Learn More About Our AI ✨
Enter a valid first name
Enter a valid last name
Enter a valid business email
Enter a valid business email
Book a Demo
Something went wrong while submitting the form.
Please try again, or contact us at sales@competewith.com
Let's schedule a a call ⭐
We are excited to meet you!
The next step is to schedule a 30-minute call below.
Home
Data Processing Addendum

Data Processing Addendum

Last updated - Aprile 2nd, 2026

This Data Processing Addendum (“DPA”) forms anintegral part of the commercial agreement or any other agreement (“Agreement”)in connection with the provision of services by and between Compete HR Ltd. (“Compete”),the provider of services under the Agreement (the “Services”), and therecipient of services under the Agreement (“Customer”), to reflect theparties’ agreement on the Processing of Customer Personal Data.

All capitalized terms not defined herein will have themeaning set forth in the Agreement, or under applicable Privacy Laws andRegulations. All terms under the Agreement apply to this DPA, except that theterms of this DPA will supersede any conflicting terms under the Agreement.

In the course of providing the Services, Compete may ProcessCustomer Personal Data. Accordingly, the parties agree to comply with thefollowing provisions under this DPA with respect to the Processing of CustomerPersonal Data, as further described herein.

1. DEFINITIONS

1.1 “Customer Personal Data”means Personal Data Processed by Compete on behalf of Customer as part of theprovision of Services.

1.2 “Data Subject” means an identified oridentifiable natural person; an identifiable natural person is one who can beidentified, directly or indirectly, in particular by reference to an identifiersuch as a name, an identification number, location data, an online identifieror to one or more factors specific to the physical, physiological, genetic,mental, economic, cultural, or social identity of that natural person.

1.3 “EU SCCs” means the StandardContractual Clauses pursuant to EU Commission Decision C(2021)3972,available here.

1.4 “Personal Data Breach”means a breach of security leading to the accidental or unlawful destruction,loss, alteration, unauthorized disclosure of, or access to, Customer PersonalData transmitted, stored, or otherwise processed.

1.5 “Personnel” means persons authorized by Competeto Process Customer Personal Data.

1.6 “Privacy Laws and Regulations”means all data protection and privacy laws and regulations that are applicableto the Personal Data being processed under this DPA and the Agreement,including, but not limited to, as applicable:
the Protection of Privacy Law, 5741–1981, and any regulations promulgatedpursuant to it, including the Protection of privacy regulations (data security)5777-2017 as may be amended or superseded from time to time (“Israeli Privacy Laws”),Regulation(EU) 2016/679of the European Parliament and of the Council of 27 April 2016 onthe protection of natural persons with regard to the processing of personaldata and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”),andthe GDPR as saved into United Kingdom law by virtue of Section 3 of the UnitedKingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”);TheCalifornia Consumer Privacy Act ("CCPA") as amended by the CaliforniaPrivacy Rights Act ("CPRA").

1.7 “Third Country” means a countryoutside the European Economic Area or the UK which was not acknowledged by theEU Commission or a UK Secretary of State as providing an adequate level ofprotection in accordance with Article 45(3) of the GDPR or Article 45 of the UKGDPR.

2.DATA PROCESSING

2.1 Scope and Roles.This DPA applies when Customer Personal Data is Processed by Compete as part ofCompete’s provision of the Services, as further specified in the Agreement andthe applicable order form. In this context, to the extent that provisions underPrivacy Laws and Regulations apply to Customer Personal Data, Customer is theController and Compete is the Processor.

2.2 Subject Matter, Duration, Nature, and Purpose of Processing.Compete processes Customer Personal Data as part of providing Customer with theServices, pursuant to the specifications and for the duration under the termsof the Agreement, Compete represents and warrants to Customer to adhere to the technicaland organizational measures stipulated under Annex II hereto..

2.3 Instructions for Compete’s Processing of Customer Personal Data.Compete will only Process Customer Personal Data on behalf of and in accordancewith Customer’s instructions. Customer instructs Compete to Process CustomerPersonal Data for the following purposes:

2.3.1 Processing in accordance with the Agreement andapplicable order forms, including, without limitation to provide, operate,control, supervise, and safeguard the Services – all integral parts of theprovision of the Services to Customer;

2.3.2 Processing to comply with other reasonableinstructions provided by Customer where such instructions are consistent withthe terms of the Agreement and comply with applicable Privacy Laws andRegulations. Processing outside the scope of this DPA (if any) will requireprior written agreement between Compete and Customer on additional instructionsfor Processing, including agreement on any additional fees Customer will pay toCompete for carrying out such instructions.

2.4 As required under applicable Privacy Laws andRegulations, Compete will inform Customer immediately, if in Compete’s opinionan instruction violates any provision under applicable Privacy Laws andRegulations and will be under no obligation to follow such instruction, untilthe matter is resolved following a good-faith discussion between the parties.

2.5 Compete will not retain, use, or disclose CustomerPersonal Data: (A) for any purpose other than for the specific purpose ofperforming the Services, or (B) outside of the direct business relationshipbetween Customer and Compete, except as permitted under applicable Privacy Lawsand Regulations. Compete acknowledges and will comply with the restrictions setforth in this Section 2.5.

2.6 Customer acknowledges and agrees that it is solelyresponsible for ensuring that all Personal Data provided or otherwise madeavailable to Compete for Processing under the Agreement and this DPA has beencollected and is provided in full compliance with applicable Privacy Laws andRegulations. This includes, without limitation, all necessary notices toIndividuals and receive all necessary permissions and consents in accordancewith applicable Privacy Laws and Regulations, and ensuring a lawful ground ofProcessing, as necessary for Compete to process Personal Data under the termsof the Agreement and this DPA, pursuant to applicable Privacy Laws andRegulations, including with respect to the cross-border of Personal Data.

2.7 To the extent required under applicable Privacy Laws AndRegulations, Customer will appropriately document the Individuals’ notices andconsents, or necessary assessment with other applicable lawful grounds ofProcessing.

2.8. Customer will ensure the Personal Data is accurate,relevant, and limited to what is necessary for the Processing activitiesperformed under the Agreement and this DPA.

2.9. Customer further represents and warrants that Compete’sProcessing of the Personal Data in accordance with the Agreement and this DPAwill not cause Compete to violate any Privacy Laws and Regulations

3. ASSISTANCE

Taking into account the nature of the Processing, Competewill assist Customer by appropriate technical and organizational measures,insofar as this is possible, for the fulfilment of Customer’s obligation torespond to requests for exercising Data Subjects’ rights, as required underapplicable Privacy Laws and Regulations. Compete will further assist Customerin ensuring compliance with Customer’s obligations in connection with thesecurity of Processing, notification of a Personal Data Breach to supervisoryauthorities and affected Data Subjects, Customer’s data protection impactassessments and Customer’s prior consultation with supervisory authorities, inrelation to Compete’s Processing of Customer Personal Data under this DPA.Except for negligible costs, Customer will reimburse Compete with costs andexpenses incurred by Compete in connection with the provision of assistance toCustomer under this DPA.

4. COMPETE PERSONNEL

4.1 Limitation of Access.Compete will ensure that Compete’s access to Customer Personal Data is limitedto those personnel who require such access to perform the Agreement.

4.2 Confidentiality. Compete will imposeappropriate contractual obligations upon Compete Personnel, including relevantobligations regarding confidentiality, data protection, and data security.Compete will ensure that Compete Personnel are informed of the confidential natureof Customer Personal Data, have received appropriate training in theirresponsibilities, and have executed written confidentiality agreements thatbind them by substantially the same material obligations as under this DPA.Compete will ensure that such confidentiality agreements survive thetermination of the employment or engagement of its personnel.

5. SUB-PROCESSORS

5.1 Compete may engage third-party service providers toprocess Customer Personal Data (“Sub-Processors”). Customer herebyprovides Compete with a general authorization to engage all Sub-Processors listed here in Compete’sSub-Processors List. All Sub-Processors have entered into written agreementswith Compete that bind them by substantially the same material obligations asunder this DPA.

5.2 Compete may engage with a new Sub-Processor (“New Sub-Processor”)to Process Customer Personal Data on Customer’s behalf. Compete will notifyCustomer of the intended engagement with the New Sub-Processor ten (10) daysprior to such engagement. Customer may object to the Processing of CustomerPersonal Data by the New Sub-Processor, for reasonable and explained grounds,within five (5) business days following Compete’s written notice to Customer ofthe intended engagement with the New Sub-Processor. If Customer timely sendsCompete a written objection notice, the parties will make a good-faith effortto resolve Customer’s objection. In the absence of a resolution, Compete willmake commercially reasonable efforts to provide Customer with the same level ofservice, without using the New Sub-Processor to Process Customer Personal Data.

5.3 Liability. Compete will be liable for theacts and omissions related to the Processing of Personal Data by its Sub-Processorsto the same extent that Compete would be liable if performing the Service ofeach Processor, under the terms of the Agreement.

6. ONWARD AND TRANS-BORDER TRANSFER

6.1 Any transfer of Customer Personal Data will be carriedout in accordance with applicable Privacy Laws and Regulations. Transfer ofGDPR-governed Customer Personal Data (“EEA Transferred Data”)from Customer to Compete in Israel is safeguarded by the EU Commission AdequacyDecision. EEA Transferred Data to a Third Country, is made in accordance withthe EU SCCs, giving effect to module three, which is incorporated by referenceto this DPA, or as required, in accordance with any successor thereof or analternative lawful data transfer mechanism, and as follows:

6.1.1 In Clause 7, the optional docking clause will apply;

6.1.2 in Clause 9, Option 2 will apply, and the time periodfor prior notice of sub-processor changes will be as set out in Section 5 ofthis DPA;
6.1.3 In Clause 11, the optional language will not apply;

6.1.4 In Clause 17, Option 1 will apply, and the EU SCCswill be governed by Irish law;

6.1.6 In clause 18(b), disputes will be resolved before thecourts of Ireland.

6.1.6 Annexes I and II of the EU SCCs will be completed withthe relevant information set out in Annexes I and II to this DPA.

6.2 Transfer of UK GDPR-governed Customer Personal Data (“UK Transferred Data”,and together with EEA Transferred Data: “Transferred Data”)to a Third Country, is either:

6.2.1 made in accordance with the International DataTransfer Agreement (“IDTA”), issued by the Information Commissioner’sOffice’s (“ICO”) in accordance with section 119A of the Data ProtectionAct 2018, as officially published here,which is incorporated by reference to this DPA;

or -

6.2.2 made in accordance with the UK Addendum issued by theICO in accordance with section 119A(1) of the Data Protection Act 2018 (“UK Addendum”),incorporating the EU SCCs, as officially published here,which is incorporated by reference to this DPA;

or -

6.2.3 if neither Section 6.3.1 and 6.3.2 apply, then theparties will cooperate in good faith to implement appropriate safeguards fortransfers of UK Transferred Data, as required or permitted by the UK GDPRwithout undue delay.

6.3 In accordance with Article 46 of the GDPR and the EUSCCs, and without prejudice to any provisions of this DPA, Compete undertakesto implement the following organizational and technical safeguards, in additionto the safeguards mandated by the EU SCCs and in accordance with Clause14(b)(C) of the EU SCCs, to ensure the required adequate level of protection toTransferred Data:

6.3.1 Compete will implement and maintain the technicalmeasures, as specified in Annex II to this DPA, which is attached andincorporated by reference to this DPA, with a purpose to protect theTransferred Data from Processing for national security or other governmentalpurposes that goes beyond what is necessary and proportionate in a democraticsociety, considering the type of Processing activities under the Agreement andrelevant circumstances;

6.3.2 For the purposes of safeguarding Transferred Data,when any Third Country’s government or regulatory agency requests access tosuch data (“Request”), and unless required by a valid court order or ifotherwise Compete may face criminal charges for failing to comply with ordersor demands to disclose or otherwise provide access to Transferred Data, orwhere the access is requested in the event of imminent threat to lives, Competewill:

6.3.2.1 not purposefully create ‘back doors’ or similarprogramming that could be used to access Transferred Data;

6.3.2.2 not provide the source code or encryption keys toany government agency for the purpose of accessing Transferred Data; and,

6.3.2.3 upon Customer’s written request, provide reasonableavailable information about the requests for access to Personal Data bygovernment agencies that Compete has received in the six (6) months precedingto Customer’s request.

‍6.3.3 If Compete receives a Request, Compete will notifyCustomer of such request to enable the Customer to take necessary actions, tocommunicate directly with the relevant agency and to respond to the Request. IfCompete is prohibited by law to notify the Customer of the Request, Competewill make reasonable efforts to challenge such prohibition through judicialaction or other means at Customer’s expense and, to the extent possible, willprovide only the minimum amount of information necessary.

7. INFORMATION SECURITY

Compete will maintain administrative, physical, andtechnical safeguards for the protection of the security, confidentiality, andintegrity of Customer Personal Data. Compete regularly monitors compliance withthese safeguards. Compete will not materially decrease the overall security ofthe Service during the term of the Agreement. Further information aboutCompete’s technical and organizational measures is detailed in ANNEX II.

8.AUDIT AND DEMONSTRATION OF COMPLIANCE

8.1 Customer or another auditor mandated by Customer, inrelation to Compete’s obligations under this DPA is entitled to carry out anaudit to Compete to supervise compliance with this DPA. Compete may satisfy theaudit obligation under this section by providing Customer with attestations,certifications and summaries of audit reports conducted by accredited thirdparty auditors. Other audits by Customer are subject to the following terms: (A) theaudit will be pre-scheduled in writing with Compete, at least forty-five (45)days in advance and will be performed not more than once a year (unless theaudit is required by a Supervisory Authority); (B) athird-party auditor will execute a non-disclosure and non-competitionundertaking toward Compete; (C) the auditor will not haveaccess to non-Customer data (D) Customer will make sure thatthe audit will not interfere with or damage Compete’s business activities andinformation and network systems; (E) Customer will bear allcosts and expenses related to the audit; (F) The auditor willfirst deliver a draft report to Compete and allow Compete reasonable time andno less than ten (10) business days, to review and respond to the auditor’sfindings, before submitting the report to the Customer; (G) Customerwill receive only the auditor’s report, with Compete’s comments, without anyCompete ‘raw data’ materials, will keep the audit results in strictconfidentiality and will use it solely for the specific purposes of the auditunder this DPA; and, (H) as soon as the purpose of the auditis completed, Customer will permanently and completely dispose of all copies ofthe audit report.

8.2 Customer may, at its sole discretion request thatCompete shall provide Customer with a report demonstrating Compete’s compliancewith its obligations under this Addendum and the Israeli Privacy Laws, once ayear.

9.SECURITY BREACH MANAGEMENT AND NOTIFICATION

9.1 Compete maintains security incident management andbreach notification policies and procedures and will notify Customer withoutundue delay after becoming aware of a Personal Data Breach related to CustomerPersonal Data which Compete, or any of Compete’s Sub Processors, Process.Compete’s notice will at least: (A) describe the nature of thePersonal Data Breach including where possible, the categories and approximatenumber of Data Subjects concerned and the categories and approximate number ofCustomer Personal Data records concerned; (B) communicate thename and contact details of the Compete’s data protection team, which will beavailable to provide any additional available information about the PersonalData Breach; (C) describe the likely consequences of thePersonal Data Breach; (D) describe the measures taken orproposed to be taken by Compete to address the Personal Data Breach, including,where appropriate, measures to mitigate its possible adverse effects. Where,and in so far as, it is not possible to provide the information at the sametime, the information may be provided in phases without undue further delay.

9.2 Compete will work diligently, pursuant to its incidentmanagement and breach notification policies and procedures to promptly identifyand remediate the cause of the Personal Data Breach and will promptly informCustomer accordingly.

10.DELETION AND RETENTION OF CUSTOMER PERSONAL DATA

10.1 Data Deletion. Withinreasonable time after the end of the provision of the Service, Compete willreturn Customer Personal Data to Customer or delete such data, including byde-identifying thereof.

10.2 Data Retention.Notwithstanding, Customer acknowledges and agrees that Compete may retaincopies of Customer Personal Data as necessary in connection with its routinebackup and archiving procedures and to ensure compliance with its legalobligations and its continuing obligations under applicable law, including toretain data pursuant to legal requirements and to use such data to protectCompete, its affiliates, agents, and any person on their behalf in court andadministrative proceedings.

1.1. DISCLOSURE TO COMPETENT AUTHORITIES‍

Compete may disclose Customer Personal Data: (A) ifrequired by a subpoena or other judicial or administrative order, or ifotherwise required by law; or (B) if Compete deems thedisclosure necessary to protect the safety and rights of any person, or thegeneral public.

12. ANONYMIZED AND AGGREGATED DATA‍

Compete may process data based on extracts of CustomerPersonal Data on an aggregated and non-identifiable form, for Compete’slegitimate business purposes, including for testing, development, controls, andoperations of the Services, and may share and retain such data at Compete’sdiscretion, provided that such data cannot reasonably identify a Data Subject.

13. TERM‍

This DPA will commence on the same date that the Agreementis effective, or as otherwise provided explicitly under this DPA, and willcontinue until the Agreement expires or is terminated, pursuant to the termstherein.

14. COMPLIANCE‍

Compete’s compliance team is responsible to make sure thatall relevant Compete’s personnel adhere to this DPA. Compete’s compliance teamcan be reached at: dpo@competewith.com.

15. DISPUTE RESOLUTION

15.1 Each Party will create an escalation process andprovide a written copy to the other Party within five (5) business days of anydispute arising out of or relating to this DPA. The escalation process will beused to address disputed issues related to the performance of this DPA,including but not limited to technical problems. The Parties agree tocommunicate regularly about any open issues or process problems that requireprompt and accurate resolution as set forth in their respective escalation processdocumentation. The Parties will attempt in good faith to resolve any disputearising out of or relating to this DPA, before and as a prior condition forcommencing legal proceedings of any kind, first as set forth above in theescalation process and next by negotiation between executives who haveauthority to settle the controversy and who at a higher level of managementthan the persons with direct responsibility for administration of this DPA.

15.2 Any Party may give the other Party written notice ofany dispute not resolved in the normal course of business. Within two (2)business days after delivery of the notice, the receiving Party shall submit tothe other a written response. The notice and the response will include: (A) astatement of each Party’s position and a summary of arguments supporting thatposition; and,

(B) the name and title of the executive who willrepresent that Party and of any other person who will accompany the executive.Within five (5) business days after delivery of the disputing Party’s notice,the executives of both Parties shall meet at a mutually acceptable time andplace, including telephonically, and thereafter as often as they reasonablydeem necessary, to attempt to resolve the dispute. All reasonable requests forinformation made by one Party to the other will be honored. All negotiationspursuant to this clause are confidential and will be treated as compromise andsettlement negotiations for purposes of applicable rules of evidence. Thedispute resolution process under this section 15 must be exercised as apre-condition for initiating legal or administrative proceedings by any of theparties.

16. MISCELLANEOUS

Any alteration or modification of this DPA is not validunless made in writing and executed by duly authorized personnel of bothparties. Invalidation of one or more of the provisions under this DPA will notaffect the remaining provisions. Invalid provisions will be replaced to theextent possible by those valid provisions which achieve essentially the sameobjectives.

16.1. Compete’sservices and systems are not designed to store, receive, maintain, transmit, orotherwise process Protected Health Information (“PHI”) as defined under theU.S. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) andits implementing regulations and PCI data subject to the Payment Card IndustryData Security Standard (“PCI DSS”) (together: “Excluded Data Types”).Customer shall not provide, and shall use commercially reasonable efforts toensure that no Excluded Data Types are provided, uploaded, or otherwise madeavailable to the Compete or processed through the Services. Compete shall haveno liability under the Agreement or this DPA for Excluded Data Types providedby Customer in violation of this section, and Customer shall be solelyresponsible for any compliance obligations, damages, or claims arisingtherefrom.

ANNEX I

DATA PROCESSING DESCRIPTION

This Annex forms part of the DPA and describes theProcessing that the Processor will perform on behalf of the Controller.

A. LIST OF PARTIES

1. Controller(s) / Data exporter(s):Customer whose name, address and contact details are further set out in theAgreement. Customer will provide certain personal data in order to receive theServices pursuant to the Agreement.

2. Processor(s) / Data importer(s):Compete, whose registered name, address and contact details are further set outin the Order Form. Compete will process personal data in order to provide theServices pursuant to the Agreement.

B. DESCRIPTION OF TRANSFER‍

Item Description
Categories of data subjects whose personal data is transferred Customer’s employees
Categories of Customer Personal Data transferred HR data, for example: legal name, place of employment, department and role, information on employees’ terms of employment (e.g., salary, scope, seniority, etc.), gender, age, and nationality, and additional employment related details, as agreed between the parties.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved Financial Information (salary and benefits).
The frequency of the transfer Continuous.
Nature of the Processing Provision of Services and associated services.
Purpose(s) of the data transfer and further Processing As necessary to perform Compete’s obligations in accordance with the Agreement.
The period for which the Customer Personal Data will be retained, or, if that is not possible, the criteria used to determine that period As set out in Clause 10 of the DPA.
For transfers to (sub-) processors, also specify subject matter, nature, and duration of the Processing Same as above.

C. COMPETENT SUPERVISORY AUTHORITY

Where the data exporter is established in an EU Member State- the supervisory authority of such EU Member State shall act as competentsupervisory authority.

Where the data exporter is not established in an EU MemberState but falls within the territorial scope of the GDPR in accordance with itsArticle 3(2) and has appointed a representative pursuant to Article 27(1) - thesupervisory authority of the Member State in which the representative isestablished shall act as competent supervisory authority.

Where the data exporter is not established in an EU MemberState but falls within the territorial scope of the GDPR in accordance with itsArticle 3(2) without however having to appoint a representative pursuant toArticle 27(2) – the supervisory authority of one of the Member States in whichthe data subjects whose personal data is transferred under these Clauses, shallact as competent supervisory authority.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICALAND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organizational measuresimplemented by the data importer(s) (including any relevant certifications) toensure an appropriate level of security, taking into account the nature, scope,context and purpose of the Processing, and the risks for the rights andfreedoms of natural persons.

Measure Description
Pseudonymization & Encryption of Personal Data Raw data is encrypted at rest and in transit in accordance with best practices. Data is available to named individuals at Compete for support purposes only and per customer’s request.
Ensuring Confidentiality, Integrity, Availability, & Resilience of Processing Systems and Services Personal Data is protected against accidental destruction or loss via measures capable of rapidly restoring the availability of and access to Personal Data in the event of a physical or technical incident.
Ensuring the Ability to Restore Availability and Access Compete holds BCP and DRP programs to ensure integrity, restore availability, and resilience of processed data (e.g., routine backups, strict access control, periodic recovery testing).
Testing, Assessing, & Evaluating Technical and Organizational Measures
  • Backup/recovery testing.
  • Regular testing of backup system.
  • Documented process for detecting and reporting security incidents/data breaches (including mandatory reporting to supervisory authorities).
User Identification & Authorization Technical Measures:
  • Access to applications, specifically when entering, changing, and deleting data, is logged.
  • DLP measures for sensitive files and folders.
  • Central permission management.
  • SSH encrypted access.
  • Certified SSL encryption.
Organizational Measures:
  • Use of authorization concepts.
  • Minimum number of administrators.
  • Management of user rights by administrators.
  • Information Security and User Access management Policies.
Data Protection During Transmission Compete requires TLS 1.3 and enforces HTTPS connection with its servers.
Data Protection During Storage
  • All databases are backed up to a dedicated storage bucket and saved for 30 days.
  • Backup data is encrypted at rest.
  • Access to backup data is restricted.
Physical Security of Locations Processing Personal Data Technical Measures:
  • Employees connect to their systems over a WPA2 secure Wi-Fi connection using company-owned and fully managed laptops.
  • Alarm system.
  • Automatic access control system.
  • Smart cards / transponder systems.
  • Manual locking system.
  • Doors with knobs outside.
  • Video surveillance of entrances.
Organizational Measures:
  • Clean Desk Policy.
  • Reception / Receptionist / Gatekeeper.
  • Employee / visitor badges.
  • All visitors are accompanied by employees.
  • Work Instruction access control.
Event Logging All access to applications is logged, specifically when entering, changing, and deleting data. DLP measures are applied to sensitive files and folders. Security logs are retained for 24 months.
System Configuration
  • Testing and development environments are separated and isolated from production.
  • Changes are pre-approved by authorized personnel and traced accordingly.
IT & IT Security Governance Compete holds ISO27001 and ISO27701 certifications.
Certification/Assurance of Processes & Products
  • New staff are trained in Secure Software Development Lifecycle (SSDLC) practices.
  • Security team reviews new product initiatives based on SPbD (Security and Privacy by Design) principles.
  • System code is tested against known vulnerabilities (e.g., OWASP top 10).
  • Core systems are tested for security vulnerabilities periodically, both by automated scanners and external independent parties.
Data Minimization
  • Collection is limited to the required data needed to fulfill the specific purpose of the Agreement.
  • Data minimization is assured during our SDLC process.
Data Quality Data points not updated for 6 months are removed to ensure accuracy.
Data Retention Data is retained for the duration of the contract. After termination, Personal Data is deleted or de-identified.
Accountability Compete personnel are vetted before engagement and trained periodically on data protection and information security. Internal policies ensure compliance with privacy laws. Compete is the only authorized entity to process customer personal data.
Data Portability & Erasure Data can be exported from the Compete system by authorized employees of the customer.

For transfers to (sub-) processors, also describe thespecific technical and organizational measures to be taken by the (sub-)processor to be able to provide assistance to the Controller and, for transfersfrom a processor to a sub-processor, to the data exporter.

Measure Description
DSARs Responding to DSARs is at the Customer’s level.
Built for modern teams, our AI helps organizations manage, support, and grow their people — to build winning teams.
Follow us on linkedin:

Product

AI Business PartnerAI-Driven AnalyticsPersonalized Workflows

Resources

PricingBlog

Policies

Terms of UsePrivacy PolicyCookies Policy
© 2026 Compete HR Ltd. All rights reserved.