Data Processing Addendum

This Data Processing Addendum (“DPA”) governs the processing of Personal Data by FidForward, Inc. (“FidForward”) on behalf of customers (“Controller”) who use FidForward’s AI-powered talent sourcing and recruitment platform services.

Definitions and Interpretation
Scope and Applicability
Data Processing Details
Controller Obligations and Instructions
Sub-processors
Data Subject Rights
Data Security and Breach Notification
International Transfers
Data Return and Deletion
Limitation of Liability
Governing Law and Disputes
Term and Termination
Annex I - Details of Processing

1. DEFINITIONS AND INTERPRETATION

1.1 Definitions

For the purposes of this Data Processing Addendum (“DPA”):

“Applicable Data Protection Laws” means all applicable laws and regulations relating to the processing of Personal Data and privacy, including without limitation: (i) Regulation (EU) 2016/679 (the “GDPR”); (ii) the UK Data Protection Act 2018 and UK GDPR; (iii) the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA); (iv) any successor legislation; and (v) any applicable national implementing laws, regulations and secondary legislation relating to the processing of Personal Data.
“Controller” means the entity that determines the purposes and means of the processing of Personal Data.
“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
“Personal Data” means any information relating to an identified or identifiable natural person that is processed by FidForward on behalf of Controller in connection with the Services.
“Processing” has the meaning given to it in the GDPR and includes any operation performed on Personal Data.
“Processor” means the entity that processes Personal Data on behalf of the Controller.
“Services” means FidForward’s AI-powered talent acquisition and recruiting platform services.
“Sub-processor” means any third party appointed by FidForward to process Personal Data.

1.2 Interpretation

This DPA forms part of and is incorporated into FidForward’s Terms of Service and service agreements with customers. In case of conflict between this DPA and other agreements, this DPA shall prevail with respect to data protection matters.

1.3 Acceptance and Effective Date

This DPA applies automatically upon a customer’s use of FidForward’s Services. No separate signature or specific action is required to enter into this agreement. By using FidForward’s Services, customers automatically accept and agree to be bound by the terms of this DPA.

2. SCOPE AND APPLICABILITY

2.1 Scope

This DPA applies to the processing of Personal Data by FidForward on behalf of customers in connection with the provision of FidForward’s Services.

2.2 Role of Parties

Customers act as Controllers and determine the purposes and means of processing Personal Data
FidForward acts as Processor and processes Personal Data solely on documented instructions from customers
FidForward may engage Sub-processors as detailed in Section 5

3. DATA PROCESSING DETAILS

3.1 Categories of Data Subjects

Personal Data processed under this DPA relates to the following categories of Data Subjects:

Job candidates and potential candidates
Customer’s employees and authorized users
Third-party contacts (e.g., referrers, networking contacts)

3.2 Categories of Personal Data

The Personal Data processed may include:

Identity Data: Names, professional titles, contact information
Professional Data: Work experience, skills, education, career history
Communication Data: Email addresses, phone numbers, social media profiles
Technical Data: IP addresses, device information, usage data
Behavioral Data: Platform interaction data, engagement metrics
Location Data: Geographic location (as disclosed in professional profiles)

3.3 Purposes of Processing

FidForward processes Personal Data for the following purposes:

Candidate sourcing and talent acquisition
Automated outreach and communication
Candidate matching and ranking
Performance analytics and reporting
Platform functionality and user experience improvement
Customer support and service delivery

3.4 Duration of Processing

Processing will continue for the duration of the customer’s service agreement with FidForward and as necessary to provide the Services, unless terminated earlier in accordance with this DPA.

4. CONTROLLER OBLIGATIONS AND INSTRUCTIONS

4.1 Lawful Instructions

FidForward will process Personal Data only on documented instructions from customers, including with regard to transfers of Personal Data to third countries, unless required to do so by applicable law.

4.2 Customer Representations

Customers represent and warrant that:

They have the legal right to transfer Personal Data to FidForward for processing
Their instructions comply with Applicable Data Protection Laws
They have implemented appropriate measures to ensure lawful processing

4.3 Additional Instructions

Any additional or alternative instructions must be agreed in writing between the parties.

5. SUB-PROCESSORS

5.1 Current Sub-processors

Customers acknowledge and agree that FidForward may engage the following Sub-processors:

Sub-processor	Purpose	Location	DPA Reference
Google Analytics	Website analytics and tracking	United States	Google DPA
Posthog	Website analytics and tracking	United States	Posthog DPA
Stripe	Payment processing	United States	Stripe DPA
Clerk	User authentication and access management	United States	Clerk DPA
PlusVibe	Cold email automation and outreach	United States	PlusVibe DPA (pending)
Resend	Email delivery services	United States	Resend DPA

5.2 Sub-processor Changes

FidForward may add or remove Sub-processors with 30 days’ prior written notice to customers. Customers may object to any new Sub-processor on reasonable grounds relating to data protection within 15 days of notification.

5.3 Sub-processor Requirements

FidForward ensures that all Sub-processors:

Are bound by data protection obligations equivalent to those in this DPA
Implement appropriate technical and organizational measures
Provide sufficient guarantees regarding data protection compliance

6. DATA SUBJECT RIGHTS

6.1 Assistance with Rights Requests

FidForward will provide reasonable assistance to customers in responding to Data Subject requests, including:

Access requests
Rectification requests
Erasure requests
Restriction of processing requests
Data portability requests
Objection to processing requests

6.2 Response Timeframe

FidForward will respond to customer requests for assistance within 15 business days, or as otherwise agreed.

7. DATA SECURITY AND BREACH NOTIFICATION

7.1 Technical and Organizational Measures

FidForward implements the following technical and organizational measures to ensure a level of security appropriate to the risk:

Organizational Measures:

Comprehensive information security policy reviewed annually
Designated Data Protection Officer contactable at privacy [at] fidforward.com
Background checks and confidentiality agreements for all personnel
Mandatory data protection training for all employees
Role-based access control with principle of least privilege
Secure cloud infrastructure with certified providers
Due diligence on all Sub-processors before engagement

Technical Measures:

Strong encryption for all databases containing Personal Data
Secure transmission protocols for all data transfers
Multi-factor authentication required for administrative access
Network segmentation and firewall protection
Security monitoring and incident response
Automated daily backups with geographic distribution
Comprehensive audit logging with appropriate retention

7.2 Personal Data Breach Notification

In the event of a Personal Data Breach, FidForward will:

Notify affected customers without undue delay and in any event within 72 hours of becoming aware
Provide all relevant information about the breach
Assist customers in notifying supervisory authorities and Data Subjects as required
Take immediate measures to mitigate the breach

7.3 Security Reviews

Customers may conduct reasonable security reviews of FidForward’s data protection measures upon 30 days’ prior written notice.

8. INTERNATIONAL TRANSFERS

8.1 Transfer Mechanisms

Where Personal Data is transferred outside the EEA, UK, or other territories with adequacy decisions, FidForward ensures appropriate safeguards are in place to protect the data, including:

Adequacy decisions: Where applicable, transfers may rely on European Commission adequacy decisions
Supplementary measures: Additional technical and organizational measures to ensure data protection
Other legally recognized transfer mechanisms: Such as appropriate contractual arrangements as may be required or permitted by applicable law

FidForward implements robust security measures and regularly reviews its international data transfer practices to ensure compliance with applicable data protection laws.

8.2 Additional Safeguards

FidForward implements additional technical and organizational measures to ensure data protection standards equivalent to those required by applicable laws.

9. DATA RETURN AND DELETION

9.1 Data Return

Upon termination of the service agreement, FidForward will, at the customer’s choice:

Return all Personal Data to the customer in a commonly used electronic format
Securely delete all Personal Data from its systems

9.2 Exceptions

FidForward may retain Personal Data to the extent required by applicable law, with processing restricted to compliance purposes only.

9.3 Timeframe

Data return or deletion will be completed within 90 days of termination unless otherwise agreed or required by law.

10. LIMITATION OF LIABILITY

Except for damages arising from FidForward’s breach of this DPA, each party’s liability under this DPA is subject to the limitation of liability provisions in the main Agreement.

11. GOVERNING LAW AND DISPUTES

11.1 Governing Law

This DPA is governed by the same law as FidForward’s Terms of Service.

11.2 Dispute Resolution

Any disputes arising from this DPA will be resolved in accordance with the dispute resolution provisions of FidForward’s Terms of Service.

12. TERM AND TERMINATION

This DPA will remain in effect for the duration of the customer’s service agreement with FidForward and will automatically terminate upon termination of such agreement, subject to the data return and deletion provisions in Section 9.

ANNEX I - DETAILS OF PROCESSING

A. LIST OF PARTIES

Data Controller (Customer):

Customers using FidForward’s services act as Data Controllers and determine the purposes and means of processing Personal Data.

Data Processor (FidForward):

Name: FidForward, Inc.
Address: 131 Continental Drive, Suite 305, Newark, DE 19713, United States
Contact: Data Protection Officer, privacy [at] fidforward.com

B. DESCRIPTION OF PROCESSING

Categories of data subjects:

Job candidates and potential recruits
Customer’s employees and HR personnel
Customer’s existing candidates and talent pool
LinkedIn users and professional profiles
Recipients of recruitment outreach campaigns

Categories of personal data processed:

Identification Data: First and last name, email addresses, phone numbers
Professional Data: Job titles, employment history, skills, educational background
Profile Data: LinkedIn profiles, professional experience, career history
Contact Data: Business email addresses, business phone numbers
Communication Data: Email sequences, outreach messages, candidate notes
Platform Usage Data: Search queries, campaign data, user interactions

Special categories of data (if applicable): None

Nature of the processing:

Collection, storage, and organization of candidate profiles
Search and matching of candidates to job requirements
Facilitation of recruitment outreach and communication
Analytics and reporting on recruitment activities
AI-powered candidate matching and scoring
Email campaign management and automation

Purpose(s) of the processing:

Provision of AI-powered talent sourcing and recruitment platform services
Enabling customers to discover and engage with job candidates
Facilitating recruitment outreach and communication
Providing analytics and insights for recruitment optimization

Duration of the processing:

For the duration of the customer’s service agreement with FidForward plus any retention period required by applicable law or as specified in FidForward’s Privacy Policy

Transfers to third countries:

Personal Data may be transferred to the United States and other countries where Sub-processors operate
FidForward implements appropriate safeguards to protect Personal Data during international transfers
These safeguards include technical security measures, organizational controls, and contractual arrangements as required by applicable law

DPA INQUIRIES

For questions about this Data Processing Addendum or to execute a formal agreement:

Contact: privacy [at] fidforward.com