Data Processing Agreement

Effective date: 14 April 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between Talent Tech Limited (trading as Talent Unlimited) (“Processor”, “we”, “us”) and the customer (“Controller”, “you”) in relation to the use of the Talent Unlimited platform (“Platform”).

This DPA applies where we process Personal Data on your behalf in connection with your use of the Platform.

1. Definitions

“Personal Data”, “Processing”, “Controller”, and “Processor” have the meanings given in the UK GDPR.

2. Roles of the Parties

For the purposes of this DPA:

  • You are the Data Controller of Personal Data relating to candidates and users.
  • Talent Unlimited acts as a Data Processor when processing Personal Data on your behalf.

Nothing in this DPA prevents Talent Unlimited from acting as an independent Data Controller where it determines the purposes and means of processing, as described in our Privacy Policy.

3. Scope of Processing and Instructions

We will process Personal Data only:

  • to provide and operate the Platform;
  • to support recruitment processes (including candidate screening, interviewing, and feedback);
  • in accordance with your documented instructions, unless required to do otherwise by law.

Your documented instructions are set out in:

  • the Platform Terms;
  • any applicable Commercial Terms;
  • and any other written instructions agreed between the parties.

4. Types of Data and Data Subjects

Data Subjects

  • Job applicants / candidates
  • Customer users (e.g. recruiters, hiring managers)
  • Individuals whose personal data may be included in customer-provided data

Categories of Personal Data

  • Contact details (name, email, phone number)
  • CVs and employment history
  • Interview responses (including voice/video recordings and transcripts)
  • Assessment outputs and feedback
  • Technical and usage data
  • Personal data contained within job descriptions, internal notes, or other information provided by the customer

5. Processor Obligations

Talent Unlimited will:

  1. process Personal Data only in accordance with your documented instructions and applicable law;
  2. ensure that persons authorised to process Personal Data are subject to confidentiality obligations;
  3. implement appropriate technical and organisational measures to protect Personal Data;
  4. assist you in responding to data subject rights requests;
  5. notify you without undue delay of any Personal Data breach;
  6. make available information necessary to demonstrate compliance with this DPA;
  7. delete or return Personal Data at your request, unless required to retain it by law.

6. Security Measures

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • encryption of data in transit and at rest;
  • access controls and authentication mechanisms;
  • monitoring and logging of system activity;
  • regular review of security practices.

7. Subprocessors

You authorise us to engage subprocessors to support delivery of the Platform.

We will:

  • ensure subprocessors are subject to data protection obligations equivalent to those in this DPA;
  • remain responsible for their performance;
  • maintain an up-to-date list of subprocessors which can be shared on request.

8. International Transfers

Where Personal Data is transferred outside the UK or EEA, we will ensure appropriate safeguards are in place, such as:

  • UK International Data Transfer Agreement (IDTA);
  • Standard Contractual Clauses (SCCs);
  • or other lawful transfer mechanisms.

9. Data Subject Rights

Taking into account the nature of processing, we will assist you in fulfilling your obligations to respond to requests from data subjects exercising their rights under applicable data protection laws.

Where we receive a request directly, we will:

  • promptly notify you; or
  • respond where authorised by you.

10. Data Breach Notification

We will notify you without undue delay after becoming aware of a Personal Data breach and will provide reasonable assistance in investigating and mitigating the breach.

11. Audit and Compliance

We will make available information reasonably necessary to demonstrate compliance with this DPA, including through documentation, policies, and independent third-party audit reports or certifications where available.

The Controller agrees that such documentation and reports will generally satisfy any audit requirements.

The Controller may request additional information where reasonably necessary to verify compliance.

Any audit may only be conducted:

  • where required by applicable law or regulatory authority; or
  • where there is reasonable evidence of a material breach of this DPA;

and must be:

  • agreed in advance;
  • conducted on reasonable notice during normal business hours; and
  • carried out in a manner that does not unreasonably disrupt our operations.

Unless a material breach is identified, the cost of any audit shall be borne by the Controller.

12. Data Retention and Deletion

We will retain Personal Data processed on behalf of the Controller for the duration of the Controller’s use of the Platform.

Upon termination of the underlying agreement, we will:

  • delete or return Personal Data processed on behalf of the Controller upon written request; or
  • where no request is made, delete such Personal Data within 30 days of termination, unless retention is required by law.

This clause applies only to Personal Data processed by us as a Data Processor.

Where Personal Data has been collected or is retained by us in our capacity as an independent Data Controller (including for the purpose of providing TalentBank or future opportunity matching services), we may retain and continue to process such data in accordance with our Privacy Policy.

13. Order of Precedence

In the event of conflict:

  • the Commercial Terms take precedence;
  • this DPA takes precedence over the Platform Terms in relation to data protection matters;
  • the Platform Terms apply to all other matters.

14. Governing Law

This DPA is governed by the laws of England and Wales.