Data Processing Agreement
Key Terms
Agreement: This DPA supplements the Outhire Terms of Service at https://outhire.ai/terms-conditions
Provider: Outhire Pty Ltd, ABN 27 664 806 679
Provider Security Contact: security@outhire.ai
EU Representative: Prighter Ltd – Appointed as EU privacy representative pursuant to Article 27 of the GDPR
UK Representative: Prighter Ltd – Appointed as UK privacy representative pursuant to Article 27 of the UK GDPR
Description of Processing
Service: An AI-powered platform that automates 24/7 phone and video interviews, helping recruiters save time and make faster, more informed hiring decisions through automated candidate screening.
Categories of Data Subjects: Customer's end users or candidates
Categories of Personal Data:
Name
Contact information (email, phone number, address)
Professional or biographic information (resume, CV)
User activity and analysis (device information, IP address)
Location information
Special Category Data Processed: No
Frequency of Transfer: Continuous
Nature and Purpose of Processing:
Receiving data (collection, accessing, retrieval, recording, data entry)
Holding data (storage, organization, structuring)
Using data (analysis, consultation, testing)
Updating data (correcting, adaptation, alteration, alignment, combination)
Protecting data (restricting, encrypting, security testing)
Erasing data (destruction, deletion)
Duration of Processing: Provider will process Customer Personal Data as long as required to conduct the processing activities or as required by applicable laws.
Parties to Transfer
Data Exporter
Name: The Customer agreeing to the Terms of Service
Role: Controller
Data Importer
Name: Outhire Pty Ltd
Role: Processor
Governing Law for UK Transfers: the laws of England
Competent Supervisory Authority: The supervisory authority of the data exporter, as determined in accordance with Clause 13 of the EEA SCCs or the relevant provision of the UK Addendum.
Technical and Organisational Security Measures
Pseudonymisation and Encryption
Automatic removal of names and identifying information before AI processing
Encryption at rest (AES-256) and in transit (TLS 1.2+)
Availability and Resilience
Automated encrypted backups with geographic redundancy
Documented disaster recovery procedures
Security Testing
Continuous AI bias and fairness audits
Third-party penetration testing
Regular vulnerability assessments and security updates
Access Control
Role-based access control with principle of least privilege
Regular access reviews and automated deprovisioning
Session management with automatic timeouts
Data in Transit
TLS 1.2+ encryption for all data transmissions
Secure API authentication and rate limiting
Data at Rest
AES-256 encryption for all stored data
Encrypted database instances
Secure key management with regular rotation
Logging and Monitoring
Comprehensive audit logging of all data access and AI processing
Configuration and Governance
Hardened system configurations
Automated configuration management
Regular security patching schedule
Documented information security policies and procedures
Regular security awareness training for all staff
Data Minimisation and Quality
No collection or processing of demographic characteristics
Automatic data retention limits
Privacy by design architecture
Regular model accuracy testing
Feedback loops for continuous improvement
Retention and Accountability
Automated retention policies aligned with recruitment cycles
Customer-configurable retention settings
Documentation of AI processing activities
Bias monitoring
Portability and Erasure
API access for data export in standard formats
Support for GDPR right to erasure requests
AI-Specific Safeguards
Assessment based solely on transcribed interview responses
No processing of voice characteristics or accents
No processing of video data characteristics
Exclusion of all demographic indicators from evaluation
Full interview transcripts available alongside AI analysis
CCPA Service Provider Relationship
To the extent the California Consumer Privacy Act ("CCPA") applies, the parties acknowledge that Provider is a service provider receiving Personal Data from Customer to provide the Service, which constitutes a limited and specified business purpose. Provider will not sell or share any Personal Data provided by Customer. Provider will not retain, use, or disclose any Personal Data except as necessary for providing the Service or as permitted by applicable data protection laws. Provider certifies that it understands these restrictions and will comply with all applicable data protection laws. Provider will notify Customer if it can no longer meet its obligations under the CCPA.
Standard Terms
1. Processor and Subprocessor Relationships
1.1 Provider as Processor. Where Customer is a Controller of Customer Personal Data, Provider is a Processor processing Personal Data on behalf of Customer.
1.2 Provider as Subprocessor. Where Customer is a Processor of Customer Personal Data, Provider is a Subprocessor.
2. Processing
2.1 Processing Details. The Description of Processing section describes the subject matter, nature, purpose, and duration of processing, as well as the categories of Personal Data and Data Subjects.
2.2 Processing Instructions. Customer instructs Provider to process Customer Personal Data: (a) to provide and maintain the Service; (b) as further specified through Customer's use of the Service; (c) as documented in the Agreement; and (d) as documented in any other written instructions given by Customer and acknowledged by Provider. Provider will abide by these instructions unless prohibited by applicable laws and will immediately inform Customer if unable to follow the processing instructions. Customer will only give instructions that comply with applicable laws.
2.3 Processing by Provider. Provider will only process Customer Personal Data in accordance with this DPA. If Provider updates the Service, Provider may change the processing details as needed by notifying Customer.
2.4 Customer Processing. Where Customer is a Processor and Provider is a Subprocessor, Customer will comply with all applicable laws that apply to Customer's processing of Customer Personal Data.
2.5 Consent to Processing. Customer has complied and will continue to comply with all applicable data protection laws concerning its provision of Customer Personal Data to Provider, including making all disclosures, obtaining all consents, providing adequate choice, and implementing relevant safeguards.
2.6 Subprocessors.
(a) Provider will not transfer Customer Personal Data to a Subprocessor unless Customer has approved the Subprocessor. The Approved Subprocessors list is set out above. Provider will inform Customer at least 10 business days in advance and in writing of any intended changes to Approved Subprocessors. Customer has 30 days after notice to object, otherwise Customer is deemed to accept the changes. If Customer objects within 30 days, the parties will cooperate in good faith to resolve Customer's objection.
(b) Provider will have a written agreement with each Subprocessor ensuring the Subprocessor only accesses and uses Customer Personal Data to the extent required to perform the obligations subcontracted to it, and consistent with the Agreement.
(c) If the GDPR applies, the data protection obligations in this DPA are also imposed on Subprocessors, and Provider's agreements with Subprocessors will incorporate these obligations. Provider will share copies of Subprocessor agreements at Customer's request (with redactions to protect confidential information).
(d) Provider remains fully liable for all obligations subcontracted to Subprocessors. Provider will notify Customer of any failure by Subprocessors to fulfil material obligations.
3. Restricted Transfers
3.1 Authorisation. Customer agrees that Provider may transfer Customer Personal Data outside the EEA, the United Kingdom, or other relevant territory as necessary to provide the Service. If Provider transfers Customer Personal Data to a territory without an adequacy decision, Provider will implement appropriate safeguards consistent with applicable data protection laws.
3.2 Ex-EEA Transfers. If the GDPR protects the transfer of Customer Personal Data from within the EEA to Provider outside the EEA, and the transfer is not governed by an adequacy decision, the parties are deemed to have signed the EEA SCCs, incorporated by reference. Any such transfer is made pursuant to the EEA SCCs, completed as follows:
(a) Module Two (Controller to Processor) applies when Customer is a Controller and Provider is a Processor.
(b) Module Three (Processor to Sub-Processor) applies when Customer is a Processor and Provider is a Subprocessor.
(c) For each module:
The optional docking clause in Clause 7 does not apply
In Clause 9, Option 2 (general written authorisation) applies, with a minimum of 10 business days' notice of Subprocessor changes
In Clause 11, the optional language does not apply
In Clause 17 (Option 1), the EEA SCCs are governed by the laws of England
In Clause 18(b), disputes will be resolved in the courts of England
This DPA contains the information required in Annex I, Annex II, and Annex III
(d) Provider has appointed Prighter Ltd as its EU representative pursuant to Article 27 of the GDPR.
3.3 Ex-UK Transfers. If the UK GDPR protects the transfer of Customer Personal Data from within the United Kingdom to Provider outside the United Kingdom, and the transfer is not governed by an adequacy decision, the parties are deemed to have signed the UK Addendum, incorporated by reference. Any such transfer is made pursuant to the UK Addendum:
(a) Section 3.2 of this DPA contains the information required in Table 2 of the UK Addendum.
(b) Neither party may end the UK Addendum as set out in Section 19; if the ICO issues a revised Approved Addendum under Section 18, the parties will work in good faith to revise this DPA accordingly.
(c) This DPA contains the information required by Annex 1A, Annex 1B, Annex II, and Annex III of the UK Addendum.
(d) Provider has appointed Prighter Ltd as its UK representative pursuant to Article 27 of the UK GDPR.
3.4 Swiss Transfers. For transfers where Swiss law applies to the international nature of the transfer, references to the GDPR in Clause 4 of the EEA SCCs are amended to refer to the Swiss Federal Data Protection Act, and the supervisory authority will include the Swiss Federal Data Protection and Information Commissioner.
4. Security Incident Response
Upon becoming aware of any Security Incident, Provider will: (a) notify Customer without undue delay, and no later than 72 hours after becoming aware; (b) provide timely information as it becomes known or as reasonably requested by Customer; and (c) promptly take reasonable steps to contain and investigate. Provider's notification or response will not be construed as an acknowledgment of fault or liability.
5. Audit and Reports
5.1 Audit Rights. Provider will give Customer all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits to assess compliance. Provider may restrict access to information if access would negatively impact Provider's intellectual property rights, confidentiality obligations, or other legal obligations. Provider will maintain records of compliance for 3 years after the DPA ends.
5.2 Security Reports. Upon written request, Provider will give Customer, on a confidential basis, a summary copy of its then-current security audit reports so Customer can verify compliance.
5.3 Security Due Diligence. Provider will respond to reasonable requests for information made by Customer to confirm compliance with this DPA, including responses to security questionnaires. Requests must be in writing to the Provider Security Contact and may only be made once per year.
6. Cooperation
6.1 Response to Inquiries. If Provider receives any inquiry or request about Customer Personal Data from third parties, Provider will notify Customer and will not respond without Customer's prior consent (unless prohibited by law). Provider will follow Customer's reasonable instructions and assist Customer in fulfilling valid data subject requests under applicable data protection laws. Provider will cooperate with and provide reasonable assistance to Customer, at Customer's expense, in any response to third-party requests.
6.2 DPIAs and DTIAs. If required by applicable data protection laws, Provider will reasonably assist Customer in conducting data protection impact assessments or data transfer impact assessments, taking into consideration the nature of the processing.
7. Deletion of Customer Personal Data
7.1 Deletion by Customer. Provider will enable Customer to delete Customer Personal Data consistent with the functionality of the Service. Provider will comply as soon as reasonably practicable except where further storage is required by law.
7.2 Deletion at Expiration. After this DPA expires, Provider will return or delete Customer Personal Data at Customer's instruction unless further storage is required or authorised by law. If return or destruction is impracticable or prohibited, Provider will prevent additional processing and continue to protect any remaining Customer Personal Data. Provider will only provide certification of deletion if Customer requests it.
8. Limitation of Liability
8.1 Liability Caps. To the maximum extent permitted by applicable data protection laws, each party's total cumulative liability arising out of or related to this DPA is subject to the limitations stated in the Agreement.
8.2 Related-Party Claims. Claims against Provider arising from this DPA may only be brought by the Customer entity that is party to the Agreement.
8.3 Exceptions. This DPA does not limit any liability to an individual about their data protection rights, or any liability between the parties for violations of the EEA SCCs or UK Addendum.
9. Conflicts Between Documents
This DPA forms part of and supplements the Agreement. If there is any inconsistency, the following order of precedence applies: (1) the EEA SCCs or UK Addendum, (2) this DPA, (3) the Agreement.
10. Term
This DPA starts when Customer agrees to the Terms of Service and continues until the Agreement expires or is terminated. Both parties remain subject to obligations in this DPA and applicable data protection laws until Customer stops transferring Customer Personal Data to Provider and Provider stops processing Customer Personal Data.
Definitions
"Applicable Laws" means the laws, rules, regulations, court orders, and other binding requirements of a relevant government authority that apply to a party.
"Applicable Data Protection Laws" means the applicable laws that govern how the Service may process an individual's personal data.
"Controller" has the meaning given in applicable data protection laws for the entity that determines the purpose and means of processing Personal Data.
"Customer Personal Data" means Personal Data that Customer uploads or provides to Provider as part of the Service and that is governed by this DPA.
"EEA SCCs" means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021.
"European Economic Area" or "EEA" means the member states of the European Union, Norway, Iceland, and Liechtenstein.
"GDPR" means European Union Regulation 2016/679 as implemented by local law in the relevant EEA member nation.
"Personal Data" has the meaning given in applicable data protection laws.
"Processing" or "Process" has the meaning given in applicable data protection laws for any use of, or computer operation on, Personal Data.
"Processor" has the meaning given in applicable data protection laws for the entity that processes Personal Data on behalf of the Controller.
"Report" means audit reports prepared by third-party auditors on behalf of Provider.
"Restricted Transfer" means (a) where the GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA not subject to an adequacy determination by the European Commission; and (b) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country not subject to adequacy regulations.
"Security Incident" means a Personal Data Breach as defined in Article 4(12) of the GDPR.
"Service" means the product and services described in the Agreement.
"Special Category Data" has the meaning given in Article 9 of the GDPR.
"Subprocessor" has the meaning given in applicable data protection laws for an entity that, with Controller approval, assists the Processor in processing Personal Data on behalf of the Controller.
"UK GDPR" means European Union Regulation 2016/679 as incorporated into United Kingdom law by section 3 of the European Union (Withdrawal) Act 2018.
"UK Addendum" means the international data transfer addendum to the EEA SCCs issued by the Information Commissioner for parties making Restricted Transfers under S119A(1) Data Protection Act 2018.
Last Updated: October 1, 2025