
1. Parties and Relationship

This Data Processing Agreement (DPA) forms part of the agreement between DWEET LTD and the customer entity that has either (a) accepted the Nova Terms of Service, or (b) entered into an Order Form or Master Services Agreement that incorporates this DPA (in each case, the “Agreement”). Capitalised terms not defined in this DPA have the meanings given in the Agreement. Controller is the controller of Personal Data. Processor processes Personal Data on behalf of Controller to provide the Nova services as described in the Agreement. Nova is a software-as-a-service product owned and operated by DWEET LTD.

2. Definitions

  • Applicable Data Protection Law means all laws and regulations relating to data protection, privacy, and the use of personal data applicable to the processing under this DPA, including the EU GDPR, the UK GDPR, the Swiss Federal Act on Data Protection (FADP), comparable United States state privacy laws, and national implementations thereof.
  • EU GDPR means Regulation (EU) 2016/679.
  • UK GDPR means the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as supplemented and amended by the Data Protection Act 2018.
  • Personal Data, Data Subject, Controller, Processor, Processing have the meanings given in Applicable Data Protection Law.
  • Sub-processor means any processor engaged by Processor to process Personal Data on behalf of Controller.
  • Security Incident means any unauthorised access to the Services or systems. Security Incidents that do not result in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data are not Personal Data Breaches.
  • Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data that is transmitted, stored or otherwise processed.
  • De-identified Data means data created from Personal Data by removing direct and indirect identifiers so that the data cannot reasonably be used to identify a person, household, or device, and that is subject to technical and organisational controls designed to prevent reidentification.
  • Aggregated Data means data that is combined with other data and presented in summary form that does not identify a person, household, organisation, or device.

3. Scope and Instructions

3.1 Processor will process Personal Data only on the documented instructions of Controller, as described in the Agreement and this DPA, unless required to do so by Applicable Data Protection Law. In such a case, Processor will inform Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3.2 Details of the processing (categories of data, data subjects, purpose, duration) are set out in Annex I (Processing Details).
3.3 Processor does not decide the purposes or means of processing Personal Data except as described in this DPA and the Agreement.
3.4 Controller is responsible for ensuring that it has a lawful basis and any required notices or consents to provide Personal Data to Processor and to use the Services.
3.5 Where Controller activates candidate enrichment or fraud detection features, Controller instructs Processor to obtain role-relevant professional information and verification data about candidates from the external sources described in Annex I. Controller remains responsible for ensuring that such processing is covered by its legal basis and candidate notices under Applicable Data Protection Law.

4. Special Categories and Sensitive Data

4.1 Processor does not intentionally request or require special categories of Personal Data for the operation of the Service. However, resumes, cover letters, free text application answers, interview notes, transcripts and other candidate supplied documents from Controller’s ATS and related systems may contain such information.
4.2 Processor processes such content only to provide the Service as configured by Controller (for example parsing, indexing, search, scoring, generating interview support) and does not purposefully create profiles based on protected characteristics.
4.3 Controller remains responsible for ensuring a lawful basis under Article 9 GDPR or equivalent provisions where special categories of data are present, including providing any required notices to candidates and configuring its processes and criteria in a compliant manner.

5. Restrictions on Use

5.1 Processor will not:
  • sell or share Personal Data as those terms are defined in Applicable Data Protection Law;
  • process Personal Data for cross-context behavioural advertising;
  • retain, use, or disclose Personal Data outside the direct business relationship with Controller or beyond what is necessary to provide the Services or comply with law; or
  • combine Personal Data with data Processor collects for its own purposes, except as necessary to provide, secure, and improve the Services.
5.2 Processor will not use Controller’s Personal Data itself (that is, identifiable personal data) to train general models. Processor may create and use Aggregated or De-identified Data derived from Controller’s Personal Data to operate, secure, and improve the Services and to train and evaluate models used to provide the Services and other general models, as described in the AI Terms and Privacy Policy. Processor will not attempt to re-identify such Aggregated or De-identified Data.
5.3 Where Processor uses Third-Party AI Services as part of the Services, Processor configures those services so that Controller’s Personal Data is not used by those third parties to train their own general models.

6. Confidentiality and Personnel

6.1 Processor will ensure that persons authorised to process Personal Data are under appropriate confidentiality obligations.
6.2 Processor will ensure that access to Personal Data is limited to personnel who require such access for the performance of the Services under the Agreement.

7. Security Measures

7.1 Processor will implement and maintain appropriate technical and organisational measures (“TOMs”) to ensure a level of security appropriate to the risk, including the measures described in Annex II (Technical and Organisational Measures).
7.2 Processor will regularly test, assess, and evaluate the effectiveness of TOMs and make improvements as necessary.

8. Sub-processors

8.1 Controller authorises Processor to engage Sub-processors. Current Sub-processors and their roles are listed on Processor’s Sub-processors page, which Processor keeps current and accessible to Controller.
8.2 Processor will provide at least 7 days’ notice of intended changes to Sub-processors by updating the Sub-processors page and, for material changes, by email or in-product notification.
8.3 Controller may object to a new Sub-processor on reasonable data protection grounds. If the parties do not agree on a resolution within 30 days, Controller may terminate the affected Services without penalty.
8.4 Processor will impose data protection terms on Sub-processors that provide at least the same level of protection as this DPA and remains liable for each Sub-processor’s performance.
8.5 To object to a new Sub-processor, Controller may reply to the change notice or email privacy@dweet.com within the notice period set out in Section 8.2, including the reasonable data protection grounds for the objection. Processor will promptly engage with Controller to seek a resolution consistent with Section 8.3.

9. International Transfers

9.1 Personal Data is primarily hosted in the United Kingdom (AWS region eu-west-2, London). Transfers from the EEA to the United Kingdom rely primarily on the European Commission’s adequacy decision for the UK. Where processing by Processor or its Sub-processors involves a transfer outside the United Kingdom or EEA, or where adequacy no longer applies, such transfer will be governed by appropriate safeguards, including the EU Standard Contractual Clauses and the UK Addendum to the EU Standard Contractual Clauses, as described in Annex IV (Transfer Mechanisms).
9.2 Processor will provide reasonable information to support Controller’s transfer impact assessments on request.
9.3 Processor will notify Controller without undue delay of any binding governmental or law-enforcement request for Personal Data, unless legally prohibited, will limit disclosures to the minimum required, and will challenge unlawful or overbroad requests where legally permissible and reasonably practical.

10. Assistance to Controller

10.1 Processor will assist Controller with Data Subject requests (for example access, correction, deletion, portability) through available export and deletion tools for Nova user and candidate data, and will handle other sources (such as synced ATS or enrichment data) on a best-effort basis, to the extent required by Applicable Data Protection Law. Processor will not respond directly to a requester except to acknowledge receipt and redirect them to Controller, unless legally required to do so.
10.2 Processor will provide reasonable information to support Controller’s data protection impact assessments, consultations with supervisory authorities, and transfer impact assessments relating to the Services, including information about processing activities, TOMs, Sub-processors, transfer mechanisms, and relevant data locations.
10.3 Where Controller requests assistance that is unusually burdensome, the parties will agree on reasonable cost reimbursement.

11. Personal Data Breach

11.1 Processor will notify Controller without undue delay and, where feasible, not later than 72 hours after becoming aware of a Personal Data Breach affecting Controller Personal Data. The initial notice will include known facts, likely impact, and mitigation steps, and Processor will provide updates as additional information becomes available.
11.2 Processor will promptly take steps to contain, investigate, and remediate the breach, keep Controller informed, and cooperate with Controller’s reasonable requests and regulatory obligations.

12. Records and Audit

12.1 Processor will maintain records of processing activities as required by Applicable Data Protection Law and make them available to Controller upon request.
12.2 Processor shall allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller, in respect of Processor’s processing of Personal Data and compliance with this DPA and Applicable Data Protection Law.
12.3 Audits will be remote-first and based on current independent reports, penetration test summaries, and security questionnaires. On-site audits are not offered. Where on-site access is legally required and reports do not reasonably address substantiated concerns, the parties will agree on alternative reasonable verification methods.
12.4 Audits occur no more than once every 12 months, with 30 days’ notice, during business hours, and subject to confidentiality. Audits are at Controller’s cost unless a material non-compliance is found, in which case Processor will bear reasonable and proportionate audit costs.
12.5 The parties will execute a confidentiality and access protocol before any audit. Findings are confidential information.

13. Deletion

13.1 Upon termination of the Agreement, customer data export is available for 30 days. Processor deletes production copies within 60 days, with backups overwritten on their normal cycle. Controller may request a shorter or longer retention in the admin settings where supported, subject to legal retention requirements. Notwithstanding the foregoing, Processor may retain and use De-identified Data and Aggregated Data created from customer Personal Data prior to or in connection with termination, provided that such data (a) cannot reasonably be used to identify a person, household, organisation, or device, (b) is subject to technical and organisational controls designed to prevent reidentification, and (c) is used only for the purposes described in Section 5.2 of this DPA and the Agreement.

14. Liability and Precedence

14.1 As between the parties, limitations and exclusions of liability are governed by the Agreement. For clarity, the total aggregate liability of each party under or in connection with this DPA is subject to the same limitations and exclusions of liability set out in the Agreement. This DPA does not increase either party’s liability beyond the Agreement. Nothing in this DPA limits a party’s liability where such limitation is not permitted by law. Enterprise customers may agree different liability caps or structures in their Order Form or MSA, which will apply to this DPA to the extent of conflict.
14.2 In case of conflict between this DPA and the Agreement, this DPA controls for personal data processing topics. Otherwise, the Agreement controls.

15. Governing Law and Jurisdiction

15.1 This DPA is governed by the laws of England and Wales without regard to conflict of laws principles. The courts of England and Wales have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA, subject to mandatory Applicable Data Protection Law.

16. Contact

Processor’s data protection contact: privacy@dweet.com

Annex I - Processing Details

1. Subject matter of Processing
Provision and improvement of the Nova AI-powered recruitment platform for internal hiring and talent workflows, including candidate evaluation and ranking, talent rediscovery, search, analytics, and related recruitment tooling.
2. Data Subjects
  • Job applicants and candidates whose data is stored in Controller’s ATS and related recruitment systems.
  • Individuals whose Personal Data appears in ATS records or candidate supplied content, such as referees, managers, or colleagues mentioned in documents.
  • Employees, contractors, and other personnel of Controller who use Nova in their professional capacity (for example recruiters, hiring managers, administrators).
3. Categories of Personal Data
Candidate and application data sourced from Controller’s ATS and related systems, which may include:
  • Identifiers and contact details: names, email addresses, phone numbers, postal addresses, online profile links, candidate or application identifiers used by Controller.
  • Professional and education information: employment history, roles, responsibilities, seniority, education history, qualifications, skills and competencies, languages, certifications.
  • Application level metadata: job applied for, requisition identifiers, application status and stage history, timestamps, sources and campaigns, referral information, rejection reasons, tags and labels, salary expectations, availability and notice periods.
  • Evaluation and workflow data: scorecards and ratings, interview feedback, comments and notes, interviewer and panel details, structured responses to screening questions, internal recruiter notes and disposition codes.
  • Communication and content data: free text answers to application questions, cover letters, resumes and CVs, candidate supplied attachments and portfolios, internal and external interview notes, summaries of calls or meetings, and, where enabled, interview recordings and transcripts processed by or via the Service.
  • Account and usage data for Controller’s users: names, business contact details, role, permissions, and product usage and audit logs to the extent they relate to identifiable individuals.
  • Job and requisition data (which may be linked to candidates): job titles, locations, descriptions, requirements, compensation ranges, employment type and related attributes.
  • External professional profile data (optional): where Controller enables enrichment features, publicly available professional information from external sources such as LinkedIn or GitHub (for example profile headline, current and past roles and employers, education history, skills, and profile URL) linked to candidate records.
4. Special Categories of Personal Data
  • Processor does not intentionally request or require special categories of Personal Data for the operation of the Service. However, resumes, cover letters, free text application answers, interview notes, transcripts and other candidate supplied documents may contain special categories of Personal Data in free text (for example information revealing health, union membership, beliefs or other protected characteristics).
  • Processor processes such content only to provide the Service as configured by Controller and does not purposefully create profiles based on protected characteristics.
  • Controller remains responsible for ensuring a lawful basis under Article 9 GDPR or equivalent provisions where special categories of data are present, including providing any required notices to candidates and configuring its processes and criteria in a compliant manner.
5. Purpose of Processing
  • Providing and improving the Nova recruitment platform for internal hiring and talent workflows, including candidate evaluation and ranking, search and rediscovery of candidates, and optional enrichment of ATS data with role-relevant information from external professional sources and fraud prevention signals where configured by Controller.
  • Supporting interview preparation and execution, including generation of interview questions and guides and, where enabled, processing of interview notes, recordings, and transcripts.
  • Providing recruitment analytics, dashboards, and insights for Controller’s internal use.
  • Operating, maintaining, and securing the Service, including troubleshooting, support, prevention of abuse and fraud, and security and compliance logging.
  • Evaluating and improving models and features used to provide the Service, using De-identified or Aggregated Data as described in the Agreement, AI Terms, and this DPA.
6. Duration of Processing
For the term of the Agreement and for 60 days thereafter (post-termination deletion window), except where longer retention is required by law or as configured by Controller within supported retention options.
7. Nature and Frequency of Processing
Continuous collection, receipt, storage, organisation, analysis by AI inference and other logic, retrieval, combination, transmission to authorised recipients, and deletion of Personal Data. Processing occurs on-demand as Controller’s ATS and other enabled systems send data to the Service and as users of Nova interact with the Service.
8. Data Sources
  • Personal Data is primarily sourced from Controller’s ATS via API or webhooks and from inputs provided by users in Nova (for example notes, tags, configuration data, and internal comments).
  • Optional enrichments and integrations (for example geocoding, LinkedIn enrichment, PDF conversion, additional HR or recruitment systems, and any interview recording or transcription services) are used only where explicitly enabled by Controller and documented in the Services or in integration documentation.
  • Where Controller activates enrichment or fraud detection features, Processor may obtain role-relevant professional information from external networking and developer platforms such as LinkedIn or GitHub and from verification services designated by Controller or described in this Annex.
  • Processor does not use personal or entertainment focused social media sites (such as Facebook, Instagram, or TikTok) as data sources for the Services.

Annex II - Technical and Organisational Measures (TOMs)

Processor maintains technical and organisational measures appropriate to the risk, including encryption in transit and at rest, access controls, secure development and change management, logging and monitoring, vulnerability management, and disaster recovery. Security controls include, without limitation:
  • Pseudonymisation and encryption: Encryption in transit (TLS 1.2 or higher, targeting TLS 1.3). At rest: databases and search indexes encrypted using cloud-managed service keys by default (or customer-managed keys where configured); file storage with server-side encryption. Key rotation follows cloud-managed policies or customer rotation schedules where used. Pseudonymisation is applied where feasible (for example internal identifiers for candidate records).
  • Access controls: Multi-factor authentication for administrative access; role-based access; least-privilege and time-bound elevation; application-layer authorisation for personal data.
  • Secrets management: Long-lived credentials (for example OAuth refresh tokens and API keys) are stored in secure secret management systems with encryption at rest and environment scoping. Access tokens are short-lived and cached ephemerally with defined expiry.
  • Application security: Code review, automated checks in continuous integration, and change control for high-risk changes, with rollback procedures.
  • Network security: Cloud firewalls and security groups; database ingress limited to application security groups and, where used, allowlisted IP ranges; temporary human access via short-lived allowlists recorded and revoked after use; monitoring and alerting; clock synchronisation for accurate log timestamps.
  • File access: File operations are gated behind presigned URLs with short expirations; job-level authorisation is enforced; public access is blocked; cross-origin resource sharing is restricted to Nova production domains.
  • Data management: Data minimisation, classification, retention and deletion procedures; exports to support data subject access requests.
  • Telemetry and logging: Processor collects application and infrastructure logs and traces as part of operating, securing, and improving the Services. Logs may include Personal Data and portions of application content where reasonably necessary for those purposes and are protected by encryption, access controls, and defined retention periods. Logs are stored in Processor-controlled systems and, where necessary, in monitoring or error tracking tools listed as Sub-processors.
  • Operational resilience: Backups and point-in-time recovery for databases; file versioning where appropriate; regular snapshots for search indexes; maintenance windows; disaster recovery planning.
  • Workforce measures: Confidentiality agreements; security and privacy training at onboarding and at least annually.
  • Incident response: Documented runbooks; customer notification commitment upon becoming aware of a Personal Data Breach; investigation and remediation steps.
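The "File access" measure above combines three controls that are easy to get wrong when implemented separately: a per-file authorisation check at the job level, a signature that binds the grant to one object, and a short expiry so a leaked link stops working on its own. The following is an added illustration of that pattern and is not Nova's code; it uses an HMAC-signed URL as a stand-in for a cloud provider's presigned URL, and the signing key, job ACL, file store, and hostname are constructed example values.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed example data. In a real deployment the signing key would be held in a
# secrets manager and scoped to one environment, as the "Secrets management" measure describes.
SIGNING_KEY = b"example-only-key-rotate-me"
JOB_ACL = {"job-1042": {"recruiter@example.test", "hiring-manager@example.test"}}
FILE_STORE = {"resumes/job-1042/candidate-77.pdf": "job-1042"}  # file key -> owning job
BASE_URL = "https://files.nova.example/download"  # hypothetical download endpoint
MAX_TTL_SECONDS = 900


def _canonical(file_key: str, expires: int) -> bytes:
    # Bind the signature to both the object and its expiry so neither can be swapped.
    return f"{file_key}\n{expires}".encode()


def _sign(file_key: str, expires: int, key: bytes = SIGNING_KEY) -> str:
    return hmac.new(key, _canonical(file_key, expires), hashlib.sha256).hexdigest()


def issue_download_url(user: str, file_key: str, ttl_seconds: int = 300,
                       now: Optional[int] = None) -> str:
    """Enforce job-level authorisation, then mint a URL that expires after ttl_seconds."""
    if ttl_seconds <= 0 or ttl_seconds > MAX_TTL_SECONDS:
        raise ValueError(f"ttl must be between 1 and {MAX_TTL_SECONDS} seconds")
    job_id = FILE_STORE.get(file_key)
    # Unknown files and users outside the job's ACL are refused before any URL exists.
    if job_id is None or user not in JOB_ACL.get(job_id, set()):
        raise PermissionError(f"{user} is not authorised for {file_key}")
    expires = int(now if now is not None else time.time()) + ttl_seconds
    query = urlencode({"key": file_key, "expires": expires, "sig": _sign(file_key, expires)})
    return f"{BASE_URL}?{query}"


def verify_download_url(url: str, now: Optional[int] = None) -> Optional[str]:
    """Return the file key when the URL is unexpired and authentically signed, else None."""
    q = parse_qs(urlparse(url).query)
    try:
        file_key, expires, sig = q["key"][0], int(q["expires"][0]), q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return None
    current = int(now if now is not None else time.time())
    if current >= expires:
        return None  # expired links fail closed
    # Constant-time comparison avoids leaking how much of a forged signature matched.
    if not hmac.compare_digest(sig, _sign(file_key, expires)):
        return None
    return file_key


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock for a reproducible demonstration
    url = issue_download_url("recruiter@example.test", "resumes/job-1042/candidate-77.pdf", 300, now=t0)
    print("fresh link   ->", verify_download_url(url, now=t0 + 10))
    print("after expiry ->", verify_download_url(url, now=t0 + 301))
```

The authorisation decision is made once, at issuance, and the signature then carries only an object key and an expiry; the storage front end never needs the ACL, which is what lets public access be blocked outright. A short TTL limits the window in which a link forwarded by email or captured in a log remains usable, and capping the TTL server-side prevents callers from minting effectively permanent links.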

Annex III - Sub-processors

Processor’s current Sub-processors and their roles, locations, and transfer mechanisms are listed on the public Sub-processors page. That page is incorporated by reference and kept current.

Annex IV - Transfer Mechanisms

  1. EU Standard Contractual Clauses (SCCs) The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference for restricted transfers under EU GDPR. Module 2 (Controller to Processor) applies to Controller to Processor transfers. Module 3 (Processor to Sub-processor) applies to Processor to Sub-processor transfers.
  2. UK Addendum to the EU SCCs The UK International Data Transfer Addendum to the EU SCCs, issued by the Information Commissioner’s Office, is incorporated by reference for restricted transfers under UK GDPR. The parties complete the Addendum with the information in Annexes I to III. The Addendum takes precedence over the EU SCCs for UK transfers.
  3. Swiss Addendum (FADP) For transfers governed by Swiss data protection law, the parties apply the SCCs with the following modifications: references to “Member State” include Switzerland; references to “GDPR” are understood as references to Swiss data protection law where applicable; the competent authority is the Swiss Federal Data Protection and Information Commissioner; governing law and forum for SCC-related disputes is Switzerland.