Redsun Platform

Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Redsun Innovations Ltd ("Processor") and the customer ("Controller") for the provision of recruitment platform services.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Controller" means the entity that determines the purposes and means of processing Personal Data.
  • "Processor" means Redsun Innovations Ltd, which processes Personal Data on behalf of the Controller.
  • "Data Subject" means an identified or identifiable individual to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data.
  • "Data Protection Laws" means, as applicable to the parties: the UK General Data Protection Regulation and the Data Protection Act 2018 (United Kingdom); the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (the "CCPA/CPRA") and the consumer privacy and data protection laws of any other US state with effect from the date such law applies (including the Colorado Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act, the Utah Consumer Privacy Act, the Texas Data Privacy and Security Act, the Oregon Consumer Privacy Act and any successor legislation); and the Privacy Act 1988 (Cth) and the Australian Privacy Principles (Australia).

2. Scope and Purpose

This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in connection with the recruitment platform services. The purpose of processing includes:

  • Hosting and managing candidate data on the Controller's branded portal
  • Facilitating job applications and candidate communications
  • Generating anonymized market insights and analytics
  • Providing AI-assisted candidate matching and recommendations
  • Integrating with the Controller's existing HR and ATS systems

3. Categories of Data Subjects

  • Job applicants and candidates
  • Employees of the Controller
  • Hiring managers and recruiters
  • References and referrals

4. Types of Personal Data

  • Contact information (name, email, phone, address)
  • Professional information (CV, work history, skills, qualifications)
  • Recruitment data (applications, interview notes, assessments)
  • Salary and compensation information
  • Account credentials and authentication data

5. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure persons authorized to process data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Not engage sub-processors without prior written consent of the Controller
  • Assist the Controller in responding to data subject requests
  • Delete or return all Personal Data upon termination of services
  • Make available information necessary to demonstrate compliance

6. Security Measures

The Processor implements the following security measures:

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access, multi-factor authentication
  • Monitoring: Continuous security monitoring and audit logging
  • Infrastructure: ISO 27001 certified data centers
  • Personnel: Background checks and security training for staff
  • Incident Response: Documented procedures for security incidents

7. Sub-processing

The Controller authorizes the use of sub-processors listed on our Subprocessors page. The Processor shall:

  • Maintain an up-to-date list of sub-processors
  • Provide 30 days' notice before adding new sub-processors
  • Enter into written agreements with sub-processors containing equivalent obligations
  • Remain liable for sub-processors' compliance with this DPA

8. Data Subject Rights

The Processor shall assist the Controller in fulfilling data subject requests including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object

Response timeframe: Within 5 business days of receiving a request from the Controller.

9. Data Breach Notification

In the event of a personal data breach, the Processor shall:

  • Notify the Controller without undue delay and within 72 hours of becoming aware
  • Provide details of the breach, categories of data affected, and approximate number of data subjects
  • Describe likely consequences and measures taken or proposed to address the breach
  • Cooperate with the Controller's investigation and notification obligations

10. Audit Rights

The Controller may audit the Processor's compliance with this DPA upon reasonable notice. The Processor shall provide access to relevant documentation, systems, and personnel. Audits shall be conducted during normal business hours and shall not unreasonably disrupt operations.

11. International Transfers

Where Personal Data is transferred outside the United Kingdom, the Processor ensures adequate protection through:

  • transfers to countries with a UK adequacy regulation in force;
  • the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, where required for transfers from the UK to a third country;
  • additional technical and organisational measures where required by a transfer risk assessment.

For transfers of personal information of California residents, the Processor acts as a "Service Provider" as defined in the CCPA/CPRA and shall not (a) sell or share personal information; (b) retain, use or disclose personal information for any purpose other than the business purposes specified in this DPA and the Agreement; or (c) combine personal information received from one Controller with personal information from another source, except as permitted by the CCPA/CPRA.

For disclosures of personal information of Australian residents to overseas recipients, the Processor takes reasonable steps to ensure that recipients comply with obligations equivalent to the Australian Privacy Principles in accordance with APP 8.

11A. CCPA/CPRA Service Provider Terms

The following terms apply where the Controller is a "Business" subject to the CCPA/CPRA. The Processor certifies that it understands and will comply with the restrictions in Cal. Civ. Code §§ 1798.140(ag), 1798.140(ai) and 1798.100 et seq.:

  • The Processor receives personal information from the Controller solely to provide the Services.
  • The Processor does not sell or share personal information.
  • The Processor does not retain, use or disclose personal information for any purpose other than the specific purpose of performing the Services, including for any commercial purpose, or outside the direct business relationship with the Controller, except as permitted by the CCPA/CPRA.
  • The Processor will assist the Controller in responding to verifiable consumer requests for access, correction, deletion, opt-out and limitation of use of sensitive personal information.
  • The Processor notifies the Controller if it determines it can no longer meet its obligations under the CCPA/CPRA.

11B. Australian Privacy Principles Terms

The Processor acknowledges that the Controller may be subject to the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs"). The Processor will:

  • handle Personal Data in a manner consistent with the APPs;
  • maintain reasonable steps to protect Personal Data from misuse, interference, loss and from unauthorised access, modification or disclosure (APP 11);
  • in the event of an "eligible data breach" within the meaning of Part IIIC of the Privacy Act, cooperate with the Controller's assessment and notification obligations under the Notifiable Data Breaches scheme without undue delay; and
  • take reasonable steps before disclosing Personal Data to an overseas recipient to ensure the recipient does not breach the APPs (APP 8.1).

12. Term and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination:

  • The Processor shall delete or return all Personal Data within 30 days
  • The Controller may request a certificate of deletion
  • The Processor may retain data where required by law, subject to continued confidentiality

13. Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales, without prejudice to mandatory data protection laws applicable to the Controller.

14. Contact

For questions about this DPA or to request a signed copy, please contact: