PYNEA

Data Processing Agreement

Last updated: 11 May 2026

This DPA forms part of the contractual arrangement between the Hirer ("Controller") and Pynea ("Processor") based on the terms at pynea.com/hirer-terms relating to the provision of the Services ("Principal Agreement"). This DPA outlines the terms and conditions regarding the processing of Personal Data in compliance with applicable Data Protection Laws.

  1. Definitions and interpretation

    Capitalised terms and expressions used in this DPA shall have the following meanings, and definitions used in the Principal Agreement also apply in this DPA:

    DPA: means this Data Processing Agreement and all Annexes.

    Data Protection Laws: means:

    1. to the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of Personal Data.
    2. to the extent the EU GDPR applies, the law of the European Union or any Member State of the European Union to which the Controller or Processor is subject, which relates to the protection of Personal Data.

    EEA: means the European Economic Area.

    EU GDPR: means the EU General Data Protection Regulation 2016/679.

    Services: means the services the Processor provides to the Controller, specifically those defined as the "Services" in the Principal Agreement.

    Subprocessor: means any person appointed by or on behalf of the Processor to process Personal Data of the Controller in connection with the DPA.

    UK GDPR: has the meaning given in section 3(10) of the Data Protection Act 2018.

    The terms "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the Data Protection Laws, and their cognate terms shall be construed accordingly.

  2. Processing of Personal Data
    1. The Processor shall:
      1. comply with all applicable Data Protection Laws in the Processing of the Personal Data in scope of this DPA;
      2. only process Personal Data in accordance with this DPA and Controller's instructions (unless legally required to do otherwise); and
      3. inform the Controller immediately if (in its opinion) any instructions infringe Data Protection Laws.
    2. The Controller instructs the Processor to process Personal Data as aligned to the categories of Personal Data, the categories of Data Subjects and the purposes of the Processing set out in Annex 1 and will comply with applicable Data Protection Laws to ensure the Processor can process the Personal Data.
  3. Controller's obligations
    1. The Controller shall:
      1. provide clear instructions to the Processor in relation to the processing of Personal Data;
      2. ensure that it has all necessary licences, permissions and consents from Data Subjects; and
      3. ensure it has an applicable lawful basis for the transfer of Personal Data to the Processor and the processing of that Personal Data by the Processor.
  4. Processor personnel

    The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with applicable Data Protection Laws, including ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

  5. Security
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall, in relation to the Personal Data, implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including the measures outlined in Annex 2.
    2. In assessing the appropriate level of security, the Processor shall take into account the risks presented by the Processing, in particular those arising from a Personal Data Breach.
  6. Subprocessing
    1. The Controller authorises the Processor to engage Subprocessors when processing Personal Data. The Processor's existing Subprocessors are listed at pynea.com/subprocessors.
    2. The Processor will:
      1. require its Subprocessors to comply with equivalent terms as the Processor's obligations in this DPA;
      2. ensure appropriate safeguards are in place before internationally transferring Personal Data to its Subprocessors; and
      3. be liable for any acts, errors or omissions of its Subprocessors as if they were a party to this DPA.
    3. The Processor may appoint new Subprocessors provided it gives the Controller 14 days' written notice.
    4. The Controller may reasonably object in writing to any future Subprocessor within the timeframe specified at clause 5.3. If the parties cannot agree on a solution within a reasonable time, either party may terminate this DPA.
  7. Data Subject rights
    1. Taking into account the nature of the Processing, the Processor shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligations, as reasonably understood by the Controller, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
    2. The Processor shall:
      1. promptly notify the Controller if it receives a request from a Data Subject under any Data Protection Law in respect of the Personal Data; and
      2. ensure that it does not respond to that request except on the documented instructions of the Controller or as required by applicable Data Protection Laws in which case the Processor shall, to the extent permitted by applicable Data Protection Laws, inform the Controller of that legal requirement before the Processor responds to the request.
  8. Personal Data Breach
    1. The Processor shall notify the Controller within 48 hours of becoming aware of a Personal Data Breach affecting Personal Data, providing the Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the applicable Data Protection Laws.
    2. The Processor shall co-operate with the Controller and take reasonable commercial steps as directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
  9. Data protection impact assessment and prior consultation

    The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Controller reasonably considers to be required by the applicable Data Protection Laws, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, the Processor.

  10. Deletion or return of Personal Data

    Upon termination or expiry of the Principal Agreement, the Processor shall delete or, upon written request from the Controller, return all Personal Data to the Controller within 10 Business Days, unless:

    1. such Personal Data is in the Processor's archives or back-up systems and is not reasonably accessible; or
    2. any law, regulation, or government or regulatory body requires the Processor to retain Personal Data.
  11. Audit rights

    Upon 30 days' written notice from the Controller, the Processor shall:

    1. make available to the Controller all information necessary to demonstrate compliance with this DPA; and
    2. contribute to an audit, including an inspection, by the Controller or an auditor mandated by the Controller in relation to the Processing of the Personal Data by the Processor. Audits are limited to once a year and during Normal Business Hours.
  12. Data transfer

    The Processor may only process, or permit the Processing of, the Personal Data outside the UK/EEA under the following conditions:

    1. the Processor is processing the Personal Data in a territory which is subject to adequacy regulations or decisions under the applicable Data Protection Laws confirming that the territory provides adequate protection for the privacy rights of individuals;
    2. the Processor participates in a valid cross-border transfer mechanism under the applicable Data Protection Laws (such as EU-approved standard contractual clauses or the EU-US Data Privacy Framework (DPF) with UK extension), so that the Processor can ensure that appropriate safeguards are in place to provide an adequate level of protection for the privacy rights of individuals; or
    3. the transfer otherwise complies with the Data Protection Laws.
  13. Liability

    Each party's aggregate liability under this DPA will not exceed the liability caps as set out in the Principal Agreement.

  14. Notices

    All notices and communications given under this DPA must be delivered in accordance with clause 16.11 of the Principal Agreement.

  15. Governing law and jurisdiction
    1. This DPA is governed by the laws of England and Wales.
    2. Any dispute arising in connection with this DPA which the parties are unable to resolve amicably will be submitted to the exclusive jurisdiction of the courts of England and Wales.

Annex 1 – Personal Data Details

1. Purpose of Processing

The purpose of the Processor's Processing of Personal Data on behalf of the Controller is to enable the Controller to use the Pynea platform to manage its recruitment activities, including posting roles, receiving and managing applications, evaluating candidates, and communicating with candidates.

2. Nature of Processing

The Processing shall mainly pertain to:

  • Hosting, storage and organisation of Personal Data within the platform
  • Processing candidate application data submitted to specific roles or hiring processes
  • Enabling the Controller to review, assess, and manage candidates (including shortlisting, status tracking and progression through hiring stages)
  • Facilitating communication between the Controller and candidates
  • Processing Personal Data to provide recruitment-related functionality (including filtering, sorting, ranking and matching within the Controller's hiring workflows)
  • Maintaining system security, access controls, and data integrity

3. Types of Personal Data

For the purposes of this Annex:

"Candidate Profile Data" means Personal Data relating to a candidate that is collected, generated, or maintained by Pynea independently of any specific role, vacancy, or hiring process operated by a Hirer, including:

  (a) information provided by the candidate when registering for and maintaining an account on the Platform, such as name, contact details (email address, telephone number), date of birth, CV, employment history, qualifications, skills, and audio recordings submitted during account setup or general profile completion;
  (b) data generated by Pynea in respect of (a), including AI-generated summaries, skill identifications, attribute indicators, match scores, and rankings; and
  (c) any updates or revisions to the above made by the candidate outside the context of a specific application.

For clarity, Candidate Profile Data does not include Personal Data submitted, generated, or exchanged in the context of a specific role, vacancy, or hiring process operated by a Hirer.

3.1 Personal Data processed by Pynea on behalf of the Controller (processor role)

In its role as processor, Pynea processes the following categories of Personal Data on the documented instructions of the Controller (Hirer):

  • Hirer-generated data relating to candidates (such as notes, evaluations, ratings, feedback, shortlist decisions, and status information)
  • Communication data between the Controller and candidates exchanged through the Platform in connection with a specific role or hiring process
  • Job posting and role-related data created by the Controller
  • Candidate application responses submitted to a specific role or hiring process operated by the Controller
  • Technical data necessary for platform operation (such as IP address, device and browser information) to the extent associated with the categories above and processed on the Controller's instructions

For clarity, this does not include Candidate Profile Data that is controlled independently by Pynea and made available across multiple hirers.

3.2 Personal Data shared by Pynea with the Controller on a controller-to-controller basis

The following categories of Personal Data are processed by Pynea as an independent controller and made available to the Controller (Hirer), who acts as an independent controller in respect of its own use of such data. The processing of this data is not governed by this Annex or by the processor obligations in the DPA, but by the controller-to-controller terms set out in the Hirer Terms of Service / separate Data Sharing Schedule:

  • Candidate profile data (such as CVs, employment history, skills, qualifications, and audio submissions provided by the candidate independently of any specific role)
  • Candidate contact details (such as name, email address, telephone number)
  • Insights, summaries, skill identifications, match indicators and rankings generated by Pynea's AI Functions in respect of candidate profile data

Each party acts as an independent controller in respect of the data referred to in this paragraph 3.2 and is responsible for its own compliance with applicable data protection laws, including establishing its own lawful basis, providing transparency to data subjects, and handling data subject rights requests in respect of its own processing.

4. Special Categories of Personal Data

Special categories of Personal Data are not intentionally collected as part of the Processing. However, such data may be included in candidate application materials at the discretion of the candidate or the Controller.

5. Categories of Data Subjects

The Processing includes Personal Data relating to:

  • Candidates applying to roles posted by the Controller
  • Individuals whose Personal Data is included within the Controller's recruitment activities via the platform

6. Locations of Processing

The Processor's Processing of Personal Data takes place in:

  • United Kingdom
  • European Economic Area (EEA)
  • United States of America

7. Duration of Processing

Processing shall continue for the duration of the Principal Agreement and for any applicable retention period in accordance with the Principal Agreement.

Annex 2 – Technical and Organisational Measures

1. Physical Access Controls

The Processor shall take reasonable physical security measures to prevent unauthorised persons from gaining access to systems and infrastructure processing Personal Data.

2. Access Controls

  • Role-based access controls to restrict access to Personal Data
  • Authentication mechanisms, including secure password policies and, where applicable, multi-factor authentication
  • Documented access authorisation and access management processes
  • Restriction of direct database and application access rights
  • Logging and monitoring of access at appropriate levels
  • Processes to ensure access rights are regularly reviewed and revoked when no longer required

3. Transmission Controls

  • Measures to ensure Personal Data cannot be read, copied, modified or removed without authorisation during transmission
  • Encryption of Personal Data in transit using TLS 1.2 or higher
  • Controls to ensure that data transfers are made only to authorised recipients

4. Input Controls

  • Measures to enable verification of whether and by whom Personal Data has been entered, modified or removed within systems
  • Logging and audit trails for key data processing activities

5. Encryption and Data Protection

  • Encryption of Personal Data at rest using industry standard encryption (e.g. AES-256 or equivalent)
  • Pseudonymisation of Personal Data where appropriate and feasible
  • Measures to ensure Personal Data is protected against unauthorised access and disclosure

6. Confidentiality

  • Personnel with access to Personal Data are subject to confidentiality obligations
  • Access to Personal Data is limited to authorised personnel on a need-to-know basis

7. Integrity, Availability and Resilience

  • Measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • Regular backups of Personal Data
  • Ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident

8. Security Testing and Monitoring

  • Regular testing, assessment and evaluation of the effectiveness of technical and organisational measures
  • Monitoring systems to detect and respond to security incidents

9. Incident Management

  • Processes in place to detect, report and respond to Personal Data Breaches
  • Procedures to notify the Controller without undue delay in the event of a Personal Data Breach

10. Training and Awareness

  • Staff with access to Personal Data receive appropriate training on data protection and privacy obligations

11. Data Minimisation and Retention

  • Processing of Personal Data limited to what is necessary for the purposes set out in Annex 1
  • Retention policies to ensure Personal Data is not kept longer than necessary

© 2026 Pynea
