C2 is an all-in-one HRIS platform built for European SMEs (10–500 employees). It combines recruiting, onboarding, employee management, performance, learning, and a built-in AI assistant – everything in one simple, GDPR-compliant system with data hosted in Europe.

European small and medium businesses that want to replace spreadsheets and fragmented tools with one modern, affordable HR platform. Ideal for teams of 10 to 500 people who need quick ROI without enterprise complexity.

Transparent pricing with no hidden fees or long-term commitments: - Start-up — from €4 per person/month - SME — from €7 per person/month - Enterprise — from €10 per person/month Includes all core features, support, and regular updates. Book a demo to see exact pricing for your team size.

How does the AI assistant in C2 help?

C2’s AI assistant instantly answers employee and manager questions about policies, benefits, leave balances, and procedures – 24/7 in natural language. It reduces HR tickets by up to 60% while keeping all answers accurate and compliant.

How much time does C2 actually save?

Most HR teams save 20–30 hours per week through automation of onboarding, leave requests, reviews, and documents – plus the AI assistant that handles routine queries instantly.

Is C2 GDPR compliant and secure?

Yes. Fully GDPR-compliant with data hosted in Europe for true data sovereignty. Built-in tools help you stay compliant with training, policies, and audit-ready reporting.

Trust Center: Security, Privacy & Compliance for GDPR, EU Data Residency

Legal Documents

Download & Review Our Legal Agreements

All documents are available for download and review before you commit. No request required.

📄

Data Processing Agreement

Our Art. 28 GDPR-compliant DPA: how C2 processes personal data on your behalf, covering ROPA, DSARs, breach notification, sub-processors, and data deletion. Accepted automatically on signing your subscription.

Version 1.0 · April 2026 · Dutch law

↓ Download DPA (PDF) .docx

📋

Terms and Conditions

The master subscription agreement governing your use of C2: licence grant, fees, warranties, limitation of liability, and governing law (Netherlands).

Last updated: May 2025 · Dutch law

View Terms →

🔒

Privacy Policy

How Agile Futurist collects and processes personal data as a controller for website visitors, prospects, and contacts (separate from customer tenant data).

Available on request

Request via DPO →

Note: Acceptance of the C2 Terms of Service incorporates this DPA by reference. You do not need to sign a separate DPA unless your internal policy requires a countersigned copy. For countersigned DPA requests, contact dpo@cognitis.cloud.

Sub-processor Register

Third Parties We Use to Deliver the Platform

In line with Art. 28(3)(d) GDPR, we maintain a public register of all sub-processors. You will receive at least 30 days advance notice of any additions or changes.

Sub-processor Category	Purpose	Processing Location	Transfer Mechanism	DPA Status
Cloud Infrastructure & Hosting	Primary compute, storage, networking and databases underpinning the platform.	European Union	N/A (EEA)	Signed, Art. 28
Email Delivery Service	Transactional and notification emails: DSAR alerts, onboarding flows, system notifications.	EU / EEA	N/A or SCC Module 3	Signed, Art. 28
AI Model Provider	Processing of AI HR Assistant queries. No training on customer data.	EU preferred	N/A (EEA) or SCC Module 2	Signed, Art. 28 + AI Act
Platform Monitoring & Observability	Application performance monitoring and error tracking. Pseudonymised data only.	European Union	N/A (EEA)	Signed, Art. 28
Customer Support Platform	Management of support tickets from your users. Restricted to support personnel only.	EU / EEA	N/A or SCC Module 3	Signed, Art. 28

Last updated: April 2026. To receive sub-processor change notifications by email, contact dpo@cognitis.cloud with subject “Sub-processor notifications”.

Security Measures

Technical & Organisational Measures (TOMs)

A summary of our security measures as defined in Schedule 2 of the DPA. The full Schedule is available in the downloadable DPA above.

Access Control

Role-based access (RBAC), least privilege
MFA enforced for admin accounts
Session timeout, unique credentials
Privileged access management

Encryption

In transit: TLS 1.2+ (TLS 1.3 preferred)
At rest: AES-256
Database-level encryption
Annual key rotation

Tenant Isolation

Strict logical separation between tenants
Tenant identity enforcement at ORM layer
Automated isolation tests on every deployment

Infrastructure

EU-only hosting (ISO 27001 data centres)
Network segmentation, IDS/IPS, WAF
DDoS mitigation in place

Vulnerability Management

Annual third-party penetration testing
Automated dependency scanning (CI/CD)
Critical patches within 72 hours

Availability & Recovery

99.5% uptime SLA
Daily backups, 30-day retention
Quarterly DR testing

Incident Response

72-hour breach notification to controller
Documented incident response plan
Real-time SIEM alerting
Art. 33(5) breach register maintained

Privacy by Design

Data minimisation in all features
DPIA required before high-risk deployments
Automated retention enforcement

Compliance & Certifications

Our Certification Roadmap

We are transparent about where we are on the path to independent verification. Track our progress here.

✓

GDPR Art. 28 Compliance Live

Full DPA published, sub-processor register maintained, DPO designated. All processing on documented controller instructions only.

✓

EU Data Residency Live

All customer data stored and processed exclusively in EU-based infrastructure. No cross-border transfers without explicit safeguards and customer consent.

↻

NIS 2 Directive Review In Progress

Internal review of NIS 2 obligations applicable to C2 as a digital service provider. Policy updates underway.

↻

Annual Penetration Test Planned 2026

Independent third-party penetration test commencing in 2026. Executive summary available to Enterprise tier customers under NDA on request.

↻

ISO 27001 Certification Gap Assessment 2026

ISO 27001 gap assessment commencing in 2026. Target certification within 18 months. The recognised standard for information security management, mapping directly to GDPR Art. 32.

○

ISO 27701 Certification Roadmap

The privacy management extension to ISO 27001, directly mapping to GDPR obligations. Targeted following ISO 27001 certification. C2 will be among the first SME HRIS platforms in Europe to hold this certification.

○

GDPR Art. 42 Certification Monitoring

Tracking accredited Art. 42 GDPR certification schemes in the Netherlands and EU (including EuroPriSe). Will pursue once a mature scheme for SaaS processors is established.

Document History

Legal Document Change Log

Material changes are communicated to existing customers at least 30 days before they take effect.

v1.0 April 2026 Current

Initial DPA publication. Full Art. 28 compliance. Schedules: Details of Processing, TOMs, Sub-processor Register. Governing law: Netherlands. Processor: Agile Futurist.

To receive legal update notifications, email dpo@cognitis.cloud with subject “Legal update notifications”.

Data Protection

Contact Our Data Protection Team

For questions about data protection, GDPR compliance, the DPA, or to exercise data subject rights.

Data Protection Officer

dpo@cognitis.cloud

GDPR queries, DPA questions, data subject rights, DSAR submissions.

Security & Incidents

support@cognitis.cloud

Security concerns, suspected breaches, vulnerability disclosures.

Legal & Contractual

c2.hris@cognitis.cloud

Countersigned DPA requests, sub-processor objections, legal correspondence.

Customer Support