Data Processing Agreement
Last updated: 15 May 2026
This Data Processing Agreement ("DPA") describes how Link, a company registered in the Netherlands (registration 88346137), processes personal data on behalf of you, the Customer, when providing the Link software platform.
This DPA forms an integral part of the Terms of Service between Link and the Customer. In the event of a conflict between this DPA and other parts of the agreement, this DPA shall prevail.
Both parties commit to fulfilling their obligations under the GDPR. Link acts as Processor. The Customer acts as Controller.
General Obligations
Link processes personal data only on the documented instructions of the Customer, as laid down in this DPA and the Terms of Service.
Link will notify the Customer if, in its opinion, any processing instruction infringes the GDPR.
If legally required to process beyond these instructions, Link will inform the Customer beforehand unless prohibited by law.
Sub-Processors
The Customer authorises Link to use the sub-processors listed in the Sub-Processors section of this DPA. Link may update this list at any time by publishing a revised version. Continued use of the Service constitutes acceptance of any updated sub-processor list.
Link ensures all sub-processors are bound by data protection obligations equivalent to those in this DPA and remains fully responsible for their compliance.
International Transfers
Link will only transfer personal data outside the EEA in compliance with GDPR requirements. Where sub-processors are located outside the EEA, Link ensures adequate safeguards are in place through Standard Contractual Clauses (SCCs) approved by the European Commission.
Security
You are responsible for using the Service in compliance with all applicable laws and regulations. You must ensure that only authorised personnel have access to the dashboard and that login credentials are kept secure. Misuse of the Service, including unauthorised access or data handling, may result in termination.
Confidentiality
Link limits access to personal data strictly to staff members who need it to perform the services. All such staff are bound by confidentiality obligations.
Link may only disclose personal data when explicitly authorised by the Customer, when necessary to perform the services, or when required by law.
Where Link engages third parties for development or maintenance activities, such parties are contractually bound by confidentiality and data protection obligations equivalent to those in this DPA.
Assistance
If a data subject exercises their privacy rights through Link, Link will forward the request to the Customer to handle.
Link will assist the Customer in fulfilling its GDPR obligations, including data protection impact assessments (DPIAs) where applicable.
Data Breach
In the event of a data breach affecting personal data processed by Link, Link will notify the Customer within 24 hours, conduct an investigation, and provide all relevant information as soon as possible.
Link will take reasonable steps to minimise damage and cooperate with the Customer's remediation efforts.
Audit
The Customer may audit Link's compliance with this DPA once per year, or more frequently in case of suspected non-compliance. Audits must be conducted during business hours with reasonable advance notice and must minimise disruption to Link's operations.
The Customer bears all audit costs unless the audit reveals material non-compliance by Link.
Termination
Upon termination of the agreement, the Customer has 30 days to export their data. After this period, Link will permanently delete all personal data including copies, unless EU law requires retention.
Processing Details
Nature and Purposes of Processing
Managing job applications and candidate profiles
Facilitating communication between the Customer and candidates
Sending automated notifications and updates to candidates
Tracking application status and progress
Maintaining user accounts for Customer team members
Categories of Data Subjects
Candidates who submit applications through the Link widget
Customer team members with a user account for the Service
Categories of Personal Data
For candidates:
Identity and contact information (name, email address, phone number, home address, date of birth)
Professional information (CV, work experience, qualifications, job preferences)
Recruitment data (application details, correspondence, availability, language skills)
For Customer team members:
Account credentials (email, hashed password)
Contact information (name, email address)
Device information (IP address, login timestamps)
Duration of Processing
In accordance with the Customer's retention settings within the Service. If no retention period is set, data is retained for the duration of the agreement with a maximum of 24 months after its end.
Sub-Processors
Vercel Inc. — Hosting and serving the Link application. Processes all data that flows through the platform. Data is processed and stored in Europe.
Railway (Railway Corp.) — Backend hosting and infrastructure. Processes all candidate and user data that flows through the Link backend. Data is processed and stored in Europe.
Supabase Inc. — Database storage and authentication. Stores all candidate and user data including profiles, applications and account credentials. Data is processed and stored in Europe.
Airtable Inc. — Internal operations and workflow management. Processes candidate data (including name, email, position, application status and availability) for internal processes. Located in the United States.
Make (Celonis SE) — Process automation. Processes candidate data (including name, email, position, application status and availability) as part of automated internal workflows. Data is processed and stored in Europe.
PostHog Inc. — Product analytics. Processes usage data and device information to monitor platform performance. Data is processed and stored in Europe.
Sentry (Functional Software Inc.) — Error monitoring. May process limited personal data (name, email) when included in error reports. Data is processed and stored in Europe.
Postmark (Wildbit LLC) — Transactional email delivery. Processes name and email address to deliver automated emails to candidates and users. Located in the United States.
Intercom Inc. — Customer support. Processes name, email and account information of Customer team members who initiate support conversations. Located in the United States.
All sub-processors outside the EEA are selected based on demonstrated security certification (SOC 2 Type II and/or ISO 27001) and are contractually bound to the requirements of the GDPR through Standard Contractual Clauses (SCCs).
Security Measures
Encryption
TLS encryption for all data in transit
Encryption of all data at rest including databases and backups
Password hashing for all user credentials
Access Control
Role-based access control — users only access data relevant to their role
Access to production systems limited to a minimal number of internal staff
All staff with access to personal data are bound by confidentiality obligations
Monitoring and Incident Response
Real-time error monitoring via Sentry
Usage and anomaly monitoring via PostHog
Internal data breach procedure in place with notification to the Customer within 24 hours
Infrastructure
Application and database hosted in EU regions
Regular security updates applied to all infrastructure components
Questions about this DPA? Contact us at info@link-hospitality.com
