HEROIFY Data Processing Agreement (DPA)

Effective date: March 1, 2026

Personal Data Processing Entrustment Agreement

How does this DPA work?

Using the Heroify platform (including account activation) is equivalent to accepting this DPA in its current wording. The DPA forms an integral part of the contractual relationship between Heroify and the Client.

Clients requiring an individually negotiated DPA (e.g. for a tender or corporate audit) may contact Heroify at gdpr@heroify.co.

This Personal Data Processing Entrustment Agreement (hereinafter: DPA or Agreement) is concluded between the Client using the Heroify platform (hereinafter: Controller) and Heroify sp. z o.o. with its registered office in Warsaw, address: ul. Padewska 23/7, 00-777 Warsaw, entered in the register of entrepreneurs of the National Court Register maintained by the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division of the National Court Register, under KRS number: 0000903229, NIP: 5213930518, REGON: 389112980, with share capital of PLN 35,500.00, represented by Paulina Wardega - President of the Management Board (hereinafter: Processor or Heroify) - and governs the rules of processing personal data of Candidates/Participants to the extent that Heroify processes such data on behalf of the Controller, in accordance with Article 28 GDPR.

1. Definitions

For the purposes of this DPA, the following definitions apply:

  • Controller: The Client using the Heroify platform - an entity that independently determines the purposes and means of processing personal data of Candidates/Participants within its recruitment processes or employee assessment.
  • Processor: Heroify sp. z o.o. with its registered office in Warsaw, ul. Padewska 23/7, 00-777 Warsaw, KRS: 0000903229, NIP: 5213930518, REGON: 389112980, share capital: PLN 35,500.00 - processes personal data of Candidates/Participants solely on behalf of and in accordance with the Controller's documented instructions.
  • Candidate/Participant: A natural person whose personal data is processed through the Heroify platform - a candidate in a recruitment process or an employee undergoing internal assessment by the Controller.
  • Personal data: Any information concerning Candidates/Participants processed by Heroify on behalf of the Controller, in particular as indicated in Appendix 1 to this DPA.
  • Platform: The Heroify web application available at www.heroify.co.
  • Sub-processor: A third party to whom Heroify entrusts the processing of personal data for the purpose of providing services to the Controller.
  • Personal data breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data (Article 4(12) GDPR).
  • GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

2. Subject matter and scope of entrustment

  • 2.1 The Controller entrusts Heroify with the processing of personal data of Candidates/Participants to the extent necessary for the provision of Heroify platform services, in particular creating and conducting Assessments, collecting and presenting results, and ensuring the security and reliability of the assessment process.
  • 2.2 A detailed description of the categories of personal data, categories of data subjects, purposes and nature of processing, and processing period is set out in Appendix 1 to this DPA.
  • 2.3 Heroify processes personal data solely on the documented instructions of the Controller, which include in particular: account and settings configuration on the platform, sharing an Assessment with Candidates/Participants, and other actions taken by the Controller or Users through the Heroify platform.
  • 2.4 If Heroify is required to process data under Union law or Member State law, it will inform the Controller before commencing processing, unless such law prohibits providing such information.

3. Heroify's obligations as Processor

Heroify undertakes to:

  • process personal data solely in accordance with the Controller's documented instructions and for the purposes specified in Appendix 1, unless the processing obligation arises from EU or Member State law;
  • ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory duty of confidentiality;
  • implement appropriate technical and organizational security measures in accordance with Article 32 GDPR, taking into account the state of the art, the nature, scope, context and purposes of processing, and the risk of infringement of the rights or freedoms of natural persons;
  • comply with the conditions for using Sub-processors set out in section 5 of this DPA;
  • assist the Controller, where possible and taking into account the nature of processing, in fulfilling the obligation to respond to requests from data subjects regarding the exercise of their rights under Chapter III GDPR;
  • provide the Controller with all information necessary to demonstrate compliance with obligations set out in Article 28 GDPR and to enable audits in accordance with section 7 of this DPA;
  • inform the Controller without undue delay if, in Heroify's opinion, an instruction issued by the Controller infringes GDPR or other data protection provisions;
  • upon termination of processing services, delete or return all personal data to the Controller and delete existing copies, unless Union or national law requires storage - in accordance with section 9 of this DPA.

4. Technical and organizational security measures

Heroify has implemented and maintains security measures including at least:

  • encryption of data in transit (TLS/HTTPS) and at rest;
  • role-based access control - access to personal data only for authorized employees;
  • pseudonymization of data where possible without detriment to functionality;
  • regular data backups and restoration procedures;
  • monitoring and logging of access to personal data;
  • regular testing and evaluation of the effectiveness of security measures;
  • security incident management procedures;
  • training of employees with access to personal data in the field of data protection.

Heroify may update security measures, provided that the overall level of personal data protection is not reduced.

5. Use of Sub-processors

  • 5.1 The Controller hereby grants Heroify general authorization to use Sub-processors for the provision of Heroify platform services. Heroify maintains an up-to-date list of Sub-processors, which is made available to the Controller upon request sent to gdpr@heroify.co.
  • 5.2 Heroify notifies the Controller of planned changes regarding Sub-processors (addition or replacement) at least 14 days in advance by publishing relevant information on heroify.co or by email to the address associated with the Client account.
  • 5.3 The Controller has the right to raise a justified objection to a planned Sub-processor change within 14 days from receipt of the notification. A justified objection means an objection based on specific, documented data protection grounds, and not an objection of a general or commercial nature.
  • 5.4 If the Controller raises a justified objection and Heroify is unable to provide a solution satisfactory to the Controller within a reasonable time, both parties may terminate the agreement in the scope affected by the objection with 30 days' notice.
  • 5.5 Heroify imposes on Sub-processors data protection obligations at least equivalent to those arising from this DPA. Heroify remains fully liable to the Controller for Sub-processors' performance of their obligations.

6. Personal data breaches

  • 6.1 Heroify notifies the Controller without undue delay - no later than within 48 hours - from becoming aware of a personal data breach concerning data processed on behalf of the Controller.
  • 6.2 The notification referred to in 6.1 includes at least: a description of the nature of the breach and the categories and approximate number of data subjects and data records concerned; contact details for obtaining further information; a description of the likely consequences of the breach; and a description of measures taken or proposed to address the breach.
  • 6.3 If it is not possible to provide all information listed in 6.2 at the same time, Heroify provides it in phases without undue delay.
  • 6.4 Heroify supports the Controller in fulfilling the obligation to notify the supervisory authority (UODO) within 72 hours from becoming aware of the breach, in accordance with Article 33 GDPR, and in notifying data subjects who may be affected by the breach, in accordance with Article 34 GDPR.
  • 6.5 Breach notifications are sent to the email address linked to the Client account or to the GDPR address indicated by the Controller. The Controller is responsible for keeping contact details in its account up to date.

7. Audits and inspections

  • 7.1 Heroify provides the Controller with all information necessary to demonstrate compliance with obligations set out in Article 28 GDPR, including this DPA.
  • 7.2 Upon a justified written request from the Controller, no more than once per calendar year, Heroify enables an audit or inspection by the Controller or an external auditor authorized by the Controller. The audit is carried out at the Controller's expense, after prior agreement on scope and date with at least 30 days' notice, in a manner that does not disrupt Heroify's normal business operations and the rights of other clients.
  • 7.3 The parties may agree that the audit obligation will be replaced by Heroify providing current security certificates (e.g. ISO 27001) or audit reports conducted by accredited external entities.

8. Data transfers outside the European Economic Area (EEA)

  • 8.1 Heroify stores personal data of Candidates/Participants on servers located within the European Union.
  • 8.2 If using Sub-processors located outside the EEA, Heroify ensures appropriate transfer safeguards in accordance with Article 46 GDPR - in particular by applying Standard Contractual Clauses (SCCs) approved by the European Commission and, where appropriate, carrying out a Transfer Impact Assessment.
  • 8.3 Heroify does not transfer personal data of Candidates/Participants to third countries without applying appropriate safeguards referred to in 8.2.

9. Data deletion and return after termination of services

  • 9.1 After termination of the agreement or deletion of the Controller's account, Heroify retains personal data of Candidates/Participants for 30 days from the date of termination, enabling the Controller to export data at its request submitted before expiry of this period.
  • 9.2 After the 30-day period referred to in 9.1, Heroify deletes personal data of Candidates/Participants processed on behalf of the Controller, except for data that Heroify is required to retain under applicable law (e.g. data necessary to defend against claims for the limitation period).
  • 9.3 At the Controller's request submitted before expiry of the period referred to in 9.1, Heroify will provide data export in CSV format or another commonly used machine-readable format.
  • 9.4 The above rules apply to data processed by Heroify as Processor on behalf of the Controller. Data processed by Heroify as an independent controller (profile and results history of Candidates/Participants) is subject to separate rules set out in the Candidate/Participant Privacy Policy.

10. Exercise of data subject rights

  • 10.1 The Controller is responsible for ensuring that data subjects can exercise their rights under GDPR (access, rectification, erasure, restriction of processing, data portability, objection).
  • 10.2 Upon receiving a request directly from a Candidate/Participant concerning data processed on behalf of the Controller, Heroify promptly forwards the request to the Controller and does not respond on the Controller's behalf without authorization.
  • 10.3 Heroify provides the Controller with technical assistance in exercising rights referred to in 10.1, in particular by providing data export functionality and the ability to delete data of a specific Candidate/Participant from the platform level.

11. Liability

  • 11.1 Each party is liable to data subjects for damage caused by processing that infringes GDPR, to the extent it is responsible for such damage.
  • 11.2 Heroify is exempt from liability if it proves that it is not at fault for the event causing the damage, or that it acted in accordance with the Controller's documented instructions.
  • 11.3 Heroify's total liability under this DPA, except for liability resulting from Heroify's GDPR violations committed outside the scope of or contrary to the Controller's instructions, is limited to the amount of fees paid by the Controller during the 12 months preceding the event causing the damage.

12. Changes to the DPA

  • 12.1 Heroify may amend this DPA due to changes in legal provisions, supervisory authority guidelines, or operational requirements. Heroify will notify the Controller of any material change at least 14 days in advance by email or through a platform notice.
  • 12.2 Continued use of the platform after the 14-day notification period constitutes acceptance of the amended DPA.
  • 12.3 If the Controller does not accept the amended DPA, it may terminate the agreement in accordance with the Terms and Conditions before the changes take effect.

13. Resolution of disputes with the supervisory authority

  • 13.1 In the event of a dispute or claim brought by a Data Subject or a supervisory authority (UODO) in connection with personal data processing against one or both parties, the parties will promptly inform each other of such disputes or claims and cooperate to settle them amicably.
  • 13.2 The parties undertake to respond to any non-binding mediation proceedings initiated by a Data Subject or supervisory authority. Participation may take place remotely (telephone, videoconference, or other electronic means).
  • 13.3 Each party will comply with a final and binding decision of the supervisory authority (UODO) or competent court.

14. Final provisions

  • 14.1 This DPA is governed by Polish law and interpreted in accordance with GDPR and the provisions implementing GDPR in Poland.
  • 14.2 To the extent not regulated by this DPA, the provisions of the Heroify platform Terms and Conditions available at https://www.heroify.co/pl/terms and the Cooperation Agreement concluded between the parties apply.
  • 14.3 In the event of conflict between this DPA and the Terms and Conditions, this DPA prevails in matters concerning personal data protection. The Cooperation Agreement may provide for a higher or more detailed data protection standard - in such case, the standard more favorable to personal data protection applies.
  • 14.4 The parties will seek to resolve any disputes arising from this DPA amicably. In the absence of agreement, the court competent for Heroify's registered office shall have jurisdiction.
  • 14.5 If any provision of this DPA is found invalid or ineffective, the remaining provisions remain in force.
  • 14.6 Contact for DPA matters: gdpr@heroify.co.

APPENDIX 1 - Description of processing activities

  • Parties: Controller: Client using the Heroify platform. Processor: Heroify sp. z o.o., ul. Padewska 23/7, 00-777 Warsaw, NIP: 5213930518.
  • Subject matter of processing: Provision of Heroify platform services, including creating and conducting Assessments evaluating competencies, abilities, fit, and attitude of Candidates/Participants.
  • Processing duration: For the duration of the agreement between the Controller and Heroify, and after its termination for an additional period of 30 days enabling data export, unless legal provisions require longer retention.
  • Nature of processing: Collection, recording, organization, storage, adaptation, review, disclosure (within the platform), restriction, deletion. Processing takes place exclusively electronically via the Heroify platform.
  • Purpose of processing: Conducting Assessment(s) ordered by the Controller, presenting results to the Controller and Users, ensuring reliability and security of the assessment process, and fulfillment of data subject rights.
  • Categories of data subjects: Candidates applying for work with the Controller and the Controller's employees undergoing internal assessments.
  • Categories of personal data: 1. Identification and contact data: first name, last name, email address, phone number. 2. Assessment results: answers to closed questions (Tests), answers to open questions, competency results and reports. 3. Behavioral and technical data (anti-cheating): IP address, device and browser type, time spent on individual questions, system events recorded during the test session.
  • Special categories of data (Article 9 GDPR): As a rule, this DPA does not cover processing of special categories of data. The Controller undertakes not to commission Heroify to process such data without first entering into a separate agreement in writing.