Data Processing Agreement (DPA)

Last Updated: June 04, 2026

This Data Processing Agreement (“DPA”) forms part of the Master Subscription Agreement (the “Agreement”) between Recooty Inc. and its affiliate Recooty Tech Private Limited (together, “Recooty”, “we”, “us”) and the customer that has subscribed to the Services (“Subscriber”, “you”). It applies to the extent that Recooty processes Personal Data on behalf of the Subscriber in the course of providing the Services, and reflects the parties’ agreement with respect to such processing.

Where there is any conflict between this DPA and the Agreement on the subject of the processing of Personal Data, this DPA prevails. Capitalised terms not defined here have the meaning given in the Agreement.

1. Definitions

“Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under the Agreement, including, where applicable, the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018, India’s Digital Personal Data Protection Act, 2023, and applicable U.S. state privacy laws.

“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Personal Data Breach” and “Supervisory Authority” have the meanings given in the GDPR. “Sub-processor” means any third party engaged by Recooty to process Personal Data on behalf of the Subscriber.

2. Roles of the Parties

The parties acknowledge that, with respect to the processing of Personal Data submitted to the Services, the Subscriber acts as the Controller (or as a Processor acting on behalf of a third-party Controller) and Recooty acts as the Processor (or, where the Subscriber is a Processor, as a Sub-processor). Recooty will process Personal Data only as a Processor acting on the Subscriber’s behalf.

3. Scope and Details of Processing

The subject matter, duration, nature and purpose of the processing, the types of Personal Data and the categories of Data Subjects are described in Annex I to this DPA.

4. Recooty’s Obligations as Processor

Recooty shall:

  1. process Personal Data only on the documented instructions of the Subscriber, including with regard to international transfers, unless required to do otherwise by law (in which case Recooty will, where legally permitted, inform the Subscriber of that requirement before processing);
  2. ensure that persons authorised to process Personal Data are bound by appropriate obligations of confidentiality;
  3. implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as further described in Annex II and in accordance with Article 32 of the GDPR;
  4. respect the conditions in Section 6 for engaging Sub-processors;
  5. taking into account the nature of the processing, assist the Subscriber by appropriate technical and organisational measures, insofar as possible, in fulfilling the Subscriber’s obligation to respond to requests from Data Subjects exercising their rights;
  6. assist the Subscriber in ensuring compliance with its obligations relating to security, breach notification, data protection impact assessments and prior consultation (Articles 32 to 36 of the GDPR), taking into account the information available to Recooty;
  7. at the choice of the Subscriber, delete or return all Personal Data after the end of the provision of the Services, and delete existing copies unless storage is required by law (see Section 8); and
  8. make available to the Subscriber the information necessary to demonstrate compliance with this DPA and allow for and contribute to audits as described in Section 9.

5. Subscriber’s Obligations

The Subscriber is responsible for the lawfulness of the Personal Data it provides to Recooty and of the processing instructions it gives, including having a valid legal basis, providing required notices to Data Subjects, and obtaining any necessary consents. The Subscriber shall not provide Recooty with special categories of Personal Data except as contemplated by the ordinary use of the Services and in compliance with Data Protection Laws.

6. Sub-processors

The Subscriber provides a general authorisation for Recooty to engage Sub-processors to process Personal Data, provided that Recooty: (i) maintains an up-to-date list of Sub-processors at recooty.com/subprocessors; (ii) imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA; and (iii) remains liable for the acts and omissions of its Sub-processors. Recooty will provide notice of the addition or replacement of a Sub-processor and an opportunity to object on reasonable, good-faith data-protection grounds, as described on the sub-processors page.

7. International Transfers

Where Recooty processes or transfers Personal Data originating from the EEA, the United Kingdom or Switzerland to a country that has not received an adequacy decision, such transfers will be governed by an appropriate transfer mechanism, including the European Commission’s Standard Contractual Clauses (Implementing Decision (EU) 2021/914) and, for UK transfers, the UK International Data Transfer Addendum, which are incorporated into this DPA by reference and completed as set out in Annex III. The parties will, where required, carry out and document a transfer impact assessment.

[Drafting note for counsel: confirm the controller-to-processor (Module Two) and processor-to-processor (Module Three) SCC modules to be used, the docking-clause and audit options, and complete Annex III accordingly.]

8. Deletion and Return of Personal Data

Upon termination or expiry of the Agreement, Recooty will, at the Subscriber’s choice, delete or return the Personal Data processed on the Subscriber’s behalf and delete existing copies, unless applicable law requires continued storage, in which case Recooty will protect the Personal Data and process it only to the extent and for the period required by that law. Personal Data held in routine backups will be deleted in accordance with Recooty’s backup retention cycle.

9. Audits

Recooty will make available information reasonably necessary to demonstrate compliance with this DPA and, on reasonable prior notice and subject to confidentiality obligations, will allow for and contribute to audits, including inspections, conducted by the Subscriber or an auditor mandated by the Subscriber, no more than once per year (except where required by a Supervisory Authority or following a Personal Data Breach). Recooty may satisfy this obligation by providing relevant third-party certifications or audit reports (such as ISO/IEC 27001 or SOC reports) where available.

10. Personal Data Breach

Recooty will notify the Subscriber without undue delay after becoming aware of a Personal Data Breach affecting the Subscriber’s Personal Data, and will provide the Subscriber with information reasonably required to meet the Subscriber’s own breach-notification obligations under Data Protection Laws.

11. Liability and Term

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA takes effect on the date the Subscriber accepts the Agreement and remains in force for as long as Recooty processes Personal Data on the Subscriber’s behalf.

Annex I – Description of Processing

  • Categories of Data Subjects: the Subscriber’s candidates/applicants, employees, hiring managers, and other personnel and contacts entered into the Services.
  • Categories of Personal Data: identification and contact details, employment and recruitment information (e.g. CVs, work history, application responses), account and usage data, and any other Personal Data the Subscriber chooses to submit.
  • Special categories of data (if any): only as may be contained in candidate-submitted documents and processed on the Subscriber’s instructions.
  • Nature and purpose of processing: hosting, storage and processing of Personal Data to provide the recruitment Services described in the Agreement.
  • Duration of processing: for the term of the Agreement and as described in Section 8.

Annex II – Technical and Organisational Security Measures

Recooty maintains technical and organisational measures designed to protect Personal Data, which may include encryption in transit and at rest, access controls and authentication, network and application security, logging and monitoring, secure software development practices, personnel confidentiality obligations, and business continuity and backup procedures. [Drafting note for counsel: align this list with Recooty’s actual security measures and any certification (e.g. ISO/IEC 27001) status.]

Annex III – Sub-processors and Transfer Mechanisms

The current list of Sub-processors is maintained at recooty.com/subprocessors. Recooty processes Personal Data primarily in the United States and engages its affiliate Recooty Tech Private Limited (India) as a Sub-processor; processing by this affiliate constitutes an onward transfer. Such transfers are governed by the controller-to-processor (Module Two) and, as between Recooty and its affiliate, processor-to-processor (Module Three) Standard Contractual Clauses, together with the UK Addendum where applicable. The Standard Contractual Clauses and UK Addendum referenced in Section 7 are completed using the party details in Annex I and the descriptions in this DPA. [Drafting note for counsel: attach or link the executed SCCs / UK Addendum with module selections and elected options, and confirm India and United States processing locations.]

This DPA is provided as part of Recooty's legal terms and should be reviewed by your own legal counsel. It does not constitute legal advice.