Data Processing Agreement

GDPR-compliant data processing terms for our recruitment analysis services.

Note: This Data Processing Agreement forms part of your Terms of Service and applies when Employ Wizard Ltd processes personal data on your behalf as a data processor.

1. Parties

Controller: You (the customer/organisation using Employ Wizard services)

Processor: Employ Wizard Ltd, registered in England and Wales (Company No. 16704324), with registered office at 20 Wenlock Road, London, N1 7GU

2. Definitions

  • GDPR: The UK General Data Protection Regulation
  • Personal Data: Any information relating to an identified or identifiable natural person processed through the Service
  • Data Subject: The individual to whom Personal Data relates (typically job candidates)
  • Processing: Any operation performed on Personal Data, including collection, recording, storage, analysis, and deletion
  • Subprocessor: Any third party engaged by the Processor to process Personal Data

3. Subject Matter and Duration

This Agreement applies to the processing of Personal Data by the Processor on behalf of the Controller through the Employ Wizard recruitment analysis platform for the duration of the service agreement.

4. Nature and Purpose of Processing

The Processor will process Personal Data for the purpose of providing AI-powered CV analysis and candidate ranking services to support the Controller's recruitment activities. Processing includes:

  • Automated analysis of CV content using machine learning algorithms
  • Generation of suitability scores and candidate rankings
  • Identification of essential requirements and skill matching
  • Anonymisation of protected characteristics for bias reduction
  • Storage and retrieval of candidate data as instructed by the Controller

5. Types of Personal Data

The Processor may process the following types of Personal Data:

  • Identification data: names, contact details, candidate identifiers
  • Professional data: education, employment history, skills, qualifications
  • Special category data: protected characteristics (temporarily processed for anonymisation purposes only)
  • Assessment data: CV analysis results, scores, and rankings generated by the Service

6. Categories of Data Subjects

Primary categories of Data Subjects whose Personal Data may be processed:

  • Job candidates whose CVs are uploaded and analysed through the Service
  • Recruitment professionals using the Service
  • Other individuals as may be relevant to the recruitment process

7. Processor Obligations

The Processor agrees to:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure personnel authorised to process Personal Data are subject to confidentiality obligations
  • Implement appropriate technical and organisational security measures
  • Assist the Controller in responding to Data Subject requests
  • Notify the Controller of any Personal Data breaches without undue delay
  • Delete or return all Personal Data at the end of the service agreement
  • Maintain records of processing activities
  • Allow for audits by the Controller or their representative

8. Subprocessors

The Processor may engage the following subprocessors:

  • Mistral AI SAS: AI processing and analysis services (located in France, EU)
  • OVHcloud: Infrastructure and hosting services in the UK and France (ISO27001 certified datacentres)
  • Payment processors: Billing and payment processing (independent controllers)

The Processor will inform the Controller of any intended changes to subprocessors and allow reasonable time for objection.

9. Security Measures

The Processor implements the following security measures:

  • End-to-end encryption in transit and at rest (AES256)
  • ISO27001 certified infrastructure and processes
  • Role-based access controls and multi-factor authentication
  • Regular security audits and vulnerability assessments
  • Encrypted backups to secure offsite locations
  • 24/7 monitoring and incident response procedures

10. Data Subject Rights

The Processor will assist the Controller in fulfilling Data Subject rights, including:

  • Right of access to Personal Data
  • Right to rectification of inaccurate data
  • Right to erasure (subject to legal obligations)
  • Right to data portability
  • Right to object to processing
  • Rights related to automated decision-making

11. Data Breach Notification

In the event of a Personal Data breach, the Processor will:

  • Notify the Controller without undue delay and within 72 hours where feasible
  • Provide details of the breach, likely consequences, and mitigation measures
  • Assist the Controller in notifying affected Data Subjects where required
  • Cooperate with relevant supervisory authorities as needed

12. International Data Transfers

All processing occurs within the United Kingdom and European Union. Where transfers are necessary, they are protected by:

  • EU adequacy decisions for relevant countries
  • Standard contractual clauses where applicable
  • Other appropriate safeguards as required by GDPR

13. Termination

Upon termination of the service agreement:

  • The Processor will delete or return all Personal Data to the Controller
  • Deletion will be confirmed in writing
  • The Processor may retain limited data for legal compliance purposes only

14. Governing Law

This Agreement is governed by the laws of England and Wales. Any disputes will be subject to the exclusive jurisdiction of the English courts.

15. Contact Information

For questions about this DPA or data processing activities:

Data Protection Officer: Dr. Faiz Haque
Email: info@employwizard.com
Address: 20 Wenlock Road, London, N1 7GU, United Kingdom

Last Updated: October 2025