HiPeople-Platform General Terms and Conditions of Use

HiPeople GmbH, Zionskirchstraße 73a, 10119 Berlin, Germany ("HiPeople") offers an online platform on app.hipeople.io ("Website") to support customers (each a "Client"; Clients and HiPeople together "Parties") in their recruiting processes ("HiPeople-Platform"). HiPeople supports the Client in obtaining references and evaluating skills and competences of their applicants (each a "Candidate"). For this purpose, the Candidate can propose persons or entities that are eligible for a reference (such persons or entities hereinafter: "References"). The HiPeople-Platform is controlled via a dashboard using standard browsers and is based on a Software-as-a-Service platform provided for a fee.

These General Terms and Conditions ("Agreement“) regulate the contractual relationship between HiPeople and the Clients regarding the use of the HiPeople-Platform.

The services of HiPeople are not aimed at consumers within the meaning of Section 13 of the German Civil Code.

1. Object and Conclusion of the Contract; Client’s T&C

These General Terms and Conditions apply to the provision of the HiPeople-Platform by HiPeople.

The Client’s General Terms and Conditions shall only form part of the Agreement if this has been expressly agreed upon in writing.

The Agreement shall become effective with both Parties signing the Order Form (text form being sufficient).

HiPeople saves the text of this Agreement after the Agreement has been concluded. The text of the Agreement is accessible to the Client.

2. Services by HiPeople

HiPeople shall provide the Client access to the HiPeople-Platform exclusively via the internet for a limited period of time during the term of the Agreement. The place of service transfer is the router exit of the data centre used by HiPeople. HiPeople provides the services exclusively from data centres within the EEA. The Client shall independently ensure that the service can be accepted. In particular, the provision of the necessary hardware and software (e.g. browser) by HiPeople shall not be part of the Agreement. The Client shall have no claim to access to the source codes of the HiPeople-Platform provided by HiPeople. The operation of the HiPeople-Platform is the responsibility of the Client.

Support with the recruiting process

HiPeople supports the Client in his recruiting processes by depicting the evaluation of his Candidates by References via HiPeople. For this purpose, the Client selects questions that he would like to ask the Reference for the position to be filled. HiPeople offers a systematic questionnaire with personal psychological content which the Client can use for the query. The Client can modularly combine the questions for the respective position and add his own content. From the selection of questions, HiPeople creates an overview and summary of the answers and the assessment of the References, which enables the Client to evaluate the Candidate for the selection decision.

In addition, HiPeople supports the Client by allowing him to evaluate his Candidates’ skills and competences based on pre-defined scientific and systematic assessment tests. For this purpose, the Client selects an assessment test for a certain position to be filled, which the Candidate can answer. Such assessment tests consist of different components and can be modified according to the Client and the position to be filled.

HiPeople has no influence on the answers of the References and on the content correctness of the answers of the Candidates in any way. HiPeople continuously checks and optimizes its processes to ensure the highest possible quality of the responses from the References and the Candidates. The selection decision as to which the Candidate will be hired is made solely by the Client.

The Client enters the Candidate contact details on the HiPeople-Platform. Subsequently, the Candidate receives a request from the Client via HiPeople. This gives the Candidate access to the HiPeople-Platform. There, the Candidate enters the contact details of the selected References (and can address a personal message to them) and/or answers the questions of an assessment priorly selected/modified by the Client. If the evaluation of a Candidate includes an assessment by References, HiPeople then contacts the References and gives them access to the HiPeople-Platform where they find the selected questions and can answer them.


HiPeople shall grant the Client access to an interface for a limited period of time during the term of this Agreement to the extent agreed upon in these General Terms and Conditions and in the Order Form. The Client can use the interface to connect his third-party services (means any applications, integrations, plugins, software, code, online services, systems, and other products not developed by HiPeople and that interact in any way with the HiPeople-Platform) and to import data to the HiPeople-Platform („HiPeople-API“).

The Client is solely responsible for the provision of compatible applications for the use of the HiPeople-API.

HiPeople reserves the right to extend the features of the HiPeople-API at any time. For reasons of data security, for compelling technical reasons, for troubleshooting or because of a change in the legal situation due to legislation, court decisions or official guidelines, the features can additionally be changed, restricted or partially discontinued at any time, provided that this is reasonable for the Client taking into account the interests of HiPeople. The Client shall be informed of such changes as early as reasonably possible.

HiPeople is entitled to offer the HiPeople-API in new versions which are not identical in their features to previous versions. Older versions of the HiPeople-API can be discontinued after timely notification in text form if this is reasonable for the Client, taking into account the interests of both Parties.

Other services, in particular consulting, adaptation, implementation or training services, shall only be owed by HiPeople if this has been expressly agreed in writing between the Parties.

HiPeople shall be entitled to commission third parties with the fulfilment of its contractual obligations in whole or in part.

There is necessary planned maintenance work as well as disturbances which are not within the sphere of influence of HiPeople, such as, in particular, force majeure. HiPeople shall inform the Client about planned maintenance work in due time in text form. However, HiPeople expressly reserves the right, if necessary, to carry out unannounced maintenance work, especially if this is necessary for data security and/or operational safety.

HiPeople is entitled to extend and further develop the HiPeople-Platform. HiPeople reserves the right to offer extensions and/or further developments only against payment of an additional fee. If the Client books an extension or further development for a fee through a corresponding supplementary agreement to this Agreement, these General Terms and Conditions shall apply accordingly to this booking. If HiPeople makes extended or additional functions available free of charge after conclusion of the Agreement, these provided functions shall be considered a voluntary service of HiPeople.

HiPeople can change the scope of functions of the HiPeople-Platform at any time to an extent reasonable for the Client. Such a change is deemed to be reasonable in particular where it becomes necessary for a significant reason – for example, due to disruptions in the provision of services by subcontractors or for safety reasons – and the service features defined in the service description as well as the main service obligations of HiPeople remain unchanged. If the changes do not exclusively concern extensions of the functions or not only insignificant components of the services to be provided by HiPeople, HiPeople shall inform the Client of the change by email at least six weeks before it comes into effect. In this case, the Client is entitled to terminate this Agreement extraordinarily. The Client will then receive a pro-rata refund of the prepaid fee in the amount of the fee paid in excess due to the termination.

HiPeople is entitled to block the Client's access to the HiPeople-Platform if

  1. there are indications that the Client’s access data have been or are being misused or the access data have been or are being made available to an unauthorised third party or access data are being used by more than one individual;
  2. there are indications that third parties have otherwise gained access to the HiPeople-Platform provided to the Client;
  3. the blocking is required for technical reasons;
  4. HiPeople is legally, judicially or officially obliged to block access;
  5. the Client is more than two weeks in default with payment of the agreed fee;
  6. the Client has provided incorrect or invalid contact data and communication between HiPeople and the Client is no longer possible;
  7. the Client has entered incorrect payment data and regular fulfilment of the Client's performance obligations is not guaranteed.

HiPeople shall announce the blocking to the Client no later than one working day before the blocking takes effect, at least in text form, insofar as the announcement is reasonable and compatible with the purpose of the blocking, taking into account the interests of both Parties.

3. Obligations of the Client

The Client shall keep the access data to the HiPeople-Platform in a safe place and may only make them accessible to authorised employees. The Client undertakes to oblige his employees to handle the access data confidentially and to inform HiPeople immediately if there is a suspicion that the access data could have become known to unauthorised persons.

The Client shall secure his data himself regularly and in accordance with the risk, as far as this is technically possible for him. This applies to the data on the Client's local systems as well as to the data that the Client stores on the HiPeople-Platform provided by HiPeople.

The Client grants HiPeople a non-exclusive, territorially and temporally unlimited right of use to all content that he transmits to the servers of HiPeople within the scope of using the HiPeople-Platform, to the extent it is necessary for the fulfilment of the Agreement with the Client, in particular to reproduce the content and to make it available to Candidates in accordance with the Client's settings. HiPeople shall be entitled to grant sub-licenses to its vicarious agents, insofar as this is necessary for the fulfilment of the Agreement. Otherwise, the right of use is not transferable. HiPeople is entitled to retain the Client's content beyond the duration of the Agreement, insofar as this is technically or legally necessary. In particular, HiPeople is authorized to keep backup copies of the contents provided by the Client and to store such information as is required for accounting, documentation and billing purposes.

The Client guarantees that he will observe all applicable legal regulations when using the HiPeople-Platform, in particular copyright law, unfair competition law, youth protection act and data protection law. In particular, the Client shall use any functions of the HiPeople-Platform for sending email notifications exclusively for the intended and contractual use of the HiPeople-Platform and in compliance with the legal regulations for sending emails (in particular regulations against the sending of unsolicited spam emails) and shall not upload or send any content that contains viruses, trojans or other malware, intends to deceive third parties to disclose confidential information (e.g. passwords), harasses third parties, infringes the rights of third parties, serves to impair the intended operation of the HiPeople-Platform or otherwise violates applicable law.

The Client shall indemnify HiPeople from all claims of third parties (including the associated costs and expenses, in particular customary lawyer's fees), which they assert against HiPeople due to the Client's illegal or contractually non-compliant use of the HiPeople-Platform. HiPeople shall inform the Client immediately about claims asserted by third parties and on request provide the information and documents necessary for the defence. In addition, HiPeople shall either leave the defence to the Client or after consultation carry it out with the Client. In particular, HiPeople shall neither acknowledge nor make claims asserted by third parties indisputable without consulting the Client. The provisions of this clause shall apply accordingly to contractual penalties as well as administrative or judicial fines and penalties, insofar as the Client is responsible for them.

4. Scope of the Rights of Use

Corresponding with the commencement of the Agreement, HiPeople grants the Client, limited to the duration of the Agreement, the non-exclusive, worldwide, non-transferable and non-sublicensable right to use the HiPeople-Platform in accordance with the Agreement. All other rights are reserved.

Unless expressly agreed otherwise, the Client may only use the HiPeople-Platform for internal purposes and in particular may not arrange for its use to third parties for their own use, whether for payment or free of charge, and may also not use the services of HiPeople to provide its own services to the Client's contractual partners (e.g. carry out surveys or recruiting processes on behalf of third parties).

5. Data Protection

In regard to the personal data of the Client which is used by the Client in connection with the HiPeople-Platform, including personal data of Candidates of the Client, HiPeople acts as the data processor and the Client acts as the controller. The Client is therefore solely responsible for the legality of the processing, unless data protection laws, in particular the General Data Protection Regulation, assigns the data processor its own liability. Details of the Parties' obligations under data protection laws are governed by the “Data Processing Agreement” in Schedule 1, which is hereby expressly incorporated into this Agreement.

6. Fees

The Client shall pay the agreed fee to HiPeople for the use of the HiPeople-Platform.

Unless otherwise specified, the fees are annual and net plus applicable value added tax.

Unless otherwise specified, the invoice shall be issued in advance at the beginning of each stipulated accounting period. The fees invoiced are due upon receipt of the invoice.

7. Warranty

The relevant statutory warranty provisions shall apply to complimentary services.

HiPeople shall otherwise be liable for defects in the provision of the HiPeople-Platform and the HiPeople API exclusively in accordance with the following clauses.

Defects are substantial deviations from the contractually stipulated scope of functions or services.

If the services to be provided by HiPeople according to this Agreement are defective, HiPeople shall, at its discretion, within a reasonable period of time and after receipt of a notification of defects from the Client in text form, either rectify the services or provide them again. If Hi People uses third-party software, the rectification shall consist of the procurement and installation of generally available upgrades, updates or patches.

The provision of instructions for use with which the Client can reasonably deal with defects that have occurred in order to use the HiPeople-Platform according to the Agreement shall also be considered a rectification defect.

If the defect-free provision of services fails for reasons for which HiPeople is responsible, even within a reasonable period of time set by the Client in text form, the Client may reduce the agreed fee by an appropriate amount. For each day which the defect continues the entitlement to reduce payment is restricted to the amount of the price relating to the defective part of the service.

If the reduction pursuant to Section 7.6 reaches the maximum amount specified in Section 7.6 in two consecutive months or in two months of a quarter, the Client may terminate the Agreement without notice.

The Client shall immediately notify HiPeople of any defects in writing or by email. Furthermore, the Client shall support HiPeople free of charge in remedying defects and shall in particular provide HiPeople with all information and documents that HiPeople requires for the analysis and rectification of defects.

8. Compensation and Liability

HiPeople shall be liable for complimentary services in accordance with the statutory provisions.

In all other cases, the legal liability of HiPeople for intent and gross negligence as well as for damages resulting from injury to life, body or health is unlimited.

For simple negligence in cases other than those mentioned in Section 8.2, HiPeople shall only be liable for the breach of an obligation fundamental to the contract. An obligation fundamental to the contract in the sense of this clause is an obligation, the compliance to which is prerequisite to allow the execution of the Agreement in the first place and on whose compliance here to the contractual partner can reasonably expect to be able to rely on.

In the case of Section 8.3, HiPeople shall not be liable for lack of economic success, loss of profit and indirect damages.

Liability in accordance with the above Section 8.3 is limited to the typical, foreseeable damage at the time of the conclusion of the Agreement.

Liability for damages due to loss of data in the case of Section 8.3 is limited to the amount of restoration of data which would have accrued from backups made by the Client at regularly scheduled intervals in accordance with the risk involved.

These limitations of liability shall apply mutatis mutandis to the organs, employees, representatives and vicarious agents of HiPeople.

Any liability of HiPeople for given guarantees (which must be expressly stated as such) and for claims based on the German Product Liability Act and data protection law shall remain unaffected.

Any further liability of HiPeople is excluded.

9. Confidentiality and Non-disclosure

The Client undertakes to treat confidential information and documents ("Confidential Information") of HiPeople, which are either obviously to be regarded as confidential or have been designated as confidential by HiPeople, as trade secrets and not to make them accessible to third parties. For the purposes of this Agreement, third parties also include affiliated companies in which the Client does not hold a majority of capital or votes. The Client's employees and other third parties commissioned by the Client (including subcontractors and freelancers) shall be obligated to give the same undertakings.

Confidential Information shall be deemed to include, in particular, the HiPeople-Platform itself and all technologies of HiPeople, information provided by HiPeople within the scope of support requests or cooperation for the purpose of troubleshooting, as well as this Agreement including the contract form. However, the rights of use granted by HiPeople remain unaffected.

The Client is entitled to disclose the information and documents made available to him/her to third parties if and insofar as this is indispensable for the fulfilment of this Agreement or the exertion of contractual rights or if this is absolutely necessary for legal or supervisory reasons. In the event of enquiries from third parties, judicial or administrative authorities regarding the disclosure of confidential information, the Client must inform HiPeople immediately in writing or in text form and support HiPeople in its efforts to prevent the disclosure of the confidential information.

The obligation of confidentiality shall not apply if the Confidential Information was already known to the Client before disclosure by HiPeople, is generally known or becomes known through no fault of the Client, was developed by the Client itself without access to the confidential information of HiPeople or is brought to the attention of the third party by a bona fide, authorised third party. The mandatory legal obligations to disclose information remain reserved. If the Client relies on one or more of the aforementioned reasons, he must substantiate this by presenting suitable evidence.

The obligation of confidentiality begins with the knowledge of the Confidential Information and exists for the entire term of this Agreement and beyond that for five years from termination or the end of the term of the Agreement, unless legal provisions do not provide for a longer duty of secrecy. The Client guarantees within the scope of what is legally possible that the confidentiality obligations are also binding for his legal successors, assignees and affiliated companies.

During the period of validity of this obligation of confidentiality, Confidential Information must be returned immediately, undamaged and complete upon first request by HiPeople. HiPeople may also order that certain Confidential Information be destroyed, deleted or placed in safe custody and that the execution be confirmed in writing by the Client. The above provisions in this clause shall only apply insofar as this does not significantly impair the use of the contractual service in accordance with the Agreement.

Notwithstanding the above regulations, HiPeople shall be entitled to name the Client as a reference Client, including using any symbols or logos in marketing materials (including websites).

With the exception of Section 9.7, the above regulations do not establish any rights of use under intellectual property law. All rights of use granted under this Agreement shall remain unaffected by the above provisions.

10. Term and Termination

The Agreement shall commence at the time of the conclusion of the Agreement in Section 1.3.

Unless otherwise agreed, the Agreement shall run for 1 year. It shall be extended automatically if it is not terminated by either party with a notice period of 1 month before the end of the term of the Agreement.

The statutory right to extraordinary termination without notice for good cause remains unaffected for both Parties. HiPeople is entitled, amongst other things, to terminate the contract without notice if the Client is more than six weeks in default with the payment of an agreed fee and HiPeople has threatened the Client with termination in text or written form with a notice period of two weeks before the termination takes effect.

Upon termination of the Agreement, for whatever reason, HiPeople will delete the Client's data. HiPeople is entitled, but not obliged, to store data for security reasons for a period of four weeks beyond the termination of the contractual relationship in order to protect the Client from accidental loss of data. HiPeople is also entitled to store data on the termination of the contractual relationship if HiPeople is legally or officially obliged to do so, in particular for reasons of commercial and tax law.

11. Modifications to the General Terms and Conditions

These General Terms and Conditions can be changed between the Client and HiPeople by corresponding agreement as described below, if the change is necessary due to a change in the applicable law (including jurisdiction) or for similar compelling reasons and the main performance obligations of the Parties are not changed to the disadvantage of the Client as a result: HiPeople shall transmit the amended terms and conditions in text form before the planned effective date and shall make separate reference to the new regulations and the planned effective date. At the same time, HiPeople shall grant the Client an appropriate period of at least six weeks to declare whether he accepts the amended terms and conditions for the continued use of the services. If no declaration is made within this period, which begins to run from receipt of the message in text form, the amended terms and conditions shall be deemed to have been agreed. At the start of the period HiPeople shall inform the Client separately of this legal consequence, i.e. the right to object, the objection period and the significance of remaining silent.

12. Trial and Free Versions

As far as HiPeople provides the Client with any deliverables or (parts of) services described in clause 2 of this Agreement on a trial basis and/or free of charge basis ("Trial or Free Version"), HiPeople provides such to the Client in each case on an "as-is" basis. In this regard, HiPeople does not warrant any functionalities or other specifications for the respective Trial or Free Version, in particular regarding its availability. HiPeople will provide details about the duration and scope of such Trial or Free Version directly on the HiPeople website.

HiPeople may at any time, at its sole discretion, without prior notice and without cause, provide an updated or modified version of any Trial or Free Version, or terminate the provision thereof.

HiPeople may offer the Client continuation and/or upgrade of a Trial or Free Version against payment of a fee as set forth in clause 6. By continuing to use the Trial or Free Version beyond the Trial/Free period, the Client accepts such offer from HiPeople and the Parties thereby enter into an agreement for the use of the respective HiPeople service(s) under the terms of this Agreement.

Any liability of HiPeople in connection with the use of the Trial or Free Versions is excluded to the extent permitted under statutory law. These limitations of liability shall apply mutatis mutandis to the organs, employees, representatives and vicarious agents of HiPeople.

13. Final Provisions

The Client may only offset against claims of HiPeople or assert a right of retention if the counterclaim is undisputed or legally binding or is in a synallagmatic relationship to the respective claim concerned.

The contract language is English. Translations into other languages serve exclusively for comprehensibility and are not legally binding.

The law of the Federal Republic of Germany shall apply, excluding the UN Convention on Contracts for the International Sale of Goods. Exclusive place of jurisdiction for all disputes arising from or in connection with this contract is Berlin.

This Agreement is effective as of 07 July 2022.

Schedule 1

Data Processing Agreement
in accordance with Article 28 EU General Data Protection Regulation (GDPR)

  1. Scope and duration of this Data Processing Agreement
  1. Scope

This Data Processing Agreement (“DPA”) specifies the data protection obligations of the Parties. The scope of this DPA results from the agreement on the use of the HiPeople platform between HiPeople and the Client, to which reference is made here (hereinafter referred to as “Service Agreement”).

  1. Term

The term of this DPA corresponds to the term of the respective Service Agreement between HiPeople and the Client.

  1. Specification of the DPA details
  1. Nature and purpose of the intended processing of data

Nature and purpose of processing of personal data by HiPeople for the Client are precisely defined in the Service Agreement.

  1. Type of personal data

The subject matter of the processing of personal data comprises the following data types/categories (list/description of the data categories):

  • Personal master data (e.g. first name, last name)
  • Contact data (e.g. telephone, email)
  • Candidate data/data collected during the application procedure (e.g. answers to questionnaires, professional experience, CV, etc.)
  1. Categories of data subjects

The categories of data subjects covered by the processing comprise:

  • Candidates
  • References
  • Clients

  1. Technical and organisational measures
  1. Before the commencement of processing, HiPeople shall document the execution of the outlined and necessary technical and organisational measures, as set out prior to conclusion of this DPA, particularly with regard to the detailed execution of this DPA and shall present these documented measures to the Client for inspection. Upon acceptance by the Client, the documented measures shall become the foundation of this DPA. Insofar as the inspection/audit by the Client shows the need for amendments, such amendments shall be implemented by mutual agreement.
  2. HiPeople shall establish the security in accordance with Article 28 Paragraph 3 Point c, and Article 32 GDPR in particular in conjunction with Article 5 Paragraph 1, and Paragraph 2 GDPR. Overall, the measures to be taken are measures of data security and measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 Paragraph 1 GDPR must be taken into account. HiPeople shall take at least the specific measures set out in Annex 1.
  3. The technical and organisational measures are subject to technical progress and further development. In this respect, it is permissible for HiPeople to implement alternative adequate measures. In so doing, the security level of the defined measures must not be reduced. Substantial changes must be documented.

  1. Rectification, restriction and erasure of data
  1. HiPeople may not on its own authority rectify, erase or restrict the processing of data that is being processed on behalf of the Client, but only after documented instructions from the Client. Insofar as a data subject contacts HiPeople directly concerning a rectification, erasure, or restriction of processing, HiPeople will immediately forward the data subject’s request to the Client.
  2. Insofar as included in the scope of services, the erasure policy, right to be forgotten, rectification, data portability and access shall be ensured by HiPeople in accordance with documented instructions from the Client without undue delay.

  1. Quality assurance and other duties of HiPeople

In addition to complying with the rules set out in this Agreement, HiPeople shall comply with the statutory requirements referred to in Articles 28 to 33 GDPR; accordingly, HiPeople ensures, in particular, compliance with the following requirements:

  1. written appointment of a data protection officer, who performs his/her duties in compliance with Articles 38 and 39 GDPR. His/her current contact details are easily accessible on the website of HiPeople.
  2. Confidentiality in accordance with Article 28 Paragraph 3 Sentence 2 Point b, Articles 29 and 32 Paragraph 4 GDPR. HiPeople entrusts only such employees with the data processing outlined in this contract who have been bound to confidentiality and have previously been familiarised with the data protection provisions relevant to their work. HiPeople and any person acting under its authority who has access to personal data, shall not process that data unless on instructions from the Client, which includes the powers granted in this contract, unless required to do so by law.
  3. Implementation of and compliance with all technical and organisational measures necessary to this DPA in accordance with Article 28 Paragraph 3 Sentence 2 Point c, Article 32 GDPR [details in Annex 1].
  4. The Client and HiPeople shall cooperate, on request, with the supervisory authority in performance of its tasks.
  5. The Client shall be informed immediately of any inspections and measures conducted by the supervisory authority, insofar as they relate to this Agreement. This also applies insofar as HiPeople is under investigation or is party to an investigation by a competent authority in the course of administrative or criminal proceedings regarding the processing of personal data in connection with the processing of this Agreement.
  6. Insofar as the Client is subject to an inspection by the supervisory authority, an administrative or criminal proceeding, a liability claim by a Data Subject or by a third party or any other claim in connection with the data processing by HiPeople, HiPeople shall make every effort to support the Client.
  7. HiPeople shall periodically monitor the internal processes and the technical and organizational measures to ensure that processing within his/her area of responsibility is in accordance with the requirements of applicable data protection law and the protection of the rights of the data subject.
  8. Verifiability of the technical and organisational measures conducted by the Client as part of the Client’s supervisory powers referred to in clause 7 of this contract.

  1. Transfers of personal data to third countries
  1. HiPeople and/or any subcontractors engaged by HiPeople shall solely process personal data which is subject to this DPA within the European Union (EU), a member state of the European Economic Area (EEA) and/or a country for which the European Commission has adopted an adequacy decision pursuant to Article 45(3) of the GDPR or Article 25(6) of the Data Protection Directive (95/46/EC), unless the Client has given its authorization and the requirements set out in Chapter V of the GDPR are met.
  2. Without prejudice to the requirements for the engagement of a subcontractor (Section 7), the Client hereby authorizes HiPeople (as “data exporter”) to transfer personal data which is subject to this DPA to subcontractors in third countries (as “data importers”) on the basis of the applicable Standard Contractual Clauses (SCC). The subcontractors may then process such personal data on the basis of these SCC.

  1. Subcontracting
  1. HiPeople may engage subcontractors (additional contract processors) only after prior explicit written or documented authorization by the Client. The Client hereby grants a general authorization to engage the subcontractors listed on the website https://www.hipeople.io/subprocessors. Any change to the subcontractors engaged by HiPeople is subject to the following terms:
  1. HiPeople shall inform the Client of any intended changes, thereby granting the Client the right to object to such changes within two (2) weeks after receiving the information in text form (e.g. via email).
  2. The Client may object an intended change only if - taking into account all circumstances and weighing up the interests of both sides - the change is unreasonable to the Client. In such case HiPeople shall at its discretion (i) continue the processing without the intended change (i.e. itself or via another subcontractor engaged by HiPeople with the Client’s authorization) or (ii) take any measures to eliminate the cause for objection (in such case proceeding again as per (i)).
  3. Where HiPeople engages another processor, the same data protection obligations as set out in this DPA shall be imposed on that other processor by way of a written contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR.
  4. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the Client for the performance of that other processor's obligations.
  1. If the subcontractor provides the agreed service outside the EU/EEA, HiPeople shall ensure compliance with the GDPR by appropriate measures.

  1. Supervisory powers of the Client
  1. The Client has the right, after consultation with HiPeople, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. It has the right to convince itself of the compliance with this DPA by HiPeople in his business operations by means of random checks. The Client shall notify HiPeople in due time, at least two (2) weeks in advance, before carrying out an inspection.
  2. The Client shall treat company and trade secrets of HiPeople which become known to the Client during an inspection as strictly confidential. The Client shall not make any records of such information unless absolutely necessary for exercising its audit right.
  3. HiPeople shall ensure that the Client is able to verify compliance with the obligations of HiPeople in accordance with Article 28 GDPR. HiPeople undertakes to give the Client the necessary information on request and, in particular, to demonstrate the execution of the technical and organizational measures.
  4. HiPeople shall be entitled to request from the Client a reimbursement of costs for its support in conducting inspections where such costs have been agreed in writing by the parties and the inspection exceeds two days per calendar year.

  1. Communication in the case of infringements by HiPeople
  1. HiPeople shall assist the Client in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations, referred to in Articles 32 to 36 of the GDPR. These include:
  1. Ensuring an appropriate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events.
  2. The obligation to report a personal data breach immediately to the Client
  3. The duty to assist the Client with regard to the Client’s obligation to provide information to the data subject concerned and to immediately provide the Client with all relevant information in this regard.
  4. Supporting the Client with its data protection impact assessment
  5. Supporting the Client with regard to prior consultations with the supervisory authority
  1. HiPeople may claim compensation for support services which are not included in the description of the services or which are not attributable to failures on the part of HiPeople.

  1. Authority of the Client to issue instructions
  1. The Client shall document individual instructions issued to the processor.
  2. HiPeople shall inform the Client immediately if he considers that an instruction violates Data Protection Regulations. HiPeople shall then be entitled to suspend the execution of the relevant instructions until the Client confirms or changes them.

  1. Deletion and return of personal data
  1. Copies or duplicates of the data shall never be created without the knowledge of the Client, with the exception of back-up copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory requirements to retain data.
  2. After conclusion of the contracted work, or earlier upon request by the Client, at the latest upon termination of the Service Agreement, HiPeople shall hand over to the Client all documents, processing and utilization results, and data sets related to the contractual relationship that have come into its possession, or – subject to prior consent – destroy them in a data-protection compliant manner. The same applies to any and all test and discarded material. The log of the destruction or deletion shall be provided on request.
  3. Documentation which serves as proof of the orderly and proper data processing shall be stored beyond the contract duration by HiPeople in accordance with the respective retention periods. It may hand such documentation over to the Client at the end of the contract duration to relieve HiPeople of this contractual obligation.
  4. HiPeople shall be allowed to anonymise the personal data which is subject to this DPA and process the anonymised information for its own purposes.

  1. Indemnification

The parties agree that if HiPeople is held liable by a third party for a damage caused by processing pursuant to the instructions of the Client, the Client shall indemnify HiPeople for any cost, charge, damages, expenses or loss it has incurred.

  1. Miscellaneous
  1. This DPA shall be governed by the law of the country in which HiPeople has its main establishment.
  2. For all disputes in connection with this DPA, the sole place of jurisdiction shall be the place of jurisdiction of the main establishment of HiPeople.

Annex 1
Technical and organisational measures HiPeople GmbH

Last changed on: 4 May 2022

HiPeople utilizes Amazon Web Services as a data processor for their core product and related databases. Amazon Web Services is a trusted and highly secure infrastructure that is regularly audited and certified by international standards such as ISO/IEC 27001:2013, 27017:2015, 27018:2019, and ISO/IEC 9001:2015 and CSA STAR CCM v3.0.1.

  1. Measures to ensure confidentiality
  1. Physical access control

Measures to prevent unauthorised individuals from gaining physical access to the IT and data processing systems as well as to confidential files and storage media:


✔        Controlled key allocation

✔        Surveillance equipment (alarm systems, video)

Amazon Web Services

✔        Physical barrier controls are used to prevent unauthorised entrance to the Facilities both at the perimeter and at building access points.

✔        Passage through the physical barriers at the Facilities requires either electronic access control validation (e.g. card access systems, etc.) or validation by human security personnel (e.g. contract or in-house security guard service, receptionist, etc.).

✔        Employees and contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the Facilities.

✔        Visitors are required to sign-in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the Facilities, and are continually escorted by authorised employees or contractors while visiting the Facilities.

✔        All access points (other than main entry doors) are maintained in a secured (locked) state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities.

✔        AWS also maintains electronic intrusion detection systems designed to detect unauthorised access to the Facilities, including monitoring points of vulnerability (e.g. primary entry doors, emergency egress doors, roof hatches, dock bay doors, etc.) with door contacts, glass breakage devices, interior motion-detection, or other devices designed to detect individuals attempting to gain access to the Facilities.

✔        All physical access to the Facilities by employees and contractors is logged and routinely audited

  1. Logical access control

Measures to prevent protected data from being processed or used by unauthorised persons:


✔        Code process, i.e. personal and individual user log (among others special characters, minimum length, regular change of the code)

✔        Automatic blocking (e.g. code or pausing)

✔        Setting up of a user master record per user

✔        Limitation of the numbers of authorised employees

✔        Encoding of storage media

✔        Access lists

✔        Encapsulation of sensitive systems through separate network areas

✔        Authentication process

✔        Recording of the log-in attempts and interruption to the log-in process after a stipulated number of unsuccessful attempts

✔        Set-up of regular updated antivirus and spyware filters

✔        Regular update and version checks

Amazon Web Services

✔        AWS will maintain access controls and policies to manage what access is allowed to the AWS Network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls.

✔        AWS will maintain corrective action and incident response plans to respond to potential security threats.

  1. Data access control

Measures which guarantee that only authorised persons can exclusively access data so that the data cannot be read, copied, changed, stored or removed during the processing without authorisation:


✔        Authorisation concepts (profiles, roles, etc.) and their documentation

✔        Encoding of different data carriers

✔        Archiving concept

✔        Recording of accesses and improper attempts

Amazon Web Services

✔        AWS provides access to the Facilities to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked, even if the employee or contractor continues to be an employee of AWS or its Affiliates.

  1. Separation requirements

Measures that ensure data collected for different reasons are processed separately and therefore are being separated from other data and systems in order to guarantee that prevent any unauthorised processing of these data.


✔        Authorisation concepts

✔        Encrypted storage of personal data

✔        Client separation within the software

✔        Separation of testing and producing systems

Amazon Web Services

✔        AWS will maintain access controls and policies to manage what access is allowed to the AWS Network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls.

✔        AWS will maintain corrective action and incident response plans to respond to potential security threats.

  1. Measures to ensure integrity
  1. Data transfer control

Measures which guarantee that personal data cannot be read, copied, changed or deleted during the electronic transmission or during their transfer or storage on data carriers without authorisation as well as measures ensuring that the location of the data transmission is accurate.


✔        Transmission of data via encoded data networks or tunnel connections

✔        Regular update and version checks

Amazon Web Services

✔        AWS will maintain access controls and policies to manage what access is allowed to the AWS Network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls.

✔        AWS will maintain corrective action and incident response plans to respond to potential security threats.

  1. Input control

Measures which guarantee that it can be subsequently checked and determined whether and by whom personal data have been entered, changed in or removed from the data processing systems:


✔        Recording of all system activities and storage of these records for at least three years

✔        Regular review of system logs/protocols

✔        Regular update and version checks

Amazon Web Services

✔        Recording of all system activities and storage of these records for at least three years

✔        Record evaluation systems

  1. Measures to ensure availability and resilience
  1.        Availability control

Measures to ensure that personal data are protected against accidental destruction or loss:


✔        Data backup process

✔        Fire alarm system

✔        Alarm system

Amazon Web Services

✔        AWS will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help the Client secure Client data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorised access to the AWS Network, and (c) minimise security risks, including through risk assessment and regular testing.

  1. Fast recoverability

Measures that ensure a fast recovery of the availability and accessibility of data in case of a physical or technical incident.


✔        Data backup process

✔        Regular tests of data recoverability

Amazon Web Services

✔        Data backup process

✔        Regular tests of data recoverability

  1. Resilience and testing

Measures that ensure and evaluate effectiveness of the security of data processing:


✔        Data protection management (and specialized external consultants)

✔        Regular vulnerability scans

✔        Formalised processes in case of data protection or security incidents

Amazon Web Services

✔        AWS will conduct periodic reviews of the security of its AWS Network and adequacy of its information security program as measured against industry security standards and its policies and procedures.

✔        AWS will continually evaluate the security of its AWS Network and associated Services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.

AWS will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help Client secure Client data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorised access to the AWS Network, and (c) minimise security risks, including through risk assessment and regular testing.