Data Processing Addendum (DPA)
Effective Date: January 15, 2026
This Data Processing Addendum supplements the main service agreement between Recruitment Room and the Customer. It outlines our obligations as a Data Processor when processing Personal Data on behalf of the Customer (Controller) in compliance with Kenya's Data Protection Act, 2019 and applicable international standards.
1 Definitions
Controller – The Customer who determines the purposes and means of the Processing of Personal Data.
Processor – Recruitment Room, the entity Processing Personal Data on behalf of the Controller.
Personal Data – Any information relating to an identified or identifiable natural person.
Processing – Any operation or set of operations performed on Personal Data.
Data Subject – The natural person to whom the Personal Data relates.
Personal Data Breach – A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2 Processing Details & Scope
Subject Matter: Provision of recruitment platform services including candidate matching, job posting, application management and communication.
Duration: Term of the main agreement plus applicable post-termination retention periods required by law.
Nature & Purpose: Collecting, storing, hosting, transmitting, matching, displaying, analysing and communicating Personal Data for recruitment and talent management purposes.
Types of Personal Data: Contact information, professional history, education, skills, CV/resume content, application data, usage metadata.
Categories of Data Subjects: Job candidates, employees of the Controller, recruiters, hiring managers and other platform users.
3 Obligations of the Processor
Recruitment Room undertakes to:
- Process Personal Data only on documented instructions from the Controller (including regarding international transfers)
- Ensure all persons authorised to process Personal Data are bound by confidentiality obligations
- Implement and maintain appropriate technical and organisational measures to ensure data security
- Assist the Controller in responding to Data Subject rights requests (access, rectification, erasure, etc.)
- Notify the Controller of any Personal Data Breach within 48 hours of becoming aware of it
- Assist with data protection impact assessments and prior consultations with supervisory authorities (where required)
- At the Controller's choice, delete or return all Personal Data upon termination of services and delete existing copies unless law requires retention
- Make available all information necessary to demonstrate compliance with these obligations
4 Sub-processors
The Controller provides general written authorisation for the use of the following sub-processors:
- Amazon Web Services – Cloud hosting and storage
- Google Cloud Platform – Analytics, email services, cloud infrastructure
- SendGrid (Twilio) – Transactional email delivery
- Cloudflare – Security, performance, and DDoS protection
- Stripe – Payment processing (where applicable)
We will notify the Controller of any intended addition or replacement of sub-processors, giving reasonable opportunity to object.
5 International Data Transfers
Personal Data may be transferred to and processed in countries outside Kenya. Where such transfers occur to jurisdictions not deemed adequate under applicable law, we ensure appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by relevant authorities
- Additional supplementary measures when necessary
- Regular review of transfer mechanisms in light of legal developments
6 Security of Processing
We maintain a comprehensive information security program including but not limited to:
- Encryption of data at rest and in transit
- Strict access controls and multi-factor authentication
- Regular security testing, vulnerability scanning, and penetration testing
- Incident response and business continuity procedures
- Personnel training and confidentiality agreements
7 Audit Rights
Upon reasonable advance notice and not more than once per year (unless a material breach is suspected), the Controller or its appointed auditor may conduct an audit of our compliance with this DPA during normal business hours, without unreasonably interfering with our operations.