Terms and Conditions

• Service Provider – Heroify Sp. z o.o. based in Warsaw, address: ul. Padewska 23/7 with NIP 521-39-30-518, e-mail address: contact@heroify.co.
• Platform – the Heroify online platform available at www.heroify.co and owned by the Service Provider, within which the Service Provider enables the creation and solving of Tests.
• User – any natural person who has ever used the Platform and whose data is on the Platform.
• Recruiter – a person who creates Tests using the Platform and then makes them available to Candidates.
• Candidate – a person who completes the Tests made available to them by the Recruiter.
• Services – all the services provided to users by the Platform on the basis of these regulations.
• Account – a collection of resources within the Service Provider's data system, in which Users' data is stored, thanks to which Users can use the Platform.
• Test – a set of questions and tasks generated by the Recruiter through the Platform and solved by the Candidates, which checks the competencies defined by the Recruiter.
• Promotion for start – a set of rules according to which the Service Provider allows Recruiters free use of the Platform, including creation of an unlimited number of Tests and their solving by an unlimited number of Candidates.

The platform can be used by all users who have agreed to the terms of the Regulations and who have created a free account by providing true and up-to-date information. Providing false data may result in the closure of the Account on the Platform.

The Provider, through the Platform, provides the following Services to Users:

• creation and maintenance of an Account on the Platform
• creation of Tests on the basis of questions and tasks available on the Platform as well as own Tests
• making Tests available to Candidates
• solving Tests by Candidates
• comparing Candidates' results
• sending newsletters

Tests are created automatically after the Recruiter performs the following actions:

1. providing the name of the position,
2. determining the level of the position,
3. making a job offer available,
4. choosing the type of test,
5. confirmation or selection of competencies to be tested.

Tests consist of questions and tasks checking the competences selected by the Recruiter, chosen automatically by the Platform on the basis of the information provided by the Recruiter. The Recruiter is not able to choose questions and tasks from the Platform's database, but is able to add his/her own questions and tasks.

Each test has a predefined suggested time, but candidates can exceed it. The final result of the test is influenced by number of correctly and incorrectly provided answers.

In the case of the newsletter service, in order to receive it, it is necessary to give a separate consent and make your e-mail address available in the appropriate field on the Platform. The newsletter is sent free of charge and the User may unsubscribe at any time by clicking on the deactivation link in the email.

All content made available on the Platform, including photos, questions and tasks, is protected by copyright and belongs directly to the Provider or to Users who publish on the Platform with the permission of the Provider.

Copying the content made available on the Platform and making it available and using it without the written consent of the Service Provider is prohibited and illegal. It may give rise to civil and criminal proceedings against those who do so.

The use of the Service to a different extent than specified in the Regulations is permitted only with the prior written consent of the Service Provider.

The DPA attached below to the Terms & Conditions constitutes the instructions given by the Customer to Heroify regarding the processing of Personal Data, in accordance with GDPR, Article 28. Acceptance of the DPA is a condition precedent to the conclusion of the Terms and Conditions between the Parties and its entry into force.

Complaints related to the Service may be submitted to the e-mail address: contact@heroify.co. The complaint should contain the name and surname, company name (in case of Recruiters), email address and a description of the reason for the complaint.

The Service Provider undertakes to investigate the complaint within 14 days of receiving it and to inform the User about the outcome of the investigation.

The Service Provider and its suppliers make every effort to ensure that the Service and the Platform are free of errors and operate continuously, but they do not give any warranty and are not liable for any damages, including loss of profits.

The Service Provider is not responsible for the content and results of the Tests or for any false or incomplete data or information provided by Users.

Service Provider is not responsible for the consequences of the use of information obtained by Users as a result of using the Service, in particular for the consequences of decisions taken on this basis.

Service Provider may make changes to the Regulations without giving reasons. All changes shall become effective upon publication on the Platform, of which the User will be informed by electronic means to the e-mail address provided during registration.

Any disputes between the parties shall be resolved amicably. However, if it is not possible to resolve a dispute amicably, the Court of competent jurisdiction to hear the dispute shall be the Court with jurisdiction over the Service Provider's registered office.

All disputes arising under these Terms of Use shall be governed by Polish law.

These Terms and Conditions enter into force on 30/11/2021.

Background

This Data Processing Agreement ("DPA") specifies the Parties' data protection obligations, which arise from the Service Provider's ("Data Processor") processing of personal data on behalf of the Customer ("Data Controller") under the service agreement between the Parties ("Terms and Conditions" or "T&C").

The DPA is adopted as an appendix to the T&C. In the event that any provision of this DPA is inconsistent with any term(s) of the T&C, the DPA will prevail.

Definitions

For the purposes of this DPA:

• "Applicable Data Protection law" means any privacy law which may apply to the terms of this agreement and which may vary from time to time;
• "Data Controller" and "Data Processor" shall have the meanings as set out in Article 4(7) and (8) respectively of EU General Data Protection Regulation 2016/679 (the "GDPR");
• "Data Protection Supervisory Authority" (DPSA) is the supervisory authority for the purposes of Article 51 of the GDPR;
• "Data Subject" shall mean the subject of Personal Data;
• "Personal Data" shall have the meaning set out in Article 4(1) of the GDPR;
• "Prompt Notice" shall mean 24 hours unless otherwise expressly stated in this agreement;
• "Special Category Data" shall have the meaning set out in Article 9(1) of the GDPR;
• "Third Country" shall mean a location outside of the European Economic Area (EEA).

This DPA, including these definitions and its recitals and schedules, is a free-standing document that does not incorporate commercial business terms established by the parties under separate commercial arrangements.

The details of the data processing (as well as the Personal Data covered) are specified in Schedule 1 hereto.

1. Terms

The Data Controller and the Data Processor agree that:

• 1.1 The Data Controller and the Data Processor acknowledge that for the purposes of the Applicable Data Protection Law (as amended) the Customer is the Data Controller and Heroify Sp. z o.o. is the Data Processor in respect of any Personal Data.
• 1.2 The Data Processor shall process Personal Data only for the purposes of carrying out their obligations arising under the T&C.
• 1.3 The Data Controller shall instruct the Data Processor to process the Personal Data in any manner that may reasonably be required in order for the Data Processor to carry out the processing in compliance with this DPA and in compliance with Applicable Data Protection law.
• 1.4 The Data Controller shall refrain from providing instructions which are not in accordance with applicable laws including Applicable Data Protection law, and, in the event that such instructions are given, the Data Processor is entitled to resist carrying out such instructions.
• 1.5 The details of the transfer and of the Personal Data are specified in Schedule 1. The parties agree that Schedule 1 may contain confidential business information which they will not disclose to third parties, except as required by law or in response to a competent regulatory or government agency.
• 1.6 This DPA shall continue for no less a term than the term of the Agreement.
• 1.7 The rights and obligations of the parties with respect to each other under this Clause 1 shall survive any termination of the Agreement.

2. Regulatory Compliance

To the extent required by law or regulation:

• 2.1 The Data Processor shall co-operate with the DPSA in connection with any activities performed by the Data Processor;
• 2.2 The Data Controller, its auditors and the DPSA shall have effective access to data related to such activities, as well as effective access to the Data Processor's business premises;
• 2.3 The DPSA shall have without notice the right of access to the Data Processor's business premises for purposes of this Clause 2; and
• 2.4 The Data Processor shall give prompt notice to the Data Controller of any development that may have a material impact on the Data Processor's ability to perform services effectively under this Agreement and in compliance with applicable laws and regulatory requirements.

3. Obligations of the Data Controller

The Data Controller warrants and undertakes to:

• 3.1 The Personal Data has been collected, processed and transferred in accordance with the GDPR and all Applicable Data Protection law.
• 3.2 It has used reasonable efforts to determine that the Data Processor is able to satisfy its legal obligations under this DPA.
• 3.3 It will respond to enquiries from Data Subjects and the DPSA concerning processing of the Personal Data by the Data Controller, unless the parties have agreed that the Data Processor will so respond, in which case the Data Controller will still respond to the extent reasonably possible and with the information reasonably available to it if the Data Processor is unwilling or unable to respond.
• 3.4 It will make available, upon request, a copy of this DPA to Data Subjects who are relevant to the processing, unless this DPA contains confidential information, in which case it may redact such information.

4. Obligations of the Data Processor

The Data Processor warrants and undertakes that:

• 4.1 It will comply with all applicable law including Applicable Data Protection law in its performance of this DPA.
• 4.2 It will only process the Personal Data on the instructions of the Data Controller.
• 4.3 It will not transfer Personal Data to a Third Country without the prior written approval of the Data Controller and only then once the transfer has been legitimized and an adequate Data Protection regime exists or adequate security measures have been implemented.
• 4.4 It will not appoint sub-processors to process the Personal Data on its behalf without the prior written approval of the Data Controller.
• 4.5 It will have in place appropriate technical and organizational measures, and all measures pursuant to Article 32 of the GDPR, to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access.
• 4.6 It will obtain guarantees from any sub-processors that they will have in place appropriate technical and organisational measures to protect the Personal Data.
• 4.7 It will have in place procedures so that any individual it authorises to have access to the Personal Data will respect and maintain the confidentiality and security of the Personal Data.
• 4.8 It will not disclose any Personal Data to a third party other than at the specific written request of the Data Controller, unless required by applicable law.
• 4.9 It will notify the Data Controller of any request for information by the DPSA and will not disclose any Personal Data without the prior consent of the Data Controller.
• 4.10 It will notify the Data Controller of any complaint, notice or communication received which relates to the processing of the Personal Data.
• 4.11 It will give the Data Controller prompt notice of a Personal Data breach or a potential data breach once becoming aware of it, and will cooperate in implementing appropriate action.
• 4.13 It will delete from its systems all copies of any Personal Data and return all documentation on the completion of the Service Agreement or on request from the Data Controller, except where the Data Processor has a legitimate reason to continue processing or is legally required to maintain data records.
• 4.14 It will identify to the Data Controller a contact person within its organisation authorised to respond to enquiries concerning processing of the Personal Data.
• 4.15 It will be capable of demonstrating its compliance with the obligations of Applicable Data Protection law.

5. Right of Audit

5.1 Upon reasonable request of the Data Controller, the Data Processor will submit its data processing facilities, data files and documentation for reviewing, auditing and/or certifying by the Data Controller to ascertain compliance with the warranties and undertakings in this Agreement, with reasonable notice and during regular business hours.

6. Data Subject's Rights

6.1 The Data Processor will assist the Data Controller, whenever reasonably required, to fulfill the Data Controller's obligation to respond to requests for exercising the Data Subject's rights as provided under Applicable Data Protection law.

7. Liability and Indemnity

• 7.1 The Data Processor will not be liable for any claim brought by a Data Subject arising from any action by the Data Processor to the extent that such action resulted directly from the Data Controller's instructions.
• 7.2 Except as provided for in Clause 7.1, the Data Processor shall indemnify the Data Controller for any monetary fine or penalty imposed on the Data Controller by the DPSA that results from the Data Processor's breach of its obligations under this DPA.

8. Law Applicable

8.1 This DPA shall in all respects be governed by and interpreted in accordance with the laws of Poland. The parties hereto hereby submit to the exclusive jurisdiction of the Polish Courts for all the purposes of this DPA.

9. Resolution of Disputes

• 9.1 In the event of a dispute or claim brought by a Data Subject or the DPSA concerning the processing of the Personal Data, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.
• 9.2 The parties agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or by the DPSA. The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
• 9.3 Each party shall abide by a decision of the DPSA which is final and against which no further appeal is possible.

10. Termination

• 10.1 In the event that either the Data Processor or the Data Controller is in breach of its obligations under this DPA, then either party may temporarily suspend the transfer of Personal Data until the breach is repaired or the DPA is terminated.
• 10.2 The parties agree that the termination of this DPA at any time, in any circumstances and for whatever reason does not exempt them from the obligations and/or conditions under this DPA as regards the processing of the Personal Data transferred.

Schedule 1 — Description of the Transfer

• Data Subjects: Customer's Candidates participating in recruitment processes that involve use of Heroify's software; Customer's employees using Heroify software ("Users").
• Purpose of the transfer(s): This transfer is necessary for Heroify to provide Customers with services included in the T&C.
• Categories of data: First and last name of each Candidate and User; Email address of each Candidate and User; Phone number of each Candidate; Heroify test score of each Candidate; IP address of each Candidate and User.
• Recipients: Google (Google Inc. based in the USA), provider of Google Cloud, the Service in which Heroify's web application is hosted.
• Sensitive data: No Sensitive Data will be transferred within this transfer.
• Contact points for data protection enquiries: Heroify's Data Protection Officer: gdpr@heroify.co