This Data Processing Agreement ("DPA") forms part of the agreement between the Customer ("Controller", "you") and Sensiq ("Processor", "we", "us") governing the Customer's use of the Sensiq recruitment platform ("Service"). It sets out the obligations of each party in relation to the processing of Personal Data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Definitions
"Personal Data"
Any information relating to an identified or identifiable natural person processed through the Service, including (but not limited to): CVs, résumés, contact details, assessments, interview responses, AI-generated insights, and job application metadata.
"Controller"
The Customer, determining the purposes and means of processing Personal Data.
"Processor"
Sensiq, processing Personal Data on behalf of the Controller.
"Sub-processor"
A third party appointed by Sensiq to process Personal Data on its behalf.
"Data Subject"
An individual whose Personal Data is processed—typically job candidates.
"Applicable Law"
UK GDPR, Data Protection Act 2018, and any applicable data-protection regulations.
2. Scope and Purpose of Processing
Sensiq processes Personal Data solely to provide, maintain, and improve the Service, which includes:
- CV/résumé parsing, enrichment, and structured extraction
- AI-powered interviews and communication
- Candidate scoring, job-fit analysis, and competency evaluation
- Sensiq Assistant assistance and contextual insights
- Recruitment analytics, dashboards, and job-pipeline management
- Storage, retrieval, and organisation of candidate data
- Platform optimisation, troubleshooting, and security functions
Additional AI-related processing, including model development under legitimate interest, is governed separately by Sensiq's AI Processing Notice, which forms part of the contractual documents.
For clarity, any improvements, optimisations, or developments to the Service, including AI models, system behaviour, workflows, or outputs, are performed solely by Sensiq for its own internal purposes and remain the exclusive intellectual property of Sensiq.
Nothing in this DPA grants the Controller any rights to access, inspect, reuse, replicate, or derive insights from such improvements, except as expressly permitted under the Terms of Service or a separate written agreement.
3. Controller Obligations
As the Data Controller, you agree to:
- Ensure a lawful basis for processing candidate Personal Data.
- Provide all required notices to Data Subjects, including AI processing disclosures.
- Obtain consents where required by law or your internal policies.
- Upload only Personal Data you are authorised to process.
- Comply with retention, deletion, and minimisation obligations.
- Respond to Data Subject rights requests.
- Configure your organisational settings, permissions, and retention policies appropriately.
Sensiq provides tools to assist with data export and deletion but does not respond to Data Subjects directly unless required by law.
4. Processor Obligations
Sensiq will:
- Process Personal Data only on documented instructions from the Controller, except:
  - where required by law;
  - where processing is performed as a controller for internal legitimate-interest purposes (as outlined in the AI Processing Notice).
- Ensure all authorised personnel are subject to confidentiality obligations.
- Implement appropriate technical and organisational security measures, including:
  - encryption at rest and in transit,
  - access controls,
  - monitoring and logging,
  - multi-tenant data segregation,
  - continuous security testing.
- Assist the Controller in responding to Data Subject rights requests.
- Assist with compliance obligations, including breach notifications and DPIA support.
- Delete or return Personal Data upon termination as instructed by the Controller.
- Make available records necessary to demonstrate compliance with this DPA.
Assistance provided under this section is limited to data-protection compliance and does not require Sensiq to disclose proprietary information, source code, model logic, system architecture, scoring methodologies, or other confidential or trade-secret information.
5. Sub-processors
5.1 Approved Sub-processor Categories
Sensiq engages the following categories of Sub-processors:
- Cloud hosting and infrastructure providers (compute, storage, backup, delivery)
- AI processing providers (model inference, embeddings, enrichment)
- Email and communication service providers
- Security and monitoring tools
Each Sub-processor is subject to written data-processing terms imposing obligations no less protective than those in this DPA.
5.2 Changes to Sub-processors
We will notify you of any intended addition or replacement of Sub-processors with at least 30 days' notice. You may object on reasonable data-protection grounds.
6. Security Measures
Sensiq implements industry-leading security measures including:
- Encryption of Personal Data in transit and at rest
- Access-control systems with role-based permissions
- Continuous security logging and monitoring
- Regular audits, penetration tests, and vulnerability assessments
- Incident response plans and disaster recovery procedures
- Data segregation within multi-tenant environments
- Confidentiality agreements with all personnel
These measures reflect the state of the art and are updated periodically.
7. Data Subject Rights
Sensiq will provide reasonable assistance to enable the Controller to respond to:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction
- Right to portability
- Right to object
The Controller remains responsible for responding to Data Subjects. Tools for export, correction, and deletion are provided within the platform.
8. Personal Data Breach Notification
In the event of a Personal Data Breach affecting Controller data, Sensiq will:
- Notify the Controller without undue delay, typically within 72 hours
- Provide details of the breach, impact, and mitigation
- Cooperate with the Controller's investigation and response
The Controller is responsible for notifying regulators or Data Subjects unless otherwise required by law.
9. International Data Transfers
Where Personal Data is transferred outside the UK or EEA, Sensiq ensures appropriate safeguards, including:
- Standard Contractual Clauses (SCCs)
- UK International Data Transfer Addendum
- Contractual, organisational, and technical protections
We maintain transparency regarding transfer locations.
10. Audits and Compliance Support
Upon reasonable notice, and no more than once per year (unless required by law or following a breach), Sensiq will:
- Provide documentation demonstrating compliance
- Permit audits or inspections by the Controller or its appointed auditor
- Ensure audits respect confidentiality, security, and operational constraints
Audits are conducted at the Controller's expense.
11. Data Retention and Deletion
We retain Personal Data only as long as necessary to:
- Provide the Service
- Maintain platform security and integrity
- Comply with legal obligations
Upon termination of the Service:
- The Controller may export data for 30 days
- Sensiq will delete or anonymise Personal Data thereafter
- Backup copies are overwritten and removed within 90 days
Additional deletion requests may be made through Sensiq Support.
12. Liability
Liability under this DPA is subject to the limitations set out in the main Service Agreement / Terms of Service.
In the event of any inconsistency between this DPA and the Terms of Service or any applicable confidentiality or non-use agreement, the Terms of Service or such agreement shall prevail with respect to intellectual property, confidentiality, and permitted use.
13. Term and Termination
This DPA remains in effect for the duration of the Service Agreement. Termination triggers data-deletion obligations as outlined in Section 11.
14. Data Protection Contact
For data protection matters, including breach notifications or compliance queries:
Sensiq – Data Protection Contact
