Data Processing Addendum

This DPA is between the Customer identified in the applicable Order Form (“Controller”) and [ENTITY NAME] doing business as SourceHire (“Processor” or “we”). It applies to the Personal Data of natural persons who submit applications to jobs posted by the Controller through the Services. It is incorporated by reference into the Terms of Service.

With respect to applications submitted to a Controller's jobs, the Controller is the data controller and Processor is a data processor acting on the Controller's documented instructions. With respect to Personal Data submitted directly to the talent network for discoverability purposes (rather than to a specific Controller's job), Processor acts as the data controller as described in the Privacy Policy.

The subject matter, duration, nature, purpose, types of Personal Data, and categories of data subjects are described in Annex I below. Processing continues for the duration of the Controller's subscription to the Services, plus any wind-down period agreed in the Order Form.

Processor shall:

• Process Personal Data only on the documented instructions of the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which Processor is subject.
• Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement and maintain the technical and organizational measures described in Annex II.
• Engage subprocessors only in accordance with Section 6 and impose on each subprocessor obligations equivalent to those set out in this DPA.
• Assist the Controller, taking into account the nature of the processing and the information available, in fulfilling its obligations to respond to data subject requests and to comply with GDPR Articles 32 to 36.
• Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits in accordance with Section 11.

The Controller's use of the Services constitutes its documented instructions to Processor to process Personal Data. Additional instructions may be communicated through configuration choices in the Services or in writing to privacy@sourceunlimited.co. Processor will inform the Controller if, in its opinion, an instruction infringes applicable data protection law.

The Controller authorizes Processor to engage the subprocessors listed in Annex III. Processor will give the Controller at least thirty (30) days' advance notice of any addition or replacement of subprocessors. The Controller may object on reasonable data-protection grounds within fifteen (15) days; if the parties cannot resolve the objection, the Controller may terminate the affected portion of the Services with a pro-rata refund.

Processor remains fully liable to the Controller for the performance of each subprocessor's data-protection obligations.

See Annex II below.

Processor will notify the Controller without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a Personal Data breach affecting the Controller's Personal Data, with the information required by GDPR Article 33(3) to the extent then known. Processor will provide updates and assistance as additional information becomes available.

Processor will, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures to fulfill its obligation to respond to requests for exercising the data subject's rights. The candidate self-service surface at /apply/me provides direct Article 15 access without operator involvement, which satisfies most access requests.

Where Processor transfers Personal Data of EEA, UK, or Swiss data subjects to a third country, the parties incorporate the Standard Contractual Clauses (Decision (EU) 2021/914) Module Two (Controller to Processor), the UK International Data Transfer Addendum, and the Swiss FADP adaptations, as applicable. The parties agree the Standard Contractual Clauses prevail in the event of conflict with this DPA as to transfers.

Processor will respond to reasonable written audit requests by the Controller. The Controller may exercise its audit right by (a) reviewing the most recent third-party audit report, security questionnaire responses, and policy summaries that Processor publishes or makes available on request, and (b) once per calendar year, requesting a written response to a custom security questionnaire. On-site audits are available where required by applicable law or by a documented data-protection authority request, on at least sixty (60) days' notice and subject to Processor's reasonable security and confidentiality requirements.

On termination of the Services, the Controller may, within thirty (30) days, request export of all Personal Data processed for Controller (the Migration Hub at /admin/migration generates the bundle in CSV or JSON). Thirty (30) days after termination (or as otherwise agreed in writing), Processor will delete or de-identify Controller's Personal Data, except as required to be retained by applicable law. Backups age out per the retention schedule in the Privacy Policy.

Each party's liability arising under or in connection with this DPA is subject to the limitations of liability set out in the Terms of Service.

SourceHire may, from time to time, share organizational metadata about Customer with named third-party data partners listed at sourcehire.app/legal/data-partners. Organizational metadata covered by this Section includes: Customer's legal entity name, Employer Identification Number (EIN) or equivalent jurisdictional tax identifier, industry vertical, employee-count band, the titles of job postings Customer has published on the Services, and aggregated metrics derived from Customer's activity on the platform.

Customer acknowledges that this metadata may, if combined with Candidate data also shared with the same data partner, allow that partner to identify which Candidates applied to which Customers. Customer accepts this consequence as part of the consideration for the platform's data-partner program, which subsidizes platform pricing.

Customer's opt-out. Customer may opt out of organizational metadata sharing at any time by notifying SourceHire in writing at privacy@sourceunlimited.co. Opt-out is effective within seven (7) days. Upon opt-out:

• SourceHire will exclude Customer's organizational metadata from all future data-partner transfers within seven (7) days;
• SourceHire will request deletion of previously-transferred organizational metadata from each named data partner, subject to the partner's contractual deletion SLA (typically 72 hours);
• Customer's subscription pricing may be re-rated to reflect the loss of data-partner-program subsidy, with thirty (30) days' written notice before any price change takes effect.

Confidentiality carve-out. The organizational metadata described in this Section is excluded from any general confidentiality obligations in this DPA, the Terms of Service, or any associated Order Form. All other Customer confidential information remains protected as described in the confidentiality provisions of the Terms of Service.

Effective date. This Section becomes effective for Customer on the later of (a) thirty (30) days after Customer is notified in writing of this amendment, or (b) Customer's affirmative acceptance via the in-app acknowledgment screen or signed addendum.

In the event of a conflict between this DPA and any other agreement between the parties, the order of precedence as to data protection is: (a) Standard Contractual Clauses where incorporated, (b) this DPA, (c) the Terms of Service, (d) the Order Form.

• Encryption. TLS 1.2 or higher in transit; encryption at rest for the database and the file blob store.
• Access control. Role-based access control with the strict role hierarchy viewer < recruiter < reviewer < admin. Recruiters are scoped to jobs they posted. Reviewers see PII masked by default with audit-logged unmask.
• Authentication. Magic-link or password-based (Argon2id-equivalent or stronger) authentication for operators; magic-link only for candidates.
• Audit logging. Append-only operator audit log with actor, action, subject, IP, and user agent.
• Consent integrity. Per-candidate hash-chained consent ledger with chain verification.
• Backups. Daily encrypted backups retained for 30 days; restoration controls.
• Network. All traffic served over HTTPS; HSTS; standard CSP and security headers.
• Vendor management. Each subprocessor under a DPA at least as protective as this DPA.
• Incident response. Documented runbook; breach notification per Section 8.
• Personnel. Background-checked, confidentiality- bound personnel; least-privilege provisioning; periodic access review.

See the live list in the Privacy Policy at /legal/privacy#subprocessors. Material additions or replacements are notified to Controllers per Section 6.