
Data Processing Agreement

This DPA forms part of the Terms of Service between Recluto AI, Inc. ("Processor") and the Customer ("Controller") whenever Recluto processes personal data on behalf of the Controller in providing the Service. It is intended to comply with the EU GDPR, UK GDPR, Switzerland's revFADP, and India's DPDP Act 2023.

Last updated · May 1, 2026

1. Definitions

"Personal Data," "Data Subject," "Processing," "Controller," and "Processor" carry the meanings given in Article 4 GDPR. "Customer Data" has the meaning given in our Terms of Service. "Sub-processor" means any third party engaged by Recluto to process Personal Data on the Controller's behalf.

2. Subject matter and duration

Subject matter: provision of the Recluto SaaS platform, including AI-driven candidate screening, voice/video interviewing, scheduling, and recruiter workflows. Duration: for as long as Recluto processes Customer Data — typically the active subscription term plus 30 days for data export, after which data is deleted in accordance with the privacy policy.

3. Nature, purpose, and scope of processing

  • Hosting and serving Customer Data to authorised Customer users via the web app, API, and mobile clients.
  • Running automated CV parsing, screening, voice and video interviews, and scoring on Personal Data uploaded by candidates or imported via integrations.
  • Sending transactional and notification emails on the Customer's behalf.
  • Maintaining and improving the Service in aggregate; we do not train foundation models on Customer Data without explicit per-workspace opt-in.

4. Categories of Data Subjects and Personal Data

  • Data Subjects: candidates who apply through the Customer's careers page or who are imported into a Recluto workspace; Customer's own employees who use Recluto as recruiters or hiring managers.
  • Personal Data: contact identifiers (name, email, phone), CV content (employment history, education, skills, languages, certifications, optional photo), screening question responses, voice and video recordings, AI-generated transcripts, scoring outputs, IP address and access logs, billing-contact data for the Customer's own admins.

Recluto does not intentionally request or process Special Categories of Personal Data (Article 9 GDPR) such as health data, biometric data used to uniquely identify a natural person, sexual orientation, religious beliefs, or political opinions. Where a candidate voluntarily includes such data in a CV or interview answer, it is processed under the Controller's lawful basis, and the Controller is responsible for satisfying any additional Article 9 conditions.

5. Controller obligations

The Controller warrants that:

  • It has a lawful basis under Article 6 GDPR (and where relevant Article 9) to process the Personal Data via Recluto.
  • It has provided required notices to Data Subjects (e.g. job applicants) and obtained any required consents.
  • Its instructions to Recluto via the Service comply with applicable law, including anti-discrimination, employment, and AI-decision laws (GDPR Art. 22, NYC Local Law 144 for AEDTs, Colorado AIA, EU AI Act).
  • It will not use the Service for sham listings, lead-generation under the guise of hiring, or other deceptive practices.

6. Recluto's obligations

  • Process Personal Data only on documented instructions from the Controller, except where Union or Member State law requires otherwise (in which case Recluto will inform the Controller unless prohibited).
  • Ensure persons authorised to process Personal Data are bound by confidentiality.
  • Implement appropriate technical and organisational measures to ensure security (Annex II below).
  • Assist the Controller in fulfilling its obligations to respond to Data Subject requests (Articles 12–22 GDPR), including by surfacing self-service tools where feasible.
  • Assist the Controller with DPIAs (Article 35) and prior consultations (Article 36) for high-risk processing.
  • Notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of a Personal Data Breach affecting the Controller's data.
  • Delete or return all Personal Data at the end of the engagement, at the Controller's choice, except to the extent required by law to retain it.
  • Make available all information necessary to demonstrate compliance and submit to audits per Section 9.

7. Sub-processors

The Controller authorises Recluto to engage Sub-processors as listed in our privacy policy, which is updated as the list changes. Recluto will impose data-protection terms equivalent to this DPA on every Sub-processor. Recluto remains liable to the Controller for the acts and omissions of its Sub-processors.

Recluto will give Controllers at least 30 days' notice of any new or replacement Sub-processor by email to the workspace's privacy contact. The Controller may object on reasonable data-protection grounds within those 30 days; if no commercially reasonable alternative exists, the Controller may terminate the affected Service component and receive a pro-rated refund of pre-paid fees.

8. International transfers

Where Recluto transfers Personal Data outside the EEA, the UK, or Switzerland, it does so under the European Commission's Standard Contractual Clauses (Decision 2021/914), Module Two (Controller to Processor) or Module Three (Processor to Sub-processor), with the following selections deemed made:

  • Clause 7 (docking clause) — does not apply.
  • Clause 9(a) — Option 2: general written authorisation, with the 30-day notice period in Section 7.
  • Clause 11(a) — independent dispute resolution body — does not apply.
  • Clause 17 (governing law) — laws of Ireland.
  • Clause 18 (forum and jurisdiction) — courts of Ireland.
  • Annex I.A — Controller is the Customer; Processor is Recluto AI, Inc.
  • Annex I.B — categories of data subjects, personal data, and processing as set out in Sections 3–4.
  • Annex I.C — competent supervisory authority: the data protection authority of the EU member state where the Controller is established.
  • Annex II — technical and organisational measures: see Section 9 below.

For transfers from the UK, the parties incorporate the UK International Data Transfer Addendum issued by the ICO (B1.0). For transfers from Switzerland, references to the GDPR are read as references to the revFADP and the supervisory authority is the FDPIC.

9. Technical and organisational measures (Annex II)

  • Encryption: TLS 1.2+ in transit, AES-256 at rest with provider-managed keys rotated automatically.
  • Access controls: role-based at the workspace level (owner, admin, recruiter, hiring manager, viewer). 2FA available on all recruiter accounts.
  • Authentication: bcrypt password hashing; OAuth single sign-on for Google and Microsoft.
  • Network: isolated VPCs, private subnets, mandatory bastion access for production hosts.
  • Logging: every state-changing action journaled to an immutable activity log with 90-day retention.
  • Backups: daily encrypted off-site backups on a 30-day rotation; point-in-time recovery to any second within the last 7 days.
  • Incident response: documented runbook, on-call rotation, RPO 1 hour and RTO 4 hours for the production database.
  • Personnel: background checks where permitted by law; mandatory security training; least-privilege engineer access with audited break-glass workflows.
  • Supplier diligence: every Sub-processor reviewed annually, current list published in the privacy policy.

Detailed technical measures are described on the security page and in our SOC 2 Type II preparation pack (available under NDA — email security@recluto.ai).

10. Audit

Recluto will make available to the Controller, on request and not more than once per year (except after a security incident affecting the Controller's data), the following:

  • Our most recent SOC 2 Type II report (when available; the SOC 2 Type II audit is currently in active preparation).
  • A completed CAIQ-Lite questionnaire.
  • A summary of penetration-test findings and remediation status.

The Controller may, on 30 days' written notice and at its own cost, conduct an on-site audit of Recluto's measures during business hours, subject to the auditor signing an NDA. The parties will work in good faith to minimise disruption.

11. Liability

Each party's liability under this DPA is subject to the limitations in the underlying Terms of Service. The aggregate liability of either party arising out of or related to this DPA and the Terms together does not exceed the cap stated in the Terms.

12. Order of precedence

In the event of conflict, the order is: (1) the SCCs (and UK IDTA, where applicable); (2) this DPA; (3) any signed Order Form; (4) the Terms of Service.

How to execute this DPA

Customers on Growth, Pro, and Enterprise plans accept this DPA by clicking the "Accept DPA" action in Settings → Legal within their workspace, after which a countersigned PDF is emailed to the workspace owner. For wet-ink or DocuSigned versions, email legal@recluto.ai.