Data Processing Agreement
Effective: 14 April 2026
Version 1.0
This Data Processing Agreement (“DPA”) forms part of the Treegarden Terms of Service between the Customer (“Controller”) and Treegarden Software Limited (“Processor”) for the provision of the Treegarden ATS and HR platform.
Between:
Treegarden Software Limited, a company incorporated in England and Wales (Company No. 17151699), with its registered office at 16e Railway Approach, East Grinstead, RH19 1BP, United Kingdom (the “Processor”)
and
The entity identified as the customer in the applicable Treegarden Terms of Service (the “Controller” or “Customer”)
1. Definitions
In this DPA, capitalised terms not otherwise defined herein shall have the meaning given to them in the Terms of Service or in Applicable Data Protection Law.
- “Applicable Data Protection Law” means all laws relating to the processing of Personal Data that apply, including the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003, each as amended from time to time.
- “Approved Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the ICO under Section 119A of the Data Protection Act 2018.
- “Controller” has the meaning given in Article 4(7) UK GDPR and refers to the Customer.
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
- “Edera AI” means Treegarden’s AI recruitment suite, classified as a High-Risk AI System under EU AI Act Annex III, Section 4(a).
- “EU SCCs” means the standard contractual clauses approved in Commission Implementing Decision (EU) 2021/914.
- “ICO” means the UK Information Commissioner’s Office.
- “Personal Data” has the meaning given in Article 4(1) UK GDPR, limited to data processed by the Processor on behalf of the Controller.
- “Processing” has the meaning given in Article 4(2) UK GDPR.
- “Processor” has the meaning given in Article 4(8) UK GDPR and refers to Treegarden.
- “Restricted Transfer” means a transfer of Personal Data from the UK to a country outside the UK not covered by an adequacy regulation.
- “Sub-processor” means any third party appointed by the Processor to Process Personal Data on behalf of the Controller.
- “UK GDPR” means the United Kingdom General Data Protection Regulation, as retained under the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
2. Scope and Purpose of Processing
2.1 This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the Treegarden platform at app.treegarden.io.
2.2 The Controller is the data controller. The Processor shall Process Personal Data solely as a data processor acting on the Controller’s documented instructions, unless required by law.
2.3 The Processor shall immediately inform the Controller if an instruction infringes Applicable Data Protection Law.
2.4 Where the Edera AI module is engaged, such Processing constitutes deployment of a High-Risk AI System under the EU AI Act. The Processor shall comply with obligations set out in Section 8.
3. Duration of Processing
3.1 The Processor shall Process Personal Data for the duration of the Terms of Service, unless otherwise agreed or required by law.
3.2 Upon termination, the Processor shall comply with Section 16 (Return and Deletion of Data).
3.3 Certain obligations (confidentiality, security, deletion, cooperation) survive termination to the extent Personal Data remains in the Processor’s possession.
4. Nature and Purpose of Processing
- Recruitment and Applicant Tracking — receiving, storing, organising, and managing job applications; parsing CVs; tracking candidate pipeline stages; facilitating team collaboration.
- AI-Assisted Recruitment (Edera AI) — automated scoring, ranking, and evaluation of candidates; generation of screening and interview questions. Classified as a High-Risk AI System under the EU AI Act.
- Interview Management — scheduling, tracking, and recording interview feedback and outcomes.
- HR Administration — managing employee records, employment documents, and personnel lifecycle.
- Communication — transactional emails including application confirmations, interview invitations, status updates, and system notifications.
- Authentication — user identity verification and access management via email/password and OAuth (Google, LinkedIn, Microsoft).
- Payment Processing — subscription payments and invoicing via Stripe.
- Analytics — anonymised and pseudonymised usage data for platform improvement.
- Audit and Compliance — maintaining audit trails and compliance records.
5. Types of Personal Data
Candidate Data
- Identity data: full name, date of birth, gender, nationality, photograph
- Contact data: email address, telephone number, postal address
- Professional data: CVs, work history, employment references, job titles, employer names
- Educational data: qualifications, degrees, certifications, institutions
- Skills: technical skills, language proficiencies, professional certifications
- Application data: cover letters, screening question responses, application status, pipeline stage
- Assessment data: interview notes, AI scores and rankings, evaluation outcomes
- Communication data: messages between candidates and the recruitment team
Employee Data (HR Module)
- Full name, date of birth, employee ID, email, telephone, postal address, emergency contacts
- Job title, department, start date, employment type, contracts, policy acknowledgements
User Data (Recruiters, HR Managers)
- Full name, job title, business email, business phone
- Login credentials (passwords stored as irreversible hashes only), OAuth tokens, session IDs
- Audit trail records, login timestamps, IP addresses, actions performed
5.2 Special Categories. The Processor does not intentionally process special categories of data (Article 9 UK GDPR). However, such data may be incidentally included in CVs or documents uploaded by the Controller. The Controller is responsible for ensuring a lawful basis exists for any such processing.
6. Categories of Data Subjects
- Candidates — individuals who apply for or are considered for job opportunities.
- Employees and Workers — current and former employees and contractors managed via the HR module.
- Authorised Users — the Controller’s recruiters, HR managers, hiring managers, and external collaborators.
- Referees — individuals identified as professional references by candidates.
- Interviewers — individuals involved in interview processes whose names and feedback are recorded.
7. Obligations of the Controller
The Controller warrants and undertakes that:
- (a) It has determined the lawful basis for Processing under Article 6 (and where applicable, Article 9) UK GDPR.
- (b) It has provided Data Subjects with all required privacy notices under Articles 13 and 14, including information about AI use in recruitment where Edera AI is enabled.
- (c) It has obtained all necessary consents where consent is the lawful basis.
- (d) It complies with all obligations under Applicable Data Protection Law.
- (e) It has carried out any required Data Protection Impact Assessments, including for Edera AI automated decision-making.
- (f) Where Edera AI is used, the Controller ensures meaningful human oversight of AI-generated outputs and does not rely solely on automated processing for decisions producing legal effects on Data Subjects.
- (g) Its use of the platform complies with law and does not cause the Processor to violate Applicable Data Protection Law.
8. Obligations of the Processor
8.1 Processing Instructions
The Processor shall Process Personal Data only on the Controller’s documented instructions, including regarding international transfers, unless required by law. The Controller’s initial instructions are this DPA and the Terms of Service.
8.2 Confidentiality
All persons authorised to Process Personal Data are bound by confidentiality obligations. Access is limited to personnel who require it to perform the Services.
8.3 Security
The Processor implements appropriate technical and organisational measures proportionate to the risk. Specific measures are described in Annex B. The Processor regularly tests and evaluates the effectiveness of these measures.
8.4 Sub-processing
The Controller provides general authorisation for the Sub-processors listed in Annex C. The Processor shall provide thirty (30) days’ prior notice of any new Sub-processor, giving the Controller the opportunity to object. See Section 9 for full details.
8.5 Data Subject Rights
The Processor assists the Controller in fulfilling Data Subject requests under Chapter III UK GDPR. The platform includes built-in functionality for access, rectification, erasure, restriction, portability, and objection. The Processor shall not respond to Data Subject requests directly except on the Controller’s instructions.
8.6 Data Breach Notification
The Processor shall notify the Controller within forty-eight (48) hours of becoming aware of a Data Breach, including: (a) the nature of the breach; (b) contact details for the Processor’s data protection contact; (c) likely consequences; and (d) measures taken or proposed to mitigate. See Section 13 for full details.
8.7 DPIA Assistance
The Processor provides reasonable assistance with Data Protection Impact Assessments and prior consultations with Supervisory Authorities.
8.8 Compliance Demonstration
The Processor makes available all information necessary to demonstrate compliance with Article 28 UK GDPR and allows for audits under Section 15.
8.9 Records of Processing
The Processor maintains records of processing activities under Article 30(2) UK GDPR.
8.10 Data Protection Contact
Data protection matters: [email protected]
8.11 Data Localisation
Primary infrastructure is hosted by OVHcloud (OVH Groupe SAS) within the EU (Poland). All primary Personal Data storage occurs within the EU. The Processor shall not transfer Personal Data outside the UK/EEA without complying with Section 10.
8.12 EU AI Act Compliance (Edera AI)
The Processor acknowledges that Edera AI is a High-Risk AI System under EU AI Act Annex III, point 4(a). The Processor shall:
- (a) Maintain technical documentation describing capabilities, limitations, and risk management;
- (b) Ensure AI outputs are decision-support tools, not determinative outcomes;
- (c) Implement bias detection and mitigation measures;
- (d) Maintain audit logs of AI processing;
- (e) Enable human oversight, including the ability to override AI-generated outputs;
- (f) Provide information about AI functionality to support Controller transparency obligations;
- (g) Cooperate with conformity assessments and fundamental rights impact assessments.
9. Sub-processing
9.1 The Controller authorises the Sub-processors listed in Annex C as of the effective date.
9.2 Each Sub-processor agreement imposes data protection obligations materially equivalent to this DPA, including: processing only on documented instructions; confidentiality; appropriate security measures; assistance with Data Subject rights and breach notification; deletion or return of data on termination.
9.3 The Processor has reviewed the DPAs, security certifications, and TOMs of each Sub-processor and determined they provide sufficient guarantees.
9.4 The Processor remains fully liable for the acts and omissions of its Sub-processors.
10. International Data Transfers
10.1 Primary data storage is within the EU (Poland), which benefits from a UK adequacy decision. Transfers from the UK to the EEA are not Restricted Transfers.
10.2 For any Restricted Transfer, the Processor ensures at least one of: (a) an adequacy decision; (b) the IDTA or Approved Addendum to EU SCCs; or (c) another permitted transfer mechanism under Chapter V UK GDPR.
10.3 For US-based Sub-processors:
- EU-US Data Privacy Framework (with UK Extension): Where the Sub-processor participates in the DPF, certification serves as the transfer mechanism.
- Standard Contractual Clauses: EU SCCs with the Approved Addendum are incorporated into Sub-processor agreements as a supplement or fallback.
- Supplementary Measures: Additional technical, organisational, or contractual measures are implemented where required by transfer impact assessment.
10.4 Transfer impact assessments are documented and available to the Controller upon request.
11. Security Measures
The Processor implements appropriate technical and organisational measures as detailed in Annex B, including:
- (a) Pseudonymisation and encryption of Personal Data;
- (b) Measures to ensure ongoing confidentiality, integrity, availability, and resilience;
- (c) Ability to restore availability and access in a timely manner following an incident;
- (d) Regular testing and evaluation of security measures.
Full details of technical and organisational measures are also set forth in Treegarden’s Security Policy.
12. Data Subject Rights
The platform includes built-in functionality to support the Controller’s compliance with Data Subject rights:
- Right of Access (Art. 15) — export complete records in machine-readable format
- Right to Rectification (Art. 16) — update and correct Personal Data
- Right to Erasure (Art. 17) — permanently delete Personal Data
- Right to Restriction (Art. 18) — restrict processing of specific records
- Right to Data Portability (Art. 20) — export in JSON, CSV, or XML
- Right to Object (Art. 21) — opt Data Subjects out of specific processing, including AI evaluation
- Automated Decision-Making (Art. 22) — review, override, and disable AI scores for individual candidates
The Processor responds to Controller instructions regarding Data Subject requests within ten (10) business days.
13. Data Breach Notification
13.1 The Processor shall notify the Controller within forty-eight (48) hours of becoming aware of a Data Breach.
13.2 The Processor shall: (a) take immediate steps to contain the breach; (b) conduct a thorough investigation; (c) preserve evidence; (d) provide regular updates; (e) cooperate with the Controller and any Supervisory Authority; (f) implement measures to prevent recurrence.
13.3 The Processor shall not notify Data Subjects or third parties without the Controller’s prior written consent, unless required by law.
13.4 The Processor maintains an incident response plan available to the Controller upon request.
14. Data Protection Impact Assessments
The Processor provides reasonable assistance with DPIAs under Articles 35 and 36 UK GDPR, including information about: processing operations, security measures, Sub-processors, international transfer safeguards, and Edera AI logic and bias mitigation.
Where the Controller’s use of Edera AI involves automated decision-making producing legal effects on Data Subjects, the Controller shall carry out a DPIA before commencing such processing.
15. Audit Rights
15.1 The Processor makes available all information necessary to demonstrate compliance with Article 28 UK GDPR.
15.2 Audits are subject to the following conditions: (a) thirty (30) days’ prior written notice is given; (b) the audit is conducted during business hours; (c) the auditor is bound by a confidentiality agreement; (d) the Controller bears its own costs; (e) no more than one audit takes place per twelve months (unless required by a Supervisory Authority or following a breach).
15.3 The Processor may satisfy audit rights by providing: third-party audit reports and certifications, security questionnaires, penetration test summaries, and Sub-processor compliance evidence.
16. Return and Deletion of Data
16.1 Within thirty (30) days of termination, the Controller may request the Processor to return Personal Data in a structured, machine-readable format, or delete all Personal Data and existing copies.
16.2 If no instruction is received within thirty (30) days, the Processor shall delete all Personal Data and certify deletion in writing.
16.3 Deletion shall be completed within ninety (90) days of termination.
16.4 The Processor may retain data required by law, only for the required period and purpose, protected in accordance with this DPA.
16.5 Fully anonymised data is not subject to this Section.
17. Liability
17.1 Each Party’s liability under this DPA is subject to the limitations in the Terms of Service.
17.2 The Processor is liable for damage caused by processing that infringes this DPA or Applicable Data Protection Law (Article 82 UK GDPR).
17.3 Nothing limits liability for fraud, fraudulent misrepresentation, or liability that cannot be excluded under Applicable Data Protection Law, or fines imposed by a Supervisory Authority for a Party’s own infringement.
Annex A: Details of Processing
| Item | Details |
|---|---|
| Subject Matter | Processing of Personal Data in connection with the Treegarden ATS and HR platform |
| Duration | Term of the Terms of Service, plus post-termination retention per Section 16 |
| Nature | Collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure, destruction — including automated processing via Edera AI |
| Categories of Data | Candidate Data, Employee Data, User Data (as described in Section 5) |
| Data Subjects | Candidates, Employees, Authorised Users, Referees, Interviewers (as described in Section 6) |
| Supervisory Authority | Information Commissioner’s Office (ICO), United Kingdom |
Processing Purposes
| Purpose | Description |
|---|---|
| Recruitment management | Receiving, storing, and managing job applications and candidate data |
| CV/resume parsing | Automated extraction of structured data from uploaded documents |
| AI candidate evaluation | Automated scoring, ranking, and assessment (Edera AI — High-Risk AI System) |
| Interview management | Scheduling, tracking, and recording interview processes and feedback |
| HR administration | Managing employee records, documents, and employment lifecycle |
| Communication | Transactional emails and platform notifications |
| Authentication | User identity verification and access management |
| Payment processing | Subscription payments via Stripe |
| Audit and compliance | Maintaining audit trails and compliance records |
Annex B: Technical and Organisational Measures
B.1 Access Control
- Physical: Hosted by OVHcloud (OVH Groupe SAS) in ISO/IEC 27001 and SOC 2 Type II certified data centres (Poland). 24/7 security, biometric access, CCTV, intrusion detection.
- Logical: Role-based access control (RBAC); multi-factor authentication; unique credentials; automated lockout; session timeouts; IP-based restrictions.
- Data access: Need-to-know basis; MFA for production systems; privileged access logged and monitored; regular access reviews.
B.2 Encryption
- In transit: TLS 1.2 or higher for all data transmission. SSL/TLS certificates via Let’s Encrypt with automated renewal.
- At rest: Database encryption at rest. Application-level AES-256 encryption for sensitive fields.
- Key management: Keys stored separately from encrypted data; periodic rotation; restricted access.
B.3 Input Control and Audit Logging
- Comprehensive audit logging of all data creation, modification, and deletion events
- Append-only audit logs protected against tampering
- Input validation and sanitisation against injection attacks (SQL injection, XSS)
B.4 Data Separation (Multi-Tenant Isolation)
- Strict logical separation of Customer data in the multi-tenant architecture
- Application-level access controls and database-level tenant identification
- Testing and development environments use anonymised or synthetic data only
B.5 Availability and Resilience
- Automated daily backups stored in geographically separate EU locations
- Regular backup restoration testing
- Infrastructure redundancy and failover capabilities
- Availability monitoring with automated alerting
B.6 Network and Application Security
- Firewalls, intrusion detection/prevention, WAF, DDoS mitigation, network segmentation
- Security headers (HSTS, X-Frame-Options, CSP, X-Content-Type-Options)
- CSRF protection, rate limiting, dependency vulnerability scanning
- Secure SDLC with code review and security testing
B.7 Authentication Security
- Passwords stored via bcrypt hashing; plaintext never stored or logged
- OAuth 2.0 SSO with Google, Microsoft, and LinkedIn
- Secure session management (HttpOnly, SameSite cookies)
- Brute-force and credential-stuffing detection
B.8 Personnel Measures
- Contractual confidentiality obligations for all personnel
- Security awareness training
- Prompt access revocation on termination or role change
B.9 Incident Response
- Documented incident response plan (identification, containment, eradication, recovery, review)
- Designated incident response team with escalation procedures
- Regular testing and review of procedures
B.10 AI-Specific Measures (Edera AI)
- AI outputs presented as recommendations, not determinative outcomes
- Logging of AI model inputs and outputs for auditability
- Bias monitoring and disproportionate impact detection
- Ability to review, override, and disable AI recommendations per candidate
- Data minimisation: only job-relevant data processed by AI
Annex C: List of Sub-processors
The following Sub-processors are authorised as of the effective date of this DPA. Treegarden provides thirty (30) days’ notice of any changes.
1. OVHcloud (OVH Groupe SAS)
| Item | Details |
|---|---|
| Entity | OVH Groupe SAS (OVHcloud) |
| Country | France (EU) — data centre in Poland |
| Purpose | Cloud infrastructure hosting, data storage, backup services |
| Data Processed | All categories (infrastructure provider hosting the platform) |
| Data Location | EU (Poland: Warsaw) |
| Certifications | ISO/IEC 27001, SOC 1 Type II, SOC 2 Type II, HDS, PCI DSS |
| Transfer Mechanism | N/A — processing within EU (UK adequacy) |
2. Stripe, Inc. / Stripe Payments Europe, Limited
| Item | Details |
|---|---|
| Entity | Stripe, Inc. (USA); Stripe Payments Europe, Ltd (Ireland) |
| Country | USA / Ireland |
| Purpose | Payment processing, invoicing, fraud prevention |
| Data Processed | Billing contact names and emails; payment card details (processed directly by Stripe) |
| Data Location | EU (primary) and USA |
| Certifications | PCI DSS Level 1, SOC 1/2 Type II, ISO/IEC 27001 |
| Transfer Mechanism | EU-US Data Privacy Framework (UK Extension) + EU SCCs with Approved Addendum |
3. Google LLC / Google Ireland Limited
| Item | Details |
|---|---|
| Entity | Google LLC (USA); Google Ireland Limited (Ireland) |
| Country | USA / Ireland |
| Purpose | OAuth 2.0 authentication; Google Analytics (anonymised usage data) |
| Data Processed | OAuth: email, display name, profile picture. Analytics: pseudonymised usage data |
| Data Location | Global / USA |
| Certifications | ISO 27001, 27017, 27018; SOC 1/2/3; FedRAMP |
| Transfer Mechanism | EU-US Data Privacy Framework (UK Extension) + EU SCCs with Approved Addendum |
4. Microsoft Corporation / Microsoft Ireland Operations Limited
| Item | Details |
|---|---|
| Entity | Microsoft Corporation (USA); Microsoft Ireland Operations Limited (Ireland) |
| Country | USA / Ireland |
| Purpose | OAuth 2.0 authentication; Microsoft Clarity (pseudonymised UX analytics) |
| Data Processed | OAuth: email, display name, profile picture. Clarity: pseudonymised behavioural data |
| Data Location | USA (Azure) / contracted via MIOL |
| Certifications | ISO 27001, 27701; SOC 1/2/3; CSA STAR; FedRAMP |
| Transfer Mechanism | EU-US Data Privacy Framework (UK Extension) + EU SCCs with Approved Addendum |
5. LinkedIn Corporation / LinkedIn Ireland Unlimited Company
| Item | Details |
|---|---|
| Entity | LinkedIn Corporation (USA); LinkedIn Ireland Unlimited Company (Ireland) |
| Country | USA / Ireland |
| Purpose | OAuth 2.0 authentication |
| Data Processed | Email, display name, profile picture, LinkedIn profile URL |
| Data Location | USA and EU (Ireland) |
| Certifications | ISO 27001, ISO 22301; SOC 2 Type II |
| Transfer Mechanism | EU-US Data Privacy Framework (UK Extension) + EU SCCs with Approved Addendum |
6. Mailgun Technologies, Inc. (Sinch Email)
| Item | Details |
|---|---|
| Entity | Mailgun Technologies, Inc. (USA); parent: Sinch AB (Sweden) |
| Country | USA / Sweden |
| Purpose | Transactional email delivery (application confirmations, interview invitations, notifications) |
| Data Processed | Candidate and user email addresses, names in email content, email metadata |
| Data Location | EU region (configured for EU data residency) and USA (account metadata) |
| Certifications | SOC 2 Type I/II; ISO/IEC 27001:2022 (Sinch group) |
| Transfer Mechanism | EU SCCs with Approved Addendum; parent entity in EEA |
7. Internet Security Research Group (Let’s Encrypt)
| Item | Details |
|---|---|
| Entity | Internet Security Research Group (ISRG) |
| Country | USA |
| Purpose | SSL/TLS certificate issuance for encryption of data in transit |
| Data Processed | Minimal technical data only: domain names, IP addresses, timestamps. No candidate, employee, or user PII |
| Data Location | USA |
| Certifications | WebTrust for Certificate Authorities |
| Transfer Mechanism | Minimal risk — technical data only; governed by ISRG privacy policy |
Contact
Treegarden Software Limited (trading as Treegarden)
Company No. 17151699, registered in England and Wales
16e Railway Approach, East Grinstead, RH19 1BP, United Kingdom
Data Protection: [email protected]
Legal: [email protected]
Security: [email protected]
End of Data Processing Agreement | Version 1.0