Data Processing Agreement

Effective date: 27 June 2026
Last updated: 27 June 2026

This Data Processing Agreement ("DPA") forms part of, and is governed by, the Terms of Service between Tamás Szigeti, an individual entrepreneur (egyéni vállalkozó) registered in Hungary (the "Processor", "we", "us") and the customer Workspace that accepts it (the "Controller", "you").

You accept this DPA when your Workspace is created. It applies whenever we process personal data on your behalf in providing the Service. It is required by Article 28 of the GDPR.

This DPA governs only the data for which you are the Controller — the profiling data your Workspace commissions (questionnaire answers, the derived matrix, and Evaluations relating to your Respondents). It does not cover the User identity records or billing data, for which we are the Controller under our Privacy Policy. The two-role structure is explained in §2 of the Privacy Policy.

1. Definitions

Terms not defined here have the meaning given in the GDPR and in the Terms of Service. "Personal Data", "Controller", "Processor", "Sub-processor", "Data Subject", and "Processing" carry their GDPR meanings.

2. Roles

For the profiling data your Workspace commissions, you are the Controller and we are the Processor. You determine the purposes and means of the processing — whom you profile and why. We process that data only to provide the Service.

3. Subject matter and details of processing

Subject matter: Processing of profiling data to produce profiles and Evaluations through the Service
Duration: For the term of the Terms of Service, and until deletion under §9
Nature and purpose: Storing questionnaire answers; computing the matrix; producing Evaluations (including, where applicable, with AI assistance); making the matrix and Evaluation available to you and the Respondent
Types of personal data: Questionnaire answers; the derived preference matrix; written Evaluations; Respondent email address and name as needed to deliver Assignments
Categories of Data Subjects: The Respondents your Workspace chooses to profile (e.g. staff, candidates, team members)

Profiling outputs concern an identified individual's preferences and may be sensitive by context. They are not special-category data within the meaning of Article 9 GDPR unless you choose to put such data into them; you must not.

4. Our obligations as Processor

We will:

a. process the data only on your documented instructions, including the instructions embodied in your use of the Service and in the Terms, unless required to act otherwise by law (in which case we will tell you, unless the law forbids it);

b. ensure that people authorised to process the data are bound by confidentiality;

c. implement appropriate technical and organisational security measures (§7);

d. respect the conditions in §8 for engaging Sub-processors;

e. assist you, by appropriate technical and organisational measures and insofar as possible, to respond to Data Subjects exercising their rights (§6);

f. assist you in ensuring compliance with your obligations on security, breach notification, data-protection impact assessments, and prior consultation, taking into account the nature of processing and the information available to us;

g. at your choice, delete or return the data at the end of the provision of services, and delete existing copies unless law requires storage (§9);

h. make available to you the information necessary to demonstrate compliance with Article 28, and allow for and contribute to audits (§10); and

i. inform you if, in our opinion, an instruction infringes the GDPR.

5. Your obligations as Controller

You will:

a. ensure you have a lawful basis for the profiling you commission, and comply with your transparency and notice obligations towards Respondents (this restates the warranty in §6 of the Terms);

b. issue only lawful instructions;

c. not put special-category data into questionnaire answers, the matrix, or Evaluations; and

d. handle Respondents' rights requests for which you are the Controller, with our assistance as described in §6.

6. Data subject rights

We will assist you in meeting Respondents' rights. On your request, and within the timeframes the GDPR requires, we will:

  • export a Respondent's data (their submission, matrix, and Evaluation);
  • delete a Respondent's data; and
  • apply the retention period you specify (by default, profiling data is retained for 24 months).

We currently action these requests on your behalf when you contact us. We are introducing self-service tools within the Service to let you perform export, deletion, and retention configuration directly; until those are available, contact us at privacy@profiling.app and we will carry them out.

Where a Respondent contacts us directly about data you control, we will refer them to you (and tell you), and assist as reasonably required.

7. Security

Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, we maintain appropriate technical and organisational measures, including:

  • hosting within the EU (Amsterdam) with a reputable infrastructure provider, with managed backups;
  • keeping Respondents' individual answers internal — they are not exposed to commissioning Workspaces;
  • configuring error tracking to exclude profiling content and IP addresses, identifying sessions only by an opaque identifier;
  • stripping direct identifiers from any profiling data sent to an AI provider for Evaluation assistance (the data is pseudonymised — the matrix without name or other direct identifier);
  • access limited to what is needed to operate the Service;
  • encryption in transit; access controls; and reasonable measures for confidentiality, integrity, availability and resilience.

8. Sub-processors

You give general authorisation for us to engage Sub-processors. The current list, with each Sub-processor's location, purpose, and transfer mechanism, is published at Sub-processor List and forms part of this DPA.

We impose on each Sub-processor data-protection obligations no less protective than those in this DPA. We remain liable to you for a Sub-processor's performance of its obligations.

We will give you a reasonable means of learning of intended changes to the list (additions or replacements of Sub-processors), giving you the opportunity to object on reasonable data-protection grounds. If you object and we cannot reasonably accommodate the objection, you may terminate the affected processing.

9. Return and deletion

On termination, or on your instruction, we will delete or return the profiling data we hold for you, and delete existing copies, unless EU or Member State law requires us to keep it. Backups cycle out within our normal backup-rotation period.

Where profiling data rests in more than one of our internal stores — for example, both the primary database and the prompt/completion store of our AI-evaluation tooling — deletion reaches all such stores, so that a deletion request removes the matrix and Evaluation wherever we hold them.

10. Audit

We will make available the information reasonably necessary to demonstrate compliance with Article 28 and this DPA, and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate. Audits must be on reasonable prior notice, during business hours, no more than once a year (unless a regulator requires otherwise or a breach has occurred), and conducted so as not to disrupt the Service or compromise other customers' confidentiality. We may provide an up-to-date third-party report or our own documentation to satisfy an audit request where that reasonably does so.

11. International transfers

We process within the EU/EEA save for the Sub-processors identified in the Sub-processor List as based in, or processing in, countries outside the EEA — currently Stripe, Sentry, and Anthropic (United States), and Ably (a global edge network that may process outside the EEA). For those, transfers rely on an adequacy decision or the Standard Contractual Clauses, as stated in the list. We will not transfer your data outside the EEA except under a valid transfer mechanism.

12. Personal data breach

We will notify you without undue delay after becoming aware of a personal data breach affecting your data, and will provide the information you reasonably need to meet your own notification obligations, to the extent the information is available to us.

13. Liability and governing law

Liability under this DPA is subject to the limitations in the Terms of Service. This DPA is governed by the laws of Hungary, and the jurisdiction clause of the Terms applies. Where this DPA and the Terms conflict on the processing of profiling data, this DPA prevails.

14. Contact

Data-protection contact for matters under this DPA:

Tamás Szigeti
privacy@profiling.app
2484 Gárdony, Mikszáth Kálmán utca 29., Hungary