People Flow Terms of Service
Introduction
These Terms of Service ("Terms") govern your use of the People Flow Platform, Job Portal, and Website (collectively "People Flow Services"), operated by SAMETA s.r.o., Čulenova 7936/5, 811 09 Bratislava, Company ID: 50 706 667, registered in the Slovak Commercial Register (District Court Bratislava III, Insert No. 117160/B) ("People Flow", "we", "us", "our").
By using any People Flow Services, you agree to be bound by these Terms. If you do not agree, please do not use our Services.
These Terms are subject to change. The current version is always available at this link. By entering into an agreement with People Flow or by using the Services, you acknowledge that you have read, understood, and agree to be bound by these Terms.
Services Description
People Flow is a web-based platform that supports companies in managing recruitment processes, including job posting, candidate tracking, scheduling, document sharing, and communication. The Service consists of:
- People Flow Platform: For companies and recruiters to manage hiring workflows.
- People Flow Job Portal: For candidates to view and apply to job openings.
- People Flow Website: Our representative site with information about our services.
All of the above are further referred to as the "People Flow Service".
Provision of Service
Subject to these Terms, People Flow provides access to the Platform and Job Portal for Customer's internal recruitment and hiring management.
Access
Access is provided electronically. To use certain features, you may need to register for an account and provide accurate, complete information. You are responsible for maintaining the confidentiality of your login credentials and for all activity under your account.
No Equipment Provided
People Flow does not provide hardware, internet connection, or ancillary services necessary to access the Platform.
Service Modifications
People Flow may update, enhance, or modify the Platform from time to time. Customer acknowledges that functionality may evolve without compensation.
Subcontractors
People Flow may use subcontractors to deliver the Service, remaining responsible for their performance.
Feedback
People Flow may freely use feedback or suggestions to improve the Service without obligation to Customer.
Use of the Service
Purpose
Customer may use the Service solely for its internal recruitment processes in accordance with these Terms.
User Accounts
Each User must be registered to a single email address. Accounts are personal and may not be shared.
Age Restriction
The Service is not intended for users under 18. Customer warrants no Users will be under 18.
Prohibited Use
Customer agrees not to:
- Create derivative works based on the Platform.
- Circumvent limits or restrictions.
- Reverse engineer or copy Platform components.
- Remove proprietary notices.
- Use the Service for illegal activities.
- Upload or transmit malicious code.
- Interfere with Service integrity or performance.
Disclaimer on Customer Data Storage
People Flow is not responsible for what personal data companies store about candidates, for how long, or whether they are authorized to do so. Each Customer is solely responsible for compliance with data retention obligations as a data controller.
Disclaimer on Uploaded Content
People Flow is not responsible for the content uploaded to the platform by candidates or HR staff. Customers and Users are solely responsible for the content they upload or share. People Flow has the right (but not the obligation) to remove content that violates these Terms or applicable laws.
No Responsibility for Company Data Practices
Companies using People Flow to manage their hiring processes act as data controllers. People Flow acts as a data processor on their behalf. People Flow does not guarantee or take responsibility for:
- What personal data companies store about candidates,
- For how long,
- Or whether they have a legal basis to do so.
You should review the relevant company's privacy policies and practices independently.
Payment
Currently, People Flow Services are provided free of charge. We reserve the right to introduce paid features in the future with appropriate notice.
Warranties
Mutual Warranties
Each Party warrants it is validly incorporated and has authority to enter into these Terms.
Service Availability
People Flow will use reasonable efforts to maintain availability of the Platform.
Disclaimer of Warranties
TO THE MAXIMUM EXTENT PERMITTED BY LAW, THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE". PEOPLE FLOW DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, NON-INFRINGEMENT, OR SYSTEM INTEGRATION.
Limitation of Liability
To the fullest extent permitted by law, People Flow will not be liable for any indirect, incidental, special, consequential, or punitive damages arising from or relating to your use of the Services.
Force Majeure
Neither Party is liable for failure due to events beyond reasonable control.
Confidentiality
Obligations
Each Party shall:
- Use Confidential Information only to fulfil obligations under these Terms.
- Restrict disclosure to those with a need to know and under confidentiality obligations.
- Protect Confidential Information with reasonable care.
Exceptions
Confidentiality obligations do not apply to information:
- Publicly available without breach.
- Lawfully obtained from a third party.
- Independently developed.
- Required to be disclosed by law (with notice where possible).
INTELLECTUAL PROPERTY AND DATA PROTECTION
Intellectual Property
- People Flow retains all rights to the Platform and its technology.
- Customer retains all rights to Customer Data.
- Customer grants People Flow a limited right to use Customer Data to provide the Service and improve functionality.
- Customer grants People Flow a limited right to use Customer's logo and name to identify them as a customer.
Data Processing
Processing of personal data is governed by the Data Processing Addendum, which forms an integral part of these Terms. In case of conflict, these Terms prevail.
Governing Law
These Terms are governed by and construed in accordance with the laws of the Slovak Republic. Any disputes will be resolved by the courts of the Slovak Republic, unless mandatory legal provisions provide otherwise.
TERM, SUSPENSION, TERMINATION
Term
The Term starts on the Effective Date and continues for the agreed period, or twelve (12) months if unspecified.
Renewal
The Agreement renews automatically unless either Party provides thirty (30) days' notice before expiry.
Suspension
People Flow may suspend access with notice if Customer materially breaches these Terms.
Termination for Cause
Either Party may terminate immediately if the other:
- Materially breaches and fails to cure within thirty (30) days.
- Becomes insolvent or subject to bankruptcy proceedings not dismissed within sixty (60) days.
Post-Termination
Upon termination:
- Each Party returns or destroys Confidential Information.
- Customer may request export of Customer Data within thirty (30) days.
- People Flow may permanently delete Customer Data after sixty (60) days.
Changes to Terms
We may update these Terms from time to time. Significant changes will be notified via our website or via email. Continued use of the Services after changes take effect constitutes acceptance of the updated Terms.
Contact
For any questions about these Terms, please contact us at:
SAMETA s.r.o.
Čulenova 7936/5
811 09 Bratislava
Email: [email protected]
DATA PROCESSING ADDENDUM
INITIAL PROVISIONS
This Data Processing Addendum forms an integral part of the Agreement and is referenced in the Agreement.
By entering into the Agreement with People Flow, You, the Customer, acknowledge that you have read and understood this Data Processing Addendum and agree to be bound by it.
PEOPLE FLOW'S OBLIGATIONS
Roles
For the purposes of the GDPR and similar Data Protection Legislation, Customer (or third party on whose behalf Customer is authorised to instruct People Flow) is the Controller of Customer Data that are Personal Data, and People Flow shall Process Personal Data as a Processor (or sub-Processor, as applicable to Customer's use of Service).
Permitted Purposes
People Flow shall Process Personal Data for the purposes described in Annex A and in accordance with Customer's documented lawful instructions ("Permitted Purposes"), except where otherwise required by law(s) that are not incompatible with applicable Data Protection Legislation. To the extent required by Data Protection Legislation, this Clause 3.2 constitutes the certification from People Flow to the Processing instructions herein. People Flow is obliged at all times to Process Personal Data in compliance with Data Protection Legislation and fulfil all its obligations arising out of Data Protection Legislation.
Processing Instructions
People Flow shall immediately inform Customer if it becomes aware that Customer's Processing instructions infringe Data Protection Legislation. If People Flow is unable to Process Personal Data in accordance with the Customer's documented lawful instructions, People Flow is obliged to promptly notify Customer of its inability to comply.
Security Measures
People Flow shall implement and maintain reasonable and appropriate technical and organisational measures designed to protect all data, including Personal Data, from Data Breaches and preserve their security, integrity, and confidentiality. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. At a minimum, these measures must include the measures identified in Annex C of this Data Processing Addendum.
Access and Confidentiality
People Flow shall ensure that any person it authorises to Process the Personal Data (including People Flow's staff, agents and Sub-processors) ("Personnel") are under appropriate obligations of confidentiality (whether a contractual or statutory duty), have received proper training, are informed about the confidential nature of the Personal Data and their obligations related to it, and have access to Personal Data only in accordance with the need-to-know principle. People Flow shall ensure that all Personnel Process the Personal Data only as necessary for the Permitted Purposes.
Data Returns and Deletion
Upon termination or expiration of the Agreement, People Flow must delete or return to Customer all Personal Data (including copies) in its possession or control in accordance with the Agreement.
Audit Rights
Customer shall have the right to conduct an audit to verify People Flow's compliance with its obligations laid down in Art. 28 GDPR (if applicable) and in this Addendum. People Flow shall allow the Customer to carry out the audit under the following conditions:
- Customer asks People Flow to carry out the audit via a written notice at least 30 (thirty) days in advance;
- Customer will specify the agenda for such audit in the notification;
- the audit shall not take place more than once a year;
- all associated costs and expenses shall be borne by Customer and reimbursed to People Flow on demand; and
- the audit shall last no longer than the equivalent of 1 working day (8 hours) of the People Flow representative.
In case Customer requests the audit via an independent third party (an external licensed auditor), People Flow may object to an external licensed auditor appointed by Customer to conduct the audit if the auditor is, in People Flow's reasonable opinion, not suitably qualified or independent, a competitor of People Flow, or otherwise manifestly unsuitable. Any such objection will require Customer to appoint another auditor. In case Customer requires more than one audit within one calendar year, Customer shall obtain prior written permission of People Flow and shall bear the cost associated with such audits and reimburse People Flow all reasonably incurred costs of such audits. On the request of Customer, People Flow will provide Customer with the estimated cost that it expects to incur during such audit according to the extent specified in the agenda provided by Customer.
CUSTOMER'S OBLIGATIONS
Customer's Processing of Personal Data
Customer shall, in its use of Service, Process Personal Data in accordance with Data Protection Legislation. Customer shall have the sole responsibility for the accuracy, quality, and legality of Personal Data and how Customer acquired Personal Data.
Customer's Compliance
Customer agrees that:
- it shall comply with its obligations as a Controller under Data Protection Legislation in respect of its Processing of Personal Data and any Processing instructions it issues to People Flow;
- it has provided notice and obtained (or shall obtain) all consents or any other necessary authorisations (as applicable) under Data Protection Legislation for People Flow to Process Personal Data for the Permitted Purposes;
- it shall be responsible for providing any notices required by Data Protection Legislation to its Users and other relevant data subjects with respect to sharing their Personal Data with People Flow;
- it has fulfilled (or shall fulfil) all registration or notification obligations to which Customer is subject under the Data Protection Legislation; and
- it is responsible for its own Processing of Personal Data, including integrity, security, maintenance and appropriate protection of Personal Data under Customer's control.
Technical and Organisational Measures
Customer is responsible for its secure use of Service, including securing the Admin/User Account, protecting the security of Personal Data when in transit to and from Service and taking any appropriate technical, organisational and security measures to securely encrypt or back up any Personal Data uploaded to Service. Customer is also responsible for the use of Service by any person the Customer authorised to access or use Service, and any person who gains access to its Personal Data or the Service as a result of its failure to use reasonable security precautions, even if Customer did not authorise such use. Customer agrees to, immediately upon awareness, notify People Flow of any unauthorised use of Service or the Admin/User Account or of any other breach of security involving Service.
COOPERATION
Data Subject Rights
To the extent that Customer is unable to access the relevant Personal Data within Service independently, People Flow shall, taking into account the nature of the Processing, provide assistance (including by appropriate technical and organisational measures) to provide reasonable cooperation to Customer in order to:
- respond to any requests from a data subject seeking to exercise any of its rights under Data Protection Legislation (including its right of access, correction, objection, erasure and data portability, as applicable); and
- respond to any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the Processing of the Personal Data (collectively "Correspondence").
In the event that any such Correspondence is made directly to People Flow, it shall promptly notify Customer and shall not respond directly unless legally compelled to do so. If People Flow is required to respond to such Correspondence, People Flow shall promptly notify Customer and provide it with a copy of the request, unless legally prohibited from doing so.
Data Protection Impact Assessment
To the extent required by Data Protection Legislation, People Flow shall provide reasonable cooperation regarding Service to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Legislation.
Request for Disclosure
People Flow is obliged to promptly notify Customer about any legally binding request for disclosure of the personal data by a judicial or regulatory authority unless otherwise prohibited, such as the obligation under criminal law to preserve the confidentiality of a judicial enquiry and to assist Customer therewith (at Customer's expense).
SECURITY INCIDENTS
Data Breach
Upon becoming aware of a Data Breach, People Flow shall notify Customer without undue delay and shall provide such timely information and cooperation as Customer may reasonably require in order to fulfil its data breach reporting obligations under Data Protection Legislation, including the type of data affected and the identity of the affected person(s) as soon as such information becomes known or available to People Flow.
No Acknowledgement
Customer agrees that any notification that People Flow provides to Customer in relation to a Data Breach shall not be construed or understood as an acknowledgement of any fault or liability.
Further Conduct
People Flow shall further take all such measures and actions as are reasonable to remedy or mitigate the effects of the Data Breach and shall keep Customer informed of all developments in connection with the Data Breach.
Cooperation
If a Data Breach is caused or materially contributed to by the Customer, People Flow will cooperate in the investigation of the Data Breach subject to Customer's obligation to compensate People Flow for its expenses and costs.
SUB-PROCESSING
Authorised Sub-processors
Customer provides a general authorisation for People Flow to engage Sub-processors to Process Personal Data on Customer's behalf. The Sub-processors currently engaged by People Flow are listed in Annex B.
New Sub-processors
People Flow shall provide at least 10 days' prior written notice to the Customer of the engagement of any new Sub-processor (including details of the Processing and location). People Flow provides such notifications to Customer via the List of Subprocessors page on People Flow's website. It is the responsibility of the Customer to regularly check this page for updates.
Objections
If Customer has a reasonable objection to any new sub-processor, it shall notify People Flow of such objections in writing to [email protected] within ten (10) days from receiving the notification and the Parties will seek to resolve the matter in good faith. If Customer does not provide a timely objection to any new sub-processor in accordance with this Section 8.3, Customer will be deemed to have consented to the sub-processor and waived its right to object.
Liability for Sub-processors
People Flow remains fully liable for any breach of this Data Processing Addendum or the Agreement caused by an act, error or omission of such Sub-processor.
DATA TRANSFERS
International Data Transfers
People Flow shall take all such measures necessary to ensure that the Processing and transfer of Personal Data in or to a territory other than the territory in which the Personal Data was first collected complies with Data Protection Legislation.
Application of Standard Contractual Clauses
The Parties agree that when and to the extent the transfer of Personal Data from Customer to People Flow is a Restricted Transfer and EU Data Protection Law requires that appropriate safeguards are put in place, such transfer shall be governed by the EU SCCs, which shall be incorporated by reference into and form an integral part of this DPA as follows:
For the purposes of Personal Data that is subject to the EU Data Protection Laws ("EU Data"):
- Where Customer is a Controller of Personal Data, Module Two (Controller to Processor Clauses) will apply and where Customer is a Processor acting on behalf of third-party Controllers, Module 3 (Processor to Processor Clauses) will apply;
- in Clause 7 (Docking Clause), the optional docking clause will apply;
- in Clause 9 (Use of Sub-processors), Option 2 will apply, and the time period for prior notice of sub-processor changes shall be as set out in Clause 8.2 of this DPA and the period for notification of objections in Clause 8.3 of this DPA;
- in Clause 11 (Redress), the optional language to permit data subjects to lodge complaints with an independent dispute resolution body will not apply;
- in Clause 17 (Governing Law), Option 1 will apply, and the EU SCCs will be governed by Slovak law;
- in Clause 18(b) (Choice of forum and jurisdiction), disputes shall be resolved before the courts of the Slovak Republic.
LIMITATION OF LIABILITY
Customer's remedies, including its Affiliates, and People Flow's liability arising out of or in relation to this Data Processing Addendum (including Standard Contractual Clauses), are subject to those limitations of liability and disclaimers set forth in the Agreement. For the avoidance of doubt, nothing in this DPA is intended to limit the rights a Data Subject may have against either Party arising out of such Party's breach of the Standard Contractual Clauses, where applicable.
FINAL PROVISIONS
Third-Party Beneficiaries
Data Subjects are the sole third-party beneficiaries to the Standard Contractual Clauses, and there are no other third-party beneficiaries to the Agreement and this Data Processing Addendum.
Governing Law and Jurisdiction
This Data Processing Addendum shall be governed by and construed with governing law and jurisdiction provisions in the Agreement, unless and to the extent required otherwise by the Data Protection Legislation or the Standard Contractual Clauses.
Scope of this Data Processing Addendum
For the avoidance of doubt, the processing of information other than Personal Data for the Permitted Purposes does not fall under the scope of this Data Processing Addendum.
Term
This Data Processing Addendum shall continue to be in effect for the term of the Agreement plus the period from expiry of the Agreement until People Flow ceases to process Personal Data on behalf of Customer.
ANNEXES
Annex A: Description of the Processing Activities / Transfer
Annex A(1) List of Parties:
| Data Exporter | Data Importer |
|---|---|
| Name: Customer | Name: SAMETA s.r.o. |
| Address: As identified in the Order | Address: Čulenova 7936/5, 811 09 Bratislava |
| Contact details: As identified in the Order | Contact details: [email protected] |
| Activities relevant to the transfer: See Annex A(2) below | Activities relevant to the transfer: See Annex A(2) below |
| Role: Controller | Role: Processor |
Annex A(2) Description of Transfer:
| Categories of data subjects: |
|
| Categories of personal data: |
|
| Sensitive data: | People Flow does not require any special categories of data to provide Service and does not intentionally collect or process such data in connection with the provision of Service. However, documents or free-text fields may include special categories of data if users voluntarily provide them (e.g. disability info, racial or ethnic origin in CVs). |
| Frequency of the transfer: | Continuous |
| Nature and subject matter of processing: | The Personal Data may be subject to the following processing activities:
|
| Duration of the processing: | Processing Term. |
| Purpose(s) of the data transfer and further processing: |
|
| Retention period: |
|
Annex A(3): Competent supervisory authority
With respect to EU Data the competent supervisory authority is the Slovak Data Protection Authority (the "Slovak DPA").
Annex B: Approved Sub-processors
| Sub-processor | Processing Activity |
|---|---|
| Firebase (Google) | User authentication (Firebase Auth) |
| AWS (S3, Parameter Store, Secrets Manager, IAM) | File storage, secure configuration management, and infrastructure access control |
| Google API (Gmail & Calendar) |
|
| Sentry | Error monitoring and logging |
| OpenAI API | Language model embeddings generation and structured data extraction |
| MistralAI API | Language model embeddings generation |
| Vercel | Frontend deployment |
The complete and up-to-date list of subprocessors with detailed information (entity details, location/jurisdiction, types of personal data processed) is available on our List of Subprocessors page.
Annex C: Technical and Organisational Measures
The technical and organisational measures implemented by People Flow (including any relevant certifications) to ensure an appropriate level of security taking into account the nature, scope, context, and purposes of the processing, and the risks for the rights and freedoms of natural persons, are described below.
| Type of measure | Implemented measure |
|---|---|
| Measures of pseudonymisation and encryption of personal data | Pseudonymization of text data before sending to external AI APIs; HTTPS/TLS encryption for data in transit; encryption of data at rest on AWS S3. |
| Measures for ensuring ongoing confidentiality of processing systems and Service | Role-based access controls; OAuth 2.0 / JWT for user sessions; separate environments for staging/production. |
| Measures for ensuring ongoing integrity of processing systems and Service | Input validation; strict logging of data changes; code reviews. |
| Measures for ensuring ongoing availability and resilience of processing systems and Service | AWS cloud redundancy; automatic scaling; database backups. |
| Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | Automated daily backups; defined disaster recovery plan. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing | Security audits; vulnerability scanning; monitoring via Sentry. |
| Measures for user identification and authorisation | Firebase Auth, Google SSO, Apple SSO; strict session management. |
| Measures for the protection of Data during storage | Encrypted storage on AWS S3; access limited to authorized services. |
| Measures for ensuring physical security of locations at which personal data are processed | AWS and Google Cloud data centers with certified physical security. |
| Measures for ensuring events logging | Audit logs of user actions; monitoring of admin access. |
| Measures for ensuring system configuration, including default configuration | Secure defaults; minimal access permissions; CI/CD with approvals. |
| Measures for internal IT and IT security governance and management | Developer training; security policy enforcement. |
| Measures for ensuring data minimisation | Only necessary data collected; optional fields clearly marked. |
| Measures for ensuring data quality | Validation of user input; user access to update data. |
| Measures for ensuring limited data retention | Retention policies aligned with legal needs; deletion workflows with user-triggered account deletion. |
| Measures for ensuring accountability | Documented privacy policies and procedures. |
| Measures for allowing data portability and ensuring erasure | User interface for data access and account deletion; manual support via email. |