Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Agreement between SIA "New Tech" ("Yena") and the Client and governs the processing of personal data by Yena as processor on behalf of the Client as controller, in accordance with Article 28 of Regulation (EU) 2016/679 ("GDPR").
Effective Date: April 24, 2026
Processor: SIA "New Tech" (Sabiedrība ar ierobežotu atbildību "New Tech")
Registered Office: Mazā Nometņu iela 31, Rīga, LV-1002, Latvia
Commercial Register (Komercreģistrs): 40203731548
1. Definitions
Capitalised terms used but not defined here have the meaning given to them in the Terms and Conditions. In this DPA:
- "Controller" means the Client.
- "Processor" means Yena.
- "Data Protection Laws" means the GDPR, the Latvian Personal Data Processing Law, and any other applicable laws relating to the protection of personal data.
- "Personal Data" means any information relating to an identified or identifiable natural person processed under the Agreement.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- Other terms — including "personal data breach", "data subject", "processing", "supervisory authority" — have the meaning given in the GDPR.
2. Scope and Roles
The Controller determines the purposes and means of processing Personal Data uploaded to, or generated through, the Platform ("Client Data"). The Processor processes Client Data on behalf of the Controller strictly to provide the Services as described in the Agreement and in accordance with the Controller's documented instructions.
Details of the processing (subject matter, duration, nature, purpose, categories of data subjects, and categories of Personal Data) are set out in Annex I.
3. Controller Obligations
The Controller warrants that it:
- has a lawful basis (Article 6 GDPR) for the processing of Client Data and, where required, a valid condition under Article 9 GDPR;
- has provided the required information to data subjects (Articles 13–14 GDPR), including informing candidates that their data is processed through Yena;
- will respond to data subject rights requests relating to Client Data, with the Processor's assistance as provided in Section 7;
- is responsible for the accuracy, quality, legality, and appropriateness of Client Data;
- will not instruct the Processor to process Client Data in a way that infringes Data Protection Laws.
4. Processor Obligations
The Processor shall:
- Documented instructions. Process Client Data only on documented instructions from the Controller, including with regard to international transfers, unless required to do so by EU or Member State law (in which case the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by that law).
- Confidentiality. Ensure that persons authorised to process Client Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security. Implement and maintain appropriate technical and organisational measures as described in Annex II.
- Sub-processors. Only engage Sub-processors as set out in Section 6.
- Data subject rights. Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling its obligations to respond to requests for exercising data subjects' rights.
- Support. Assist the Controller in ensuring compliance with Articles 32 to 36 GDPR (security, data breach notification, data protection impact assessments, prior consultation), taking into account the nature of processing and the information available to the Processor.
- Return or deletion. At the choice of the Controller, delete or return all Client Data to the Controller at the end of the provision of services, as set out in Section 9.
- Audit support. Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits as set out in Section 8.
- No AI training. Not use Client Data — including anonymised or aggregated Client Data — to train, fine-tune, validate, or improve any AI or machine-learning model, whether operated by the Processor, its affiliates, or any third-party Sub-processor, and impose equivalent contractual restrictions on all AI Sub-processors.
The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes Data Protection Laws.
5. Security Measures
The Processor shall implement and maintain the technical and organisational measures described in Annex II to ensure a level of security appropriate to the risk, taking into account the state of the art, costs of implementation, nature, scope, context, and purposes of processing, and the risks of varying likelihood and severity for the rights and freedoms of natural persons.
Current security practices are also published on the Security page and may be updated from time to time, provided that the level of protection is not materially reduced.
6. Sub-processors
The Controller provides general authorisation for the Processor to engage the Sub-processors listed on the Security page (Annex III incorporates that page by reference, as updated from time to time).
The Processor shall:
- impose on each Sub-processor, by written contract, data-protection obligations no less protective than those set out in this DPA, including the no-AI-training obligation in Section 4(9);
- remain fully liable to the Controller for the performance of the Sub-processor's obligations;
- notify the Controller of any intended addition or replacement of Sub-processors that will process Client Data, giving the Controller at least fifteen (15) calendar days to object on reasonable data-protection grounds before the Sub-processor begins processing Client Data.
If the Controller objects on reasonable data-protection grounds, the Processor shall, in good faith, seek a reasonable alternative. If no alternative is available, the Controller may terminate the affected Service for convenience, with a pro-rata refund of any unused prepaid fees for the affected Service.
7. Data Subject Rights
If a data subject submits a request relating to Client Data directly to the Processor (e.g., access, rectification, erasure, restriction, portability, objection), the Processor shall promptly forward the request to the Controller and shall not respond itself except to confirm receipt, unless required by law or authorised by the Controller.
Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures to enable the Controller to respond within the applicable deadlines (generally one month under Article 12(3) GDPR).
8. Personal Data Breach Notification
The Processor shall notify the Controller without undue delay — and in any event no later than forty-eight (48) hours — after becoming aware of a personal data breach affecting Client Data. The notification shall include, to the extent known at the time:
- a description of the nature of the breach, including (where possible) the categories and approximate number of data subjects and records concerned;
- the name and contact details of the Processor's point of contact;
- the likely consequences of the breach;
- the measures taken or proposed to address the breach and mitigate its possible adverse effects.
The Processor shall provide reasonable cooperation to the Controller in any subsequent notification to the supervisory authority (Article 33 GDPR) or to affected data subjects (Article 34 GDPR).
9. Audits and Inspections
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, including through:
- the information published on the Security page;
- the Processor's responses to reasonable security questionnaires;
- summaries of third-party audits or certifications (e.g., SOC 2, ISO 27001) under appropriate confidentiality obligations.
If the Controller demonstrates that the above is insufficient to meet a specific audit requirement imposed by a supervisory authority or mandatory law, the Controller (or an independent auditor mandated by the Controller and reasonably acceptable to the Processor, bound by confidentiality) may conduct an on-site audit at the Processor's premises, subject to (i) at least thirty (30) calendar days' prior written notice, (ii) performance during business hours, (iii) no more than once per twelve-month period (save in the case of a confirmed personal data breach), and (iv) no access to data of other customers or to Yena's confidential information beyond what is strictly necessary. Audit costs are borne by the Controller, unless the audit reveals a material breach by the Processor.
10. International Transfers
The Processor shall not transfer Client Data outside the European Economic Area or to an international organisation except:
- to a country with an adequacy decision under Article 45 GDPR;
- under Standard Contractual Clauses ("SCCs") adopted by the European Commission (2021/914/EC), or any successor mechanism; or
- under another safeguard permitted by Chapter V GDPR.
The current list of Sub-processors and the applicable transfer mechanism for each is published on the Security page. Where SCCs apply, the Controller is deemed to have signed, as data exporter, the applicable SCCs with the Processor acting as data importer on behalf of the Sub-processor, pursuant to Article 28 of the SCCs.
11. Return or Deletion of Client Data
Upon termination or expiry of the Agreement, and subject to availability of the Processor's systems and to applicable legal and security requirements, the Processor shall, at the Controller's choice:
- make Client Data available for export by the Controller in CSV format for a period of up to ninety (90) calendar days from termination; and/or
- delete or anonymise all Client Data at the end of that period, unless retention is required by EU or Member State law (in which case the Processor shall continue to protect Client Data in accordance with this DPA for as long as it is retained).
Assisted exports beyond the inclusions set out in the Terms and Conditions are treated as Professional Services.
12. Liability
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions set out in the Terms and Conditions, except as otherwise required by mandatory Data Protection Laws.
13. Precedence and Term
This DPA is incorporated by reference into the Agreement. In the event of any conflict between this DPA and the Terms and Conditions or any Order Form with respect to the processing of Personal Data, this DPA prevails. This DPA enters into force on the effective date of the Agreement and terminates automatically on the termination or expiry of the Agreement, except for clauses that by their nature survive (including Sections 8, 11, and 12).
14. Governing Law and Jurisdiction
This DPA is governed by the laws of the Republic of Latvia, excluding its conflict-of-law rules. The exclusive jurisdiction of the competent courts of Rīga, Latvia applies, without prejudice to the right of data subjects to bring claims in their country of residence where required by mandatory law.
Annex I — Details of Processing
Subject matter
Provision of the Yena Platform — an applicant tracking system (ATS) and recruiting CRM — and related Services, as described in the Agreement.
Duration
For the duration of the Agreement, plus the retention period set out in Section 11 and in the Agreement.
Nature and purpose of processing
Hosting, storing, organising, retrieving, structuring, and otherwise processing Client Data as necessary to provide the Platform, including AI-assisted features such as candidate matching, resume parsing, and job-description assistance.
Categories of data subjects
- the Controller's End Users (recruiters, consultants, administrators);
- candidates and prospective candidates whose data the Controller uploads to, or generates through, the Platform;
- the Controller's business contacts at client organisations and placement companies;
- other third parties referenced in Client Data at the Controller's discretion.
Categories of Personal Data
- identification and contact details (name, email, phone, address);
- professional information (CVs/resumes, employment history, education, LinkedIn profile data, languages, skills);
- assessment and evaluation data (notes, ratings, status, pipeline stage);
- communications data (messages, call logs, scheduling metadata);
- account and authentication data (credentials, access logs);
- any other Personal Data included in Client Data at the Controller's discretion.
Special categories of Personal Data
The Platform is not intended for the routine processing of special categories of Personal Data under Article 9 GDPR. If the Controller chooses to upload such data, the Controller is solely responsible for ensuring it has a valid lawful basis and a valid Article 9 condition.
Annex II — Technical and Organisational Security Measures
The Processor implements and maintains the following measures, as further detailed on the Security page:
Infrastructure and data residency
- primary production infrastructure hosted in the European Union (Frankfurt, Germany);
- secondary Postgres database hosted by Supabase in Basel, Switzerland (adequacy decision under Article 45 GDPR);
- daily encrypted backups retained for seven (7) days;
- disaster-recovery and business-continuity procedures.
Encryption
- TLS 1.2 or higher for all traffic to and from the Platform;
- AES-256 (or equivalent) encryption at rest for databases, object storage, and backups.
Access controls
- role-based access control (RBAC) at the application layer;
- logical isolation of customer workspaces;
- strong password policy, optional Single Sign-On (SSO), and multi-factor authentication (MFA) for administrative accounts;
- least-privilege access by Yena personnel, with time-bound and audited access;
- mandatory security-awareness training for all employees and contractors.
Monitoring, logging, and incident response
- centralised logging of infrastructure and application events;
- continuous monitoring of availability, integrity, and security anomalies;
- documented incident-response plan with defined severities and escalation paths;
- breach-notification process as described in Section 8 of this DPA.
Secure development and vulnerability management
- secure software development lifecycle with code reviews;
- automated dependency scanning and static analysis;
- periodic penetration testing of the Platform;
- responsible-disclosure contact at [email protected].
Governance
- ISO 27001-aligned information security program;
- SOC 2 Type I controls for customer-facing services;
- written sub-processor due-diligence and contracting process with no-AI-training obligation.
Annex III — Sub-processors
The current list of Sub-processors, including each Sub-processor's name, purpose, location, and applicable international-transfer mechanism, is maintained on the Security page and is incorporated into this DPA by reference. The Controller may subscribe to sub-processor change notifications by contacting [email protected].
Contact
SIA "New Tech"
Mazā Nometņu iela 31, Rīga, LV-1002, Latvia
Reg. No. 40203731548 (Komercreģistrs)
Privacy: [email protected]
Legal: [email protected]
Security: [email protected]