Version 2.0, effective April 2026

Data Processing Agreement

This DPA governs personal data processing by Candoora Ltd as Processor on behalf of business customers as Controllers. Individual consumer users are governed by the Privacy Policy.

1. Definitions

Controller

Business entity determining purposes and means of processing.

Processor

Candoora Ltd processing on behalf of the Controller.

Data Subject

Individual whose personal data is processed.

Personal Data

Any information relating to an identified or identifiable natural person.

Sub-processor

Third party engaged by Candoora to process Controller personal data.

SCCs

EU Standard Contractual Clauses for international transfers, Commission Implementing Decision (EU) 2021/914.

IDTA

UK International Data Transfer Addendum to the EU SCCs, ICO version B1.0.

DPIA

Data Protection Impact Assessment.

2. Processing Details

Subject matter

Career data, CV content, and associated personal data processed through Candoora.

Duration

Term of the Master Service Agreement plus applicable retention periods.

Nature

Collection, storage, AI analysis, reporting, version history, and deletion.

Purpose

Providing Candoora platform features to Controller-designated users.

Data types

CV content, employment history, skills, career preferences, analysis outputs, and usage data.

Data subjects

Employees, contractors, or individuals designated by Controller as users.

3. Controller Obligations

Controller warrants that it has a lawful basis for sharing personal data with Candoora, has provided required notices to data subjects, has obtained necessary consents, has completed any required DPIA, and has authority to enter into this DPA.

4. Processor Obligations

  • Process personal data only on documented Controller instructions, except where required by law.
  • Ensure personnel with data access are bound by written confidentiality obligations.
  • Implement the security measures listed in Schedule 1.
  • Assist Controller in responding to data subject requests within statutory timeframes.
  • Notify Controller within 48 hours of becoming aware of a personal data breach affecting Controller data.
  • Assist with DPIAs and supervisory authority consultations where required.
  • Delete or return personal data within 30 days of service termination and provide written deletion confirmation.
  • Maintain written records of the processing activities carried out on behalf of Controller.
  • Provide 14 days’ prior written notice before engaging new sub-processors, with reasonable objection rights for Controller.

5. International Transfers

Where Candoora transfers Controller personal data outside the UK or EEA, it uses the mechanisms in Schedule 3, including SCCs, UK IDTA, adequacy decisions, and Transfer Impact Assessments. Executed SCCs and TIAs are available on request.

6. Audit Rights

Controller may audit Candoora’s compliance with this DPA once per calendar year with 30 days’ prior written notice. Audits occur during business hours and must not unreasonably disrupt operations. Controller may review Candoora’s most recent third-party audit report in lieu of a direct audit.

7. California Addendum

For CCPA/CPRA purposes, Candoora acts as a Service Provider. Candoora will not retain, use, or disclose personal information for purposes other than performing the services; will not sell or share personal information; will not combine personal information received from Controller with personal information collected from other sources except as permitted by the CCPA regulations; will assist with consumer rights requests; and will flow equivalent restrictions down to sub-processors.

8. Schedule 1: Security Measures

Encryption at rest

AES-256.

Encryption in transit

TLS 1.3.

Access control

RBAC, principle of least privilege, and MFA for privileged access.

Penetration testing

Annual third-party testing, with results available under NDA on request.

Breach notification

Controller notified within 48 hours of Candoora becoming aware.

Sub-processor security

Equivalent obligations in sub-processor contracts with annual review.

Employee training

Annual data protection training for personnel with personal data access.

Incident response

Documented incident response plan tested annually.

9. Schedule 2: DPIA Framework

Controllers processing sensitive career data at scale should complete a DPIA before deployment. The DPIA framework covers the processing description, necessity and proportionality, risk identification, mitigation measures, residual risk assessment, supervisory authority consultation where high residual risk remains, and annual review.

10. Schedule 3: Transfer Mechanisms

Transfers to US sub-processors such as Anthropic, Stripe, and Pinecone use EU SCCs, UK IDTA, and EU-US Data Privacy Framework mechanisms where applicable. Brazil and Canada transfers rely on adequacy where applicable. Other countries require SCCs and a Transfer Impact Assessment before transfer.