Data Processing Addendum
This Data Processing Addendum (DPA) supplements the Terms of Service and applies whenever ShortlistTable processes Customer Data on behalf of a Customer. By using a paid workspace, the Customer accepts this DPA. Customers requiring a counter-signed copy can request one at legal@shortlisttable.ai.
1. Definitions
- “GDPR” means Regulation (EU) 2016/679; “UK GDPR” means the GDPR as incorporated into UK law.
- “CCPA” means the California Consumer Privacy Act as amended by CPRA.
- “Controller” / “Processor” / “Subprocessor” have the meanings given in the GDPR.
- “Customer Data” means personal data that the Customer or its end users upload to or generate within the Service, including candidate resumes, screening columns, verdicts, and overrides.
- “Data Subject” means an identified or identifiable natural person whose personal data is included in Customer Data — typically a Candidate.
- “SCCs” means the Standard Contractual Clauses approved by EU Commission Implementing Decision 2021/914.
2. Roles and scope
- The Customer is the Controller of Customer Data. ShortlistTable is the Processor.
- This DPA covers all processing of Customer Data carried out to provide the Service.
- Each party will comply with applicable data-protection law.
3. Customer instructions
The Customer’s instructions to ShortlistTable are:
- To provide the Service (screening, ranking, export, audit logging) per the Terms;
- To act on configuration the Customer chooses in-product (retention, region, workspace boundaries);
- To route Data Subject requests we receive to the Customer and to assist the Customer in responding to them (see Section 8).
We will inform the Customer if, in our opinion, an instruction infringes applicable data-protection law. We may process Customer Data outside these instructions only where required by law, in which case we will notify the Customer first unless that notice is itself prohibited.
4. Confidentiality and personnel
- Access to Customer Data is limited to personnel who need it to deliver the Service.
- All personnel with access are bound by written confidentiality obligations.
- Background checks are carried out, in accordance with local law, for personnel handling production data.
5. Security
ShortlistTable will implement and maintain appropriate technical and organisational measures, including:
- Encryption in transit (TLS 1.2+) and at rest
- Workspace-level access control, principle of least privilege
- Audit logging of access to Customer Data
- Dependency scanning and patch management
- Annual third-party penetration testing [from launch + 6 months — confirm before referencing]
- Incident response plan with defined RTO/RPO targets
- SOC 2 Type 2 — [target date]
6. Subprocessors
The Customer authorises ShortlistTable to engage Subprocessors. The current list is published in our Privacy Policy and updated as it changes. Material changes are announced by email at least 30 days before they take effect; the Customer may object in writing during that window.
ShortlistTable remains liable for the acts and omissions of its Subprocessors as if they were its own.
7. International transfers
- Customer Data is stored in the region selected at workspace creation. EU-region workspaces keep data within the EU.
- Where Customer Data is transferred outside the EEA, the UK, or Switzerland, the EU SCCs (Module 2: Controller-to-Processor; Module 3: Processor-to-Subprocessor as applicable) are incorporated by reference, with:
  - Clause 7 (docking): not used
  - Clause 9 (subprocessors): Option 2, general written authorisation, 30-day notice
  - Clause 11 (redress): no independent dispute resolution option
  - Clause 17 (governing law): law of the EU member state where the data exporter is established
  - Clause 18 (forum): courts of that same EU member state
- Annex I.A (parties), I.B (transfer description), I.C (supervisory authority) and Annex II (technical and organisational measures) are completed by reference to the Customer’s registration data and our Privacy Policy.
- For UK transfers, the UK International Data Transfer Addendum to the SCCs applies.
8. Data Subject requests
- If we receive a Data Subject request directly, we will not respond except to confirm the Service is operated on the Customer’s behalf and route the request to the Customer.
- We will assist the Customer with reasonable technical measures (export, deletion, audit-log retrieval) to respond to Data Subject requests within the timeframes required by law.
9. Personal data breach
- We will notify the Customer without undue delay, and in any case within 72 hours, after becoming aware of a personal data breach affecting Customer Data.
- The notification will describe the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed.
- We will cooperate with the Customer’s investigation and breach-notification obligations to supervisory authorities and Data Subjects.
10. Audit rights
- We will make available to the Customer the information necessary to demonstrate compliance with this DPA, including current SOC 2 / ISO certifications and our most recent penetration-test summary.
- The Customer may request an audit no more than once per twelve-month period (excluding audits triggered by a breach), on at least 30 days’ written notice, during business hours, at the Customer’s expense.
11. Return and deletion
- On termination of the Service, the Customer may export Customer Data via the CSV / XLSX export for 30 days.
- After 30 days, we will delete Customer Data and certify deletion on request, subject to legal-retention obligations (e.g. billing records).
12. Liability
Each party’s liability under this DPA is subject to the limitations of liability set out in the Terms of Service, except that nothing in this DPA limits a party’s liability where applicable law does not permit such limitation (e.g. for personal data breach claims under GDPR Article 82).
13. Order of precedence
If there is a conflict between this DPA and the Terms of Service, this DPA prevails for matters of data protection. If there is a conflict between this DPA and the SCCs, the SCCs prevail.
14. Contact
DPA / SCC questions: legal@shortlisttable.ai.