
Data Processing Agreement

Last Updated: 04/07/2025

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between RecruitPilot AI Limited (“RecruitPilot”) (“Processor”) and the User (“Controller”) for the processing of personal data. This DPA outlines the responsibilities and obligations of both parties concerning data protection and compliance with applicable laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant regulations. This DPA also includes compliance with other relevant data protection laws including, but not limited to, the Brazilian General Data Protection Law (LGPD), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and other applicable global regulations.

1. Introduction

This DPA governs the processing of personal data by RecruitPilot AI Limited, encompassing services such as our Web app, Custom GPTs and the Chrome extension. The DPA ensures compliance with data protection laws and provides transparency on how personal data is handled within these services.

2. Definitions

  • Controller: The entity that determines the purposes and means of processing personal data, typically users who utilize RecruitPilot's services.
  • Processor: RecruitPilot AI Limited, the entity that processes personal data on behalf of the Controller.
  • Data Subject: An identifiable natural person whose personal data is processed, including end-users interacting with RecruitPilot's products.
  • Personal Data: Any information relating to a Data Subject, such as names, contact details, user interactions, and other data provided through the use of RecruitPilot's services.
  • Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
  • Sub-Processor: Any third party appointed by the Processor to process personal data on behalf of the Controller.

3. Scope and Role

  • The Processor processes personal data solely on behalf of the Controller to provide services such as Web application, Custom GPTs and the Chrome extension. This includes processing data to enhance service features, maintain service quality, and provide customer support.
  • The Controller is responsible for ensuring all necessary consents are obtained and for compliance with applicable data protection laws when instructing the Processor to process personal data.
  • The Processor will only process personal data on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless otherwise required by law.
  • The Processor provides AI-powered tools that may involve open-ended prompts, autonomous agent workflows, and structured orchestration via frameworks such as LangGraph. These tools are designed to assist Controllers with recruitment workflows but do not make or dictate employment decisions. All AI-driven features are scoped, auditable, and subject to human oversight. Controllers remain responsible for how AI-generated content is used in employment contexts.
  • Some services operate on a usage-based model involving tokens or credits. The Processor may log user interactions and outputs to meter feature access and maintain billing accuracy. These logs may include metadata (e.g., timestamp, feature used, credit deduction, model version) but will not be used to train models or create behavioural profiles. Logs are retained securely and only for operational, billing, or compliance purposes.
  • The Controller may amend processing instructions at any time by providing written notice to the Processor. The Processor shall comply with the amended instructions within a reasonable timeframe, not exceeding 7 days, unless such instructions conflict with applicable laws.

4. Processor Obligations

  • Confidentiality: The Processor ensures that its personnel engaged in processing personal data are informed of the confidential nature of the data and adhere to strict confidentiality agreements.
  • Security: The Processor implements appropriate technical and organizational measures to protect personal data, including but not limited to:
    • Encryption: Data in transit is protected using Secure Sockets Layer (SSL) / Transport Layer Security (TLS), and data at rest is encrypted using AES-256.
    • Access Controls: Access to personal data is restricted to authorized personnel who require access to perform their job duties.
    • Network Security: Use of firewalls, intrusion detection systems, and other security measures to prevent unauthorized access.
    • Regular Audits: Conduct regular security audits and assessments to identify and address potential vulnerabilities.
    • Data Minimization: Ensure that only the minimum amount of personal data necessary for the purposes is processed.
    • Multi-Factor Authentication (MFA): Requiring MFA for access to systems processing personal data.
    • Encryption key management practices shall include regular key rotation and secure storage of keys. The Processor shall maintain an incident response plan and report any security incidents to the Controller within 72 hours.
  • Data Subject Rights: The Processor assists the Controller in fulfilling its obligations to respond to Data Subject requests, including access, correction, deletion, data portability, and objection rights. The Processor will notify the Controller of any such requests and will not respond to requests without the Controller's prior written consent. If the processing involves automated profiling or recommendations (e.g., candidate scoring or ranking), the Processor will support the Controller in fulfilling data subject rights under Article 22 of the GDPR. This includes providing information on the logic involved, enabling human intervention, and responding to requests to contest automated decisions.
  • Data Breach Notification: The Processor will notify the Controller without undue delay, and no later than 72 hours after becoming aware of a personal data breach, providing details of the breach, its impact, and any measures taken to mitigate it.
  • In the event of a data breach involving sensitive data, the Processor will also notify affected data subjects if required by law or the Controller, detailing the nature of the breach and the measures taken to mitigate its impact.

5. Sub-Processing

  • The Processor may engage Sub-Processors to provide certain services. Sub-Processors are bound by the same data protection obligations as the Processor under this DPA. A list of Sub-Processors can be provided upon request, and the Controller will be notified of any changes.
  • The Processor remains fully liable for the actions of any Sub-Processor it engages.
  • A detailed list of sub-processors, including their functions and locations, will be provided to the Controller upon request. The Controller has the right to object to the addition or change of sub-processors within 7 days of notification. The Processor shall refrain from engaging the new sub-processor until the Controller's objections are resolved.
  • Where the Processor integrates with third-party APIs such as LinkedIn, all processing is subject to that platform's data usage terms and technical constraints. The Processor shall ensure that any API-based processing complies with LinkedIn's Developer Policies and API Terms of Use and will not persistently store, repurpose, or share LinkedIn data beyond user-authorised scopes.

6. International Data Transfers

  • The Processor will not transfer personal data outside the European Economic Area (EEA) without the prior written consent of the Controller, unless such transfer is subject to appropriate safeguards, such as standard contractual clauses approved by the European Commission or other lawful mechanisms. The Processor shall provide evidence of such safeguards upon request by the Controller.

7. Data Retention and Deletion

  • Upon termination of the Agreement, the Processor will, at the choice of the Controller, delete or return all personal data to the Controller and delete existing copies, unless storage of the personal data is required by law. The methods of data deletion will include secure erasure techniques to ensure that data cannot be recovered.

8. Audit Rights

  • The Processor will provide the Controller with all necessary information to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Audits must be conducted during regular business hours with reasonable notice and minimal disruption to the Processor's operations. The Controller shall bear any costs associated with the audit.
  • Audits may be conducted once per year, unless otherwise required by applicable law or triggered by a significant data protection incident. The costs of audits shall be borne by the Controller, except where non-compliance by the Processor is identified, in which case the Processor shall bear the costs.

9. Liability and Indemnity

  • The Processor will be liable for any damage caused by processing that does not comply with this DPA or applicable data protection laws. The Controller agrees to indemnify the Processor against any claims arising from the Processor's compliance with the Controller's instructions, provided that such instructions are in violation of applicable data protection laws. The Processor maintains insurance coverage for liabilities arising from data breaches or other incidents.
  • The total aggregate liability of the Processor under this DPA shall not exceed £8,700,000, except in cases of gross negligence, wilful misconduct, or breaches of confidentiality.

10. Data Protection Impact Assessments (DPIAs)

  • The Processor shall assist the Controller in conducting DPIAs and prior consultations with data protection authorities, as required by GDPR Article 35. This includes providing necessary information and access to systems, as well as identifying and mitigating potential risks associated with data processing activities.

11. Data Protection Officer (DPO) Contact Information

  • If applicable, the Processor will provide the contact details of the Data Protection Officer (DPO), who can provide additional support and information on data protection practices.

12. Governing Law and Jurisdiction

  • This DPA shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

13. Changes to this DPA

  • We may update this Data Processing Agreement from time to time to reflect changes in our data processing practices, legal requirements, or services. The most current version will always be available at https://recruitpilot.ai/dpa, with the effective date clearly stated at the top.
  • Material changes (such as changes to sub-processing practices, data transfer mechanisms, or legal rights) will be communicated via email or through our platform at least 14 days before taking effect, unless legally required sooner.
  • Continued use of the Services after the effective date of a revised DPA will constitute your acknowledgement of the updated terms. If you object to any material changes, you may terminate your agreement in accordance with the Terms of Service.

14. Contact Information

For any questions or concerns regarding this DPA, please contact:

RecruitPilot AI Limited
85 Great Portland Street
First Floor
London
W1W 7LT

Email: support@recruitpilot.ai