Data Processing Agreement

Last updated: May 2026 — Article 28 GDPR

1. Parties

This Data Processing Agreement (“DPA”) is entered into between:

  • Processor: REFRUIT TNOS Ltd, a company incorporated in the Republic of Ireland, operating the REFRUIT TNOS platform.
  • Controller: the agency tenant organisation that has subscribed to the REFRUIT TNOS platform and whose identity is set out in the associated subscription agreement.

This DPA forms part of the Terms of Service and is binding on both parties. It satisfies the requirements of Article 28 of Regulation (EU) 2016/679 (“GDPR”) as given effect in Irish law by the Data Protection Act 2018.

2. Processing details

Subject matter

Processing of personal data in connection with the provision of the REFRUIT TNOS recruitment operations platform.

Duration

For the duration of the active subscription period and, to the extent required by law, for the retention periods set out in the Privacy Policy following termination.

Nature and purpose

Storage, organisation, retrieval, consultation, use, disclosure, combination, restriction, erasure, and destruction of personal data for the purpose of recruitment placement services, including compliance management, shift fulfilment, timesheet processing, and payroll preparation.

Categories of data subjects

  • Job candidates and agency workers
  • Client employees and authorised hirer personnel
  • Agency staff with platform access

Categories of personal data

  • Names, contact details, and identity documents
  • Work history, qualifications, and references
  • Biometric data (facial photographs for kiosk attendance, where in use)
  • Financial data including bank details and payroll information
  • Compliance records including Garda vetting outcomes
  • Health declarations and medical information (where required by law)
  • Platform usage logs and audit events

3. Processor obligations

REFRUIT TNOS Ltd, as processor, shall:

  • Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or international organisation.
  • Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement the technical and organisational security measures described in Section 5 of this DPA.
  • Not engage another processor (sub-processor) without prior specific or general written authorisation of the Controller. Current sub-processors are listed in Section 4. We will provide advance notice of changes to this list.
  • Assist the Controller in fulfilling obligations to respond to requests from data subjects exercising their rights under Chapter III GDPR.
  • Assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, data protection impact assessments, prior consultation).
  • Delete or return all personal data to the Controller after the end of the provision of services relating to processing, as described in Section 7.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and allow for and contribute to audits conducted by the Controller or an authorised auditor.

4. Sub-processors

The Controller hereby provides general authorisation for REFRUIT TNOS Ltd to engage the following sub-processors:

Sub-processor   Purpose                                      Location
Supabase        Database hosting and authentication          EU (Ireland)
Vercel          Application hosting and edge delivery        EU region
Resend          Transactional email delivery                 EU region
Sentry          Error monitoring and performance tracking    EU region

We will provide at least 30 days' written notice before adding a new sub-processor. The Controller may object to the engagement of a new sub-processor by notifying us in writing within that period, in which case the parties will seek to resolve the matter in good faith.

5. Security measures

REFRUIT TNOS Ltd implements the following technical and organisational measures in accordance with Article 32 GDPR:

  • Encryption at rest: all database content is encrypted using AES-256 at the storage layer within Supabase.
  • Encryption in transit: all data transmitted between clients and the platform is encrypted via TLS 1.2 or higher. HTTPS is enforced with HSTS headers.
  • Access controls: role-based access control (RBAC) with row-level security enforced at the database layer. Each tenant's data is logically isolated. Multi-factor authentication is supported.
  • Audit logging: all data access, modification, and deletion events are logged with timestamps, user identity, and IP address. Logs are retained for 7 years.
  • Vulnerability management: regular dependency audits, security scanning, and penetration testing on a periodic basis.
  • Staff training: all staff with access to production systems receive mandatory data protection training on appointment and annually thereafter.
  • Incident response: a documented incident response plan is maintained and tested annually.

6. Personal data breach notification

In the event of a personal data breach as defined in Article 4(12) GDPR, REFRUIT TNOS Ltd shall notify the Controller without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach.

Notification will include, to the extent then known:

  • The nature of the breach including the categories and approximate number of data subjects and records concerned
  • The name and contact details of the DPO or other point of contact
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach

Breach notifications should be sent to dpo@refruit.work. Where information is incomplete at the time of initial notification, we will supplement it as soon as reasonably practicable.

7. Termination and data return

Upon termination or expiry of the subscription agreement, REFRUIT TNOS Ltd shall, at the choice of the Controller and within 30 days of the termination date:

  • Return all personal data to the Controller in a structured, commonly used, machine-readable format (JSON or CSV); or
  • Securely delete all personal data and provide written confirmation that deletion has been completed.

Backup copies will be deleted within 90 days of the termination date in accordance with our backup rotation schedule. We may retain personal data for longer where required by Irish or EU law, in which case we will notify the Controller of the applicable legal obligation.

8. Contact

Questions regarding this DPA should be directed to our Data Protection Officer at dpo@refruit.work.