1. Definitions
Terms not defined here have the meanings given in the UK GDPR / EU GDPR. "Personal Data" means personal data (as defined in those regulations) processed by CandidHQ on the Customer's behalf under the Subscription Agreement. "Sub-processor" means any third party engaged by CandidHQ to process Personal Data; the current list is published at candidhq.tech/subprocessors.
2. Subject matter and duration
CandidHQ processes Personal Data to provide the Service described in the Subscription Agreement (operating branded candidate portals on behalf of the Customer). Processing continues for the duration of the Subscription Agreement and any period required to comply with deletion or return obligations under Section 11.
3. Nature and purpose of processing
Storing, retrieving, transmitting, and displaying Personal Data inside the Service; generating notifications and email; running rate-limit and audit infrastructure; serving an AI prep assistant grounded in Customer-supplied content; producing aggregate analytics for the Customer's own use.
4. Categories of data subject and types of Personal Data
Data subjects: the Customer's job candidates, and the Customer's own staff who use the Service.
Types of Personal Data:
- Identifiers: name, business email, hashed authentication credentials, user IDs.
- Hiring-process metadata: current stage, recruiter notes about the candidate.
- Candidate-authored content: notes typed into the portal, questions submitted to the AI prep assistant.
- Behavioural telemetry: portal visit timestamps, sections viewed, bookmarks, IP addresses recorded for security and rate-limiting.
- Communications metadata: subjects and delivery status of operational emails.
CandidHQ does not solicit or store special-category data (Art. 9 UK GDPR / EU GDPR). If the Customer instructs CandidHQ to process special-category data (for example by uploading it into a portal field), the Customer is responsible for establishing an appropriate Art. 9(2) condition.
5. CandidHQ's obligations
CandidHQ shall:
- Process Personal Data only on the Customer's documented instructions, including the Subscription Agreement, this DPA, and any subsequent written instructions.
- Ensure that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain the technical and organisational measures described at candidhq.tech/trust, which collectively satisfy Art. 32 UK GDPR / EU GDPR.
- Assist the Customer, taking into account the nature of processing, with its obligations under Arts. 32-36 (security, breach notification, impact assessments, prior consultation) by providing reasonable information and access on request.
- Notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal-data breach affecting Customer Personal Data.
- Make available to the Customer the information necessary to demonstrate compliance with Art. 28 and allow for and contribute to audits as described in Section 10.
6. Sub-processors
The Customer authorises CandidHQ to engage the sub-processors listed at candidhq.tech/subprocessors as of the effective date of this DPA. CandidHQ may engage additional sub-processors, provided that it:
- Updates the published list at least 14 days before the new sub-processor begins processing Customer Personal Data, except where shorter notice is required for security or legal reasons.
- Imposes on each sub-processor data protection obligations no less protective than those in this DPA.
- Remains liable to the Customer for the acts and omissions of its sub-processors.
The Customer may object to a new sub-processor on reasonable data-protection grounds by writing to privacy@candidhq.tech within the notice period. If the parties cannot reach an accommodation, the Customer may terminate the affected portion of the Service.
7. International transfers
Where CandidHQ transfers Personal Data outside the United Kingdom or the European Economic Area, that transfer is made under an appropriate safeguard within Art. 46 UK GDPR / EU GDPR. For transfers to the United States (notably Anthropic, PBC for the AI prep assistant), CandidHQ relies on Module 3 of the European Commission's 2021 Standard Contractual Clauses (processor-to-processor) and, for UK transfers, the UK International Data Transfer Addendum issued by the Information Commissioner's Office. The Customer hereby instructs CandidHQ to enter into those clauses with the relevant sub-processors on its behalf.
8. Data subject rights
Taking into account the nature of processing, CandidHQ shall provide the Customer with tools and reasonable assistance to fulfil requests from data subjects exercising rights under Arts. 15-22 UK GDPR / EU GDPR. The primary tool is the recruiter-facing privacy console inside the admin, which supports one-click data export and erasure for a given candidate. Where a data subject contacts CandidHQ directly, CandidHQ will redirect the request to the Customer without responding substantively, except to confirm receipt.
9. Personal-data breach notification
CandidHQ shall notify the Customer at the email address on the Customer's admin account without undue delay, and in any event within 72 hours of becoming aware of a personal-data breach affecting Customer Personal Data. The notification shall describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, the measures taken or proposed, and a contact point for further information, in sufficient detail to enable the Customer to meet its own Art. 33 notification obligation.
10. Audits
CandidHQ makes available, on written request and no more than once per calendar year, sufficient information to allow the Customer to verify compliance with this DPA. That information includes the current sub-processor list, the technical and organisational measures at candidhq.tech/trust, any third-party security audit reports CandidHQ holds, and reasonable answers to a written security questionnaire. Where a Customer reasonably believes that the foregoing is not sufficient, CandidHQ will work in good faith to agree the scope, timing, and reasonable cost of an on-site or virtual audit, which shall be conducted during business hours with at least 30 days' notice and subject to confidentiality.
11. Return or deletion at end of services
On termination of the Subscription Agreement, the Customer may export Personal Data through the in-product export tools for 30 days. At the end of that period, or earlier on written instruction from the Customer, CandidHQ will delete the Personal Data from its systems within 90 days, except to the extent that retention is required by applicable law (notably tax-law obligations on billing records). On request, CandidHQ will certify in writing that deletion has occurred.
12. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Subscription Agreement. Nothing in this DPA limits a party's liability where such limitation is not permitted by law.
13. Order of precedence
In the event of a conflict between this DPA and the Subscription Agreement on matters of data protection, this DPA prevails.
14. Governing law
This DPA is governed by the laws of Scotland, United Kingdom, and the parties submit to the exclusive jurisdiction of the Scottish courts, save that either party may seek injunctive relief in any competent court.
15. Signature and acceptance
Customers who have accepted the Subscription Agreement at sign-up are deemed to have accepted this DPA. Customers requiring a countersigned copy on letterhead should write to privacy@candidhq.tech with the legal entity name, registered address, and the email address of the signatory.
See also: Privacy Policy, Sub-processors, Trust & Security.