HireNix ATS
EU Data Protection

GDPR Compliance

We are committed to the highest standards of data privacy. Discover how Hire Nix ATS helps your recruitment team remain fully compliant with the General Data Protection Regulation (GDPR).

Effective Date: May 12, 2026

Processor Role

We act as a Data Processor, giving you (the Controller) full ownership of candidate data.

Right to Erasure

One-click candidate deletion to instantly fulfill "Right to be Forgotten" requests.

Data Transfer

Standard Contractual Clauses (SCCs) ensure lawful cross-border data flows.

1. Our Role Under GDPR

Under the EU General Data Protection Regulation (GDPR), the entity that decides how and why personal data is processed is the Data Controller, and the entity that processes data on their behalf is the Data Processor.

  • Our Customers (Employers/Agencies) act as the Data Controllers. You define the purpose of collecting applicant resumes, screening questions, and interview notes.
  • Hire Nix ATS acts as the Data Processor. We provide the software, infrastructure, and AI tools to execute your instructions securely.

2. Empowering Data Subject Rights

GDPR grants EU citizens (candidates) specific rights regarding their personal data. Hire Nix ATS provides native features to help Data Controllers easily fulfill these requests:

  • Right to Access & Portability: Controllers can export a complete, machine-readable (JSON/CSV) profile of a candidate's data, including parsed resumes and application history, to fulfill access requests.
  • Right to Erasure (Right to be Forgotten): Our "Hard Delete" function permanently purges a candidate's Personally Identifiable Information (PII) from our active databases and S3 storage buckets within milliseconds. Anonymized macro-data (e.g., that an application occurred in Q1) may be retained for statistical integrity.
  • Data Retention Automation: Controllers can configure automated deletion schedules (e.g., automatically deleting rejected candidate profiles after 12 months) unless explicit consent is renewed.

3. Data Processing Agreement (DPA)

To comply with Article 28 of the GDPR, we require all enterprise and agency customers to sign our Data Processing Agreement (DPA). This legally binding document outlines our specific obligations regarding security, sub-processing, and breach notification.

Our standard DPA incorporates the latest Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring that any data transferred outside the European Economic Area (EEA) remains fully protected by EU standards.

4. Approved Sub-processors

To deliver our service, Hire Nix engages carefully vetted third-party sub-processors. We maintain strict DPAs with all vendors.

AI Sub-Processing (OpenAI / Anthropic)

We utilize Large Language Models for resume parsing and match scoring. To maintain strict GDPR compliance, candidate data sent to our AI providers is processed via Zero Data Retention enterprise endpoints. Your data is processed ephemerally and is explicitly barred from being stored or used to train external models.

A full, up-to-date list of our sub-processors (including AWS/GCP for hosting, and Stripe for billing) is available in our DPA documentation.

5. Technical & Organizational Security

Article 32 of the GDPR requires Processors to implement adequate security measures. Hire Nix ATS employs:

  • Encryption: AES-256 encryption at rest and TLS 1.3 for data in transit.
  • Logical Isolation: PostgreSQL Row-Level Security (RLS) ensuring strict multi-tenant data siloing.
  • Access Control: Mandatory Hardware 2FA for all internal Hire Nix support staff.
  • Incident Response: A formal 72-hour breach notification protocol to Controllers in the event of unauthorized data access.

Data Protection Officer (DPO)

If you are a Data Controller seeking to execute a DPA, or a Data Subject inquiring about your rights, please reach out to our DPO directly.