Data Processing Agreement
Last Updated: 22 January 2026
This Data Processing Agreement ("DPA") forms part of the service agreement between TALENT SCORE LTD ("Processor") and the organization or individual user ("Controller") in accordance with UK GDPR Article 28.
When This DPA Applies
This DPA applies to you if you act as a Data Controller and use our platform as a Data Processor. This means:
You ARE a Data Controller if:
- You collect personal data from individuals (e.g., CVs, contact details) and upload it to our platform for processing
- You determine what data to collect and why
- You instruct us to process that data on your behalf
You are NOT a Data Controller (and this DPA does not apply) if:
- You operate a marketplace where users upload their own data directly to our platform
- You only upload your own personal data (e.g., your own CV as a job seeker)
- You are simply a customer using our platform services
If you're unsure whether this DPA applies to you, please contact legal@talentscore.pro
1. Scope of Processing
Personal Data Processed:
- User names, contact details, profile information, uploaded documents, preferences, requirements, AI-generated assessments, match scores
Data Subjects:
- Users of the platform and third parties whose data is uploaded
Purpose:
- Matching and evaluation services within the platform
Legal Basis:
- Contract performance (providing matching services)
- Legitimate interests (matching and evaluation)
Special Category Data:
- Processor acknowledges that special category data (health information, ethnicity, religion, etc.) may appear in uploaded documents and profiles
- Controller remains responsible for ensuring lawful processing of any special category data under UK GDPR Article 9, including obtaining explicit consent where required
Duration:
- While service agreement is active and as specified in data retention terms
2. Processor Obligations
2.1 Processing Instructions
- Process data only on Controller's documented instructions via platform functionality
- Inform Controller if instructions appear to violate UK GDPR
2.2 Confidentiality
- All personnel accessing data are bound by confidentiality obligations
2.3 Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare | Infrastructure, database, storage | USA, UK, EU |
| AWS | Infrastructure, storage | USA, UK, EU |
| Google | Authentication | USA, EU |
| Resend | Email delivery | USA |
| Anthropic | AI document processing | USA |
| OpenAI | AI document processing | USA |
| Gemini | AI document processing | USA, EU |
All sub-processors have Standard Contractual Clauses and DPAs in place.
Controller authorizes use of sub-processors listed above. Processor may add sub-processors by updating this agreement. Current list available at the platform legal documentation.
2.4 International Transfers
Data may be processed in UK, EU, and USA. Standard Contractual Clauses approved by the ICO are in place. UK GDPR rights remain fully enforceable.
2.5 Data Subject Rights Assistance
- Provide access to data processed on Controller's behalf
- Enable data export in machine-readable format
- Facilitate rectification or deletion
- Respond in a timely manner to enable Controller to meet their GDPR obligations
2.6 Data Breach Notification
- Notify Controller without undue delay
- Include nature of breach, affected data, consequences, and remediation measures
- Controller remains responsible for notifying ICO and affected users
2.7 Audit Rights
- Controller may audit compliance once per year with reasonable notice
- Processor will provide documentation in a reasonable timeframe
3. Controller Obligations
- Ensure lawful basis for processing under UK GDPR
- Maintain own privacy policy (where applicable)
- Respond to data subject rights requests
- Implement appropriate security measures
- Report any data breaches to Processor promptly
- Delete data when no longer needed for the agreed purposes
- Not share data with third parties without user consent
- Not use data for purposes other than the agreed platform operations
- Ensure compliance with UK GDPR Article 9 regarding special category data (health, ethnicity, religion, etc.) identified in user information
- Provide reasonable assistance to Processor to enable compliance with Data Protection Laws
4. Data Retention and Deletion
Retention:
- As specified in the platform's data retention policy and service terms
- Financial records: 6 years (UK tax law)
On Termination:
- Provide data export in a reasonable timeframe
- Delete all data unless legal obligations require retention
- Certification provided upon request
5. Liability
Each party is liable for its own UK GDPR compliance failures.
Processor Liability Cap:
- Direct damages: Greater of £1,000 or total fees paid in preceding 12 months
- Regulatory fines and security breaches: Uncapped for willful or grossly negligent violations
- Higher liability limits available for enterprise customers by separate agreement
6. Term and Termination
Term: Effective on Controller acceptance of Terms of Service until service agreement terminates and all data is deleted.
Termination: Either party may terminate for material GDPR breach not remedied within a reasonable cure period.
Survival: Confidentiality, data deletion obligations, and liability survive termination.
7. General
Governing Law: England and Wales
Amendments: Reasonable advance notice for material changes
Contact:
- TALENT SCORE LTD
- 4th Floor, Silverstream House, 45 Fitzroy Street, Fitzrovia, London, W1T 6EB
- legal@talentscore.pro
By collecting and uploading personal data of third parties to our platform for processing, you confirm that you are acting as a Data Controller under UK GDPR and agree to comply with this DPA. This includes scenarios where you collect CVs or personal information from individuals and use our platform to process that data on your behalf.