Data Processing Agreement

Last Updated: 29 October 2025

This Data Processing Agreement ("DPA") forms part of the service agreement between TALENT SCORE LTD ("Processor") and the client organization ("Controller") in accordance with UK GDPR Article 28.


1. Scope of Processing

Personal Data Processed:

  • Candidate names, contact details, CVs, employment history, skills, qualifications, salary expectations, references, AI-generated assessments

Data Subjects:

  • Candidates introduced to the Client

Purpose:

  • Recruitment and candidate evaluation

Legal Basis:

  • Contract performance (providing recruitment services)
  • Legitimate interests (recruitment and candidate evaluation)

Special Category Data:

  • Processor uses AI-powered systems to detect and filter sensitive personal data (health information, ethnicity, religion, etc.) that may appear in candidate CVs
  • Controller remains responsible for ensuring lawful processing of any special category data under UK GDPR Article 9, including obtaining explicit consent where required

Duration:

  • While service agreement is active and for 12 months after candidate introduction

2. Processor Obligations

2.1 Processing Instructions

  • Process data only on Client's documented instructions via platform functionality
  • Inform Client if instructions appear to violate UK GDPR

2.2 Confidentiality

  • All personnel accessing data are bound by confidentiality obligations

2.3 Security

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and authentication
  • Regular security audits
  • Backup and disaster recovery

2.4 Sub-processors

  Sub-processor   Purpose                              Location
  Cloudflare      Infrastructure, database, storage    USA, UK, EU
  Google          Authentication                       USA, EU
  Resend          Email delivery                       USA
  Anthropic       AI CV parsing                        USA

All sub-processors have Standard Contractual Clauses and DPAs in place.

Changes: 30 days' notice for new sub-processors. Client may object on reasonable grounds.

2.5 International Transfers

Data may be processed in UK, EU, and USA. Standard Contractual Clauses approved by the ICO are in place. UK GDPR rights remain fully enforceable.

2.6 Data Subject Rights Assistance

  • Provide access to data in Client's account
  • Enable data export (JSON, CSV)
  • Facilitate rectification or deletion
  • Respond within 5 business days

2.7 Data Breach Notification

  • Notify Client within 24 hours of becoming aware of a personal data breach
  • Include the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it
  • Client remains responsible for notifying ICO and candidates

2.8 Audit Rights

  • Client may audit compliance once per year with reasonable notice
  • Processor will provide documentation within 30 days
  • Client may accept third-party audit reports (SOC 2, ISO 27001)

3. Controller Obligations

  • Ensure lawful basis for processing under UK GDPR
  • Maintain own privacy policy
  • Respond to data subject rights requests
  • Implement appropriate security measures
  • Report any data breaches to Processor within 24 hours
  • Delete data when no longer needed for recruitment
  • Not share data with third parties without candidate consent
  • Not use data for purposes other than recruitment
  • Ensure compliance with UK GDPR Article 9 regarding special category data (health, ethnicity, religion, etc.) identified in candidate information
  • Provide reasonable assistance to Processor to enable compliance with Data Protection Laws

4. Data Retention and Deletion

Retention:

  • Active candidates: Until deletion requested
  • Inactive candidates: 3 years, then deleted
  • Introduced candidates: Until Client deletes or 12 months after introduction
  • Financial records: 6 years (UK tax law)

On Termination:

  • Within 30 days: Provide data export
  • Within 90 days: Delete all data unless legal obligations require retention
  • Certification provided upon request

5. Liability

Each party is liable for its own UK GDPR compliance failures.

Processor Liability Cap:

  • Direct damages: Greater of £100,000 or total fees paid in preceding 12 months
  • Regulatory fines and security breaches: Uncapped for willful or grossly negligent violations

6. Term and Termination

Term: Effective on Client acceptance of Terms of Service until service agreement terminates and all data is deleted.

Termination: Either party may terminate immediately for material GDPR breach not remedied within 30 days.

Survival: Confidentiality, data deletion obligations, and liability survive termination.


7. General

Governing Law: England and Wales

Amendments: 30 days' notice for material changes

Contact:

  • TALENT SCORE LTD
  • 4th Floor, Silverstream House, 45 Fitzroy Street, Fitzrovia, London, W1T 6EB
  • legal@talentscore.pro

By using TalentScore's services, you agree to act as Data Controller for candidate data and comply with UK GDPR and this DPA.