Data Processing Agreement

Last updated: Jun 22, 2025

1. Scope and Order of Precedence

This Data Processing Agreement ("DPA") forms an integral part of the contractual relationship between the Customer and BeskarStaff AI, as governed by the applicable Terms of Use, Service Agreement, and/or any Order Forms (collectively, the "Agreement"). It sets forth the terms under which BeskarStaff AI processes personal data on behalf of the Customer in connection with the services provided.

This DPA may be updated by BeskarStaff AI from time to time. The Customer will be informed of material updates via appropriate channels (e.g., email or in-platform notification), or updates will be made available on the BeskarStaff AI website. In the event of any conflict between this DPA and the Agreement, the terms of this DPA shall prevail with respect to the processing of personal data.

This DPA shall remain in effect for as long as BeskarStaff AI processes Customer Personal Data under the Agreement. Capitalized terms not otherwise defined in this DPA shall have the meaning assigned in the Agreement or under applicable data protection laws.

2. Definitions

For the purposes of this DPA, the following terms shall apply:

"Customer Personal Data": Any personal data provided to BeskarStaff AI by the Customer or collected by us on their behalf during use of the Services.

"Processing": Any operation or set of operations performed on personal data, such as collection, storage, access, use, or deletion.

"revDSG / FADP": The revised Swiss Federal Act on Data Protection of 25 September 2020, including its implementing ordinances.

"Data Subject": Any natural person whose personal data is processed.

"Sub-processor": Any third party engaged by BeskarStaff AI to process personal data on our behalf.

3. Processing of Customer Personal Data by BeskarStaff AI

3.1 Roles and Responsibilities

The Customer acts as the Controller under the Swiss Federal Act on Data Protection (revFADP), while BeskarStaff AI acts as the Processor. The Customer is responsible for determining the purposes and legal basis of the processing and for ensuring that the Personal Data it shares with BeskarStaff AI has been lawfully obtained.

3.2 Instructions and Scope of Processing

BeskarStaff AI will only process Customer Personal Data in accordance with the Customer's documented instructions, as specified in this DPA and the Service Agreement. If the Customer wishes to provide additional instructions, these must be agreed upon in writing and may result in adjustments to scope, timeline, or pricing.

3.3 Permitted Processing Activities

BeskarStaff AI will process Customer Personal Data solely for the purpose of delivering the Services described in the Agreement. Processing beyond that scope (including disclosure to third parties) will only occur as explicitly permitted by the Agreement or required by law.

BeskarStaff AI processes only publicly accessible information provided by data subjects themselves, such as full name, professional profile data, and photos as published on platforms like LinkedIn. The system does not process, infer, or output sensitive personal data (e.g., gender, race/ethnicity, religion). Any assumptions or conclusions about such characteristics are the responsibility of the Customer and not generated by BeskarStaff AI.

3.4 Support for Data Subject Rights

BeskarStaff AI will support the Customer in fulfilling its obligations to respond to requests by data subjects (e.g., access, rectification, erasure). The Customer remains responsible for managing these requests, but BeskarStaff AI will provide reasonable support upon written request. Costs for complex or frequent support may be charged separately.

3.5 Sub-processors

BeskarStaff AI may engage carefully selected Sub-processors for the provision of its Services. All Sub-processors are contractually obligated to comply with similar data protection standards. Customers will be informed of any changes and may object in writing within a reasonable period. BeskarStaff AI remains liable for Sub-processor compliance.

3.6 Technical and Organizational Measures (TOMs)

BeskarStaff AI implements and maintains appropriate technical and organizational measures to protect Customer Personal Data from unauthorized access, loss, or misuse. These measures are documented and may include encryption, access controls, and system monitoring.

3.7 Cross-border Transfers

Customer Personal Data may only be transferred to countries outside Switzerland if the destination ensures an adequate level of data protection (e.g., EU/EEA, countries with adequacy decisions, or via Standard Contractual Clauses approved by Swiss authorities). BeskarStaff AI will ensure compliance with all requirements of Articles 16–18 revFADP.

3.8 Deletion or Return upon Termination

Upon termination of the Services, BeskarStaff AI will, at the Customer's written request, return or securely delete all Customer Personal Data, unless legal obligations require further retention.

"Authorized Purpose": The provision of recruitment and talent-matching services as specified in the main agreement.

3.9 Incident Management and Breach Notification

BeskarStaff AI maintains internal procedures to identify, assess, and respond to potential or confirmed Personal Data Breaches. In the event that BeskarStaff AI becomes aware of a Personal Data Breach affecting Customer Personal Data, we will inform the Customer without undue delay and in accordance with applicable Swiss data protection law.

Such notification will include, to the extent reasonably available and not prohibited by law:

  • a summary of the nature of the breach,
  • the type of affected data,
  • and any relevant measures taken or proposed to address the breach and mitigate possible adverse effects.

BeskarStaff AI will assist the Customer in fulfilling any legal obligations related to the breach, including communication with data protection authorities or affected individuals, where required. Both parties agree to coordinate in good faith before issuing public statements or notifications related to such incidents.

3.10 Return and Deletion of Customer Personal Data

Upon termination or expiration of the Services, and upon written request from the Customer, BeskarStaff AI will either:

  • return all Customer Personal Data in a commonly used format, or
  • securely delete such data, unless retention is required by applicable law or justified by legitimate internal record-keeping obligations.

If the Customer does not request data return within thirty (30) days after termination, BeskarStaff AI will proceed with secure deletion in line with its internal data retention policies. Any residual copies will be rendered inaccessible except where legal obligations require otherwise.

3.11 Legally Required Disclosures

Unless prohibited by applicable law, BeskarStaff AI will promptly notify the Customer upon receiving any subpoena, court order, administrative request, or other legally binding demand from a public authority that seeks access to Customer Personal Data ("Demand"). Upon request, BeskarStaff AI will provide reasonable information and assistance to the Customer in order to respond to such Demand, to the extent permitted by law. BeskarStaff AI is not responsible for directly interacting with the authority making the Demand unless required by applicable law.

3.12 Service Usage Analysis

BeskarStaff AI may collect and analyze aggregated, non-identifiable data about the performance, usage, and configuration of the Services ("Service Analytics") for legitimate business purposes, such as service improvement, security monitoring, or internal research. Service Analytics will not include or disclose any Customer Personal Data in a manner that allows identification of the Customer or any Data Subject. All intellectual property rights to such analytics remain with BeskarStaff AI.

Schedule 1 – Details of Processing

A. List of Parties

Data Exporter: The Customer, as identified in the Service Agreement or order form.

Data Importer: BeskarStaff AI, acting as Processor, registered in Switzerland.

B. Description of Transfer

Categories of data subjects whose personal data is transferred: Potential candidates and professionals with publicly accessible profiles, such as those published on LinkedIn or similar platforms.

Categories of personal data transferred:

  • Full name
  • Job title
  • Professional experience
  • Education history
  • Skills and qualifications
  • Public contact information (e.g., email or phone number if provided publicly)
  • Links to public profiles (e.g., LinkedIn URLs)
  • Profile photos (as displayed publicly on platforms like LinkedIn)

BeskarStaff AI does not process or infer sensitive data (e.g., gender, race/ethnicity, religion). ANY CONCLUSIONS ABOUT SUCH CHARACTERISTICS ARE MADE BY THE CUSTOMER BASED ON THE DATA PROVIDED AND ARE NOT GENERATED OR DISPLAYED BY BESKARSTAFF AI.

Nature of processing: Collection, storage, indexing, and display of publicly available candidate data for recruitment and talent-matching purposes, in line with Customer instructions.

Purpose(s) of the data transfer and further processing: Provision of recruitment and talent-matching services as specified in the Agreement (Authorized Purpose).

The frequency of the transfer: Continuous or as necessary to provide the Services.

Retention period for personal data: For as long as the Customer uses the Services or as otherwise specified in the Agreement. Upon termination, data will be returned or deleted in accordance with the DPA.

For transfers to (sub-)processors: Only as required for the provision of the Services, in compliance with equivalent data protection obligations.

C. Competent Supervisory Authority

The competent authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC) for data transfers under Swiss law.

Data Processing Addendum

(Version 22.06.2025)

1. Scope and Order of Precedence

This Data Processing Addendum ("DPA Addendum") forms part of the Data Processing Agreement ("DPA") between the Customer and BeskarStaff AI. It applies when the Customer receives or processes personal data provided by BeskarStaff AI in connection with the Services (for example, through search, access, or filtering of profiles). This DPA Addendum will remain in effect as long as the Customer processes personal data obtained through the BeskarStaff AI platform.

In case of conflict between this DPA Addendum and the DPA or Terms of Use, the provisions of this DPA Addendum shall prevail for the processing of such data.

2. Definitions

"Authorized Purposes" means identifying candidates for recruitment purposes and making initial contact where appropriate.

"BeskarStaff AI Personal Data" means any personal data provided to the Customer by BeskarStaff AI through its Services.

3. Responsibilities

3.1 Customer's Responsibilities

  • The Customer acts as the Controller under applicable data protection law and is responsible for lawful processing of BeskarStaff AI Personal Data.
  • The Customer must ensure that any personal data obtained via BeskarStaff AI is processed strictly for Authorized Purposes and in compliance with the Terms of Use and this DPA Addendum.
  • The Customer must implement appropriate technical and organizational measures to protect BeskarStaff AI Personal Data from unauthorized access, loss, or misuse.
  • The Customer shall not share or transfer BeskarStaff AI Personal Data to third parties unless permitted by the Agreement and under contracts ensuring at least equivalent data protection safeguards.
  • The Customer must notify BeskarStaff AI promptly if it determines that it can no longer meet its obligations under applicable data protection laws. BeskarStaff AI may take reasonable steps to stop and remediate unauthorized use.

3.2 BeskarStaff AI's Responsibilities

  • BeskarStaff AI collects data in compliance with applicable law as an independent controller before providing it to the Customer.
  • BeskarStaff AI provides data for use only as permitted under the Agreement.

4. Data Subject Rights and Cooperation

The Customer must promptly notify BeskarStaff AI of any:

  • Security breach or unauthorized access to BeskarStaff AI Personal Data;
  • Data Subject request (e.g., access, deletion, correction) regarding BeskarStaff AI Personal Data;
  • Inquiry or complaint from authorities or data subjects related to BeskarStaff AI Personal Data.

The Customer will not respond to such requests or inquiries on behalf of BeskarStaff AI unless specifically instructed to do so in writing or required by law.

5. Cross-border Transfers

BeskarStaff AI Personal Data must not be transferred outside Switzerland or the EU/EEA except as explicitly permitted in the Agreement and in compliance with applicable law. (SCCs not included as agreed.)

Schedule 2 – Technical and Organizational Security Measures (TOMs)

BeskarStaff AI has implemented, and will maintain, technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures will be reviewed regularly and updated as necessary to ensure an appropriate level of security.

1. Data Center Security and Data Encryption at Rest

  • Customer data is hosted in data centers located in Switzerland and managed by a third-party provider that maintains physical security controls, including restricted access, surveillance, and environmental safeguards.
  • All Customer Personal Data stored on servers is encrypted at rest using encryption standards consistent with industry best practices, such as AES-256 or equivalent.

2. Access Controls

  • Access to production systems is limited to authorized personnel based on the principles of least privilege and need-to-know.
  • Access rights are reviewed periodically and revoked upon termination of employment or change in role.
  • Multi-factor authentication is enforced for administrative access to systems containing Customer Personal Data.
  • Passwords comply with strong complexity requirements and are subject to expiration and failed attempt lockout mechanisms.

3. Encryption in Transit

  • All data transmitted between Customer and BeskarStaff AI systems is encrypted using modern transport protocols, such as TLS (Transport Layer Security).
  • Internal communications between system components are secured through encryption to protect data in transit.

4. Vulnerability Management and Testing

  • Regular vulnerability scanning is performed on systems and networks supporting the Services.
  • Network intrusion detection and prevention measures are implemented to identify and mitigate potential threats.
  • Penetration testing by qualified third parties is conducted at least annually.

5. Endpoint and Device Security

  • Servers and endpoints are protected by anti-malware solutions and are regularly updated to address known vulnerabilities.
  • Critical patches are applied in a timely manner based on severity assessments.

6. Data Backup and Disaster Recovery

  • Customer Personal Data is backed up daily, with backups retained for a defined period and stored in encrypted form.
  • Disaster recovery plans and procedures are in place to ensure data availability and service restoration in the event of an incident.

7. Data Retention and Secure Disposal

  • Customer Personal Data is retained only for as long as necessary to provide the Services or as required by law.
  • Upon expiry of the retention period or upon Customer instruction, Customer Personal Data is securely deleted or rendered irrecoverable in accordance with industry standards for media sanitization.

8. Secure Development Practices

  • BeskarStaff AI applies secure development practices aligned with recognized standards, including addressing common vulnerabilities identified in the OWASP Top 10.
  • Code reviews, security testing, and change management processes are in place to ensure the integrity of the software.

9. Security Governance and Incident Management

  • Security roles and responsibilities are clearly defined within BeskarStaff AI's organization.
  • An incident response plan is maintained, including procedures for detecting, reporting, and responding to security incidents involving Customer Personal Data.
  • Logs and security events are monitored to identify and respond to suspicious activity.

10. Data Minimization, Portability, and Erasure

  • BeskarStaff AI only processes the minimum Customer Personal Data necessary to provide the Services.
  • Customer Personal Data can be exported in a standard format (e.g., CSV) upon Customer request.
  • Customer Personal Data is deleted upon Customer instruction in accordance with agreed procedures.

11. Accountability and Review

  • BeskarStaff AI regularly reviews its security controls and policies to ensure continued effectiveness and compliance with applicable data protection laws.
  • Data protection impact assessments are performed where required to identify and mitigate risks associated with processing activities.