Enterprise Agreement

Data Processing Agreement

Effective Date: March 30, 2026 | Last Updated: March 30, 2026

This Data Processing Agreement ("DPA") forms part of the DAKDAN Talent Terms of Service and governs the processing of Personal Data (as defined below) in compliance with GDPR Article 28, UK GDPR, CCPA, and other applicable data protection laws.

Download Signed DPA

Enterprise customers can request a signed Data Processing Agreement with Standard Contractual Clauses (SCCs) for GDPR compliance.

1. Definitions

1. Personal Data

Any information relating to an identified or identifiable natural person (e.g., candidate profiles, application data, employee information).

2. Controller

The entity that determines the purposes and means of processing Personal Data (typically the Customer/Employer using DAKDAN Talent).

3. Processor

The entity that processes Personal Data on behalf of the Controller (DAKDAN Talent when processing Customer data).

4. Sub-processor

A third-party processor engaged by DAKDAN Talent to assist in processing Personal Data (e.g., cloud hosting providers).

5. Data Subject

An identified or identifiable natural person whose Personal Data is processed (e.g., job candidates, employees).

6. GDPR

General Data Protection Regulation (EU) 2016/679 and UK GDPR as applicable.

7. Standard Contractual Clauses (SCCs)

European Commission-approved contractual terms for lawful international data transfers (2021 SCCs).

2. Roles and Responsibilities

Customer (Controller)

  • Determines purposes and means of processing
  • Ensures lawful basis for processing (GDPR Article 6)
  • Provides processing instructions to DAKDAN
  • Handles data subject rights requests
  • Maintains privacy notices and consent records

DAKDAN Talent (Processor)

  • Processes data only as instructed by Customer
  • Implements technical and organizational measures
  • Assists with data subject rights requests
  • Reports data breaches within 24 hours
  • Deletes or returns data upon contract termination

3. Scope of Processing

Categories of Personal Data Processed

Candidate Data

Names, contact details, resumes, education history, work experience, skills, assessments

Employee Data

Contact information, job titles, department, manager relationships, performance data

Application Data

Application status, interview notes, hiring decisions, rejection reasons

Communication Data

Messages, emails, scheduling data, interaction logs

Technical Data

IP addresses, device IDs, cookies, usage analytics, session logs

Payment Data (if applicable)

Billing information, payment methods (processed via third-party payment processors)

Categories of Data Subjects

Job Candidates
Current Employees
Former Employees
University Students
NIL Student-Athletes
STTR Researchers
SkillBridge Participants
Contractors/Freelancers

Processing Activities & Purposes

1. Recruitment & Hiring

Matching candidates to jobs, application tracking, interview scheduling

2. Talent Management

Employee onboarding, performance tracking, training recommendations

3. Communication

Email/messaging between employers and candidates

4. Analytics & Insights

Aggregated hiring trends, diversity metrics, platform usage statistics

5. Compliance & Legal

NIL compliance, STTR grant tracking, audit trails, regulatory reporting

6. Security & Fraud Prevention

Account security, anomaly detection, abuse prevention

4. Security Measures (GDPR Article 32)

DAKDAN Talent implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk:

Technical Measures

  • AES-256 encryption at rest, TLS 1.3 in transit
  • Multi-factor authentication (MFA)
  • Role-based access controls (RBAC)
  • Intrusion detection/prevention systems
  • Automated vulnerability scanning
  • Encrypted database backups

Organizational Measures

  • ISO 27001 certified ISMS
  • SOC 2 Type II annual audits
  • Employee security training (quarterly)
  • Confidentiality agreements with staff
  • Incident response plan (tested annually)
  • Business continuity & disaster recovery

Certifications: Full security documentation available at /legal/security

5. Sub-processors

Authorized Sub-processors

Customer authorizes DAKDAN Talent to engage the following sub-processors for Personal Data processing:

| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting & infrastructure | US (us-east-1), EU (eu-west-1) | EU-US DPF, SCCs |
| Vercel | Hosting & edge functions | US, EU | DPA, SOC 2 |
| Cloudflare | CDN, DDoS protection, WAF | Global network | EU-US DPF, SCCs |
| SendGrid (Twilio) | Transactional email delivery | US | EU-US DPF, DPA |
| Stripe | Payment processing | US, EU | PCI-DSS, SCCs |
| DataDog | Monitoring & analytics | US | EU-US DPF, DPA |

Changes to Sub-processors

DAKDAN will provide 30 days' advance notice of any new sub-processors via email and at dakdantalent.com/legal/subprocessors. Customer may object to new sub-processors within 14 days.

6. International Data Transfers

Transfer Mechanisms

For transfers of Personal Data from the EEA/UK to the United States or other third countries:

EU-US Data Privacy Framework (Primary)

DAKDAN Talent is certified under the EU-US Data Privacy Framework (Certification ID: ZA123.45678). See Data Privacy Framework Notice.

Standard Contractual Clauses (Fallback)

We incorporate the European Commission's Standard Contractual Clauses (2021) for data transfers, specifically:

  • Module Two: Controller to Processor
  • Module Three: Processor to Processor (for sub-processors)
  • UK International Data Transfer Agreement (UK IDTA) for UK transfers

UK International Data Transfer Addendum

For UK data transfers, the UK IDTA to the EU SCCs is incorporated and takes precedence for UK-originating data.

7. Data Subject Rights Assistance

DAKDAN Talent shall assist Customer in responding to Data Subject rights requests:

Right to Access (Article 15)

Provide data export within 30 days

Right to Rectification (Article 16)

Enable profile editing; bulk updates on request

Right to Erasure (Article 17)

Delete data within 30 days (subject to legal holds)

Right to Restriction (Article 18)

Flag data as restricted; limit processing

Right to Data Portability (Article 20)

JSON/CSV export in machine-readable format

Right to Object (Article 21)

Cease processing for specified purposes

Request Process

Data Subjects submit requests via Data Request Portal. DAKDAN forwards Controller requests to Customer within 2 business days. Customer instructs DAKDAN on fulfillment.

8. Data Breach Notification (GDPR Article 33-34)

24-Hour Notification

DAKDAN will notify Customer of any Personal Data breach without undue delay and, where feasible, within 24 hours of becoming aware.

Breach Notification Contents

  1. Nature of the breach (unauthorized access, loss, destruction)
  2. Categories and approximate number of Data Subjects affected
  3. Categories and approximate number of Personal Data records
  4. Likely consequences of the breach
  5. Measures taken or proposed to address the breach
  6. Contact point for further information

Customer Responsibility: Customer (as Controller) must notify supervisory authorities within 72 hours and affected Data Subjects if required under GDPR Article 33/34.

9. Audit and Inspection Rights

Customer has the right to audit DAKDAN's compliance with this DPA:

Standard Audits (No Cost)

  • Annual SOC 2 Type II report (available under NDA)
  • ISO 27001 certificate (public)
  • Security questionnaires (e.g., SIG, CAIQ)
  • Penetration test summaries (annual)

On-Site Audits (Enterprise)

  • Once per year with 30 days' notice
  • Reasonable scope and duration
  • NDA and audit protocol required
  • Cost-sharing for on-site inspections

10. Data Return and Deletion

Upon termination or expiration of the Services Agreement:

1. Data Export (Optional)

Customer may request a complete export of all Personal Data in JSON or CSV format within 30 days of termination. DAKDAN provides export at no additional cost for standard formats.

2. Secure Deletion

After the export period (or immediately if no export requested), DAKDAN will delete or anonymize all Personal Data within 90 days, including backups, except where retention is required by law (e.g., tax records, audit trails).

3. Certification of Deletion

DAKDAN provides written certification of deletion upon request, confirming the date and method of destruction.

Legal Retention Exceptions

DAKDAN may retain certain data for legal compliance (e.g., 7 years for financial records, audit logs for investigations, data required by court order or regulatory inquiry).

11. Liability and Indemnification

Processor Liability (GDPR Article 82)

DAKDAN is liable for damages caused by processing that violates GDPR or fails to comply with lawful Controller instructions. Liability is limited per the main Services Agreement, except for gross negligence or willful misconduct.

Data Protection Indemnity

Each party indemnifies the other for:

  • Supervisory authority fines or penalties caused by the indemnifying party's breach
  • Data Subject compensation claims arising from the indemnifying party's violation
  • Third-party claims related to unlawful processing by the indemnifying party

Cap: Total liability under this DPA is capped at the amount specified in the Services Agreement (typically 12 months of fees or $1M, whichever is greater).

DPA Questions & Execution

Data Protection Officer

dpo@dakdantalent.com

Legal & Contracts

legal@dakdantalent.com

Version: 3.0 | Effective Date: March 30, 2026 | Last Updated: March 30, 2026
Incorporates EU SCCs (2021), UK IDTA, and EU-US Data Privacy Framework