Skip to main content

Data Processing Agreement

This Data Processing Agreement (DPA) outlines how SkillThrive processes personal data on behalf of our business customers in compliance with GDPR and UK GDPR.

Effective Date: August 01, 2024

Version: 2.1

Download DPA

Download a signed copy of our Data Processing Agreement for your records.

1. Parties and Definitions

Data Controller (Customer)

The entity that determines the purposes and means of processing personal data. This includes companies posting jobs and managing recruitment processes through our platform.

Data Processor (SkillThrive)

Asterix Technologies LLP processes personal data on behalf of the Data Controller in accordance with documented instructions and this DPA.

Key Definitions

Personal Data: Any information relating to an identified or identifiable natural person

Processing: Any operation performed on personal data

Data Subject: An individual whose personal data is processed

GDPR: General Data Protection Regulation (EU) 2016/679

UK GDPR: UK General Data Protection Regulation

Sub-processor: Third party engaged by SkillThrive to process data

2. Details of Processing

Subject Matter and Duration

SkillThrive provides recruitment and talent management services, processing candidate and employee data as necessary to deliver these services.

Duration: For the term of the service agreement and retention period

Nature: Recruitment, applicant tracking, candidate management

Purpose: Enable hiring processes and talent acquisition

Frequency: Continuous during active use of services

Categories of Data Subjects

  • • Job applicants and candidates
  • • Current and former employees
  • • Company representatives and contacts
  • • References and referrers
  • • Interview panel members

Categories of Personal Data

  • • Identity data (name, contact details)
  • • Professional information (CV, qualifications)
  • • Employment history and references
  • • Assessment and interview data
  • • Communication records

Special Categories (if applicable)

Processing of special category data only occurs with explicit consent or where legally required:

  • • Equality monitoring data (with consent)
  • • Health data for reasonable adjustments
  • • Criminal conviction data (where legally permitted)

3. Processor Obligations

Processing Instructions

  • • Process only on documented instructions
  • • Notify if instructions violate GDPR
  • • Ensure authorized personnel only
  • • Maintain confidentiality obligations

Security Measures

  • • Implement appropriate technical safeguards
  • • Encryption in transit and at rest
  • • Regular security testing and audits
  • • Access controls and monitoring

Data Subject Rights Support

SkillThrive will assist the Controller in responding to data subject rights requests:

  • • Right of access (Subject Access Requests)
  • • Right to rectification
  • • Right to erasure ("right to be forgotten")
  • • Right to restrict processing
  • • Right to data portability
  • • Right to object to processing
  • • Rights related to automated decision-making
  • • Response within required timeframes

4. Sub-processors

General Authorization

The Controller provides general authorization for SkillThrive to engage sub-processors, subject to the conditions outlined below.

Current Sub-processors

Sub-processorServiceLocationSafeguards
AWSCloud hosting & storageEU/UKStandard Contractual Clauses
StripePayment processingEU/USAdequacy Decision (US), DPA
SendGridEmail deliveryUSStandard Contractual Clauses

Sub-processor Changes

  • • 30 days advance notice for new sub-processors
  • • Controller may object within 30 days
  • • Updated list maintained at: skillthrive.io/legal/sub-processors
  • • All sub-processors bound by equivalent data protection obligations

5. International Data Transfers

Transfer Safeguards

Any transfers of personal data to third countries will be protected by appropriate safeguards:

  • • EU Commission adequacy decisions
  • • Standard Contractual Clauses (SCCs)
  • • Binding Corporate Rules (BCRs)
  • • Certification schemes
  • • Codes of conduct
  • • Explicit consent (where appropriate)

Primary Processing Locations

  • Primary: European Economic Area (EEA)
  • Secondary: United Kingdom
  • Third Country: United States (with adequate safeguards)
  • Backup/DR: Canada (adequacy decision)

6. Data Breach Notification

Incident Response Procedure

1

Detection & Assessment

Within 1 hour of discovery

2

Controller Notification

Within 24 hours maximum

3

Documentation & Follow-up

Detailed incident report

Information Provided

  • • Nature of the breach
  • • Categories and number of data subjects affected
  • • Likely consequences of the breach
  • • Measures taken to address the breach

Ongoing Support

  • • Reasonable assistance with regulatory notifications
  • • Cooperation with investigations
  • • Documentation and evidence provision
  • • Remediation and prevention measures

7. Audit Rights and Compliance

Audit and Inspection Rights

The Controller has the right to audit SkillThrive's compliance with this DPA:

  • • Annual compliance reports provided
  • • Third-party audit certifications (SOC 2, ISO 27001)
  • • On-site audits (with reasonable notice)
  • • Remote audits and questionnaires
  • • Access to relevant documentation
  • • Reasonable costs borne by Controller

Compliance Documentation

  • • Data processing records maintained
  • • Security policies and procedures documented
  • • Staff training records
  • • Incident logs and breach records
  • • Sub-processor management documentation

8. Data Return and Deletion

End of Processing

Upon termination of the services or at the Controller's request, SkillThrive will:

Data Return Options

  • • Return all personal data in commonly used format
  • • Secure data transfer methods
  • • Data integrity verification
  • • Export completed within 30 days

Data Deletion

  • • Secure deletion of all copies
  • • Destruction certificates provided
  • • Backup and archive deletion
  • • Legal retention obligations respected

9. Contact Information

SkillThrive (Data Processor)

Company: Asterix Technologies LLP

Address: 167-169 Great Portland Street, 5th Floor, London W1W 5PF, UK

DPO Email: support@skillthrive.io

Legal Email: support@skillthrive.io

Customer (Data Controller)

Details to be completed when executing this DPA:

Company: _________________

Address: _________________

DPO/Contact: _________________

Email: _________________

Execute Data Processing Agreement

Contact our legal team to execute a customized DPA for your organization.

Contact Legal Team