Data Processing Agreement
Version 1.0 · Effective date: 2nd April 2026
Parties
Data Processor:
HiveRef Pty Ltd
ACN: 697 040 136
New South Wales, Australia
privacy@hiveref.com
("HiveRef", "Processor")
Data Controller:
The Client organisation that has accepted these Terms through the HiveRef platform compliance onboarding process
("Client", "Controller")
1. Background
This Data Processing Agreement ("DPA") forms part of the HiveRef Terms of Service and governs the processing of personal data by HiveRef on behalf of the Client in connection with the HiveRef reference checking platform.
This DPA is entered into in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and, where applicable, the UK General Data Protection Regulation ("UK GDPR").
2. Definitions
In this DPA, terms defined in GDPR have the same meaning as in GDPR. In addition:
- "Personal Data" means any personal data processed by HiveRef on behalf of the Client in connection with the platform
- "Services" means the reference checking platform services provided by HiveRef under the Terms of Service
- "Sub-processor" means any third party engaged by HiveRef to process personal data in connection with the Services
3. Subject Matter and Details of Processing
| Item | Detail |
|---|---|
| Subject matter | Automated employment reference checking services |
| Nature of processing | Collection, storage, analysis, transmission, and deletion of personal data in connection with employment reference checks |
| Purpose | To enable the Client to conduct employment reference checks in accordance with applicable law |
| Duration | For the term of the Terms of Service and as required by the retention schedule |
| Categories of personal data | Identity data, contact data, employment history, professional assessment responses, consent records, compliance audit records |
| Categories of data subjects | Candidates, referees, and client organisation users |
| Fraud prevention processing | Pseudonymised email hash, truncated IP hash, device fingerprint hash, normalised business registration number. Purpose: trial abuse prevention. Retention: 24 months (email, registration number), 90 days (IP, device). Lawful basis: legitimate interests. |
4. Processor Obligations
HiveRef shall:
- Process personal data only on documented instructions from the Client, including as set out in this DPA and the Terms of Service
- Ensure that all personnel authorised to process personal data are bound by appropriate confidentiality obligations
- Implement and maintain appropriate technical and organisational security measures in accordance with Article 32 of GDPR, including encryption at rest and in transit, access controls, and regular security testing
- Not engage any sub-processor without prior general authorisation from the Client. The Client provides general authorisation for the sub-processors listed at hiveref.com/sub-processors. HiveRef will notify the Client at least 14 days before adding any new sub-processor, during which time the Client may object.
- Ensure that any sub-processor is bound by a data processing agreement imposing equivalent data protection obligations to those in this DPA
- Assist the Client in fulfilling its obligations to respond to data subject rights requests, including by providing the technical capability to export, correct, and delete personal data as required
- Notify the Client without undue delay and within 72 hours of becoming aware of a personal data breach affecting Client data, providing sufficient information for the Client to fulfil its notification obligations to supervisory authorities
- At the Client's election on termination, delete or return all personal data processed under this DPA, except where retention is required by applicable law
- Make available to the Client all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections
5. Controller Obligations
The Client shall:
- Ensure it has a valid lawful basis for processing personal data through the platform, including obtaining candidate consent before initiating any reference check
- Ensure that candidates and referees receive appropriate privacy notices before their personal data is collected or processed
- Ensure that its use of the platform and any hiring decisions made on the basis of reference check reports comply with applicable law in its jurisdiction
- Not instruct HiveRef to process personal data in a manner that would violate applicable law
- Respond to data subject rights requests within the timeframes required by applicable law
6. International Data Transfers
Where the Client is located in the EU or EEA, personal data will be transferred from the EU or EEA to Australia for processing by HiveRef. Australia does not currently hold an EU adequacy decision. This transfer is made on the basis of the Standard Contractual Clauses set out in Annex A of this DPA (Module Two: Controller to Processor), approved by the European Commission by Decision 2021/914 of 4 June 2021.
Where the Client is located in the United Kingdom, personal data will be transferred from the UK to Australia on the basis of the UK International Data Transfer Agreement set out in Annex B of this DPA.
7. Sub-Processors
HiveRef currently engages the following sub-processors in connection with the Services:
| Sub-Processor | Service | Processing Location | DPA in Place |
|---|---|---|---|
| Supabase Inc. | Cloud database and authentication infrastructure | AWS ap-southeast-2, Sydney, Australia | Yes |
| Anthropic PBC | AI model processing (Claude Haiku) | United States | Yes |
| Resend Inc. | Transactional email delivery | United States | Yes |
| Vercel Inc. | Application hosting and infrastructure | United States | Yes |
HiveRef will maintain a current list of sub-processors at hiveref.com/sub-processors. The Client provides general authorisation for HiveRef to engage the above sub-processors. HiveRef will provide at least 14 days' notice before adding or replacing any sub-processor.
8. Security Measures
HiveRef implements and maintains the following technical and organisational security measures:
- All personal data in transit is encrypted using TLS 1.2 or higher
- All personal data at rest is encrypted using AES-256
- Access to personal data is role-based with the principle of least privilege applied
- Multi-factor authentication is enforced for all HiveRef administrative accounts
- Penetration testing is conducted at least annually
- Audit logs of data access events are maintained for a minimum of 12 months
- A documented incident response procedure is in place
9. Data Subject Rights Assistance
HiveRef will provide the following technical capabilities to assist the Client in fulfilling data subject rights requests:
- Export of all personal data linked to a candidate record in PDF and JSON format
- Deletion workflow covering all personal data linked to a candidate across all storage locations within 30 days of a confirmed erasure instruction
- Processing hold capability to pause processing of a specific candidate record
- Correction capability to update inaccurate candidate profile data
The Client is responsible for receiving, evaluating, and responding to data subject rights requests within the timeframes required by applicable law. HiveRef will fulfil technical assistance requests within 5 business days of a confirmed instruction from the Client.
10. Breach Notification
In the event of a personal data breach affecting Client data, HiveRef will:
- Notify the Client without undue delay and in any event within 72 hours of becoming aware of the breach
- Provide the Client with: the nature of the breach, categories and approximate number of data subjects affected, categories and approximate number of records affected, likely consequences of the breach, and measures taken or proposed to address the breach
- Cooperate with the Client in investigating the breach and in fulfilling the Client's notification obligations to supervisory authorities and affected data subjects
The Client is responsible for notifying its relevant supervisory authority within the timeframes required by applicable law following receipt of a breach notification from HiveRef.
11. Governing Law
This DPA is governed by the laws of New South Wales, Australia, without prejudice to the data subjects' rights under applicable data protection law.
ANNEX A: EU STANDARD CONTRACTUAL CLAUSES
IMPORTANT LEGAL NOTE FOR REVIEWER:
The complete text of the EU Standard Contractual Clauses (Module Two: Controller to Processor) approved by the European Commission by Decision 2021/914 of 4 June 2021 must be inserted here verbatim. The exact approved text is available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914
The following Annex details must be completed:
Annex I.A: List of Parties:
- Data exporter: The Client organisation (details to be completed at execution)
- Data importer: HiveRef Pty Ltd, ACN 697 040 136, privacy@hiveref.com
Annex I.B: Description of Transfer:
- Categories of data subjects: Candidates, referees, client users
- Categories of personal data: Identity, contact, employment history, reference responses, consent records
- Sensitive data: Special category data may be incidentally collected and is subject to enhanced handling
- Frequency: Continuous during the term of the agreement
- Nature of processing: Collection, storage, analysis, transmission, deletion
- Purpose: Employment reference checking services
- Retention period: As per the retention schedule in the Privacy Policy
Annex I.C: Competent Supervisory Authority:
The supervisory authority of the EU member state in which the data exporter is established, or as agreed between the parties.
Annex II: Technical and Organisational Measures:
As described in Section 8 of this DPA.
ANNEX B: UK INTERNATIONAL DATA TRANSFER AGREEMENT
IMPORTANT LEGAL NOTE FOR REVIEWER:
The complete text of the UK International Data Transfer Agreement (IDTA) issued by the Information Commissioner's Office must be inserted here. The current approved version is available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/
The tables within the IDTA must be completed with:
- Exporter details: The Client organisation
- Importer details: HiveRef Pty Ltd, ACN 697 040 136
- Transfer details as described in Annex A above