Legal

Data Processing Agreement.

Summary version · Effective for executed contracts from 31 May 2026

1. Parties and scope

This Data Processing Agreement applies between AskMyHRM B.V. as data processor and the customer organisation as data controller. It governs the processing of personal data inside the AskMyHRM platform and forms an integral part of the main services agreement.

2. Subject matter and duration

Subject matter. Provision of the AskMyHRM HR platform, including AI specialist processing of HR data, case management, and document indexing.

Duration. The DPA stays in force for the duration of the main services agreement plus the agreed return or deletion period.

3. Categories of data subjects

Customer employees, contractors, applicants where the customer chooses to enrol them, dependents where the customer chooses to record them, and other persons whose personal data the customer chooses to process through the platform.

4. Categories of personal data

Identification data, contact data, employment data, leave and absence data, case communications, documents uploaded by the customer, and audit metadata. Special category data only where the customer enables and instructs such processing.

5. Processor obligations

We process personal data only on documented instructions from the controller. We ensure persons authorised to process the data are under confidentiality. We implement appropriate technical and organisational measures. We assist the controller in fulfilling data subject rights. We notify the controller of personal data breaches without undue delay.

6. Sub-processors

We use a limited list of sub-processors, all of which operate within the EU under equivalent data protection terms. The current list is available on request and on the AskMyHRM customer portal.

7. International transfers

No data is transferred outside the European Economic Area under the standard configuration. Where a customer specifically requests an exception, transfer safeguards under Chapter V of the GDPR are put in place.

8. Return and deletion

Upon termination, the controller may request export of all personal data within thirty days in JSON and PDF formats. After that period, AskMyHRM securely deletes the personal data from production systems within thirty days and from backups within ninety days. A signed certificate of destruction is provided on request.

9. Breach notification

AskMyHRM notifies the controller of a confirmed personal data breach without undue delay and within forty-eight hours of confirmation. Notification includes the nature of the breach, categories and approximate number of data subjects, likely consequences, and measures taken or proposed (GDPR Art. 33(3)).

10. Audit rights

The controller may audit AskMyHRM's compliance with this DPA once per year on thirty days' notice, or following a confirmed breach. AskMyHRM provides attestations, the NEN 7510 control mapping, and the most recent third-party penetration test report under NDA. On-site audits are at the controller's cost and subject to reasonable security constraints (GDPR Art. 28(3)(h)).

11. AI training carve-out

AskMyHRM does not train any foundation or shared AI model on customer data. Per-tenant fine-tuning, where requested, is contractually opt-in. Azure OpenAI Service does not use customer data to train or improve OpenAI models.

The signable DPA, including Annex I (processing details), Annex II (technical and organisational measures per Art. 32), and Annex III (sub-processor list — publicly available at /security), is provided on contract execution and on request before signature. Contact legal@askmyhrm.com.