Data Processing Agreement

Effective Date: June 8, 2026 · Last Updated: June 8, 2026

Version: 2026-06-08

This DPA template forms part of the HeadHonta Terms of Service and applies where HeadHonta processes personal data on behalf of a customer (controller) subject to GDPR, UK GDPR, or the NDPA. To execute a countersigned copy for your organisation, contact legal@headhonta.com.

This Data Processing Agreement ("DPA") governs the processing of personal data carried out by HeadHonta ("Processor," "we," "us," or "our") on behalf of the customer ("Controller," "you," or "your") in connection with the HeadHonta platform, an AI-powered talent operations and applicant tracking service (the "Service"). Where personal data is transferred outside the European Economic Area ("EEA") or the United Kingdom, the applicable Standard Contractual Clauses ("SCCs") approved by the European Commission and the UK International Data Transfer Addendum are incorporated into this DPA by reference and form an integral part of it.

1. Definitions

Terms used in this DPA have the meanings given in Article 4 of the GDPR. In particular:

  • Controller — the natural or legal person that, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processor — the natural or legal person that processes personal data on behalf of the Controller.
  • Personal data — any information relating to an identified or identifiable natural person ("data subject").
  • Sub-processor — any third party engaged by the Processor to process personal data on the Controller's behalf.
  • Data subject — the identified or identifiable natural person to whom the personal data relates.
  • Processing — any operation performed on personal data, whether or not by automated means.
  • Applicable Data Protection Law — the GDPR, the UK GDPR, the Nigeria Data Protection Act 2023 ("NDPA"), and any other data protection law applicable to the processing under this DPA.

2. Roles of the Parties

With respect to personal data processed under the Service, the customer acts as the Controller and HeadHonta acts as the Processor. HeadHonta processes personal data only on the documented instructions of the Controller, including with regard to transfers of personal data, unless required to do otherwise by applicable law, in which case HeadHonta will inform the Controller of that legal requirement before processing (unless prohibited from doing so by law). The Controller's use and configuration of the Service, together with this DPA and the Terms of Service, constitute the Controller's complete and final documented instructions. HeadHonta will inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law.

3. Subject Matter & Duration

The subject matter of the processing is the personal data uploaded to or generated within the Service by the Controller and its authorised users. The processing continues for the term of the Controller's subscription to the Service and ends upon termination of that subscription, subject to the deletion and return provisions in Section 14.

4. Nature & Purpose of Processing

HeadHonta processes personal data for the purpose of providing the Service, namely an AI-powered talent operations and applicant tracking system. This includes:

  • Storing and organising candidate and applicant data.
  • AI-assisted candidate matching, CV/resume analysis, and talent scoring.
  • Facilitating communications between the Controller and candidates.
  • Recording and transcribing interviews where the Controller enables the interview assistant feature.
  • Maintaining pipelines, evaluations, notes, and related workflow data on behalf of the Controller.

5. Categories of Data Subjects

  • The Controller's candidates and applicants.
  • Referees and references provided by candidates.
  • The Controller's own users (recruiters, hiring managers, and other team members with access to the Service).

6. Categories of Personal Data

  • Identity and contact details — names, email addresses, phone numbers, and location.
  • CV/resume content — uploaded resumes, cover letters, and parsed profile information.
  • Employment and education history — past roles, qualifications, and skills.
  • Application and pipeline data — application status, stage, scores, evaluations, and notes.
  • Interview transcripts — recordings and transcriptions where the interview assistant is enabled.

The Controller is responsible for ensuring that no special category data (Article 9 GDPR) is submitted to the Service except where the Controller has a lawful basis and has configured the Service appropriately.

7. Processor Obligations

HeadHonta, as Processor, undertakes to:

  • Process personal data only on the Controller's documented instructions.
  • Ensure that persons authorised to process the personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR (see Section 10).
  • Assist the Controller, taking into account the nature of the processing, in responding to data-subject requests (Section 11) and in meeting its breach-notification obligations (Section 12).
  • Make available to the Controller information necessary to demonstrate compliance with its processing obligations (Section 13).
  • At the Controller's choice, delete or return all personal data on termination of the Service (Section 14).

8. Sub-processors

The Controller provides a general authorisation for HeadHonta to engage the sub-processors listed on our sub-processor page. HeadHonta requires each sub-processor, by written agreement, to be bound by data protection obligations no less protective than those set out in this DPA. HeadHonta will give the Controller prior notice of any intended addition or replacement of a sub-processor, allowing the Controller a reasonable opportunity to object on legitimate data-protection grounds. HeadHonta remains fully liable to the Controller for the performance of each sub-processor's obligations.

9. International Transfers

Personal data may be transferred to and processed in countries outside the EEA or the United Kingdom. Where such transfers occur, HeadHonta ensures appropriate safeguards are in place, including the Standard Contractual Clauses approved by the European Commission and, for UK transfers, the UK International Data Transfer Addendum, which are incorporated into this DPA by reference. Where the European Commission or the UK has issued an adequacy decision for the destination country, transfers may instead rely on that decision.

10. Security Measures

HeadHonta maintains technical and organisational measures designed to protect personal data, including:

  • Encryption of data in transit (TLS 1.2 or higher).
  • Encryption of data at rest at the infrastructure level.
  • Role-based access controls (RBAC).
  • Audit logging of access and administrative actions.
  • Least-privilege access for personnel.
  • Logical tenant isolation so that each Controller's data is segregated from that of other customers.

11. Data-Subject Rights Assistance

HeadHonta provides candidate self-service tooling enabling data subjects to export their personal data and request erasure directly from the candidate portal. Taking into account the nature of the processing, HeadHonta assists the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to data-subject requests under Applicable Data Protection Law. If HeadHonta receives a request directly from a data subject, it will, where legally permitted, refer the request to the Controller rather than respond itself.

12. Personal Data Breach

HeadHonta will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's personal data. The notification will include, to the extent available, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. HeadHonta will cooperate with the Controller and take reasonable steps to mitigate the effects of the breach.

13. Audit & Inspection

HeadHonta makes available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and Article 28 GDPR, and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Audits are subject to reasonable prior notice, confidentiality obligations, and arrangements designed to minimise disruption to the Service and to other customers.

14. Deletion or Return of Data

On termination of the Service, HeadHonta will, at the Controller's choice, delete or return all personal data processed on the Controller's behalf and delete existing copies, unless retention is required by applicable law. Copies of personal data held in routine backups are overwritten as those backups age out of rotation.

15. Liability & Governing Law

The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the HeadHonta Terms of Service. This DPA is governed by, and construed in accordance with, the governing law and jurisdiction specified in the Terms of Service, except where Applicable Data Protection Law requires otherwise.

16. Contact

For questions about this DPA or to request a countersigned copy, contact us at: