Data Processing Agreement
This Data Processing Agreement (DPA) outlines how SkillThrive processes personal data on behalf of our business customers in compliance with GDPR and UK GDPR.
Effective Date: August 01, 2024
Version: 2.1
Download DPA
Download a signed copy of our Data Processing Agreement for your records.
1. Parties and Definitions
Data Controller (Customer)
The entity that determines the purposes and means of processing personal data. This includes companies posting jobs and managing recruitment processes through our platform.
Data Processor (SkillThrive)
Asterix Technologies LLP processes personal data on behalf of the Data Controller in accordance with documented instructions and this DPA.
Key Definitions
Personal Data: Any information relating to an identified or identifiable natural person
Processing: Any operation performed on personal data
Data Subject: An individual whose personal data is processed
GDPR: General Data Protection Regulation (EU) 2016/679
UK GDPR: UK General Data Protection Regulation
Sub-processor: Third party engaged by SkillThrive to process data
2. Details of Processing
Subject Matter and Duration
SkillThrive provides recruitment and talent management services, processing candidate and employee data as necessary to deliver these services.
Duration: For the term of the service agreement and retention period
Nature: Recruitment, applicant tracking, candidate management
Purpose: Enable hiring processes and talent acquisition
Frequency: Continuous during active use of services
Categories of Data Subjects
- • Job applicants and candidates
- • Current and former employees
- • Company representatives and contacts
- • References and referrers
- • Interview panel members
Categories of Personal Data
- • Identity data (name, contact details)
- • Professional information (CV, qualifications)
- • Employment history and references
- • Assessment and interview data
- • Communication records
Special Categories (if applicable)
Processing of special category data only occurs with explicit consent or where legally required:
- • Equality monitoring data (with consent)
- • Health data for reasonable adjustments
- • Criminal conviction data (where legally permitted)
3. Processor Obligations
Processing Instructions
- • Process only on documented instructions
- • Notify if instructions violate GDPR
- • Ensure authorized personnel only
- • Maintain confidentiality obligations
Security Measures
- • Implement appropriate technical safeguards
- • Encryption in transit and at rest
- • Regular security testing and audits
- • Access controls and monitoring
Data Subject Rights Support
SkillThrive will assist the Controller in responding to data subject rights requests:
- • Right of access (Subject Access Requests)
- • Right to rectification
- • Right to erasure ("right to be forgotten")
- • Right to restrict processing
- • Right to data portability
- • Right to object to processing
- • Rights related to automated decision-making
- • Response within required timeframes
4. Sub-processors
General Authorization
The Controller provides general authorization for SkillThrive to engage sub-processors, subject to the conditions outlined below.
Current Sub-processors
| Sub-processor | Service | Location | Safeguards |
|---|---|---|---|
| AWS | Cloud hosting & storage | EU/UK | Standard Contractual Clauses |
| Stripe | Payment processing | EU/US | Adequacy Decision (US), DPA |
| SendGrid | Email delivery | US | Standard Contractual Clauses |
Sub-processor Changes
- • 30 days advance notice for new sub-processors
- • Controller may object within 30 days
- • Updated list maintained at: skillthrive.io/legal/sub-processors
- • All sub-processors bound by equivalent data protection obligations
5. International Data Transfers
Transfer Safeguards
Any transfers of personal data to third countries will be protected by appropriate safeguards:
- • EU Commission adequacy decisions
- • Standard Contractual Clauses (SCCs)
- • Binding Corporate Rules (BCRs)
- • Certification schemes
- • Codes of conduct
- • Explicit consent (where appropriate)
Primary Processing Locations
- • Primary: European Economic Area (EEA)
- • Secondary: United Kingdom
- • Third Country: United States (with adequate safeguards)
- • Backup/DR: Canada (adequacy decision)
6. Data Breach Notification
Incident Response Procedure
Detection & Assessment
Within 1 hour of discovery
Controller Notification
Within 24 hours maximum
Documentation & Follow-up
Detailed incident report
Information Provided
- • Nature of the breach
- • Categories and number of data subjects affected
- • Likely consequences of the breach
- • Measures taken to address the breach
Ongoing Support
- • Reasonable assistance with regulatory notifications
- • Cooperation with investigations
- • Documentation and evidence provision
- • Remediation and prevention measures
7. Audit Rights and Compliance
Audit and Inspection Rights
The Controller has the right to audit SkillThrive's compliance with this DPA:
- • Annual compliance reports provided
- • Third-party audit certifications (SOC 2, ISO 27001)
- • On-site audits (with reasonable notice)
- • Remote audits and questionnaires
- • Access to relevant documentation
- • Reasonable costs borne by Controller
Compliance Documentation
- • Data processing records maintained
- • Security policies and procedures documented
- • Staff training records
- • Incident logs and breach records
- • Sub-processor management documentation
8. Data Return and Deletion
End of Processing
Upon termination of the services or at the Controller's request, SkillThrive will:
Data Return Options
- • Return all personal data in commonly used format
- • Secure data transfer methods
- • Data integrity verification
- • Export completed within 30 days
Data Deletion
- • Secure deletion of all copies
- • Destruction certificates provided
- • Backup and archive deletion
- • Legal retention obligations respected
9. Contact Information
SkillThrive (Data Processor)
Company: Asterix Technologies LLP
Address: 167-169 Great Portland Street, 5th Floor, London W1W 5PF, UK
DPO Email: support@skillthrive.io
Legal Email: support@skillthrive.io
Customer (Data Controller)
Details to be completed when executing this DPA:
Company: _________________
Address: _________________
DPO/Contact: _________________
Email: _________________
Execute Data Processing Agreement
Contact our legal team to execute a customized DPA for your organization.