Data Processing Agreement

Last updated: 15 May 2026

Link, registered in the Netherlands (registration 88346137), enters into this Data Processing Agreement ("DPA") with you, the Customer, in connection with the use of the Link software platform.

This DPA is part of the Terms of Service between Link and the Customer. Where this DPA conflicts with other parts of the agreement, this DPA takes precedence. Link acts as Processor. The Customer acts as Controller. Both parties are committed to meeting their obligations under the GDPR.


What We Process

Link processes personal data for the following purposes: managing job applications and candidate profiles, enabling communication between the Customer and candidates, sending automated notifications, tracking application progress, and maintaining user accounts.

Two categories of individuals are involved: candidates who have applied for a position with the Customer via Link, and users with access to the platform on behalf of the Customer.

For candidates, this includes identity and contact details (name, email, phone number, home address, date of birth), professional information (CV, work experience, qualifications, job preferences), and recruitment data (application details, correspondence, availability, language skills).

For users, this includes account credentials (email, hashed password), contact details (name, email address), and device information (IP address, login timestamps).


How We Handle Your Data

Link processes personal data solely on the basis of documented instructions from the Customer, as set out in this DPA and the Terms of Service. If Link believes an instruction would violate the GDPR, it will inform the Customer without delay. Where EU or national law requires processing beyond those instructions, Link will notify the Customer in advance unless prohibited by law.


Data Security

Link has put in place the technical and organisational measures set out in the Security Measures section of this DPA. These measures may be updated at any time, provided they continue to meet the requirements of Article 32 GDPR.


Access and Confidentiality

Access to personal data within Link is limited to staff who require it to do their jobs. All such staff are bound by confidentiality obligations. Personal data will only be disclosed to third parties when explicitly authorised by the Customer, when necessary to deliver the service, or when required by law. Any third parties engaged for development or maintenance purposes are contractually bound by equivalent confidentiality and data protection obligations.


Sub-Processors

Link works with a number of sub-processors to deliver its platform. The Customer grants general authorisation for Link to engage the sub-processors listed in the Sub-Processors section of this DPA. Link may update this list at any time by publishing a revised version on its website. Continued use of the platform constitutes acceptance of any changes. Link remains fully responsible for ensuring all sub-processors meet the same data protection standards set out in this DPA.


Cross-Border Data Transfers

Where sub-processors are based outside the EEA, Link ensures that all transfers of personal data comply with GDPR requirements. Appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission or certification under the EU-U.S. Data Privacy Framework (DPF).


Supporting the Customer

If a data subject submits a request to exercise their rights, Link will forward this to the Customer to handle. Link will also provide reasonable support with data protection impact assessments (DPIAs) and related GDPR obligations where needed.


Incidents and Breaches

If Link becomes aware of a data breach involving personal data it processes, it will notify the Customer within 24 hours, carry out an investigation, and share all relevant information as quickly as possible. Link will take all reasonable steps to limit any damage and support the Customer's response.


Verification

The Customer may verify Link's compliance with this DPA once per year, or more frequently where there is reasonable cause for concern. Any verification must take place during business hours with adequate advance notice and with minimal disruption to Link's operations. Costs are borne by the Customer unless a material breach by Link is found.

End of Agreement

Data is retained for as long as the Customer requires, or until the Customer requests deletion. If no retention period is set, data is retained for the duration of the agreement. When the agreement ends, the Customer has 30 days to export their data. After this period, Link will permanently delete all personal data, unless retention is required by law.



Sub-Processors


Vercel Inc. — Hosting of the front-end. Data is processed and stored in Europe.

Railway (Railway Corp.) — Backend hosting and infrastructure. Data is processed and stored in Europe.

Supabase Inc. — Database storage and authentication. Data is processed and stored in Europe.

Airtable Inc. — Internal operations and workflow management. Processes candidate data (including name, email, position, application status and availability) for internal processes. Located in the United States. (SCCs, ISO 27001/SOC 2 Type II)

Make (Celonis SE) — Process automation. Data is processed and stored in Europe.

PostHog Inc. — Product analytics. Data is processed and stored in Europe.

Sentry (Functional Software Inc.) — Error monitoring. May process limited personal data (name, email) when included in error reports. Located in the United States. (SCCs)

Postmark (Wildbit LLC) — Transactional email delivery. Processes name and email address to deliver automated emails to candidates and users. Located in the United States. (SCCs)

Intercom Inc. — Customer support. Processes name, email and account information of users who initiate support conversations. Located in the United States. (DPF-certified)


All sub-processors located outside the EEA are bound to the requirements of the GDPR through Standard Contractual Clauses (SCCs) or the EU-U.S. Data Privacy Framework (DPF). Where applicable, sub-processors hold security certifications including SOC 2 Type II, ISO 27001, and/or ISO 27701.



Security Measures


Encryption

TLS encryption for all data in transit, encryption of all data at rest including databases and backups, and password hashing for all user credentials.


Access Control

Role-based permissions ensure users only access data relevant to their role. Access to production systems is limited to a minimal number of internal staff, all of whom are bound by confidentiality obligations.


Monitoring and Incident Response

Real-time error monitoring via Sentry, usage and anomaly monitoring via PostHog, and an internal data breach procedure with notification to the Customer within 24 hours.


Infrastructure

Application and database hosted in EU regions, with regular security updates applied across all infrastructure components.



Questions about this DPA? Contact us at info@link-hospitality.com