to the Service.
- "Service" means the Ascend HR talent management platform provided under the Terms of Service.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Roles of the Parties
The Controller determines the purposes and means of processing Personal Data entered into the Service (for example, employee profiles, goals, feedback, and evaluation data). The Processor processes that data solely on behalf of the Controller as described in this DPA and Annex A.
3. Controller Instructions
The Processor shall process Personal Data only on documented instructions from the Controller. By entering into this DPA the Controller instructs the Processor to process Personal Data as necessary to provide and improve the Service, for security purposes, and as otherwise set out in this DPA. The Controller may issue further instructions in writing at any time; the Processor will inform the Controller if it believes an instruction infringes the GDPR.
4. Confidentiality
The Processor shall ensure that all persons authorised to process Personal Data are subject to a binding confidentiality obligation, whether by contract or statutory duty, and do not process Personal Data outside the scope of this DPA.
5. Security
The Processor shall implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature and risks of the processing (Article 32 GDPR). These measures include:
- Encryption of data in transit using TLS 1.2 or higher.
- Network-level firewall controls restricting database access to authorised IP addresses.
- Role-based access controls limiting data access to authorised personnel.
- Regular dependency and security patching.
- Access to production systems limited to essential staff.
6. Sub-processors
The Controller grants general authorisation to the Processor to engage the sub-processors listed in Annex B. The Processor shall impose data protection obligations on each sub-processor equivalent to those in this DPA and shall remain liable to the Controller for sub-processor performance.
The Processor will give the Controller at least 30 days' prior written notice (including by email or in-app notification) before adding or replacing a sub-processor. If the Controller reasonably objects within that period, the parties will work in good faith to resolve the objection; if no resolution is reached, the Controller may terminate the Service on written notice.
7. Data Subject Rights
Taking into account the nature of the processing, the Processor shall assist the Controller, by appropriate technical and organisational measures, to fulfil the Controller's obligations to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (including the rights of access, rectification, erasure, restriction, portability, and objection). The Processor shall promptly notify the Controller if it receives a data subject request that relates to the Controller's Personal Data, and shall not respond to such requests on the Controller's behalf except as instructed.
8. Assistance with Compliance Obligations
The Processor shall assist the Controller in ensuring compliance with obligations under Articles 32–36 of the GDPR, including in relation to security of processing, data breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the information available to the Processor and the nature of the processing.
9. Personal Data Breach Notification
The Processor shall notify the Controller without undue delay — and in any event within 72 hours of becoming aware — of any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data ("Personal Data Breach"). Notification shall be sent to the Controller's registered email address and shall include, to the extent known at the time: the nature of the breach, the categories and approximate number of individuals and records affected, likely consequences, and measures taken or proposed to address the breach.
10. Deletion and Return of Data
At the choice of the Controller, the Processor shall delete or return all Personal Data to the Controller after the end of the provision of services, and shall delete existing copies unless EU or Member State law requires their retention. Where the Controller cancels its subscription, Personal Data remains accessible for 30 days to allow export, after which it is deleted. Billing records are retained for 7 years as required by Dutch law. On request, the Processor will confirm in writing when deletion is complete.
11. Audit Rights
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations in Article 28 GDPR, and shall allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller. The Controller shall give at least 30 days' prior written notice of any audit, bear the costs of the audit, and ensure that any mandated auditor is bound by a confidentiality obligation. Audits may not unreasonably disrupt the Processor's operations.
12. International Transfers
The Processor does not transfer Personal Data outside the European Economic Area. All infrastructure, including hosting and transactional email, is operated by EEA-based sub-processors (see Annex B). Should a transfer outside the EEA become necessary, the Processor will implement appropriate safeguards (such as EU Standard Contractual Clauses) and notify the Controller in advance.
13. Term and Termination
This DPA is effective for as long as the Processor processes Personal Data on behalf of the Controller under the Terms of Service. It terminates automatically when the underlying Terms of Service terminate, subject to any survival obligations relating to deletion and confidentiality.
14. Governing Law and Jurisdiction
This DPA is governed by Dutch law. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the competent courts in the Netherlands, without prejudice to the Controller's right to bring claims before the supervisory authority in its Member State of establishment.
15. Order of Precedence
In the event of a conflict between this DPA and the Terms of Service regarding the processing of Personal Data, this DPA shall prevail to the extent of the conflict.
Annex A — Details of Processing
Subject matter and duration
Provision of the Ascend HR talent management platform for the duration of the subscription.
Nature and purpose of processing
Storage, retrieval, display, and transmission of HR data to enable employee onboarding, goal tracking, peer feedback, wellbeing check-ins, and annual evaluation workflows.
Categories of personal data
- Identity and contact data: name, work email address, phone number, profile image.
- Employment data: job title, department, employment status, start date, exit date, manager, reporting relationships.
- Personal details (optional, entered by employee): date of birth, home address, emergency contact name and phone.
- Performance and development data: career goals, goal progress updates, peer feedback, self-assessments, manager evaluation reviews.
- Wellbeing data: mood scores and notes submitted via pulse check-ins (optional feature).
- Technical data: session identifiers, IP address, browser user-agent (retained for 90 days).
Categories of data subjects
Employees, contractors, and other workers of the Controller, including individuals in pre-boarding status.
Lawful basis (Controller responsibility)
The Controller is responsible for identifying and documenting its lawful basis for processing under Article 6 GDPR (typically performance of an employment contract and/or legitimate interests). Wellbeing (pulse) data may additionally require freely given consent from data subjects.
Annex B — Approved Sub-processors
The following sub-processors are authorised as of the date of this DPA. The Processor will notify the Controller of any changes in accordance with Section 6.
| Sub-processor | Country | Purpose | DPA / Privacy Policy |
|---|---|---|---|
| Hetzner Online GmbH | Germany | Cloud infrastructure, database hosting, object storage | hetzner.com/legal/privacy-policy |
| Scaleway SAS | France | Transactional email delivery | scaleway.com/en/privacy-policy |
Note: Mollie B.V. (Netherlands) processes payment data as an independent data controller under its own privacy policy and is not a sub-processor of employee Personal Data.
Questions
If you have questions about this DPA or wish to exercise your audit rights, contact us at hi@ascendhr.eu.