
DataVertex Data Processing Addendum (DPA)

Last Updated: November 17th, 2025

This Data Processing Addendum (“Addendum”) is incorporated into and forms part of the agreement, order form, or other commercial contract (“Agreement”) entered into between:

DataVertex LLC (“DataVertex”), and the customer identified in the Agreement (“Customer”).

DataVertex and Customer are collectively referred to as the “Parties.”

 

1. Purpose and Scope

This Addendum governs the processing and sharing of Candidate Data through DataVertex’s Candidate API Product and On-Demand Sourcing Service (the “Services”). For purposes of this Addendum, Candidate Data refers to personal data relating to identified or identifiable individuals whose information relates to professional, employment, and recruiting contexts.

This Addendum supplements, and does not limit, the Agreement.

2. Roles of the Parties
  1. Each Party acts as an Independent Controller (or “Business” under applicable U.S. state privacy laws) with respect to Candidate Data.

  2. Neither Party acts as a Processor, Joint Controller, Service Provider, or Contractor to the other under this Addendum.

  3. Each Party independently determines the means, purposes, lawful bases, and retention periods for Candidate Data held in its own systems.
     

3. Customer Permitted Use

Customer may use Candidate Data solely for legitimate recruiting, candidate sourcing, employment-related outreach, and workforce planning purposes, which may include direct communication with candidates or sharing with a Qualified Hiring Stakeholder (defined below).

Customer may share Candidate Data only with:

a) its internal employees and contractors on a need-to-know basis;

b) its direct recruiting-related clients (e.g., corporate employers, hiring managers, recruiters, sourcers, staffing agencies) (“Qualified Hiring Stakeholders”); and

c) users of its HR product with candidate sourcing, communication, analytics features (e.g., Applicant Tracking Systems, Candidate Relationship Management, talent sourcing, recruitment marketing, HCM software, etc.).

Prohibited Uses

Customer shall not:

  • resell or redistribute Candidate Data as a standalone data product;

  • use Candidate Data for non-employment-related consumer advertising;

  • use Candidate Data for credit, insurance, housing, or other FCRA-regulated decisions;

  • publish Candidate Data in a public database or open directory.

 

4. DataVertex Operations & CCPA Status
  1. DataVertex is a Business under the California Consumer Privacy Act as amended by CPRA and may sell, share, and combine Candidate Data consistent with applicable law and its public Privacy Notice.
     

  2. Customer acknowledges and agrees that DataVertex may:

    • improve, enhance, validate, score, or otherwise enrich Candidate Data;

    • combine Candidate Data with additional data sources;

    • license, distribute, or make Candidate Data available in accordance with its business model and legal compliance framework.
       

5. Data Subject Requests & Cooperation

Data subjects may submit privacy requests by emailing privacy@data-vertex.com.

If Customer receives a request to delete a person’s data that is applicable to DataVertex’s processing, Customer shall forward the request in a timely manner and, where feasible, collaborate in good faith. DataVertex shall process the request in a timely manner and confirm completion of the request.

 

6. Retention & Deletion
  1. For individuals subject to EU or UK laws, DataVertex will delete, depersonalize, or refresh records on a 36-month cycle.

  2. For all other data subjects, DataVertex may apply its standard retention policies in accordance with lawful business interests.

  3. Each Party maintains independent retention schedules.
     

7. Security Measures

DataVertex implements commercially reasonable organizational, administrative, and technical safeguards, including, but not limited to:

  • Encryption in transit & at rest

  • Access control & authentication

  • Event logging & monitoring

  • Infrastructure security reviews

  • Business continuity & incident response procedures
     

Customer remains responsible for securing downloaded, exported, uploaded, or internally-stored Candidate Data.

8. Subprocessors & Third-Party Providers

DataVertex may engage third-party vendors to support hosting, storage, operations, analytics, and service delivery (“Subprocessors”).

Current key infrastructure provider(s) include:

Amazon Web Services, Inc., Hosting & infrastructure, United States

Google Workspace / Drive, Productivity & secure file operations, United States

DataVertex may update this list based on operational needs.

9. International Data Transfers

Candidate Data is primarily stored and processed in the United States.

Where required under GDPR, DataVertex may implement transfer mechanisms such as Standard Contractual Clauses (SCCs) and associated addenda.

 

10. Breach Notification

In the event of a confirmed security incident affecting Candidate Data within DataVertex’s control, DataVertex will notify Customer without undue delay and provide information reasonably required to support assessment and mitigation.

11. Liability

Each Party is independently responsible for compliance with Applicable Data Protection Law for its own systems, decisions, and data uses.

Neither Party shall indemnify or be liable for the other Party’s non-compliance.

12. Term & Survival

This Addendum:

  • becomes effective on the date of execution of the Agreement;

  • shall remain in effect so long as either Party retains Candidate Data;

  • survives termination of the Agreement.
     

13. Governing Law

This Addendum is governed by the governing law stated in the Agreement unless required otherwise by Applicable Data Protection Laws.
