Data Processing Addendum

Last updated: January 27, 2026

This Data Processing Addendum ("DPA") is incorporated by reference into, and forms part of, the SorsX SaaS Master Terms of Service and/or other applicable agreement between SorsX LLC ("Company" or "SorsX") and the Customer ("Customer").

This DPA applies to the Processing of Personal Data by Company on behalf of Customer in connection with the Services where Customer is a Controller (or Business) and Company is a Processor (or Service Provider/Processor) under applicable Data Protection Laws.

1. Definitions

  • "Controller" means the entity that determines the purposes and means of processing Personal Data.
  • "Processor" means the entity that processes Personal Data on behalf of and on the instructions of the Controller.
  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Company on behalf of Customer in connection with the Services.
  • "Processing" has the meaning given in applicable Data Protection Laws.
  • "Sub-processor" means any third party engaged by Company to process Personal Data on behalf of Customer.
  • "Data Protection Laws" means all applicable laws relating to the processing, privacy, and use of Personal Data, including GDPR, UK GDPR, CCPA/CPRA, other U.S. state privacy laws, Türkiye Law No. 6698 (KVKK), UAE PDPL, KSA PDPL, and successor legislation.
  • Capitalized terms not defined in this DPA have the meanings set forth in the Agreement.

2. Scope and Applicability

  • This DPA applies only to Personal Data processed by Company acting as a Processor on behalf of Customer.
  • Customer is the Controller and Company is the Processor for purposes of this DPA.
  • Processing details are set forth in Schedule 1.
  • Company’s security measures are described in Schedule 2.
  • Excluded Data / Independent Controller Processing: This DPA does not apply to candidate profiles in the SorsX Candidate Database, publicly available data collected independently, aggregated or de-identified data, or Personal Data processed by Company as an independent controller.

3. Processing Instructions

  • Company shall process Personal Data only on documented instructions from Customer.
  • Instructions are defined by the Agreement, this DPA, and Customer’s use of the Services.
  • Company shall inform Customer if an instruction infringes Data Protection Laws.

4. Confidentiality

Company shall ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations.

5. Security Measures

Company shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Security measures are described in Schedule 2 and will not be materially reduced during the Term.

6. Sub-processors

  • Customer grants general authorization for Company to engage Sub-processors.
  • Company will provide notice of material Sub-processor changes.
  • Sub-processors are bound by obligations no less protective than this DPA.
  • Company remains responsible for Sub-processor performance as required by law.

7. Data Subject Rights

Company shall assist Customer in responding to Data Subject requests and shall not respond directly unless instructed or required by law.

8. Personal Data Breach Notification

Company shall notify Customer without undue delay and, where feasible, within twenty-four (24) hours after becoming aware of a Personal Data breach and provide reasonable assistance thereafter.

9. Data Protection Impact Assessments

Company shall provide reasonable assistance with DPIAs and regulatory consultations where required.

10. International Transfers

Company will implement appropriate safeguards for cross-border transfers and provide information upon reasonable request.

11. Audits and Inspections

Company shall make compliance information available and may satisfy audit requests through third-party certifications where available.

12. Data Return and Deletion

Upon termination, Company shall return or delete Personal Data at Customer’s choice, subject to legal retention requirements.

13. Liability

Liability under this DPA is subject to the limitation of liability provisions in the Agreement.

14. Term and Termination

This DPA remains in effect for the duration of the Agreement and survives as necessary.

15. Governing Law

This DPA shall be governed by the same law as the Agreement unless Data Protection Laws require otherwise.

Schedule 1 – Processing Details

Subject matter: Provision of AI recruiting and hiring platform Services.

Duration: Term of the Agreement plus reasonable retention periods.

Nature of Processing: Collection, storage, use, disclosure, and deletion.

Purpose: Provide, secure, support, and improve the Services.

Data Subjects: Authorized users, candidates, and applicants.

Personal Data: Contact details, resumes, interview data, recordings, transcripts, evaluations, and usage data.

Schedule 2 – Technical and Organizational Security Measures

  • Encryption in transit and at rest where applicable
  • Role-based access controls and authentication
  • Logging and monitoring of administrative access
  • Incident response and breach management procedures
  • Backups and disaster recovery processes
  • Security awareness training