Job Boardly Data Processing Agreement
Version 1.0 — Effective as of 6 May 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Glacier Systems Pty Ltd (ABN 47 687 105 184) (“Job Boardly”, “we”, “us”, the “Processor”) and you, the customer (the “Controller”). It governs the processing of personal data by Job Boardly on your behalf in connection with the Job Boardly platform and services (the “Services”).
By subscribing to a paid plan, you agree to this DPA.
1. Definitions
In this DPA:
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council
- “UK GDPR” means the GDPR as retained in UK law by the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018
- “Personal Data”, “Processing”, “Data Subject”, “Controller”, “Processor”, “Sub-processor”, and “Personal Data Breach” have the meanings given in the GDPR (or UK GDPR, as applicable)
- “SCCs” means the Standard Contractual Clauses adopted by the European Commission under Decision 2021/914
- “IDTA” means the International Data Transfer Agreement issued by the UK Information Commissioner’s Office
- “Services” has the meaning given in the Terms of Service
2. Roles of the parties
You are the Controller of personal data collected from job seekers, employers, applicants, and other users of your job board. Job Boardly is the Processor, processing that personal data solely on your behalf and in accordance with your instructions.
For personal data that Job Boardly collects from you directly (such as your account and billing information), Job Boardly acts as an independent Controller, as described in our Privacy Policy.
3. Subject matter, nature and duration
| Subject matter | Processing of personal data in connection with the provision of the Services |
| Duration | The term of your subscription agreement with Job Boardly |
| Nature of processing | Collection, storage, retrieval, transmission, and deletion of personal data through the platform |
| Purpose | Enabling you to operate a job board and manage job seeker, employer, and applicant data |
4. Types of personal data and data subjects
Types of personal data processed:
- Job seeker and applicant data: names, email addresses, phone numbers, CVs, cover letters, and application responses
- Employer and recruiter data: names, email addresses, company information, and job posting content
- Job board visitor data: IP addresses, browser data, and usage data (where applicable)
Categories of data subjects:
- Job seekers applying through your job board
- Employers or recruiters posting on your job board
- Visitors to your job board
5. Controller obligations
As Controller, you agree to:
- Ensure you have a lawful basis for collecting and processing personal data through your job board
- Provide a privacy notice to your job board users explaining how their data will be used and shared
- Only instruct Job Boardly to process personal data in ways that are lawful under applicable privacy law
- Ensure that personal data you provide or make available to Job Boardly is accurate
- Comply with your obligations under GDPR, UK GDPR, or any other applicable privacy legislation
- Where your job board qualifies as a hosting service or online platform under the Digital Services Act (Regulation (EU) 2022/2065), ensure your own compliance with applicable DSA obligations, including maintaining compliant terms of service under Article 14 DSA and establishing a notice and action mechanism under Article 16 DSA. Job Boardly will provide reasonable technical assistance in this regard upon request
6. Processor obligations
Job Boardly, as Processor, agrees to:
- Process personal data only on your documented instructions, unless required to do so by applicable law (in which case we will inform you, unless prohibited by law from doing so)
- Ensure that all personnel authorised to process personal data are subject to appropriate confidentiality obligations
- Implement appropriate technical and organisational security measures in accordance with Article 32 GDPR
- Assist you in meeting your obligations with respect to data subject rights (Articles 15–22 GDPR), data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and information available to us
- Provide and maintain a Consent Management Platform (CMP) that enables you to obtain, record, and demonstrate visitor consent for cookies and similar technologies on your job board in line with the ePrivacy Directive, GDPR Article 7, the UK PECR, and applicable US state privacy laws. You are responsible for configuring the CMP (categories enabled, branding, third-party integrations) and for the lawfulness of any custom code you integrate via the CMP. We retain consent records on your behalf for up to 24 months and make them available for export and deletion via your operator dashboard
- Delete or return all personal data to you upon termination of the agreement, at your choice
- Make available all information reasonably necessary to demonstrate compliance with Article 28 GDPR
7. Sub-processors
Job Boardly engages sub-processors to assist in providing the Services. A current list of sub-processors is available at jobboardly.com/sub-processors.
We will provide at least 30 days’ prior notice of any intended change to our sub-processor list (additions or replacements) by updating the sub-processors page and notifying customers by email.
You may object to any intended change by contacting us at hello@jobboardly.com within the notice period, setting out your reasonable grounds for objection. If we are unable to accommodate your objection, you may terminate the affected Services on written notice.
Job Boardly remains liable to you for the acts and omissions of its sub-processors to the same extent as if Job Boardly had performed the processing directly.
8. International data transfers
Job Boardly is headquartered in Australia, which does not benefit from an EU adequacy decision.
EU/EEA transfers: Transfers of personal data from the EEA to Job Boardly in Australia are governed by the SCCs (Module 2: Controller to Processor), which are incorporated into this DPA by reference. The SCCs are available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj. The information required by Annex I (parties and processing description) and Annex II (technical and organisational security measures) of the SCCs is set out in Sections 3, 4, and 9 of this DPA respectively.
UK transfers: Transfers of personal data from the UK to Job Boardly are governed by the IDTA issued by the UK ICO, or by SCCs supplemented by the UK Addendum (as issued by the ICO), as applicable.
Sub-processor transfers: Job Boardly ensures that transfers of personal data to sub-processors in third countries are protected by appropriate safeguards, including SCCs, adequacy decisions, or other approved transfer mechanisms. Details are set out in our Sub-processor List.
9. Security
Job Boardly implements and maintains appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- Encryption of data in transit (TLS) and at rest
- Access controls and role-based authentication
- Regular security assessments and monitoring
- Incident response procedures
- A self-hosted Consent Management Platform that supports script blocking, jurisdiction-aware behaviour (opt-in for GDPR-equivalent regions, opt-out for US state privacy law regions, notice elsewhere), automatic honouring of the Global Privacy Control browser signal, accessible (WCAG 2.1 AA) banner and preference centre, multi-tenant logical isolation of consent records, and a tamper-resistant consent log retained for up to 24 months
10. Personal data breach notification
In the event of a Personal Data Breach affecting your data, Job Boardly will:
- Notify you without undue delay, and in any event within 72 hours of becoming aware of the breach (to the extent reasonably practicable)
- Provide sufficient information to allow you to assess the breach and meet your own notification obligations to supervisory authorities and data subjects
- Cooperate with you in investigating, remediating, and reporting the breach
Breach notifications will be sent to the email address associated with your account.
11. Data subject rights
Job Boardly will provide reasonable technical assistance to help you respond to requests from data subjects exercising their rights under applicable law, including the rights of access, rectification, erasure, portability, restriction, and objection.
Where Job Boardly receives a data subject request directly relating to your job board, we will promptly forward it to you.
12. Audit rights
Job Boardly will make available all information reasonably necessary to demonstrate compliance with its obligations under this DPA.
Upon at least 30 days’ prior written notice, you may conduct (or appoint an independent auditor to conduct) an audit of Job Boardly’s data processing activities relevant to this DPA, at your own cost. Audits must be conducted during business hours, in a manner that minimises disruption to our operations, and subject to appropriate confidentiality undertakings.
13. Return and deletion of data
Upon termination or expiry of your subscription, Job Boardly will, at your election, either return or securely delete all personal data processed on your behalf, within 90 days of the termination date. This obligation does not apply where applicable law requires continued retention of the data.
Dormant end-user account deletion: In accordance with the storage limitation principle under Article 5(1)(e) GDPR, Job Boardly applies a default dormancy retention policy to personal data processed on your behalf. End-user accounts (job seeker and employer/recruiter accounts on your job board) that have had no activity for 12 months will be flagged as dormant. Job Boardly will send a warning notification to the account holder on your behalf, and if the account holder does not log in within 30 days of that notification, the account and associated personal data will be permanently deleted. As Controller, you are responsible for ensuring your privacy policy accurately reflects this retention schedule. If you require a different retention period, please contact us at hello@jobboardly.com.
Dormant operator account deletion: Lifetime plan accounts that have had no activity for 24 months will be flagged as dormant and scheduled for deletion in accordance with our Terms of Service. Job Boardly will send a warning email to your registered email address before deletion. If you do not log in within 30 days of that notification, your account and all associated data (including all data processed on your behalf as Controller) will be permanently deleted. For monthly and annual plan subscribers, account data is deleted within 90 days of subscription termination or expiry as set out above.
14. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service, to the extent permitted by applicable law.
15. Governing law
This DPA is governed by the laws of Queensland, Australia. For EU/EEA or UK users, nothing in this clause affects the rights of data subjects or the powers of supervisory authorities under applicable EU or UK data protection law.
16. Changes to this DPA
We may update this DPA from time to time to reflect changes in applicable law or our processing activities. Material changes will be notified to you by email at least 30 days before they take effect. Continued use of the Services after that date constitutes acceptance of the updated DPA.
17. Enterprise DPA
Enterprise customers with specific contractual or compliance requirements may request a customised Data Processing Agreement. Please contact us at hello@jobboardly.com to discuss your requirements.
18. EU/EEA and UK representative
As Glacier Systems Pty Ltd is established in Australia, we have appointed DataRep as our representative in the EU/EEA under Article 27 GDPR and in the United Kingdom under Article 27 UK GDPR. Data subjects, supervisory authorities, and Controllers may contact DataRep directly with queries relating to our processing of personal data:
DataRep
Email: datarequest@datarep.com (please quote “Job Boardly” in the subject line)
Online webform: www.datarep.com/data-request
EU/EEA postal address (head office): DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland
UK postal address: DataRep, 107-111 Fleet Street, London, EC4A 2AB, United Kingdom
DataRep has locations in each of the 27 EU countries, and in Norway and Iceland in the European Economic Area (EEA). A full list of country-specific addresses is available on request.
When mailing inquiries, please mark your letter for “DataRep” (not “Job Boardly”) and refer clearly to Job Boardly in your correspondence.
19. Contact
For any queries relating to this DPA or our data processing activities:
Glacier Systems Pty Ltd
Email: hello@jobboardly.com
ABN: 47 687 105 184
EU/EEA and UK data subjects may also contact our representative DataRep using the details set out in Section 18 above.