Data Processing Agreement
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
Data Controller ("Controller"): The company entity that has registered for and uses the Heimdall AI platform ("Company").
Data Processor ("Processor"): Heimdall AI, Sorgenfrigårdsvej 78, 1.th, 2800 Lyngby, Denmark.
This DPA supplements and forms part of the Terms of Service between the parties and is governed by GDPR Article 28.
2. Definitions
Terms not defined here have the meaning given in GDPR Article 4 or the Terms of Service.
- "Platform" — The Heimdall AI web application at heimdall-talent.ai.
- "Candidate Data" — Personal data of candidates processed through the Platform, including CVs, portfolio content, assessment results, and account information.
- "Assessment" — The AI-generated analysis producing TQ and/or AI Potential scores.
3. Scope and Roles
3.1 Processing Relationship
When a Company invites candidates to the Platform for assessment:
- The Company is the Controller for Candidate Data processed in the context of its hiring activities.
- Heimdall AI is the Processor, processing Candidate Data on behalf of the Company to deliver assessment services.
3.2 Heimdall AI as Independent Controller
Heimdall AI acts as an independent controller for:
- Candidate account data (the candidate's own relationship with the Platform).
- Platform security and fraud prevention.
- Compliance with legal obligations (tax, EU AI Act record-keeping).
- Aggregated, anonymized analytics.
This DPA governs only the processing where Heimdall AI acts as Processor on behalf of the Company.
4. Details of Processing
| Element | Description |
|---|---|
| Subject matter | AI-powered assessment of candidates for the Controller's hiring processes |
| Duration | Duration of the Company's active account + retention periods specified in Section 9 |
| Nature and purpose | Receiving candidate CVs/portfolios, generating AI-based assessment scores (TQ and AI Potential), and delivering results to the Company and the candidate |
| Types of personal data | Name, email, LinkedIn profile data, CV/portfolio content (work history, education, skills, certifications), assessment scores and trait breakdowns, IP addresses, session data |
| Categories of data subjects | Candidates invited by the Company to complete assessments |
5. Processor Obligations
Heimdall AI shall:
5.1 Instructions
Process Candidate Data only on the Controller's documented instructions, which are defined by this DPA and the Company's use of the Platform. If Heimdall AI believes an instruction infringes GDPR, Heimdall AI will promptly inform the Controller.
5.2 Confidentiality
Ensure that persons authorized to process Candidate Data are subject to confidentiality obligations.
5.3 Security (Article 32)
Implement appropriate technical and organizational measures, including:
- Encryption of data in transit (TLS) and at rest.
- Role-based access controls with least-privilege principles.
- Regular security reviews and vulnerability assessments.
- Incident response procedures.
- Sub-processor security assessments.
5.4 Sub-Processing
Use sub-processors only as listed in Section 7 and subject to the obligations in Section 7.
5.5 Data Subject Rights
Assist the Controller in responding to data subject rights requests (access, rectification, erasure, portability, restriction, objection, and Article 22 rights) by providing appropriate technical and organizational measures, taking into account the nature of processing.
5.6 Breach Notification
Notify the Controller of any personal data breach affecting Candidate Data without undue delay and no later than 48 hours after becoming aware of the breach. Notification will include:
- Nature of the breach and approximate number of data subjects affected.
- Contact details for further information.
- Likely consequences and measures taken or proposed to mitigate.
5.7 Data Protection Impact Assessments
Assist the Controller with data protection impact assessments and prior consultations with supervisory authorities where required, taking into account the nature of processing and information available to Heimdall AI.
5.8 Audit Cooperation
Make available to the Controller information reasonably necessary to demonstrate compliance with Article 28 obligations. Upon written request, Heimdall AI will:
- Provide a completed security questionnaire or written summary of current technical and organizational measures.
- Respond to reasonable follow-up questions regarding data processing practices.
- If Heimdall AI obtains independent security certifications or audit reports in the future, make summaries available to the Controller upon request.
5.9 Deletion and Return
Upon termination of the service relationship, Heimdall AI will cease processing Candidate Data on behalf of the Controller for the Controller's purposes. Candidate Data associated with active candidate accounts is retained per Heimdall AI's retention schedule (Section 9) and the candidate's own relationship with the Platform. Data not subject to candidate retention or legal obligations will be deleted within 90 days of termination. Written confirmation of deletion is provided upon request.
6. Controller Obligations
The Controller shall:
- Ensure it has a lawful basis for processing Candidate Data, including providing any required notices to candidates about the use of AI-assisted assessment tools.
- Ensure candidates are informed that their data will be processed by Heimdall AI (Heimdall AI's Privacy Policy may be referenced).
- Use assessment results as decision-support tools only, maintaining human oversight over hiring decisions.
- Comply with applicable employment, anti-discrimination, and data protection laws.
- Inform Heimdall AI of any data subject rights requests that require Processor assistance.
- Ensure compliance with EU AI Act deployer obligations applicable to high-risk AI systems used in recruitment (enforceable August 2, 2026).
7. Sub-Processors
7.1 Authorized Sub-Processors
The Controller grants general written authorization for Heimdall AI to engage the following sub-processors:
| Sub-Processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | EU (Frankfurt, Germany) | Account data, CVs, assessment results |
| Vercel, Inc. | Web application hosting | Edge network (EU-preferred) | Technical request data |
| Anthropic, PBC | AI model (Claude) for assessment generation | United States | CV/portfolio content (transient processing) |
| Stripe, Inc. | Payment processing | United States / EU | Payment and billing data |
7.2 Sub-Processor Changes
Heimdall AI will notify the Controller of any intended changes to sub-processors (additions or replacements) at least 30 days before the change takes effect, via email to the Controller's registered contact address.
The Controller may object to the change within 15 days of notification. If the Controller objects and the parties cannot resolve the concern within 15 days thereafter, the Controller may terminate the affected services with immediate effect.
7.3 Sub-Processor Obligations
Each sub-processor is bound by data protection obligations no less protective than those in this DPA. Heimdall AI remains liable for the acts and omissions of its sub-processors.
8. International Data Transfers
Where Candidate Data is transferred outside the EU/EEA (specifically to Anthropic and Stripe in the United States):
- Transfers are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision 2021/914).
- Transfer impact assessments have been conducted for each transfer.
- Supplementary measures are implemented where appropriate.
The Controller may request copies of the relevant SCCs and transfer impact assessments by contacting privacy@heimdall-talent.ai.
For Anthropic specifically: CV content is sent to the Claude API for assessment generation. Anthropic's data processing terms include commitments not to use customer input data for model training. Data is processed transiently and not retained by Anthropic beyond the API request lifecycle.
9. Data Retention
| Data Type | Retention | Reason |
|---|---|---|
| Candidate assessment data (CVs, portfolios, results) | 3 years from creation, or duration of candidate's active account (whichever is longer) | Candidates retain access to their assessments as a platform feature; candidates may request earlier deletion |
| AI Act compliance logs | 10 years from last system use | EU AI Act Article 19 |
| Payment records | 5 years | Danish bookkeeping law |
Candidates may request deletion of their own data at any time under GDPR Article 17. The Controller may also request deletion of Candidate Data processed on its behalf, subject to the candidate's own retention preferences and Heimdall AI's legal obligations.
10. EU AI Act Compliance
10.1 Heimdall AI's Obligations (Provider)
As the provider of a high-risk AI system under Annex III, Section 4(a), Heimdall AI commits to:
- Maintaining technical documentation and a risk management system.
- Implementing appropriate data governance, transparency, and logging measures.
- Ensuring human oversight capability is designed into the system.
- Providing the Controller with information necessary to fulfill deployer obligations.
10.2 Controller's Obligations (Deployer)
As a deployer of a high-risk AI system, the Controller commits to:
- Using the system in accordance with Heimdall AI's instructions and documentation.
- Maintaining human oversight over decisions informed by assessments.
- Informing candidates that AI systems are used in the assessment process.
- Reporting any serious incidents to Heimdall AI and relevant authorities as required.
- Conducting a fundamental rights impact assessment where required under Article 27.
10.3 Cooperation
Both parties agree to cooperate in good faith to ensure compliance with EU AI Act obligations as they come into force.
11. Liability
Liability under this DPA is governed by the liability provisions in the Terms of Service. Each party is liable for damage caused by processing that infringes GDPR, in accordance with Article 82.
12. Term and Termination
This DPA enters into force when the Company creates an account and remains in effect for the duration of the service relationship. It survives termination to the extent necessary to complete data deletion and comply with legal retention obligations.
13. Governing Law and Jurisdiction
This DPA is governed by Danish law. Disputes shall be resolved by the Copenhagen City Court (Københavns Byret), without prejudice to the rights of data subjects or supervisory authorities under GDPR.
14. Amendments
This DPA may be updated to reflect changes in law or processing activities. Sub-processor changes are handled under Section 7.2. For other material changes, Heimdall AI will notify the Controller at least 30 days in advance. Material changes require the Controller's written acceptance (which may be provided electronically). If the Controller does not accept a material change, either party may terminate the affected services.
15. Contact
Privacy Contact: privacy@heimdall-talent.ai
Legal Contact: legal@heimdall-talent.ai
Heimdall AI
Sorgenfrigårdsvej 78, 1.th
2800 Lyngby, Denmark
Annex 1: Technical and Organizational Measures
The following measures are implemented by Heimdall AI as of the effective date:
Access Control
- Authentication via LinkedIn OAuth (OIDC) for candidates; email + LinkedIn for companies.
- Role-based access control with least-privilege principles.
- Administrative access restricted and logged.
Encryption
- Data in transit: TLS 1.2+.
- Data at rest: AES-256 encryption (Supabase managed encryption).
Infrastructure Security
- Sub-processors selected for their security posture (Supabase, Vercel, and Stripe each maintain independent security certifications — details available on request).
- Hosted on EU-region infrastructure where available.
Data Minimization
- AI processing uses only the content necessary for assessment generation.
- Anthropic does not retain input data beyond API request processing.
Incident Response
- Breach notification within 48 hours.
- Defined escalation and communication procedures.
Business Continuity
- Automated database backups (Supabase managed).
- Application hosted on globally distributed infrastructure (Vercel).