Legal

Data processing addendum

Effective July 12, 2026. This Data Processing Addendum forms part of the agreement between the customer and OneNeural, Inc. and governs the processing of personal data that OneNeural carries out on the customer's behalf.

1. Introduction

This Data Processing Addendum (the DPA) supplements and forms part of the Terms of Service or other written agreement (the Agreement) between OneNeural, Inc. (OneNeural, we) and the customer identified in the Agreement (the Customer, you) for use of RecruitIQ (the Service). It applies to the extent OneNeural processes Personal Data on the Customer's behalf and that processing is subject to Data Protection Laws. If there is a conflict between this DPA and the Agreement about the processing of Personal Data, this DPA controls.

2. Definitions

Capitalized terms not defined here have the meaning given in the Agreement. Data Protection Laws means all laws and regulations applicable to the processing of Personal Data under the Agreement, including, as applicable, the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection, and US state privacy laws including the California Consumer Privacy Act as amended (CCPA). The terms Controller, Processor, Data Subject, Personal Data, Processing, Personal Data Breach, and Sub-processor have the meanings given in the Data Protection Laws; where the CCPA applies, Business, Service Provider, Sell, Share, and related terms have the meanings given in the CCPA. Standard Contractual Clauses or SCCs means the clauses approved by the European Commission for transfers of Personal Data to third countries.

3. Roles of the parties

For Personal Data contained in Customer hiring data, the Customer is the Controller (or a Processor acting for another Controller) and OneNeural is the Processor (a Service Provider under the CCPA). OneNeural processes such Personal Data only on the Customer's documented instructions, including as set out in the Agreement, this DPA, and the Customer's use of the Service, unless required to act otherwise by law, in which case OneNeural will inform the Customer unless legally prohibited. Details of the processing are set out in Annex I.

4. Customer obligations

The Customer is responsible for the accuracy, quality, and legality of the Personal Data and the means by which it acquired it, for establishing and maintaining a lawful basis for the processing, and for providing all notices to and obtaining all consents from Data Subjects required by Data Protection Laws, including any notices required for AI-assisted hiring tools. The Customer warrants that its instructions, including its use of the Service, comply with Data Protection Laws.

5. OneNeural obligations

OneNeural will:

  • process Personal Data only on the Customer's documented instructions;
  • ensure that persons authorized to process Personal Data are bound by confidentiality and have received appropriate training;
  • implement and maintain the technical and organizational security measures described in Annex II, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing;
  • not sell or share Personal Data, and not retain, use, or disclose it for any purpose other than performing the Service and the business purposes specified in this DPA, or as otherwise permitted by Data Protection Laws; OneNeural certifies that it understands and will comply with these restrictions; and
  • not combine Personal Data received from the Customer with personal data from other sources, except as permitted by Data Protection Laws to provide the Service.

6. Sub-processing

The Customer provides general authorization for OneNeural to engage Sub-processors to process Personal Data. A current list of Sub-processors is set out in Annex III and is available on request. OneNeural imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA and remains responsible for its Sub-processors' performance. OneNeural will give the Customer notice of any intended addition or replacement of a Sub-processor and a reasonable opportunity to object on reasonable data protection grounds; if the parties cannot resolve the objection, the Customer may terminate the affected part of the Service.

7. Assistance to the Customer

Taking into account the nature of the processing, OneNeural will assist the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer's obligations to respond to Data Subject requests to exercise their rights, and, taking into account the information available to OneNeural, in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities. If OneNeural receives a request from a Data Subject in relation to Customer Personal Data, it will, unless legally prohibited, promptly direct the Data Subject to the Customer.

8. Personal data breach

OneNeural will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to it to help the Customer meet its own notification obligations. OneNeural will take reasonable steps to mitigate and, where possible, remediate the breach. OneNeural's notification is not an acknowledgement of fault or liability.

9. Audits and information

OneNeural will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates. To the extent available, OneNeural may satisfy audit requests by providing third-party certifications, audit reports, or a completed security questionnaire. Audits will occur no more than once per year (except where required by a supervisory authority or following a Personal Data Breach), on reasonable prior notice, during business hours, and subject to confidentiality.

10. International transfers

The Customer authorizes OneNeural to transfer Personal Data to countries outside the country of origin, including the United States, as necessary to provide the Service. Where such a transfer is subject to the GDPR, UK GDPR, or Swiss law and is made to a country without an adequacy decision, the Standard Contractual Clauses (Module Two, Controller to Processor, or Module Three where OneNeural acts as a Processor for another Processor) are incorporated into this DPA by reference and are completed by the details in Annex I, together with the UK International Data Transfer Addendum and the Swiss adaptations as applicable. In the event of a conflict, the Standard Contractual Clauses prevail with respect to the relevant transfer.

11. Deletion and return

On termination or expiry of the Agreement, and at the Customer's choice, OneNeural will delete or return the Personal Data it processes on the Customer's behalf and delete existing copies, unless Data Protection Laws require continued storage. As described in the Privacy Policy, OneNeural makes data available for export for 30 days after termination and then deletes or de-identifies it in the ordinary course, subject to routine backups that are purged on a rolling basis and to any legal hold.

12. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA does not limit rights that a Data Subject may have under Data Protection Laws or the Standard Contractual Clauses.

Annex I: Description of processing

  • Parties. Data exporter: the Customer (Controller). Data importer: OneNeural, Inc. (Processor).
  • Subject matter and duration. Provision of the Service for the term of the Agreement and any wind-down period.
  • Nature and purpose. Hosting, storage, structuring, scoring, scheduling, analysis, transmission, and display of Personal Data to operate an agentic applicant tracking system, and related support and security.
  • Categories of Data Subjects. Job applicants and candidates; the Customer's authorized users and personnel; and any individuals referenced in Customer hiring data.
  • Categories of Personal Data. Identifiers and contact details; resume and application content, including employment history, education, skills, and qualifications; interview notes, evaluations, and scores; account and usage data. The Customer controls what it submits and should not submit special categories of Personal Data unless it has a lawful basis to do so.
  • Frequency and retention. Continuous, for the duration of the Agreement, retained as described in Section 11 and the Privacy Policy.
  • Competent supervisory authority. As determined by the Customer's establishment or its EU or UK representative, where applicable.

Annex II: Technical and organizational measures

OneNeural maintains measures that include:

  • encryption of Personal Data in transit and at rest;
  • strict tenant isolation so every record is bound to its organization and every automated action is checked against that scope;
  • role-based access controls and least-privilege administrative access, with authentication through a managed identity provider;
  • malware scanning of uploaded files and validation of file types and sizes;
  • network, application, and infrastructure security controls;
  • logging, monitoring, and alerting for security-relevant events;
  • secure software development, change management, and vulnerability management practices;
  • personnel confidentiality obligations and security training; and
  • backup and recovery processes, with backups purged on a rolling basis.

Annex III: Sub-processors

OneNeural engages the following categories of Sub-processors to provide the Service: cloud hosting and storage and document extraction (Google Cloud, including Cloud Storage and Document AI); authentication and identity (WorkOS); model inference, under terms that prohibit training on OneNeural or Customer data (Anthropic, OpenAI, and Google Gemini); and email delivery. A current and specific list, including entity names and processing locations, is available on request.

Contact

To request the current Sub-processor list, the Standard Contractual Clauses, or a signed copy of this DPA, contact OneNeural, Inc. at legal@recruitiq.ai.