Terms and conditions
A. General Part
1. Contracting parties
These General Terms and Conditions of Business (hereinafter referred to as “GTC”) apply to all contracts between StepStone Deutschland GmbH, Völklinger Straße 1, 40219 Düsseldorf, Germany, represented by its Managing Directors Dr. Sebastian Dettmers, Simone Köhler-Reif, and the customer and govern all aspects connected with the performance of services between the parties.
The customer within the meaning of these GTC is any entrepreneur as defined under section 14 German Civil Code (BGB) or merchant as defined under section 1 German Commercial Code (HGB) or a legal entity under private or public law.
2. Subject matter of the contract
The subject matter of the contract is the content of the respective order confirmation from StepStone with the documents referred to therein, including the GTC in the version valid at the point of the conclusion of the agreement.
Any of the customer’s contractual terms that deviate from/contradict these GTC shall not be recognised, regardless of whether they represent a substantial amendment of the order confirmation. Any varying stipulations shall only apply if StepStone expressly agrees to them in writing.
3. Conclusion of contract
The contract between the parties shall come into effect when the customer avails itself of a service via a StepStone website. By clicking the Order button and accepting the GTC, the customer submits to StepStone an offer to enter into a contract. The customer then receives an automated e-mail via the specified e-mail address that confirms receipt of the order. This e-mail does not constitute binding acceptance of the order. Order acceptance is performed by way of a separate e-mail.
3.2 By telephone
If the parties enter into a contract by telephone, the customer receives a written confirmation by e-mail including the terms and conditions agreed by telephone. No further declarations by the parties are required.
3.3 Order form
A contract shall also come into effect if StepStone receives a StepStone order form signed by the customer by post, fax, e-mail or other electronic form or StepStone provides written confirmation in a different form on the basis of the order form.
If the customer changes the content of StepStone order forms, this shall be deemed to be a new offer by the customer; in this case the contract will only be concluded if it is expressly accepted by StepStone. The provision of a service will not be deemed to be implied acceptance of the amended contractual offer.
4. Description of service
The description of the respective service on offer is set out in Part B of these GTC.
The contract entitles StepStone to use the customer data and data produced in the course of the business relationship to analyse trends and create overviews, and also to publish this data in an anonymised form.
Exclusion of competition is not granted.
5. Fee for services
The fee for the service to be provided by StepStone is determined on the basis of the prices published on the StepStone website at the point of the conclusion of the contract. All prices are net of statutory VAT.
Prices for services that are not published on the StepStone website will be agreed between StepStone and the customer on a case-by-case basis.
6. Payment agreements, settlement of costs and right of retention
The invoice is issued upon conclusion of the contract, unless otherwise agreed in the individual contract. StepStone reserves the right to demand payment in advance from the customer.
The payment claim will be payable ten days after issue of the invoice without deduction. In the event of default or discontinuation of payment, interest of nine percentage points above the base rate of the European Central Bank as well as costs and fees for ascertaining and enforcing the payment claim shall be charged. In addition, StepStone will have the right to claim a flat charge for default in the amount of €40.00 (section 288 (5) BGB).
In the event of default of payment, StepStone is entitled to withhold services in full or in part until payment has been made in full. This will not apply if the customer has right of retention. If, in the case of agreed payment by instalments, an instalment is not paid within 30 days of the due date, the total remaining amount will be payable immediately; the right of retention set out in sentence 1 shall apply accordingly.
We will only accept payment by bank transfer from abroad if the customer simultaneously assumes liability for all bank charges incurred.
Payments from the customer will in all cases be set off against the oldest existing claim. StepStone may refuse performance of its services until the customer has made all payments due.
We reserve the right to send invoices and all correspondence related to invoices, such as but not limited to payment reminders, solely in the form of an e-mail attachment. To this end, the customer undertakes to provide a current e-mail address for correspondence and to promptly notify StepStone of any changes to the e-mail address.
7. Basis for the cooperation
The customer’s rights under the contract are non-transferable and non-assignable. The contract may only be transferred to a third party subject to written agreement from StepStone.
If StepStone has obtained the customer’s e-mail address in connection with the customer’s order, StepStone will have the right, including after the end of the contract, to e-mail to the customer information, questionnaires and other commercial communications concerning the ordered StepStone services and similar services. The customer may opt out of such communications from StepStone at any time with future effect by e-mailing email@example.com or by calling +49 211 93493-0. StepStone will provide specific information about this right to opt out in every e-mail.
The customer undertakes to provide StepStone in good time with all information and documents that are necessary and appropriate for the performance of the contractual services. Additional cooperation duties of the customer are set out in Part B of these GTC in accordance with the respective product-specific description of services.
StepStone has the right to use vicarious agents.
The customer shall ensure that any content it publishes on the StepStone websites or that it passes to StepStone for publication is free from third-party rights. The customer warrants that it holds all necessary third-party usage rights. The customer shall compensate StepStone for any losses arising as a result of a breach of this provision at the first time of asking. With the placement of the order the customer confirms that it has acquired from the holders of copyrights, ancillary copyrights and other rights all of the usage rights to the documents and data provided by it that are required for placement on the Internet, and that it can use these as it pleases.
In terms of services that are published and/or used on websites not operated by StepStone Deutschland GmbH, additional requirements and limitations may apply alongside these GTC, in particular in addition to the provisions under Part B of these GTC.
8. Copyright and other intellectual property rights
This contract does not contain any transfer of property rights and usage rights, licences or other rights to the software to the customer. All rights to the software used by the customer, to marks, titles, trademarks, copyrights and other commercial rights/intellectual property rights of StepStone will remain entirely with StepStone.
All work results and information published by StepStone are subject to StepStone’s copyright. Excluded from this are only such work results and information published by StepStone created by the customer or a third party and adopted by StepStone unchanged for publication on the Internet.
StepStone is the maker and originator of its databases as set out in section 87a (1), (2) German Copyright Act (UrhG) and section 4 UrhG and is the holder of all associated exclusive rights.
9. Warranty and limitation
The provision of services is based exclusively on the service features and scope of performance agreed in writing. The customer shall review the services on receipt without undue delay and notify StepStone of any deficiencies without undue delay. If it fails to do so, the services shall be deemed provided in a flawless manner.
In the first instance, StepStone shall attempt to meet its obligation of subsequent performance by means of rectification. Only if this fails twice may the customer revoke the contract or exercise its right to demand a price reduction.
The customer’s warranty rights do not extend to defects that relate to a merely minor variance from the agreed condition or a merely minor impairment of utility.
All warranty claims shall lapse within one year. The limitation period shall commence at the point at which the customer acquires knowledge of the defect or ought to have acquired knowledge in the event of gross negligence.
StepStone shall be liable for damages, irrespective of the legal grounds, in the event of wilful misconduct and gross negligence.
In other cases, StepStone shall only be liable in the event of the breach of a contractual obligation, the proper execution of which is essential for the performance of the contract and on compliance with which a customer may normally rely (known as a cardinal duty). This liability shall be limited to compensation for the foreseeable loss typical for this type of contract. In all other cases liability shall be excluded, subject to the following provision in clause 10.3.
The foregoing limitations and exclusions of liability shall have no bearing on liability for losses arising from death or personal injury and under the German Product Liability Act (Produkthaftungsgesetz).
The customer can only withdraw or terminate due to a breach of duty not involving a defect if StepStone is responsible for this breach of duty.
If a claim is made against the customer by a third party (“property rights claim”) for an infringement of patents, copyrights, trademarks, business designations or business secrets by a service provided by StepStone (“property rights infringement”), StepStone will indemnify the customer against all costs (including legal defence costs) and claims which it incurs due to final judgements by competent courts or written settlements concluded by StepStone, provided that (i) the customer did not cause the property rights infringement, for example in the case of the publication of unlawful content as defined at Part B., clause 1.3.2, (ii) the customer informs StepStone in writing within no more than twenty (20) working days of the claim first being made, (iii) StepStone retains sole control of the defence against the property rights claim and (iv) the customer provides appropriate support and all of the information so that StepStone can meet its obligations under this clause. The above obligation will not apply to actions or declarations for which StepStone has not given its prior consent in writing, nor if the customer continues the infringing activity after it has been informed of changes which would have prevented an infringement. If a property rights infringement has been established by a competent court or is considered to be possible by StepStone, StepStone may at its own discretion and at its own cost either (i) replace or change the services so that a property rights infringement no longer exists, or (ii) obtain a usage right for the customer to the property right or (iii) if measures pursuant to (i) or (ii) are not possible or not reasonable, terminate this contract extraordinarily with immediate effect.
11. Confidentiality and protection of personal data
StepStone agrees to treat as confidential all information marked as “confidential” which StepStone receives from the customer under this contract. This obligation will also be met by StepStone after the contract term ends.
When using IDs, passwords, usernames or other security devices provided in connection with the services, the customer shall exercise the greatest possible care and take all measures that ensure the confidential, secure handling of the data and prevent its disclosure to third parties. The customer will be held responsible for the use of its passwords or usernames by third parties if it cannot explain convincingly that the access to such data was not caused by the customer itself and the reasons for this were out of its control. The customer shall inform StepStone immediately of any potential or already known unauthorised use of its access details. In the event of a breach of one or more of the obligations specified in these GTC by the customer, in particular but not limited to those stated under this point, StepStone will have the right to terminate the services without further notice and remove them from the website, without waiving any payment obligations of the customer.
The contracting parties undertake to maintain confidentiality over all information that they have acquired directly or indirectly in connection with the respective contract as well as in the course of the execution thereof and that is of a technical, financial or other commercial or confidential nature and not to pass such to third parties. Companies affiliated with StepStone in terms of sections 15 et seq. AktG are not deemed to be third parties.
This duty of confidentiality does not apply to information that is in the public domain or that was already known to the party, or that the party lawfully acquired from a third party or developed itself without breaching confidentiality obligations. The burden of proof shall lie with the party seeking to rely on this provision.
These comprehensive confidentiality obligations shall also remain in force after the end of the respective contract.
StepStone is entitled to collect, process and store personal data of the customer subject to observance of and compliance with the provisions of the applicable data protection laws, directives and other regulations.
StepStone further warrants that all StepStone employees have been subjected to the duty of data secrecy and the observance of particular confidentiality in accordance with applicable data protection and telecommunication laws and other relevant legislation.
12. Warning, court ruling
If the customer has received a warning regarding a publication or its content on the StepStone websites, if it has already made a cease-and-desist declaration concerning certain content made available for publication or if a corresponding temporary injunction, judgement, court ruling or official order has been made, the customer is obliged to inform StepStone of this in writing without undue delay. If the customer fails to do so, StepStone will not be liable. The customer will then be required to indemnify StepStone against any claim by a third party at the first time of asking and compensate StepStone for any damages arising as a result.
13. Term and termination
The contract shall take effect at the point of the conclusion of the contract unless an agreement to the contrary has been made. The contract shall end automatically on expiry of the agreed term unless separate product-specific stipulations are defined in Part B of these GTC.
14. Closing provisions
These GTC and all legal relationships between the contracting parties are subject to the law of the Federal Republic of Germany under exclusion of the United Nations Convention on Contracts for the International Sale of Goods (CISG) and international private law and associated clauses on legal forum or conflicts of law.
The exclusive place of jurisdiction is Düsseldorf, Germany.
B. Special Part
1. Job adverts
1.1 Description of service
StepStone provides the customer with advertising space for the publication of job adverts on the StepStone websites. The job adverts (“adverts”) are published on the Internet in the customer’s name.
StepStone will integrate a button in the job adverts that is labelled “Apply Now” or similar. Depending on the customer’s selection, this button can either a) link to a website indicated by the customer or b) link to a standardised application form operated by StepStone on its platforms. The data entered in the form will be transmitted by StepStone to the customer’s account (“Recruiter Space”) and can be retrieved by the customer there.
Via the “Apply Now” link that is positioned on the page when the job advert is accessed, applicants can use the application form stored there to enter their contact details and upload their CV and other application documents.
In cases where the customer uses the StepStone application form, applications will be made available in the StepStone Recruiter Space.
StepStone accepts no responsibility for supplied data material, advertising texts or associated storage media and in particular will not have to store or return such to the customer.
Unless otherwise agreed, job adverts are displayed for a period of 30 days (“Running Time”). Provided the adverts are placed within the contract term, they will be published for the entire agreed period. On expiry of the Running Time, a job advert may be extended by 30 days at a time, provided this is done within the contractual term. The customer may request an extension from its customer advisor or alternatively arrange it itself in the StepStone Recruiter Space. The extension of the publication of a job advert is deemed a new chargeable publication on the basis of the contract between StepStone and the customer.
Job adverts may be saved in the personal accounts of registered users for a maximum period of six months and may therefore also be visible by the registered user beyond the Running Time pursuant to clause 1.1.4.
The number of agreed job adverts can only be accessed within the agreed contract term. On expiry of the contract term, the customer’s right to use advertising space not used during the contract term lapses.
1.2 Customer’s obligations
When creating job adverts, the customer is required to observe the quality standards of StepStone. These include in particular the providing of the job title and the job description as well as the customer’s company logo in accordance with these quality standards and other requirements. The respective applicable version of the quality standards can be accessed at
The customer will bear the sole responsibility under press law, competition law, data protection law and all other applicable rules for the content intended for publication that it provides. The customer is responsible in particular for compliance with the applicable statutory provisions relating to the content it supplies. The customer further warrants that the content of the adverts breaches neither any statutory prohibitions nor third-party rights.
The customer will ensure that e-mails from StepStone are received without issue and in this connection will set up StepStone as a “trusted server”. This is intended to prevent e-mail notifications to the customer from being blocked by any spam filter used by the customer.
The customer shall configure its own infrastructure in keeping with the current state of technology so that it is neither the target nor the origin of disruptions that are likely to affect the Internet service provided by StepStone or the general smooth and flawless network operation.
StepStone reserves the right not to fulfill orders placed by the customer, or to remove job adverts already published on the Internet, if the published content is in breach of statutory requirements or official prohibitions, violates the rights of third parties, offends the principles of common decency or is in breach of StepStone’s terms and conditions. The same will apply if links to service elements are set on the customer instructions which lead directly or indirectly to sites with unlawful content. This is without prejudice to the customer’s payment obligation. StepStone is required to remove such unlawful content only as stipulated by statutory provisions and at the customer’s request. If a claim is made against StepStone on the grounds of unlawful content or any other breaches of the law for which the customer is responsible, the customer will indemnify StepStone at the first time of asking. The indemnification will also include the necessary legal costs.
In particular, StepStone’s right to refuse shall also exist if the following requirements are not met by the customer:
- If self-employment or freelance work is advertised, it must be clearly indicated as such in the text.
- If the candidate has to make advance payments or financial investments of his own (including participation in training and travel expenses), this must be clearly stated in the text. The same applies if the successful advertisement of new members is commissioned by a self-contained system.
- The content must refer to a free position or activity. Advertising for club or association memberships is not permitted. Furthermore, advertising for participation in illegal structural distribution is not permitted (§ 16 UWG).
- Websites that are named or sent to StepStone for linking must comply with the legal minimum requirements, and in particular must have an imprint that complies with the statutory provisions and the principles developed by the courts.
- Links are only permitted as so-called “nofollow” links, i.e. they are to be set up in such a way that search engines do not use them to calculate link popularity.
- All contents of an advertisement must be directly visible to the user. As far as they are not explicitly offered by StepStone as part of special ad products, the customer’s own tracking codes and interactive elements that are controllable by clicks or mouse-over, for example, are not permitted. Excluded from this are links to other pages and e-mail addresses that otherwise meet the requirements of this clause. In any case, links must be designed in such a way that it is recognizable when they link to external pages.
- The requirements of the German Equal Treatment Act (AGG) must be complied with.
- Even if the above requirements are met, no content that is not relevant to the job search, such as competitions, events without career reference, pure advertising campaigns, etc., may be published in addition to content relating to the position or activity.
- If these requirements are not met, the contents shall be deemed to be inadmissible contents with consequences from part B., section 1.3.1.
StepStone only transmits messages from the customer to the applicant as a messenger. The customer guarantees that it will provide StepStone with all legally required messages for transmission to applicants and that the provided messages do not violate applicable law. In particular, reference is made in this context to the obligation to state reasons for severely disabled applicants in accordance with section 81 of book 9, German Social Code (SGB IX). In the event of unlawfully omitted or unlawful messages from the customer to applicants, the customer shall indemnify StepStone against all third-party claims at the first time of asking, and StepStone reserves the right to disclose the customer’s contact details to the third party.
We point out that there may also be certain statutory requirements and prohibitions for job adverts in other countries. Such requirements must be complied with. It is the sole responsibility of the customer to inform itself of any special features and restrictions.
StepStone constantly endeavours to optimise the response to the customer’s job adverts and to increase the quantity and quality of the accessible offers. This also includes:
a) Entering into cooperations in all media (including online, offline, TV, mobile, moving image products and new types of use). The customer agrees that the service elements may be published by StepStone online and/or offline in print, sound or image, including in print or online media of cooperation partners. In all cooperations StepStone will be mindful of the image and quality of the cooperation partner;
b) Ensuring user-friendly readability on all devices by optimising the display of the advert.
c) StepStone reserves the right to amend or change the categorisation or classification of job adverts at its own discretion at any time. The customer has no right to publication of its job adverts in any specific category or classification of its choosing.
In order to improve the quality of the advert across all devices, StepStone reserves the right to change the layout of the advert accordingly.
The customer is aware that the content published on the Internet will be searched by search engines such as Google and others and these search engines will archive the published content on their systems. StepStone will specify in the metadata of the adverts that the adverts should not be archived. However, if an advert is nonetheless archived by a search engine, StepStone is no longer responsible. Any requests for erasure of the archived data should be addressed to the search engine.
We advise that StepStone cannot prevent the unauthorised publication of job adverts by third parties. However, StepStone will make every effort to prevent such publications within the realms of what is legally and technically possible. The customer declares its agreement with this.
The customer shall transfer to StepStone all property rights to databases that it passes to StepStone for publication in conjunction with multiple adverts. In particular, StepStone shall have the exclusive right to exploit the economic property in its job advert database vis-à-vis third parties.
Any offer by StepStone quoted at a lower price than in the price list is only valid under the specific conditions for the specific customer. It is not possible for a third party, such as an agency, to act as contractual partner instead of the customer.
The transfer of the contract to a third party by the customer (“reselling”) requires StepStone’s prior consent.
1.4 Box number adverts
StepStone offers the option to publish the job advert as a box number advert. Box number adverts do not show the author of the advert. The requirements and obligations pursuant to the aforementioned provisions (Part B, section 1) apply accordingly.
2. Job Agent Ad
On behalf of the customer, StepStone will publish an advert specified by the customer in StepStone’s regularly published Job Agent (hereafter: “Job Agent Ad”). This will consist of a text advert and a banner. The Job Agent Ad will be published in a StepStone Job Agent in accordance with the requirement under press law to separate adverts from editorial content and may contain a link to job adverts, job description, company portraits or recruiting events.
Unless otherwise agreed, Job Agents are published as follows depending on the order:
1. Once per edition of the Job Agent to a specific target group.
2. Once per edition of the Job Agent to all candidates who have registered to receive the Job Agent.
3. Daily in each edition on seven consecutive days to all candidates who have registered for the Job Agent. This ensures that every candidate who has ever registered for the Job Agent receives at least one edition with the booked Job Agent Ad.
4. Daily in each edition on seven consecutive days to a specific target group.
Only one Job Agent Ad is published per Job Agent. The customer has to send the advertising material to StepStone in complete and correct form at the same time as the booking, or alternatively no later than two days before the planned publication date. If the advertising material is not received by StepStone in time and in the complete and correct form, the right to publication will expire without replacement. This is without prejudice to StepStone’s claim for payment.
The customer is aware that the Job Agent is only sent to subscribers. Subscribers can register to receive the Job Agent free of charge, whereby they will only receive an edition if it contains at least one job advert that matches the profile specified. Subscribers can unsubscribe and apply explicit blocking notices. StepStone therefore cannot guarantee the number of recipients.
3. Direct Mail
StepStone sends an e-mail designed in the customer’s individual layout in the customer’s name to selected candidates from the StepStone CV database (hereinafter referred to as “Direct Mail”). The content of the Direct Mail may be a special job offer, the announcement of career-related events or the presentation of the customer’s company with a link to vacant positions. The customer has to send the advertising material to StepStone in complete and correct form at the same time as the booking, or alternatively no later than two days before the planned publication date. If the advertising material is not received by StepStone in time and in the complete and correct form, the right to publication will expire without replacement. This is without prejudice to StepStone’s claim for payment. The customer is aware that the Direct Mail is only sent to subscribers. The subscribers can register free of charge to receive the Direct Mail, as well as deregister and deploy explicit blocking notices. StepStone therefore cannot guarantee the number of recipients.
4. Highlight job
The service performed in respect of the highlight job is the coloured highlighting of the job adverts in the results list published in the customer’s name in the first seven days of publication to emphasise the job adverts. The highlighting has no influence on the ranking of the job adverts in the results list.
5. E-mail push
StepStone sends an e-mail designed in the layout specified by StepStone in the customer’s name to selected candidates from the StepStone CV database or to subscribers of the StepStone Job Agent who have previously expressly consented to receive this type of information (hereinafter referred to as “Mail Push”). The content of this Mail Push is to address an active job advert that is published by StepStone for at least five more days to what StepStone considers to be suitable candidates. The Direct Push is sent to a maximum of 500 candidates. However, StepStone does not guarantee a minimum number of recipients as the pool of potential recipients depends on the individual settings and information provided by the candidates.
6. Company Hub
The customer’s company portrait may be published in the Company Hub. StepStone provides input fields that the company can fill out itself. Links to webpages and content of competitors, or the use of content from competitors of StepStone, are not permitted unless the customer is a competitor of StepStone itself and links to its own web content.
If a customer does not create a Company Hub for its company, StepStone itself reserves the right to fill in the input fields with publicly accessible company information, unless the company expressly objects in writing.
The Company Hub may also be visible to users on StepStone’s platforms beyond the Running Time of a job advert.
7. StepStone Emotions
StepStone Emotions make the customer’s company tangible to its business partners, employees and potential applicants.
StepStone Emotions consist of photo and video products of the customer’s company. Everyday life in the company, the working environment and/or the customer’s workspaces may be depicted and its employees and vacant positions in the company presented.
StepStone produces the particular product variant selected by the customer, or StepStone commissions third parties to produce it, and provides the customer with the finished product variant in accordance with the product-specific usage right. Third parties within the meaning of this section are photographers and/or camera operators or companies that employ such people.
The recordings used to produce StepStone Emotions are made at a time agreed with the customer (“Recording Date”) at the place agreed with the customer (“Recording Place”).
7.2 StepStone Emotions – Lite
7.2.1 Video tour
The purpose of the video tour is to film the customer’s premises. The focus is on the customer’s workspaces and environment. Tour videos are made available via an embedded link.
7.2.2 Job Pitch video
The Job Pitch video entails the filming of the presentation of a vacant position in the customer’s company. The focus is on the description of the company and the job. Job Pitch videos are made available via an embedded link.
StepStone will produce 20 photos at the customer’s premises that portray the workspace. Photo products are made available in JPEG format.
7.3 StepStone Emotions – Pure
7.3.1 Insight Film
The Insight Film provides an authentic portrait of the customer’s company. The Insight Film is produced on the basis of a script individually conceived for the customer. Insight Films are made available via an embedded link.
7.3.2 Emotional Image Film
The Image Film provides an expressive and authentic portrait of the customer’s company. The Image Film is produced on the basis of a script individually conceived for the customer with the customer’s participation. The focus is on the company, its goals, employees and the company’s way of working. The Image Film is made available in MP4 format.
7.4 Usage rights
StepStone grants to the customer the right to use the photo and video products in the supplied form in accordance with the individually contractually agreed, product-specific usage right. The usage right is granted for an indefinite period of time and applies to the final file or version.
The usage right does not cover the alteration and/or retrospective editing of the photos and videos. In particular, the customer is not permitted to cut videos into smaller parts and reassemble them and/or to truncate them.
The customer is not entitled to grant sublicences to third parties. Companies affiliated with the customer as set forth in sections 15 et seq. German Stock Corporation Act (AktG) are not deemed third parties.
StepStone is the originator of the photo and video products and the holder of all associated exploitation and usage rights. StepStone reserves the right to edit the photo and video products retrospectively, in particular to cut videos into smaller parts and reassemble them and/or to truncate them and also to alter the image section of photos.
As the rights holder, StepStone is entitled to grant sublicences. However, StepStone undertakes not to licence the photo and video products for the use of third parties. Companies affiliated with StepStone as set forth in sections 15 et seq. AktG are not deemed third parties.
StepStone shall use the photo and video products for internal purposes and also as an example of outcomes for other customers. Video sequences of multiple customers may be combined for this purpose.
StepStone publishes photo and video products on the StepStone websites, in particular on the Company Hub and in the customer’s job adverts.
StepStone uses the photo and video products at external events, such as job fairs.
7.5 Customer’s obligations
The customer undertakes to ensure that all persons depicted in the recordings have validly granted their consent to the use of their image for the production and use of the photos or videos for the contractually agreed purpose between StepStone and the customer – in particular use pursuant to clause 126.96.36.199 of these terms – and that no third-party or property rights were infringed at the Recording Place or that corresponding permits were issued.
In terms of the forms of use implemented by the customer within the framework of the customer’s respective usage right, the customer bears sole responsibility for compliance with applicable provisions under data protection law and advertising considerations and for the preservation of third-party interests.
The customer undertakes to ensure that the recordings and the results and their use and exploitation do not breach statutory provisions, official prohibitions, third-party rights or the principles of common decency. In particular, the customer warrants that it is the holder of the provided logos, slogans and other intellectual property rights, or of the corresponding usage right for the creation and use of the contractual products.
The customer is required to ensure that no products of the customer and information related to their manufacture in respect of which the customer’s employees are subject to a confidentiality obligation (“commercial secrets”) are depicted on the recordings. The customer waives any claims arising from the publication of such information.
The customer undertakes to indemnify StepStone against third-party claims that are asserted as a result of a breach of the foregoing obligations.
7.6 Editing and warranty
The editing of the photo and video recordings is done following the Recording Date. The editing does not extend beyond the retouching of the photos using the image parameters and small corrections, such as removing small blotches or shadows. Where videos are produced, editing entails technical steps, in particular cutting the individual sequences of video and audio. The customer acknowledges the artistic and editorial freedom in the creation of photos and videos. There is no entitlement to post-editing of the photos and videos.
In the case of StepStone Emotions video products of category PURE (clause 7.3), the customer has the option to communicate any change requests to StepStone within thirty (30) days of the product being made available. On delivery of the corrected video (“1st correction run”), StepStone shall implement further change requests of the customer that are made within fourteen (14) days following the 1st correction run (“2nd correction run”).
8. Applicant database (DirectSearch Database)
8.1 Description of service
StepStone maintains online databases containing CVs of job seekers (“candidates”). Candidates can store their profiles or CVs in these databases. On activation, the candidate publishes these in the StepStone database either in a form in which only certain data is disclosed (“partially active profile”), or in such a way that all data from their profile can be viewed directly in the database (“open profile”). Customers who book access to the applicant database may directly view personal data associated with open profiles in the database and enter a message, or a contact request in the case of partially active profiles, which StepStone then forwards to the candidate by e-mail.
Furthermore, as a free additional service, the customer may save comments in its account related to candidates whose profiles it can view anonymously or publicly. StepStone stores and processes these comments on the customer’s behalf in accordance with Art. 28 GDPR. This is subject to the product-specific terms for StepStone contract data processing. For the avoidance of doubt it is noted that the remaining services within the context of the DirectSearch Database are not performed as contract data processing. In this case, StepStone merely provides the content that the applicant stores with StepStone and remains the data controller under data protection law. The customer may be an additional data controller to the extent it uses such data.
Access to the applicant database is highly personal and only granted to the customer for its own use. Access to the applicant database and the viewed profiles must not be forwarded to third parties. Access for the purpose of soliciting our customers is not permitted. The customer must not set up any hyperlinks (“deep links”) from its website to StepStone’s applicant database. StepStone reserves the right to prosecute any breach of these stipulations without undue delay and with no prior warning.
If a candidate deletes or deactivates their CV, the candidate is automatically deleted from the DirectSearch Database and access is no longer possible. The comment stored pursuant to clause 8.1.2 is then also no longer available.
The applicant database may not be used to search for candidates using search criteria that are in breach of the German Equal Treatment Act (AGG).
The customer has read access to a specific, contractually determined quantity of profiles in the applicant database. Up to 500 profiles may be e-mailed within 30 days with the goal of filling a concrete position, either directly in the case of open profiles or via a prior request for partially active profiles. A maximum of 99 profiles may be contacted at a given time. Bulk e-mails and promotional e-mails are not permissible. StepStone reserves the right to block the customer’s access in the event of non-compliance.
Candidates with partially active profiles can block certain companies. In these cases the customer in question is no longer able to contact the candidate.
8.2. Obligations on the customer
The customer is required to act in accordance with the applicable legal regulations, laws that protect third parties and the principles of common decency.
In particular, the customer undertakes not to pass on personal data of candidates, unless this is necessary to fill a specific vacant position, to treat such data confidentially and to comply with all data protection regulations. Candidate data may only be processed in connection with the filling of a specific vacant position and candidates may only be contacted for this purpose. StepStone assumes that storage is necessary for a maximum of twelve months, also taking into account possible defence of claims under the AGG, so that the customer undertakes to delete any data of the data subject that is stored and received from StepStone no later than twelve months after access to the data. StepStone reserves the right to block the customer’s access in the event of non-compliance.
If a candidate asks StepStone to delete his or her data and StepStone notifies the customer accordingly, the customer is required to delete all copies, files or data belonging to a given candidate without undue delay.
Candidate information is provided solely by the candidates themselves, meaning that StepStone cannot guarantee its completeness, correctness, accuracy or availability. Similarly, StepStone cannot guarantee a specific number of responses.
The customer is aware that special rules apply to the transfer of data from outside of the European Union or the EEA. Accordingly, the customer shall only transfer personal data to third countries in accordance with the provisions of Articles 44-49 GDPR.
The customer shall indemnify StepStone against all losses, costs, claims, damages and other expenses incurred by StepStone due to non-compliance with the customer’s obligations.
9. Video Job Interview Function
If StepStone provides the Customer with the free Video Job Interview function, the following applies: the Video Job Interview function may only be used to conduct interviews with candidates who have applied via StepStone or a company affiliated with StepStone for an open job listing of the Customer. Otherwise, the Customer shall be obliged to indemnify StepStone against any third-party claims and to compensate StepStone for any damages resulting therefrom. StepStone will limit the cost-free usage for clients to 100 interviews per month. The promotion is valid until the 30th of May 2020.
10. JobFeed
10.1 Description of service
JobFeed is an interface created by StepStone with the participation of the customer. Through this interface, StepStone retrieves the contents of the job adverts to be published by the customer and publishes them on the StepStone websites according to the current quality standards. The customer undertakes to fulfil the duties of cooperation and to create the preconditions for successful use that are set down in the specifications following a separate agreement.
10.2 Booking and Term
Each job advert that is transferred to StepStone by the customer via the JobFeed represents a booking of a job advert with a placement period of 30 days and entitles StepStone to invoice the customer. The same shall apply in the event that content is still available through the JobFeed after this period of time; this represents a new booking of a job advert.
Unless otherwise agreed, the JobFeed data comparison is performed once per day.
If the customer removes the content of a job advert from the database accessed by the JobFeed, it will no longer be displayed as a job advert on the StepStone websites.
11. StepStone Recruiter Space
11.1 Description of service
StepStone grants to the customer the non-exclusive and non-transferable right limited to the contractual period to use the Recruiter Space job advert tool. StepStone shall provide the Recruiter Space job advert tool for 20 hours out of 24 daily at http://www.stepstone.de/corporate/index.cfm for use by the customer. The Recruiter Space tool enables the customer to create adverts itself and to publish them.
StepStone shall issue the customer with a user ID and a password for logging on to the server. The customer may change the password at any time. Within its general area of responsibility, the customer is responsible for ensuring that the user ID and the password can only be used by people who are authorised to access the StepStone Recruiter Space. The customer shall also observe any additional security criteria of which it is made aware. If an agency is acting for or on behalf of the customer, the same rules apply. StepStone shall also issue the agency with access rights to job adverts of the agency’s customers on request so that the agency can maintain the adverts for its customers and create new adverts for them. To this end the agency will also be given access to statistics and current contrast data as well as sight of old adverts published for the customer. To do so, the agency shall obtain the customer’s consent and provide evidence to StepStone on request. The agency shall be liable to StepStone if any claim is made against StepStone for any unauthorised forwarding of the customer’s access rights and information.
If an application has been transmitted to the customer’s specific applicant administration account within the StepStone Recruiter Space pursuant to clause 1.1.2, the customer can view the application there and also enter notes on the respective candidate and, if necessary, depending on the functionality, record the status of the application and communicate with the applicant.
In connection with the application, the customer may also access any MyStepStone profile the applicant might have via applicant administration. However, the MyStepStone profile can only be accessed as long as it is active, that is, if the applicant changes their settings or deletes their profile, it is no longer possible to access the profile. Applicant data sent by the applicant is not affected as a result.
11.2 Data protection
Within the scope of the services pursuant to clause 10.1.3, StepStone processes personal data on behalf of the customer within the meaning of Art. 28 GDPR; the terms regarding data processing from part C of these GTC apply in this respect. Services described in clause 10.1.4 do not constitute contract data processing; StepStone merely provides content the applicant has saved with StepStone and remains the controller for data protection purposes. If the customer uses such data, it may become an additional data controller.
12. Customer disclosure obligations
12.1 Pursuant to section 312i BGB, Art. 246c of the Introductory Act to the German Civil Code (EGBGB), StepStone will provide the following information:
The customer will be guided to the contract for advert placement by the following individual technical steps:
- Customer completes the order form including advertising copy
- For job adverts in the standard layout, an advert preview can be generated on certain pages up to placement of the order. Before completing the order, the order can be checked for input errors by clicking on the “Check order” button. Corrections can be made by returning to the previous steps by clicking the corresponding button.
- Customer reads and accepts the GTC
- Customer clicks “Place order”
- Electronic confirmation of receipt of the order by StepStone (this is not a confirmation of the order, but serves as confirmation of receipt of the order)
- Order confirmation by StepStone
The contract has now been entered into pursuant to clause 3 of part A of these GTC. The advert is now placed online.
The customer will be guided to the contract for applicant database access by the following individual technical steps:
- Customer completes contact details form
- Customer reads and accepts the GTC
- Customer clicks “Place order”
- Electronic confirmation of receipt of the order by StepStone (this is not a confirmation of the order, but serves as confirmation of receipt of the order)
- Order confirmation by StepStone
The contract has now been entered into pursuant to clause 3 of part A of these GTC.
These terms and conditions of business (General Terms and Conditions of Business, product-specific terms for adverts or the product-related terms for applicant database (DirectSearch Database), product-related terms for online input) contain the full contractual text both for publishing an advert online and online booking of access to the applicant database. The price for online input will be as stated in the price list which is published on the StepStone websites at http://www.stepstone.de/ at the time the contract offer made to the customer of StepStone is prepared. The legal relationships which are established by the (free) visit to the StepStone website are explained in more detail and defined in our terms and conditions of use. After the conclusion of the contract, in the case of online input we store the customer’s entries. After the conclusion of the contract, the data input will not be available to the customer. Furthermore, we point out that we always publish only the current GTC and price lists online and that the GTC and price lists current at the time the contract is concluded will also no longer be available to the customer when they are subsequently updated.
Pursuant to section 312i (1) (1) no. 3 BGB, StepStone will provide the technical means so that input errors can be identified and corrected before placement of the order. The most important element in the online placement of adverts is the advert preview on each of the three form pages.
The language available for the conclusion of contract is German.
StepStone is bound by the German data protection standards as well as the codes set out in StepStone’s terms and conditions of use and data protection declaration.
13. StepStone FollowAd
13.1 Description of service
The StepStone FollowAd enables the customer to publish banner adverts in formats defined by StepStone on third-party websites that are visited by users who have previously searched for or accessed job adverts for specific professional categories on StepStone’s sites. To do so, the customer selects specific professional categories defined by StepStone and provides StepStone with banner advertising for products that the customer regards as potentially interesting to such users of the StepStone sites who have visited job adverts in these specific professional categories on the StepStone websites. StepStone displays this banner advertising specifically to users who have visited such job categories on the StepStone sites on third-party websites as part of a partner network selected by StepStone. If a budget has been specified under clause 12.3.1, the banner advert will be displayed until the budget is exhausted. Otherwise the banner advertising runs for the whole of the term pursuant to clause 12.4.
StepStone can only display the banner advertising if the respective user accepts the cookies required for the FollowAd and does not delete them. Furthermore, individual users may object to the display of the targeted advertising on the third-party websites, or may object to the operator of the partner network.
Individual users are allocated to a professional group based on their search behaviour and the adverts and pages they visit. StepStone has no way of knowing whether the user actually works in these professional categories or that the user has any actual interests there. StepStone is therefore liable neither for a particular interest of the users in the banner advertising nor a specific reaction of the user to the banner advertising.
13.2 Obligations on the customer
The customer undertakes to provide the banner advertising to StepStone in the formats defined by StepStone no later than X working days prior to the scheduled launch of the campaign. If it selects the option “Powered by Stepstone”, it is required to integrate the graphic elements supplied by StepStone into its advertising materials at the specified place at the specified size.
The content of the banner advertising must not promote any competitor of StepStone. Additionally, the banner advertising must not contain any disallowed content as set down at part A, clause 7 of these GTC, to which full reference is made.
13.3 Remuneration and billing
StepStone is remunerated for the publication of the FollowAd on a TAI basis. That means that StepStone receives the remuneration agreed in the contract for a thousand views of the banner advertising.
StepStone and the customer can agree a budget in the contract. This budget is either expressed as a maximum number of thousand impressions or as a sum that is expressed as the product of the TAI and the maximum number of thousand impressions. If the budget is reached, the customer shall not owe any remuneration for any banner adverts that StepStone publishes in excess of this budget.
Billing is performed on the basis of the reports by the partner network selected by StepStone. Its reports are binding both on StepStone and the customer. If the customer has any objections regarding the reports, StepStone shall exercise its rights of review at the customer’s express written request to which StepStone is entitled under its agreement with the partner network, provided the customer accepts the resulting costs incurred by StepStone.
The term of the respective FollowAd is specified in the contract between StepStone and the customer. During this term, StepStone shall publish the banner advertising either a) until the budget is exhausted or b) until the end of the term. If the agreed delivery quantity is not achieved within the agreed period, StepStone reserves the right to retrospectively provide the difference within a reasonable period.
C. Data Processing
1 Contract data processing
In the context of the comment function within the applicant database (also known as ‘DirectSearch Database’) as referred to in Part B, clause 8.1.2, the note function in the StepStone Customer Centre as referred to in Part B, clause 10.1.3, and the Video Job Interview Function, StepStone processes personal data for the purpose and in the manner specified in the respective clause on the customer’s behalf within the meaning of Art. 28 General Data Protection Regulation (GDPR), observing the following provisions.
StepStone processes personal data only under a contract and in accordance with the customer’s documented instructions, unless a derogation within the meaning of Art. 28 (3) (a) GDPR applies.
Contract data processing is performed exclusively in Member States of the European Union or in another Contracting State to the Agreement on the European Economic Area, unless instructions to the contrary have been issued and transmission is permitted in accordance with the provisions of Art. 44 to 49 GDPR. Upon conclusion of the contract, the instruction is given to transfer personal data to the other processor Akamai Technologies, Inc., 150 Broadway, Cambridge, 02142 MA, USA as part of the measures to be implemented in accordance with Part C, clause 3.3 as provided in section 6 below. This transfer is permitted under Art. 45 GDPR as Akamai Technologies, Inc. is Privacy Shield certified and therefore has an adequate level of data protection under Commission Implementing Decision (EU) 2016/1250 (https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016D1250&from=EN). The certification can be viewed at https://www.privacyshield.gov/participant?id=a2zt0000000Gn4RAAS&status=Active.
The duration of the contract data processing shall be equivalent to the duration of the use of the Customer Centre. If a contract governing the publication of job adverts and/or the use of the applicant database comes to an end (DirectSearch Database), corresponding access (to the Customer Centre and the applicant database resp. the Video Job Interview Function) will be deactivated. If a new contract is concluded, access will be re-activated, provided the contract governing use of the Customer Centre has not ended beforehand.
In the context of applicant management, data subjects are persons who have applied for an open position with the customer via the StepStone application form or the Video Job Interview Function. In the context of the DirectSearch Database, data subjects are persons who have created a StepStone profile.
Data that can be viewed by the customer and StepStone in the context of applicant management is all the personal data that has been provided and transmitted by the candidate as well as such data that can be used to identify the candidate. This therefore generally encompasses all CV-related data, such as name, address, telephone number, date of birth and details concerning education and professional experience. Furthermore, data captured by the customer regarding the application may be added to such data. This includes information that the customer enters when using the comment function or note function or by assigning an application status, as well as, in the case of the Video Job Interview Function, the recorded candidate videos.
In the context of applicant management, the object and purpose of processing is the transmission of data provided by the applicant to the customer. Transmission takes place by providing the application data in the customer-specific account in the StepStone Customer Centre. For the customer to be able to view the data, the customer has to be logged in. If the customer creates a note, a comment or assigns a status to the application, this information is likewise saved in the Customer Centre. Insofar as a status can be assigned to the application through the Customer Centre, the customer entrusts StepStone to directly inform the applicant of this status.
Within the scope of the Video Job Interview function, the object and purpose of the processing is to transmit the Video Interview created by the applicant to the customer. The transmission takes place by making the videos available in the customer-specific account.
In the context of DirectSearch, the object and purpose of processing is the management of applications.
2 Obligations of the customer as client
Pursuant to Art. 4 No. (7) GDPR, the customer is the controller under data protection law for personal data collected and processed by StepStone in accordance with the terms of the contract.
The customer shall comprehensively inform StepStone without undue delay if it discovers errors or irregularities with regard to data protection regulations when reviewing the results of the processing.
The customer shall keep a record of processing activities pursuant to Art. 30 (1) GDPR.
3 Duties of StepStone as contractor
StepStone shall inform the customer without undue delay if StepStone is of the opinion that an instruction from the customer breaches applicable laws. StepStone may suspend implementation of the instruction until it has been confirmed as being permitted or modified by the customer.
StepStone shall comply with the provisions of this data processing agreement and relevant applicable data protection laws, in particular the GDPR.
StepStone shall take appropriate organisational and technical measures in accordance with the relevant data protection laws, including the GDPR and in particular Art. 32 thereof, to protect the personal data of the data subjects and their rights and freedoms, taking into account implementation costs, the state of the art, nature, scope and purpose of processing as well as the likelihood of occurrence and severity of the risk. These protective measures are recorded in the overview of technical and organisational measures, which can be referred to in Annex 2. The technical and organisational measures are subject to technical progress and further development. In this respect, StepStone is required to check the effectiveness of the measures and adapt them accordingly as technology progresses. Alternative protective measures are permitted as long as they do not fall below the protective level of the defined measures. Significant changes must be documented and reported to the customer without undue delay. If the measures are changed in such a way that, from the customer’s point of view, StepStone cannot guarantee equivalent or higher protection of the data, the customer has the right to extraordinary termination after unsuccessful issuance of instructions with regard to the services covered by these additional conditions for contract data processing. The same applies if notice of such changes is not provided.
StepStone shall provide the customer with the information necessary for the record of processing activities pursuant to Art. 30 (1) GDPR and shall keep a separate list of all categories of processing activities carried out on behalf of the customer pursuant to Art. 30 (2) to (5) GDPR.
All persons who can access personal data processed on behalf of the customer in accordance with the customer’s contract shall be bound to confidentiality in accordance with Art. 28 (3) (b) GDPR and shall be informed of the special data protection obligations resulting from the contract as well as the existing binding instructions and/or purpose.
StepStone is required to appoint a company data protection officer. The current contact details are easily accessible from StepStone’s website.
StepStone guarantees protection of data subject rights and supports the customer to the necessary extent in responding to requests to exercise data subject rights pursuant to Art. 12 – 23 GDPR. StepStone shall inform the customer without undue delay if a data subject contacts StepStone directly for the purpose of providing access, rectification, erasure or restricting the processing of their personal data.
StepStone shall support the customer in carrying out data protection impact assessments pursuant to Art. 35 GDPR and the resulting consultation of the supervisory authority pursuant to Art. 36 GDPR to the necessary extent. StepStone shall support the customer with regard to compliance with reporting and notification obligations in the event of data protection breaches within the meaning of Art. 33 and 34 GDPR.
StepStone shall inform the customer in text form without undue delay in the event of operational disruptions, suspected personal data breaches pursuant to Art. 4 No. 12 GDPR in connection with data processing or other irregularities in the processing of the data for the customer. In consultation with the customer, StepStone shall take appropriate measures to secure the data and to minimize possible adverse consequences for data subjects insofar as the personal data breach was StepStone’s responsibility.
In the event that the data protection authorities investigate StepStone, the customer must be informed without undue delay to the extent the investigation relates to the subject matter of the contract.
In the event that StepStone intends to process data from the customer – including transfer to a third country or an international organisation – without having been instructed to do so by the customer, i.e. because StepStone is required to do so pursuant to Art. 28 (3) first sentence (a) GDPR, StepStone will inform the customer without undue delay of the purpose, legal basis and data concerned, unless and to the extent that such a notification is prohibited by law.
4 Audits including inspections
StepStone shall provide the customer all necessary information to verify the obligations set out in the contract. StepStone shall permit the customer to conduct audits, including inspections in accordance with Art. 28 (3) (h) GDPR, before the commencement and during the term of this agreement after reasonable prior notice and during normal business hours (9:00-18:00). The customer is entitled to satisfy itself directly, or through suitable third parties bound to professional secrecy, of the observance of the technical and organisational measures before commencement and during contract data processing, after timely notification at the business premises during normal business hours without disturbing the course of business. The result of these audits shall be documented and signed by both parties.
As verification of the technical and organisational measures, StepStone may also submit current certificates, reports or report extracts from independent bodies (e.g. auditors, internal auditors, data protection officers, IT security department, data protection auditors, quality auditors) or a suitable certification by IT security or data protection audit (e.g. in accordance with BSI baseline protection).
5 Additional processors
The subcontractors included in the list of subcontractors available in Annex 1 are approved as subcontractors upon award of the contract. StepStone may award contracts to other processors (subcontractors) by informing the customer in advance of the inclusion or replacement of new subcontractors by notification in text form of the change to the subcontractor list, provided the customer does not object within four weeks. If the customer does object, StepStone is entitled to discontinue the comment function in the context of the DirectSearch Database as referred to in Part B, clause 8.1.2 or the services in the context of the Customer Centre as referred to in Part B, clause 10.1.3.
StepStone will impose the same data protection obligations on the subcontractors as those set out in this data processing agreement, so that the processing complies with the requirements of the GDPR.
Further outsourcing by the subcontractor requires the express consent of the primary contractor (at least in text form); all contractual provisions in the contract chain must also be imposed on the additional subcontractor.
Third-party services used only as ancillary services to assist in performing the contract processing shall not be deemed subprocessors. These include, for example, telecommunications services, maintenance and user support, cleaning staff, inspectors or the disposal of data media. StepStone is, however, required to enter into appropriate and lawful contractual agreements with such service providers and to take control measures to ensure the protection and security of the customer’s data; this also applies to outsourced ancillary services.
6 Erasure and return
At the end of the StepStone Customer Centre contract, StepStone shall erase the data contained in the applicant management system. Otherwise, StepStone will erase the data at the latest one year after receipt of the application in the applicant management system and otherwise upon request of the client.
Annex 1 to the StepStone Data Processing Agreement: List of subcontractors
StepStone’s subcontractors listed below are deemed to have been approved when the contract is awarded:
StepStone GmbH, Völklinger Str. 1, 40215 Düsseldorf, Germany
– Hosting and related security services
– Back-up services
– Customer-service troubleshooting support
StepStone Continental Europe GmbH, Völklinger Straße 1, 40219 Düsseldorf, Germany
– Hosting and related security services
– Back-up services
– Customer-service troubleshooting support
StepStone N.V., Koningsstraat 47 Rue Royale, 1000 Brussels, Belgium
– Hosting and related security services
– Back-up services
– Customer-service troubleshooting support
StepStone Services sp. z o.o., ul. Domaniewska 50, 02-672 Warsaw, Poland
– Customer-service troubleshooting support
Akamai Technologies GmbH, Parkring 20-22, 85748 Garching, Germany
StepStone uses Akamai as a Web Application Firewall as part of its technical and organisational protection measures and therefore delivers content to website visitors via Akamai in order to protect its systems.
Akamai Technologies, Inc., 150 Broadway, Cambridge, 02142 MA, USA
Services: see Akamai Technologies GmbH, Akamai Technologies GmbH uses Akamai Technologies, Inc. as a subcontractor.
Amazon Webservices, Inc., 410 Terry Drive Ave North, WA 98109-5210 Seattle, USA
Hosting and related security services (provided exclusively within the EU).
Cammio GmbH, Philipp-Franck-Weg 19, 14109 Berlin, Germany
StepStone uses Cammio to conduct Video Job Interviews.
Annex 2 to the StepStone Data Processing Agreement: Technical and organisational measures
1 Confidentiality (Art. 32 (1) (b) GDPR)
Physical access control: No unauthorized physical access to the data-processing facilities, ensured as follows:
The data centres have a multi-layered security structure. The exterior areas of the data centres are equipped with high-security fences and walls. The entrances are protected by security personnel 24 hours a day, seven days a week. The facilities are monitored by security cameras. Access to the server rooms is secured by magnetic cards. The systems are stored in locked server cabinets.
Comprehensive security measures are also in place at the respective StepStone sites. Access is only possible by means of magnetic cards and visitors must be granted special access.
System access control: No unauthorized system use, ensured as follows:
The customer can only access the data processed on its behalf after logging into the customer area using the password it has specified. StepStone only stores the log-in details in encrypted form.
By default, the data flow between users and the system is end-to-end encrypted using the Transport Layer Security (TLS) protocol.
StepStone uses Akamai’s services as a Web Application Firewall for its systems.
StepStone has an internal password policy for its employees that requires, among other things, that passwords must be at least eight characters long and be changed regularly, must not be identical or similar to the user name, and must contain characters from at least three of the following four classes: i) upper-case letters, ii) lower-case letters, iii) digits, iv) symbols.
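As an added illustration, not StepStone’s own code, the following Python function checks a candidate password against the rules listed above. Interpreting “similar to the user name” as containing the user name (or its reverse, or the local part of an e-mail user name) is an assumption, and the regular-change requirement is outside the scope of a point-in-time check.

```python
import string

MIN_LENGTH = 8  # minimum length stated in the policy


def _char_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    classes = [
        any(c.isupper() for c in password),          # i) upper-case letters
        any(c.islower() for c in password),          # ii) lower-case letters
        any(c.isdigit() for c in password),          # iii) digits
        any(c in string.punctuation for c in password),  # iv) symbols (assumed: ASCII punctuation)
    ]
    return sum(classes)


def _similar_to_username(password: str, username: str) -> bool:
    """Assumption: 'similar' means the password contains the user name,
    its reverse, or the local part of an e-mail style user name
    (case-insensitive, ignoring very short fragments)."""
    pw = password.lower()
    user = username.lower()
    candidates = {user, user[::-1]}
    if "@" in user:
        candidates.add(user.split("@", 1)[0])
    candidates = {c for c in candidates if len(c) >= 3}
    return any(c in pw for c in candidates)


def check_password(password: str, username: str) -> list[str]:
    """Return the list of violated rules; an empty list means the password
    satisfies the policy as interpreted here."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if _similar_to_username(password, username):
        violations.append("similar_to_username")
    if _char_classes(password) < 3:
        violations.append("too_few_character_classes")
    return violations


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw, user in [("Tr0ub4dor&3", "jdoe"), ("jdoe2020!", "jdoe"),
                     ("password123", "bob"), ("Abc1!", "alice")]:
        print(pw, user, check_password(pw, user))
```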
Data access control: No unauthorized reading, copying, changing or removal within the system, ensured as follows:
The data access rights of the customer are strictly limited to the data that is actually processed on behalf of the respective customer. Only specifically defined StepStone personnel can access data that is processed on behalf of the customer, provided this is required for system administration and customer service purposes at the request of the respective customer.
The system logs all events related to data processing on behalf of the customer.
Separation control: Separate processing of data collected for different purposes, ensured as follows:
The StepStone Customer Centre is multi-client capable, so that every logged-in customer can only see the data that is connected to its account.
Pseudonymisation (Art. 32 (1) (a) GDPR; Art. 25 (1) GDPR): Not relevant, as the customer requires non-pseudonymised access to the data.
2 Integrity (Art. 32 (1) (b) GDPR)
Transfer control: No unauthorized reading, copying, changing or removal during electronic transfer or transport, ensured as follows:
All data sent over publicly accessible networks is end-to-end encrypted using the Transport Layer Security (TLS) protocol.
Input control: Determining if and by whom personal data has been entered, modified or removed within data processing systems, ensured as follows:
The StepStone system logs the activities of each log-in and log-out as well as any processing, addition, modification and deletion of data by the respective user, as well as the relevant time (by time stamp).
3 Availability and resilience (Art. 32 (1) (b) GDPR)
Availability control: Protection from accidental or intentional destruction or loss, ensured as follows:
Anti-virus programs and firewalls are used. StepStone uses Akamai’s services as a Web Application Firewall for its systems. The hosting environment is equipped with fire detectors, water leakage detectors and raised floors. Temperature and humidity are constantly monitored to maintain predefined values. There is an uninterruptible power supply for at least 72 hours.
Timely restoration (Art. 32 (1) (c) GDPR), ensured by
– Back-up procedures;
– Uninterruptible power supply (UPS);
– Separate storage;
– Virus protection and firewalls;
– Emergency and contingency plans;
– Employee training.
4 Procedures for regular testing, assessment and evaluation (Art. 32 (1) (d) GDPR; Art. 25 (1) GDPR), ensured as follows:
StepStone organizes regular audits with external service providers to check its data security standards and processes. Network penetration tests are carried out regularly.
Requests are inspected and verified on two levels before they reach the application servers: at the firewall and at the web application firewall. This allows unusual queries to be analysed and blocked before they reach the database layer, preventing SQL injection attempts. The system itself logs failed log-in attempts for requests that have passed through the firewall and the WAF.
Our data protection measures are continuously reviewed in a PDCA cycle.
Last revised: 30 March 2020