RecruitPilot AI Privacy Note
Version 1.2 – Last Updated: 03/06/2025

RecruitPilot AI Limited (“RecruitPilot AI,” “RecruitPilot,” “RPAI,” “we,” “us,” and “our”) respects your privacy. This privacy notice describes how we collect, use, and protect personal information relating to you or that you provide to us in connection with our products and services.

This DPA governs the processing of personal data by RecruitPilot AI Limited, encompassing services such as our Web app, Custom GPTs and the Chrome extension. The DPA ensures compliance with data protection laws and provides transparency on how personal data is handled within these services.

  • Controller: The entity that determines the purposes and means of processing personal data, typically users who utilize RecruitPilot's services.
  • Processor: RecruitPilot AI Limited, the entity that processes personal data on behalf of the Controller.
  • Data Subject: An identifiable natural person whose personal data is processed, including end-users interacting with RecruitPilot's products.
  • Personal Data: Any information relating to a Data Subject, such as names, contact details, user interactions, and other data provided through the use of RecruitPilot's services.
  • Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
  • Sub-Processor: Any third party appointed by the Processor to process personal data on behalf of the Controller.
  • The Processor processes personal data solely on behalf of the Controller to provide services such as Web application, Custom GPTs and the Chrome extension. This includes processing data to enhance service features, maintain service quality, and provide customer support.
  • The Controller is responsible for ensuring all necessary consents are obtained and for compliance with applicable data protection laws when instructing the Processor to process personal data.
  • The Processor will only process personal data on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless otherwise required by law.
  • The Processor provides AI-powered tools that may involve open-ended prompts, autonomous agent workflows, and structured orchestration via frameworks such as LangGraph. These tools assist Controllers with recruitment workflows but do not make or dictate employment decisions. All AI-driven features are scoped, auditable, and subject to human oversight. Controllers remain responsible for how AI-generated content is used.
  • Some services operate on a usage-based model involving tokens or credits. The Processor may log user interactions and outputs to meter feature access and maintain billing accuracy. These logs may include metadata such as timestamp, feature used, credit deduction, and model version, but will not be used to train models or create behavioural profiles. Logs are retained securely and only for operational, billing, or compliance purposes.
  • The Controller may amend processing instructions at any time by providing written notice to the Processor. The Processor shall comply with the amended instructions within a reasonable timeframe, not exceeding 7 days, unless such instructions conflict with applicable laws.
  • Confidentiality: The Processor ensures that its personnel engaged in processing personal data are informed of the confidential nature of the data and adhere to strict confidentiality agreements.

  • Security: The Processor implements appropriate technical and organizational measures to protect personal data, including but not limited to:

    • Encryption: Data in transit is protected using SSL/TLS, and data at rest is encrypted using AES-256.
    • Access Controls: Access to personal data is restricted to authorized personnel who require access for their duties.
    • Network Security: Use of firewalls, intrusion detection systems, and other security measures to prevent unauthorized access.
    • Regular Audits: Conduct regular security audits and assessments to identify and address potential vulnerabilities.
    • Data Minimization: Ensure that only the minimum amount of personal data necessary for the purposes is processed.
    • Multi-Factor Authentication (MFA): Requiring MFA for access to systems processing personal data.
    • Key Management: Encryption key management practices include regular key rotation and secure storage of keys.
    • Incident Response: The Processor maintains an incident response plan and reports any security incidents to the Controller within 72 hours.
  • Data Subject Rights: The Processor assists the Controller in fulfilling obligations related to Data Subject requests, including access, correction, deletion, data portability, and objection rights. The Processor notifies the Controller of any such requests and does not respond without prior written consent. If processing involves automated profiling (e.g., candidate scoring), the Processor supports the Controller under GDPR Article 22 by providing information on the logic involved, enabling human intervention, and supporting contesting of automated decisions.

  • Data Breach Notification: The Processor will notify the Controller without undue delay, and no later than 72 hours after becoming aware of a personal data breach, providing details of the breach, its impact, and mitigation measures. If sensitive data is affected, the Processor will also notify affected data subjects when required by law or instructed by the Controller.

RecruitPilot is committed to adhering to global data protection regulations, including but not limited to:

  • The Processor may engage Sub-Processors to provide certain services. Sub-Processors are bound by the same data protection obligations as the Processor under this DPA. A list of Sub-Processors can be provided upon request, and the Controller will be notified of any changes.
  • The Processor remains fully liable for the actions of any Sub-Processor it engages.
  • A detailed list of sub-processors, including their functions and locations, will be provided to the Controller upon request. The Controller has the right to object to the addition or change of sub-processors within 7 days of notification. The Processor shall refrain from engaging the new sub-processor until the Controller's objections are resolved.
  • Where the Processor integrates with third-party APIs such as LinkedIn, all processing is subject to that platform's data usage terms and technical constraints. The Processor shall ensure that any API-based processing complies with LinkedIn's Developer Policies and API Terms of Use and will not persistently store, repurpose, or share LinkedIn data beyond user-authorised scopes.

The Processor will not transfer personal data outside the European Economic Area (EEA) without the prior written consent of the Controller, unless such transfer is subject to appropriate safeguards, such as standard contractual clauses approved by the European Commission or other lawful mechanisms. The Processor shall provide evidence of such safeguards upon request by the Controller.

Upon termination of the Agreement, the Processor will, at the choice of the Controller, delete or return all personal data to the Controller and delete existing copies, unless storage of the personal data is required by law. The methods of data deletion will include secure erasure techniques to ensure that data cannot be recovered.

  • The Processor will provide the Controller with all necessary information to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Audits must be conducted during regular business hours with reasonable notice and minimal disruption to the Processor's operations. The Controller shall bear any costs associated with the audit.
  • Audits may be conducted once per year, unless otherwise required by applicable law or triggered by a significant data protection incident. The costs of audits shall be borne by the Controller, except where non-compliance by the Processor is identified, in which case the Processor shall bear the costs.
  • The Processor will be liable for any damage caused by processing that does not comply with this DPA or applicable data protection laws. The Controller agrees to indemnify the Processor against any claims arising from the Processor's compliance with the Controller's instructions, provided that such instructions are in violation of applicable data protection laws. The Processor maintains insurance coverage for liabilities arising from data breaches or other incidents.
  • The total aggregate liability of the Processor under this DPA shall not exceed £8,700,000, except in cases of gross negligence, wilful misconduct, or breaches of confidentiality.
  • The Processor shall assist the Controller in conducting DPIAs and prior consultations with data protection authorities, as required by GDPR Article 35. This includes providing necessary information and access to systems, as well as identifying and mitigating potential risks associated with data processing activities.
  • If applicable, the Processor will provide the contact details of the Data Protection Officer (DPO), who can provide additional support and information on data protection practices.
  • This DPA shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
  • We may update this Data Processing Agreement from time to time to reflect changes in our data processing practices, legal requirements, or services. The most current version will always be available at https://recruitpilot.ai/dpa, with the effective date clearly stated at the top.
  • Material changes (such as changes to sub-processing practices, data transfer mechanisms, or legal rights) will be communicated via email or through our platform at least 14 days before taking effect, unless legally required sooner.
  • Continued use of the Services after the effective date of a revised DPA will constitute your acknowledgement of the updated terms. If you object to any material changes, you may terminate your agreement in accordance with the Terms of Service.

RecruitPilot AI Limited

85 Great Portland Street, First Floor, London W1W 7LT

Email: support@recruitpilot.ai