Legal · 003

GDPR commitments.

Last updated: 18 April 2026
DPO: [email protected]
Lead authority: AEPD (Spain)
Status: Controller & Processor

This page summarises how Hirefel meets its obligations under Regulation (EU) 2016/679 — the General Data Protection Regulation — and the Spanish Organic Law 3/2018 on data protection. It is a companion to our Privacy notice and any engagement-specific DPA.

01 Roles

Hirefel SL acts as controller for data about its own prospects, applicants, and corporate contacts. We act as processor for client data we handle under an engagement — in every engagement, we sign a Data Processing Agreement before we touch any client-provided personal data.

02 Standing DPA

Our standard DPA is based on the European Commission Standard Contractual Clauses (Module 2: controller-to-processor). It covers:

  • Scope, purpose, nature, and duration of processing.
  • Categories of data subjects and personal data.
  • Controller instructions and processor obligations.
  • Sub-processor authorisation and a 15-day objection window.
  • International transfers under SCCs or adequacy decisions.
  • Assistance with data-subject requests and DPIAs.
  • Breach notification timelines (within 24 hours of detection).
  • Return and deletion of data on termination.

The DPA is executed as a standalone document or annexed to the Statement of Work.

03 Sub-processors

We maintain a live list of approved sub-processors. Additions or replacements are notified at least 15 days in advance; controllers may object in writing within that window.

  Sub-processor            | Purpose                                                  | Region
  Google Workspace         | Email, document collaboration                            | EU
  Linear                   | Project tracking                                         | EU / US (SCCs)
  1Password                | Secret management                                        | EU / CA (adequacy)
  Fathom Analytics         | Privacy-preserving site analytics                        | EU
  Stripe                   | Billing                                                  | EU / US (SCCs)
  LinkedIn (Marketing API) | Hirefel SL company-page posting + engagement insights    | EU / US (SCCs)

04 Technical & organisational measures

Access control
Least-privilege IAM, hardware-key MFA for all engineers, quarterly access review.
Encryption
TLS 1.3 in transit; AES-256 at rest on all managed infrastructure.
Segregation
Per-client isolation: separate cloud accounts, separate credentials, separate logging.
Logging
Tamper-evident access logs retained for 90 days; change logs for 24 months.
Endpoint
MDM-managed laptops, full-disk encryption, remote wipe, no local copies of client data.
Training
Annual GDPR and security refresher for all staff and contractors.

05 International transfers

Data stays in the EU/EEA by default. Transfers to third countries happen only under:

  • An EU adequacy decision (e.g. Canada, UK, Switzerland), or
  • EU Standard Contractual Clauses (2021) with a transfer risk assessment, or
  • The EU-US Data Privacy Framework, where the importer is certified.

06 Breach notification

On becoming aware of a personal data breach affecting a client's data, we notify the controller in writing within 24 hours, with enough detail to let the controller meet the 72-hour AEPD notification deadline. We do not self-notify authorities on the controller's behalf unless explicitly asked.

07 Data subject rights

For data where we are the controller, write to [email protected]. We verify identity, respond within 30 days, and can extend by up to 60 days for complex requests (with explanation). Where we are a processor, we forward the request to the relevant controller within 5 working days and assist as contractually agreed.

You may complain to the Spanish Data Protection Agency — AEPD, aepd.es.

08 Data Protection Impact Assessments

For engagements involving high-risk processing — large-scale inference, profiling, biometric data, or sensitive categories — we support the controller's DPIA with documentation of our processing activities, security measures, and sub-processor chain. A DPIA template is annexed to the DPA on request.

09 Contact & DPO

Hirefel SL · Data Protection
Barcelona, Spain
[email protected]