FirstStage Data Processing Agreement
FirstStage is owned and operated by OpenDigital Limited
Last changed 13th December 2024
Introduction
1.1 This Agreement specifies the parties' data protection obligations, which arise from the Data Processor's processing of personal data on behalf of the Data Controller under the service agreement between the parties.
1.2 You may request a signed copy of this agreement by contacting privacy [at] firststage.co
Definitions
2.1 Unless otherwise defined herein, the following terms shall have the following meaning:
- "Agreement" means this Data Processing Agreement and all addendums.
- "Data Processor" has the meaning given to it in the UK GDPR.
- "Data Controller" has the meaning given to it in the UK GDPR.
- "Data Protection Legislation" means all applicable data protection and privacy legislation in force in the UK and any guidance or codes of practice issued by the Supervisory Authority.
- "Data Subject" has the meaning given to it in the UK GDPR.
- "Individual Rights Request" means a request made by, or on behalf of, a Data Subject in accordance with the Data Subject's rights under Data Protection Legislation.
- "Personal Data" means any Personal Data Processed on behalf of the Data Controller.
- "Personal Data Breach" has the meaning given to it in the UK GDPR.
- "Processing" has the meaning given to it in the UK GDPR, and the terms "Process" and "Processed" shall be construed accordingly.
- "Sub-Processor" means any third party appointed to process personal data on behalf of the Processor.
- "Supervisory Authority" has the meaning given to it in the UK GDPR.
- "UK GDPR" has the meaning given to it in section 3(10) of the Data Protection Act 2018.
2.2. Clause, addendum, and paragraph headings shall not affect the interpretation of this Agreement.
2.3. The addendums form part of this Agreement and shall have effect as if set out in full in the body of this Agreement.
2.4. In the case of any ambiguity between any provision contained in the main of this Agreement and any provision contained in the addendums, the provision in the main body shall take precedence.
Purpose for processing
3.1. The purpose for Processing Personal Data is the performance of the services pursuant to a contract between the Data Controller and Data Processor.
Processing of personal data
4.1. The Data Processor shall:
- 4.1.1. Comply with all applicable Data Protection Legislation when Processing Personal Data on behalf of the Data Controller.
- 4.1.2. Only Process Personal Data for the agreed permitted purposes and in accordance with this Agreement including any future written instructions or scope of work.
- 4.1.3. Promptly inform the Data Controller, if in the Data Processor's opinion, any request or instruction regarding the Processing of Personal Data is in breach of Data Protection Legislation.
Processor personnel
5.1. The Data Processor shall:
- 5.1.1. Take reasonable steps to ensure the reliability of any employee who may have access to the Data Controllers Personal Data.
- 5.1.2. Ensure that access is strictly limited to those individuals who need to access the Personal Data.
- 5.1.3. Ensure that such individuals are aware of the confidential nature of the Personal Data and are contractually bound to keep the Personal Data confidential.
- 5.1.4. Ensure that all personnel have received appropriate training and are aware of their responsibilities when Processing Personal Data.
Security
6.1. The Data Processor shall continue to implement and maintain appropriate technical and organisational security to preserve confidentiality and to protect Personal Data Processed on behalf of the Data Controller.
Subprocessing
7.1. The Data Controller hereby authorises the Data Processor to engage the Sub-Processors listed in "Addendum 1" of this agreement.
7.2. The Data Processor shall not engage another Sub-Processor, unless required to maintain or improve the service provided, without prior authorisation from the Data Controller.
7.3. The Data Processor shall ensure that any Sub-Processor it engages shall be held to the same terms, or suitably similar, as contained in this Agreement.
Data subject rights
8.1. The Data Processor shall provide reasonable assistance to the Data Controller to enable it to respond to:
- 8.1.1. Any request from a Data Subject to exercise any of its rights under the UK GDPR.
- 8.1.2. Any other correspondence, enquiry or complaint received from a Data Subject.
8.2. In the event that any such request, correspondence, enquiry or complaint is made directly to the Data Processor, the Data Processor shall:
- 8.2.1. Inform the Data Controller within 5 working days of receipt.
- 8.2.2. Ensure that it does not respond to that request except on the documented instructions of the Data Controller, or as required by law to which the Data Processor is subject. Where no instructions are received, the Data Processor shall, to the extent permitted by law, respond to the Data Subject and inform the Data Controller of their response.
Personal data breach
9.1. In the event of Personal Data Breach that poses a high risk to Data Subjects, the Data Processor shall:
- 9.1.1. Notify the Data Controller without undue delay, and no later than 48 hours.
- 9.1.2. Provide the Data Controller with sufficient information to allow the Data Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach.
- 9.1.3. Cooperate with the Data Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
- 9.1.4. Cooperate with the Supervisory Authority and make available all records required to assist with any investigation.
Data retention
10.1. Upon termination of the services referred to in clause 3.1 of this Agreement, the Data Processor will retain Personal Data for a period of 12 months, after which it will be destroyed.
Compliance
11.1. Upon request, the Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with this agreement and allow for and contribute to audits and inspections.
11.2. The Data Controller may at its own expense conduct an audit which will be:
- 11.2.1. Limited in scope to matters specific to the Data Controller and agreed in advance with the Data Processor.
- 11.2.2. Carried out during UK business hours and upon reasonable notice which shall be no less than 4 weeks unless an identifiable issue has arisen.
- 11.2.3. Conducted in a way which does not interfere with the Data Processors day-to-day business. The Data Processor may charge a fee, based on its reasonable time and costs, for assisting with any audit. The Data Processor will provide the Data Controller with details of any applicable fee, including the basis of its calculation, in advance of any such audit.
Liability
12.1. The limitations on liability set out in the FirstStage business terms & conditions apply to all claims made pursuant to any breach of this Agreement.
12.2. The parties agree that the Data Processor shall be liable for any breaches of this Agreement caused by the acts or negligence of its Sub-Processors to the same extent the Data Processor would be liable if performing the services.
International Transfers
13.1. The Data Processor facilitates international transfers to its Sub-Processors
13.2. The Data Processor confirms and warrants that all international transfers undertaken under this Agreement have all required safeguards in place in accordance with data protection law and ICO guidance &em; for example using an adequacy decision, established privacy exchange such as the EU to US Data Privacy Framework, or additional safeguards such as Standard Contractual Clauses or International Data Transfer Agreement as may be required.
Addendum 1
Subprocessors
| Company | Purpose | Location | Details |
|---|---|---|---|
| Amazon | Cloud computing and storage | United States* | Link |
| Authentication and analytics | United States | Link | |
| Hotjar | User testing and feedback | United States | Link |
| OpenAI | Data processing by large language models | United States | Link |
| Postmark | Email sending and processing | United States | Link |
| Sentry | Application monitoring and logging | United States | Link |
| Stripe | Payment processing | United States | Link |
| Vercel | Cloud computing and logging | United States* | Link |
*Both Vercel and Amazon host the FirstStage application and data in Dublin, Ireland.
Addendum 2
Details of processing
| Description | Details |
|---|---|
| Subject matter of the processing | The personal data of the Data Controller's job applicants and limited personal data relating to Data Controller Employees using FirstStage |
| Duration of the processing | The duration of the processing will be from the beginning date of the Agreement until 12 months after termination unless otherwise specified by the Data Controller |
| Nature and purposes of the processing | Advertising of jobs Collection of job application data from job applicants Summarise, categorise, assess and otherwise process job applications Communication with both Data Controller and its job applicants to support the hiring process |
| Type of Personal Data | Job applicant name, contact details, application answer responses, documents including CVs, assessment data (scores, reasoning, cited evidence), and metadata relating to their job application Employee name, job title, image, and business email address |
| Categories of Data Subject | Job applicants to Data Controller Data Controller Employees using FirstStage |
| Plan for return and destruction of the data once the processing is complete* | Secure destruction 12 months after agreement termination Data to be returned in either JSON or CSV upon request |
*Unless requirement under union or member state law to preserve that type of data.
