Pre-Hire Logo
HomePricing
Log inFree trial
ENFR
Pre-Hire Logo
HomePricingLog inFree trial
ENFR
Home/Legal documents/Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

Last updated: April 26, 2026 · Version: 1.2

This Data Processing Agreement (DPA) defines the conditions under which PreHire processes, in its capacity as processor, personal data on behalf of the Recruiter, pursuant to Article 28 of the GDPR (Regulation (EU) 2016/679).

The DPA is an integral part of the Terms of Use and the Terms of Sale. In the event of any conflict, the DPA prevails for matters relating to the processing of Candidates' personal data.

Contents

  1. 1. Definitions
  2. 2. Purpose and duration
  3. 3. Nature and purposes of the processing
  4. 4. Categories of data and data subjects
  5. 5. Customer obligations
  6. 6. Processor obligations
  7. 7. Location and transfers
  8. 8. Liability
  9. 9. Order of precedence
  10. 10. Governing law and jurisdiction
  11. Annex – Summary description

1. Definitions

The terms « personal data », « processing », « controller », « processor », « data subject », « personal data breach » and « supervisory authority » have the meaning ascribed to them by the GDPR.

Platform: the pre-hire.com website and the PreHire application.

Candidate Data: the personal data relating to Candidates processed by PreHire on behalf of the Customer in connection with the Services.

Sub-processor: any third party engaged by the Processor to carry out all or part of the processing operations.

2. Purpose and duration

The Customer entrusts PreHire with the processing of Candidate Data in connection with the provision of the PreHire Services for pre-screening assisted by artificial intelligence.

The DPA takes effect on the date of acceptance of the Terms of Use and remains in force for the entire duration of the contractual relationship.

3. Nature and purposes of the processing

3.1 Purposes

Pre-screening of candidates for a position, including in particular:

  • import and storage of CVs and data provided by Candidates;
  • AI-assisted analysis of CVs against a job offer;
  • sending invitations to Candidates to take part in a video interview;
  • collection and storage of Candidates' video responses;
  • automatic transcription of video responses;
  • indicative scoring of transcribed responses;
  • provision of a dashboard and collaborative review tools for the benefit of the Customer.

3.2 Processing operations

Collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, communication, making available to the Customer, alignment, restriction, erasure, destruction.

3.3 Issuance of invitations on behalf of the Customer

Invitations sent to Candidates are issued from PreHire's technical infrastructure but in the name and on behalf of the Customer, identified as the company that is recruiting. In this respect, PreHire acts as a technical delivery provider, without becoming a recipient or controller of the processing of applications.

3.4 Conduct at the end of the trial period

At the end of the free trial period, PreHire ceases all issuance of new invitations and all ingestion of new Candidates. Invitations already issued on behalf of the Customer before the end of the trial remain active; the processing of interviews completed by Candidates following those invitations constitutes the completion of a processing operation initiated by the Customer on its instructions, and not a new solicitation on the part of PreHire.

4. Categories of data and data subjects

4.1 Categories of data

  • Identification data: surname, first name, title, date of birth (where applicable);
  • Contact details: email address, telephone number, postal address;
  • Professional data: career history, education, skills, languages, experience, certifications;
  • CV data: all of the information contained in the CV submitted by the Candidate or collected on their behalf;
  • Video data: video recordings of responses;
  • Transcriptions: textual transcription of video responses;
  • Candidate connection data to the interview interface.

4.2 Special categories (Article 9 GDPR)

PreHire does not request or analyze the following data: health, political opinions, religious beliefs, trade union membership, biometric data, genetic data, sex life or sexual orientation.

Should a Candidate spontaneously disclose such data in their CV or responses, the Customer undertakes not to request it and not to make it a selection criterion.

4.3 Data subjects

Candidates invited by the Customer to take part in a pre-screening process.

5. Customer obligations (controller)

The Customer warrants:

  • (a) that it has an appropriate legal basis to process the Candidate Data (typically: pre-contractual measures, legitimate interest, and where applicable consent);
  • (b) that it has provided Candidates with all of the information required by Articles 13 and 14 of the GDPR before the start of the processing;
  • (c) that it complies with the obligations arising from Regulation (EU) 2024/1689 on artificial intelligence (AI Act), in particular regarding information about the use of AI systems in recruitment processes classified as high-risk;
  • (d) that it maintains effective human oversight over the pre-screening process and does not base any final decision solely on the scores generated by the Platform;
  • (e) that it complies with the principle of minimization and enters into the Platform only the data necessary for the declared purposes;
  • (f) that it defines a retention period consistent with the CNIL recommendations (typically 2 years after the last contact with the unsuccessful Candidate, unless a different justification applies);
  • (g) that it handles requests from Candidates to exercise their rights and responds to data subjects within the legal time limits;
  • (h) that it documents its own processing operations in its internal records;
  • (i) that it ensures the absence of discrimination in the process, in compliance with Articles L.1132-1 and L.1142-1 of the French Labor Code.

6. Processor obligations

6.1 Compliance with instructions

Process the Candidate Data only on the documented instruction of the Customer, as set out in the Terms of Use, the DPA and the configuration of the Platform. If PreHire considers that an instruction constitutes a breach of the GDPR, it shall inform the Customer without delay.

The Customer is solely the controller of the Candidate Data; PreHire does not determine the purposes of that processing, including with regard to the sending of interview invitations. The Customer's configuration of its session — creation of the session, ingestion of candidates, activation of the invitation sequence — constitutes a documented instruction within the meaning of this article.

6.2 Confidentiality

Ensure that the persons authorized to process the Candidate Data are subject to a confidentiality obligation, whether contractual or statutory.

6.3 Security

Implement appropriate technical and organizational measures within the meaning of Article 32 of the GDPR, in particular:

  • encryption of communications via TLS across all exchanges;
  • encryption of data at rest by the hosting layer;
  • hashing of passwords using a proven cryptographic function, with a unique salt per record;
  • role-based access control, principle of least privilege;
  • logging of connections and sensitive operations;
  • regular backups of the databases;
  • segregation of the development, test and production environments;
  • regular updating of dependencies and application of security patches;
  • periodic internal reviews of the security posture.

6.4 Subprocessing

The Customer authorizes PreHire to engage the Sub-processors listed in the List of subprocessors.

PreHire contractually imposes on Sub-processors data protection obligations equivalent to those of this DPA.

PreHire informs the Customer of any intended change concerning the addition or replacement of Sub-processors at least thirty (30) days before the change, by email and by publication of an updated version of the list.

Within that period, the Customer may object on legitimate grounds related to data protection. In the event of an unresolved objection, the Customer may terminate the contract free of charge.

6.5 Assistance to the Customer

PreHire assists the Customer, insofar as possible and taking into account the nature of the processing:

  • in responding to requests from Candidates to exercise their rights (access, rectification, erasure, objection, portability, restriction);
  • in carrying out data protection impact assessments (DPIAs);
  • in prior consultations with the supervisory authorities;
  • in achieving compliance with the obligations arising from Articles 32 to 36 of the GDPR.

Assistance is provided free of charge within the limits of what is technically reasonable. Any specific service requested by the Customer beyond this may be subject to a quotation-based charge.

6.6 Breach notification

PreHire shall notify the Customer of any personal data breach concerning it within seventy-two (72) hours of becoming aware of it, providing it with the information necessary for it to comply with its own obligations to notify the CNIL and, where applicable, the data subjects.

6.7 Audit right

The Customer may, at its own expense and subject to reasonable notice of thirty (30) days, have an audit carried out of PreHire's compliance with the DPA, either by its own staff or by an independent third-party auditor bound by confidentiality. The audit is limited to one (1) per year and is conducted under conditions that do not disrupt PreHire's operations.

PreHire may satisfy the audit obligation by making available the results of its own audits and any certifications (ISO 27001, SOC 2, etc.).

6.8 Return and deletion

At the end of the contractual relationship, or at the Customer's request, PreHire returns or deletes, at the Customer's choice, all of the Candidate Data, including backup copies, unless otherwise required by law.

Deletion takes place no later than thirty (30) days after the request, excluding backup copies whose rotation may take up to ninety (90) days.

6.9 Retention and automatic deletion of Candidate Data (non-converted trial sessions)

For sessions opened as part of a free trial period and not converted into a subscription, PreHire automatically applies the following retention periods, the starting point of which is the end of the trial period:

DataRetentionStarting point
Candidate data — analysis results (score, summary, status)Configurable from 30 days to 12 months — default 30 daysEnd of the trial period
Interview videos — raw files30 days, fixed and non-extendable periodEnd of the trial period
Candidate data — active subscriptionAccording to the schedule applicable to the subscribed accountUnchanged

The retention of raw video files for a fixed period of 30 days is provided in the interest of the Candidate: it aims to give the Customer a reasonable chance to review the Candidate's presentation, the Candidate having agreed to produce this data with a view to being seen. This period is fixed and non-extendable, in accordance with the principle of minimization, and cannot be extended for commercial reasons. The metadata and analysis results, which are less sensitive, are retained for a configurable period in order to allow the Customer to recover the value produced should it subscribe at a later date.

Upon expiry of the applicable period, PreHire proceeds with the definitive and irreversible deletion of the data and videos concerned. This deletion is automatic. PreHire keeps a technical record of the deletion operation (date, scope, session identifier) for the purposes of compliance evidence, without retaining the deleted data. Subscribing to a plan covering the session before the expiry of these periods switches the session to the retention schedule of the subscribed account and cancels the scheduled deletions.

6.10 Means of informing the Candidate

The Customer, in its capacity as controller, is required to inform Candidates of the processing of their data and of its fate, in particular of the deletion at the end of the retention period. PreHire makes available to the Customer, and carries out on its behalf, the technical means of providing information: an accessible candidate notice, a mention in the invitation email, and automatic execution of the deletion. The provision by PreHire of these means does not transfer to the processor the responsibility for providing information, which remains that of the Customer.

7. Location and transfers

7.1 Principle: European residency

By default, PreHire applies a policy of European residency for Candidate Data. The primary storage and hosting of the data are located within the European Union (europe-west1 region or an equivalent EU region).

7.2 Artificial intelligence processing: European Union only

PreHire undertakes contractually to use, for the artificial intelligence processing applied to Candidate Data (extraction of information from CVs, transcription of video responses, indicative scoring), only models hosted within the European Union.

Accordingly:

  • Candidate Data is never transmitted to an AI model operated from the United States or any other third country;
  • PreHire selects and configures its AI routing and inference providers to guarantee this geographic restriction;
  • this commitment constitutes a substantial element of this DPA.

7.3 Technical sub-processors established outside the EU

A limited fraction of PreHire's technical sub-processors are companies incorporated outside the European Union (in particular in the United States), for functions peripheral to the core of the AI processing: transactional emails, payment network, infrastructure whose parent company is established outside the EU. The up-to-date list is public.

For these sub-processors, PreHire applies all of the safeguards provided for by the GDPR:

  • systematic selection of providers offering regions or points of presence in the European Union;
  • signing of the Standard Contractual Clauses (SCCs) adopted by Implementing Decision (EU) 2021/914 of June 4, 2021;
  • benefit of the Data Privacy Framework where the sub-processor is certified under it;
  • additional technical measures: encryption, pseudonymization where relevant, access control, logging;
  • case-by-case assessment of the legislation of the destination country (Transfer Impact Assessment).

The Customer authorizes PreHire to conclude the SCCs on its behalf with the relevant sub-processors.

7.4 Information for the Customer

The Customer may obtain at any time a copy of the applicable safeguards and the mapping of the locations by writing to dpo@pre-hire.com.

7.5 Ongoing sovereignty initiative

PreHire is pursuing an ongoing initiative to strengthen the sovereignty of its infrastructure:

  • maintaining European residency by default for Candidate Data;
  • priority selection of European providers at each review of the stack;
  • planned migration of transactional messaging to a French provider;
  • study of the migration of the primary infrastructure to a sovereign European host.

8. Liability

Each Party is liable for damage resulting from a breach of the obligations incumbent on it under the GDPR or this DPA.

PreHire is liable for damage caused by processing only:

  • where it has not complied with the obligations specifically imposed on processors by the GDPR;
  • or where it has acted outside or contrary to the lawful instructions of the Customer.

The overall limitation of liability provided for in the Terms of Use and Terms of Sale also applies to this DPA.

9. Order of precedence

In the event of a conflict between the DPA and the Terms of Use/Terms of Sale for matters relating to the processing of Candidates' personal data, the DPA prevails. For other matters, the order of precedence is: DPA, Terms of Sale, Terms of Use.

10. Governing law and jurisdiction

This DPA is governed by French law. Any dispute is submitted to the Commercial Court of Lille Métropole.

Annex – Summary description of the processing

  • Purpose: AI-assisted pre-screening of candidates
  • Data subjects: Candidates invited by the Customer
  • Categories of data: identification (surname, first name, email, telephone), CV (career history, education, skills), video responses and their transcriptions, connection data to the interview interface
  • Special categories: none requested
  • Duration: for the duration of the contract + 30 days after termination. Non-converted trial sessions: videos 30 days (fixed), analysis results 30 days to 12 months, from the end of the trial (see art. 6.9)
  • Location: European Union (data residency). AI processing: models hosted exclusively within the European Union. Peripheral technical sub-processors (emails, payment) sometimes established outside the EU and governed by SCCs (see Article 7).

DPO contact: dpo@pre-hire.com

This document is published by Reach Technologies SAS. For any question: contact@pre-hire.com.

See also: Legal Notice · Privacy Policy · Cookies

Pre-Hire Logo

Pre-Hire automates your pre-screening so you only meet the candidates worth your time.

in

Company

  • Contact
  • Legal notice
  • Subprocessors

Legal — Recruiters

  • Terms of Use
  • Terms of Sale
  • DPA
  • Privacy
  • Cookies

Legal — Candidates

  • Candidate Terms
  • Candidate Notice
  • Exercise my rights

© 2026 Pre-Hire — Reach Technologies SAS. All rights reserved.

Made with 💜 for overwhelmed recruiters