Data Processing Agreement
Last updated: July 10, 2026
Recruiter1 has not yet engaged legal counsel for review of this document. When counsel is retained, this page will be revised and the review notice removed.
This Data Processing Agreement ("DPA") forms part of the Recruiter1 Terms of Service and applies to all Customers who process personal data through the Service in jurisdictions governed by GDPR, UK GDPR, CCPA/CPRA, or similar data protection laws.
Customer acts as the data controller (or business under CCPA/CPRA). Recruiter1 acts as the data processor (or service provider under CCPA/CPRA).
Subject matter: Processing of Candidate Data submitted by Customer to the Service for the purpose of candidate evaluation, job matching, resume analysis, and recruitment facilitation.
Duration: For the term of the Customer's subscription, plus 90 days for data export and deletion.
Nature & purpose: Storing, transmitting, and processing Candidate Data to provide AI-powered recruitment features as described in the Terms of Service.
Personal data types: Candidate names, contact information, resumes, employment history, skills, assessment results, and communications.
Data subjects: Candidates whose data is submitted by Customer (agencies, enterprises) to the Service.
Recruiter1 processes personal data only on documented instructions from the Customer, as described in the Terms of Service and this DPA. Recruiter1 will not process personal data for any purpose other than providing the Service to the Customer.
Recruiter1 will promptly inform the Customer if, in its opinion, an instruction infringes applicable data protection law. Recruiter1 may suspend execution of the infringing instruction until the Customer confirms or modifies it.
Recruiter1 ensures that personnel authorized to process personal data are subject to confidentiality obligations and have received appropriate training on data protection and security. Access to personal data is restricted to authorized personnel on a need-to-know basis.
Recruiter1 implements and maintains appropriate technical and organizational security measures in accordance with GDPR Article 32, including:
- Encryption in transit (TLS 1.2+) for all network communications
- Encryption at rest for sensitive data including messages, credentials, and recovery materials
- HttpOnly, SameSite cookies for authentication and session management
- CSRF protection on selected authenticated state-changing requests
- End-to-end encryption (E2EE) for candidate signal messages
- Passkey-based authentication (WebAuthn) available alongside traditional password authentication
- Role-based access control with least-privilege principles
- Rate limiting on selected sensitive API endpoints
- Audit logging for administrative and privileged actions
Recruiter1 engages sub-processors to provide components of the Service. A current list of sub-processors is maintained at /r1/legal/sub-processors.
Recruiter1 provides at least 30 days' advance notice of material changes to the sub-processor list. The Customer may object to a new sub-processor by notifying Recruiter1 within 30 days of the notice. If the Customer objects, Recruiter1 may suspend the affected processing or the Customer may terminate the affected portion of the Service.
Recruiter1 enters into written agreements with all sub-processors imposing data protection obligations no less protective than those in this DPA.
Recruiter1 assists the Customer in responding to data subject rights requests (access, rectification, erasure, portability, objection, and automated decision-making rights) by providing tools for data export and deletion within the Service.
Recruiter1 responds to Customer data subject assistance requests within 5 business days of receipt. This is an internal assistance SLA and does not affect the Customer's statutory one-month deadline under GDPR Article 12(3). The Customer is responsible for verifying the identity of the data subject and communicating the response.
Recruiter1 notifies the Customer of a personal data breach without undue delay after becoming aware of the breach, to enable the Customer to meet its own notification obligations under GDPR Article 33. Notification includes:
- The nature of the breach including, where possible, the categories and approximate number of data subjects and records concerned
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
- The name and contact details of the data protection contact
Recruiter1 documents all breaches and provides the Customer with relevant information for the Customer's notification to supervisory authorities and affected data subjects, where required.
Upon termination of the Service, Recruiter1 deletes or returns all personal data processed on behalf of the Customer within 90 days, unless applicable law requires longer retention. The Customer may request earlier deletion by contacting [email protected].
The Customer may export their data at any time during the subscription term through the Service's data export functionality.
Recruiter1 makes available to the Customer information necessary to demonstrate compliance with this DPA through:
- Security documentation and SOC 2 / ISO 27001 reports where available
- Responses to reasonable security questionnaires
- Annual summary of security measures and incident reports
On-site audits are available with 30 days' written notice, during business hours, and subject to confidentiality obligations. The Customer bears the cost of the audit unless it reveals a material non-compliance by Recruiter1.
For transfers of personal data outside the EEA, UK, or Switzerland, the parties agree to the Standard Contractual Clauses (SCCs) as adopted by the European Commission, Module 2 (Controller-to-Processor), incorporated herein by reference.
For transfers subject to UK GDPR, the UK International Data Transfer Addendum applies. For transfers subject to Swiss law, the Swiss version of the SCCs applies with the Swiss Federal Data Protection and Information Commissioner (FDPIC) as the competent authority.
Under CCPA/CPRA, Recruiter1 acts as a service provider to the Customer. Recruiter1 certifies that it:
- Does not sell personal data, as defined by CCPA
- Does not share personal data for cross-context behavioral advertising
- Does not combine personal data received from the Customer with personal data from other sources, except as permitted by CCPA
- Processes personal data only for the limited and specified business purposes of providing the Service
- Will notify the Customer if it determines it can no longer meet its obligations under CCPA
- Will delete or return all personal data after the business purpose is completed
For DPA-related inquiries, contact [email protected].
This page was last updated on July 10, 2026 and is currently under review by Recruiter1 and pending engagement of outside counsel. The terms below apply to your use of the Service. If you have questions about a specific provision, contact [email protected].