Data Processing Addendum

Last updated: Nov 25th, 2025

This Data Processing Addendum ("DPA") is incorporated by reference into the SaaS Master Terms of Service between the Company and the Customer.

1. DEFINITIONS

a. "Controller" means the entity that determines the purposes and means of processing Personal Data.

b. "Data Protection Laws" means all applicable laws relating to the processing, privacy, and use of Personal Data, including: (i) the EU General Data Protection Regulation 2016/679 ("GDPR"); (ii) the UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"); (iii) the California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA"); (iv) other applicable US state privacy laws; and (v) any successor or replacement legislation.

c. "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

d. "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Company on behalf of Customer in connection with the Services.

e. "Processing" has the meaning given in applicable Data Protection Laws.

f. "Processor" means the entity that processes Personal Data on behalf of and on the instructions of the Controller.

g. "Sub-processor" means any third party engaged by Company to process Personal Data on behalf of Customer.

2. SCOPE AND APPLICABILITY

a. This DPA applies only to Personal Data processed by Company acting as a Processor on behalf of Customer in connection with the AI Recruiter Services provided under the Proposal – these are referred to as “Services” in the Proposal.

b.The Customer acts as Controller and the Company acts as Processor for purposes of this DPA.

c. The subject matter, duration, nature and purpose of processing, categories of Personal Data, and categories of Data Subjects are set forth in Schedule 1 attached hereto.

d. Schedule 2 of this DPA outlines the technical and organisational security measures which the Company implements to ensure the security of Personal Data, in accordance with Article 32 GDPR and other applicable Data Protection Laws.

3. PROCESSING INSTRUCTIONS

a. Company shall process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to third countries or international organizations, unless required to do so by applicable law.

b. Customer's instructions are initially set out in this DPA and the Proposal and may be amended by additional written instructions agreed upon by both parties.

c. Company shall immediately inform Customer if, in Company's opinion, an instruction infringes applicable Data Protection Laws.

4. CONFIDENTIALITY

Company shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. SECURITY MEASURES

a. Company shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Pseudonymization and encryption of Personal Data
  • Ongoing confidentiality, integrity, availability and resilience of processing systems
  • Regular testing, assessing and evaluating effectiveness of security measures
  • Measures to restore availability and access to Personal Data in a timely manner

b. Company maintains industry-standard security certifications and shall provide evidence of compliance upon reasonable request.

6. SUB-PROCESSORS

a. Customer provides general authorization for Company to engage Sub-processors, provided Company:

  • Maintains a current list of Sub-processors available to Customer
  • Provides 30 days' prior notice of any intended changes
  • Ensures Sub-processors are bound by data protection obligations equivalent to this DPA

b. Customer may object to a Sub-processor within 30 days of notice. If parties cannot resolve the objection, Customer may terminate the affected Services.

c. Company remains fully liable for Sub-processor performance.

7. DATA SUBJECT RIGHTS

a. Company shall assist Customer in responding to Data Subject requests by:

  • Implementing appropriate technical and organizational measures.
  • Providing relevant information within 10 business days of request.
  • Not responding directly to Data Subjects unless authorized by Customer.

b. Company shall assist Customer in ensuring compliance with Data Subject rights under applicable Data Protection Laws.

8. DATA BREACH NOTIFICATION

a. Company shall notify Customer without undue delay and in any event within 24 hours after becoming aware of a Personal Data breach.

b. Notification shall include:

  • Description of the breach and affected Data Subjects.
  • Likely consequences of the breach.
  • Measures taken or proposed to address the breach.
  • Contact information for further information.

c. Company shall provide reasonable assistance to Customer in meeting breach notification obligations to supervisory authorities and Data Subjects.

9. DATA PROTECTION IMPACT ASSESSMENTS

Company shall provide reasonable assistance to Customer in conducting data protection impact assessments and prior consultations with supervisory authorities where required.

10. INTERNATIONAL TRANSFERS

a. Company may transfer Personal Data outside the EEA/UK only:

  • To countries with adequacy decisions, or
  • Subject to appropriate safeguards (Standard Contractual Clauses, BCRs, etc.), or
  • Based on specific derogations under applicable law.

b. Company shall provide details of transfer mechanisms upon request.

11. AUDITS AND INSPECTIONS

a. Company shall make available to Customer information necessary to demonstrate compliance with this DPA.

b. Customer may conduct remote audits, including remote inspections, subject to:

  • Reasonable advance notice (minimum 30 days).
  • Normal business hours.
  • Confidentiality obligations.
  • Customer bearing costs unless material non-compliance found.

c. Company can satisfy audit requirements through third-party certifications or audit reports.

12. DATA RETURN AND DELETION

a. Upon termination of Services, Company shall:

  • Return all Personal Data to Customer in a commonly used format, or
  • Delete Personal Data if return is not reasonably possible.
  • Provide written certification of deletion.

b. Company may retain Personal Data as required by applicable law, subject to continued confidentiality obligations.

13. LIABILITY AND INDEMNIFICATION

a. Each party's liability under this DPA shall be subject to the limitation of liability provisions in the Proposal.

b. Company shall indemnify Customer against fines imposed by supervisory authorities resulting from Company's breach of this DPA, subject to:

  • Customer providing prompt notice and cooperation.
  • Company having sole control of defense.
  • Indemnification not applying to Customer's acts or omissions.

14. TERM AND TERMINATION

This DPA shall remain in effect for the duration of the Proposal and shall survive termination to the extent necessary to fulfil obligations hereunder.

15. GOVERNING LAW

This DPA shall be governed by the same law as the Proposal, except where Data Protection Laws require otherwise.