Data Processing Agreement
Between Human by Design Ltd. (Processor) and Subscriber (Controller). Governed by UK GDPR Article 28.
Version 3 | April 2026
1. Definitions
In this Agreement:
- "Controller" means the Subscriber (the employer or recruiter) who determines the purposes and means of processing candidate personal data.
- "Processor" means Human by Design Ltd. (trading as Humans.id), which processes personal data on behalf of the Controller.
- "Personal Data" has the meaning given in the UK GDPR and includes all candidate data processed by the Processor in the course of providing the Services.
- "Processing" has the meaning given in the UK GDPR.
- "Services" means the recruiting and candidate management services provided by Human by Design Ltd. under the Services Agreement.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on the Controller's behalf.
- "UK GDPR" means the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council where applicable to EU data subjects.
2. Scope and Nature of Processing
2.1 Subject Matter
The Processor shall process Personal Data on behalf of the Controller for the purpose of providing AI-assisted candidate sourcing, assessment, and recruitment workflow services as described in the Services Agreement.
2.2 Categories of Personal Data
The Personal Data processed under this Agreement includes:
- Professional profile data: name, job title, employment history, skills, qualifications, certifications
- Contact data: email address, phone number, LinkedIn profile and other professional social media links
- Application data: responses to role criteria, candidate assessments, AI-generated scores and summaries
- Communication data: email correspondence between Subscriber and candidate where routed through the Services
2.3 Categories of Data Subjects
Data subjects are: employment candidates and professionals who are identified by the Controller as potential candidates for open roles, or who have applied for a role advertised by the Controller via the Services.
2.4 Purposes of Processing
Personal Data is processed for the following purposes only:
- Sourcing and identifying candidates who match the Controller's role requirements
- Generating AI-assisted assessments, summaries, and scores for the Controller's review
- Facilitating communication between the Controller and candidates
- Managing candidate pipeline, tracking, and recruitment workflow
- Compliance with legal obligations applicable to the Processor
2.5 Duration
The Processor shall process Personal Data for the duration of the Services Agreement and, unless otherwise agreed, shall delete or return all Personal Data within 30 days of termination of the Services Agreement, unless retention is required by law.
3. Processor Obligations
3.1 Processing on Controller's Instructions Only
[AMENDED v3] The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation. The Processor shall inform the Controller immediately if, in its opinion, any instruction infringes the UK GDPR or GDPR.
For the avoidance of doubt, this clause applies solely to processing carried out by the Processor on behalf of the Controller under this Agreement. Where Human by Design Ltd. processes candidate personal data in its own capacity as an independent data controller, including for the purpose of candidate sourcing via third-party data providers, such processing is governed by Human by Design Ltd.'s own Privacy Policy, available at www.humans.id/privacy, and its Legitimate Interest Assessment maintained in accordance with UK GDPR Article 6(1)(f), and falls outside the scope of this Agreement.
3.2 Confidentiality
The Processor shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Security
The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256)
- Storage of Personal Data held in the Processor's own systems on Amazon Web Services (AWS) infrastructure located in Frankfurt, Germany (eu-central-1 region); Personal Data sent to the Anthropic Claude API is addressed separately in Section 4.1
- Ongoing confidentiality, integrity, availability, and resilience of processing systems
- Regular testing and evaluation of technical and organisational security measures
- Access controls limiting Personal Data access to authorised personnel only
3.4 Sub-processors
The Controller grants general authorisation to the Processor to engage the following approved Sub-processors:
| Sub-processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and data storage | Germany (eu-central-1) | EU/UK adequacy — no transfer outside EU/UK |
| Anthropic PBC | AI-assisted candidate assessment via Claude API | United States | Standard Contractual Clauses (UK/EU → US); Data Privacy Framework |
| Apollo.io | Candidate data sourcing (relies on Apollo's own GDPR compliance as independent controller) | United States | Apollo's own SCCs — Humans.id relies on Apollo's compliance |
| Lusha Systems | Candidate data sourcing (relies on Lusha's own GDPR compliance as independent controller) | United States / Israel | Lusha's own SCCs and adequacy mechanisms |
| ZoomInfo | Candidate data sourcing (relies on ZoomInfo's own GDPR compliance as independent controller) | United States | ZoomInfo's own SCCs and DPF compliance |
Note on third-party data providers (Apollo, Lusha, ZoomInfo): Humans.id sources candidate data from these providers, each of which acts as an independent data controller; Humans.id itself also acts as an independent controller for this sourcing activity (see clause 3.1). Humans.id does not scrape LinkedIn or other platforms directly. Each provider operates under its own GDPR compliance programme, lawful basis, and data subject rights process, and Humans.id relies on each provider's compliance for the initial collection of data. Although listed above for transparency, these providers do not process Personal Data on the Controller's instructions; Humans.id's obligations under this DPA apply from the point at which that data enters the Humans.id platform.
The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes within 14 days of notification.
3.5 Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to data subject rights requests, including requests for access, rectification, erasure, restriction, portability, and objection. The Processor shall forward any such requests received directly from data subjects to the Controller within 5 working days.
3.6 Candidate Data Ownership, Withdrawal, and Deletion
The parties acknowledge that candidates retain ownership of their personal data at all times. Two distinct actions are available to candidates, each carrying different obligations:
3.6.1 Withdrawal from a Specific Role
Where a candidate withdraws from a specific role application via the platform, the Processor shall:
- Remove the candidate from that role's pipeline on the platform immediately upon receipt of the withdrawal
- Notify the Controller of the candidate's withdrawal within 2 working days
The Controller retains the right to contact that candidate about other current or future roles, provided the Controller has a lawful basis to do so, whether through the candidate's consent granted at the point of application (which covers future roles with that Controller, as set out in clause 3.6.3) or through any separate, pre-existing consent agreement between the Controller and the candidate that predates their use of the platform. The Controller is responsible for its own compliance with applicable data protection and employment law in relation to any candidate data it holds independently.
3.6.2 Full Account Deletion
Where a candidate requests full deletion of their account and all associated data, the Processor shall:
- Delete all Personal Data relating to that candidate from the Processor's own systems within 5 working days of receiving the request, regardless of how the request was received
- Confirm deletion to the candidate in writing within 7 working days
Candidates should be aware that when they applied for roles via the platform, they consented to share their data directly with the relevant employer. That employer holds candidate data under its own independent lawful basis and is responsible for its own compliance with applicable data protection law. The Processor's obligations extend to data held within the Humans.id platform; they do not extend to data held independently by employers in their own systems.
3.6.3 Candidate Consent at Point of Application
When a candidate applies for a role via the platform, their consent encompasses sharing their personal data with the relevant Subscriber for the purpose of that specific role and potentially future roles with that Subscriber. This consent is made explicit to the candidate at the point of application. Withdrawal from a specific role does not automatically revoke the candidate's consent to be contacted about future roles, unless the candidate additionally requests full account deletion.
3.7 Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 48 hours, of becoming aware of a personal data breach affecting the Controller's data. Such notification shall include:
- A description of the nature of the breach, categories and approximate number of data subjects and records concerned
- The name and contact details of the data protection contact at the Processor
- The likely consequences of the breach
- Measures taken or proposed to address the breach
3.8 Data Protection Impact Assessment
The Processor shall provide reasonable assistance to the Controller in carrying out any data protection impact assessment required under Article 35 UK GDPR in relation to the Services.
3.9 Deletion or Return of Data
At the choice of the Controller, the Processor shall delete or return all Personal Data to the Controller after the end of the provision of Services, and shall delete existing copies unless EU/UK law requires storage of the Personal Data.
3.10 Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this Agreement and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, on reasonable written notice of not less than 30 days.
4. International Data Transfers
4.1 Transfers to Anthropic PBC (US)
Personal Data processed through the Anthropic Claude API is transferred to the United States. Such transfers are made under the Standard Contractual Clauses approved by the European Commission and, for transfers from the UK, the International Data Transfer Agreement or UK Addendum to those clauses issued by the UK Information Commissioner's Office. The Processor confirms that Anthropic PBC does not use Personal Data transmitted via the API to train or improve its general AI models. Data is retained by Anthropic for no longer than 30 days.
4.2 Transfers to Non-EU Subscribers (Employers)
Where the Controller is located outside the UK/EU, or where the Controller shares candidate Personal Data with a third party located outside the UK/EU, the following conditions must be met before any such transfer:
- (a) The destination country benefits from an adequacy decision issued by the UK ICO or European Commission; OR
- (b) Standard Contractual Clauses have been executed between the Processor and the Controller governing the onward transfer; OR
- (c) The relevant candidate has provided explicit, specific, and informed consent to the transfer to that particular country, having been informed of the absence of adequate protection.
The Controller is responsible for ensuring that any onward transfer of candidate Personal Data from the Controller's own systems complies with applicable data protection law. The Processor accepts no liability for transfers made by the Controller independently of the Services.
5. Controller Obligations
The Controller warrants that:
- It has a lawful basis for processing candidate Personal Data and for instructing the Processor to process that data on its behalf
- It will use the Services, including any AI-generated outputs, as a decision-support tool only and will not make automated hiring decisions without human review
- It will comply with all applicable data protection law in its use of the Services and in any processing of candidate Personal Data on its own systems
- It will remove candidates from specific role pipelines within 5 working days of notification of a role withdrawal by the Processor, and cease all contact with that candidate in relation to that specific role
- It will not transfer candidate Personal Data to countries outside the UK/EU without ensuring appropriate safeguards are in place
- It will not contact a candidate about a specific role from which they have withdrawn
6. Liability
Each party's liability under this Agreement is subject to the limitations set out in the Services Agreement. Notwithstanding the foregoing, neither party limits its liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any liability that cannot be limited by law.
7. Governing Law
This Agreement shall be governed by and construed in accordance with the laws of England and Wales. Any dispute arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of England and Wales.
8. Execution
[AMENDED v3] This Agreement is incorporated into and forms part of the Services Agreement accepted by the Subscriber at the point of account creation. Acceptance of the Services Agreement by the Subscriber constitutes acceptance of this Agreement and is effective as of the date on which the Subscriber's account is created. No separate signature is required.
By accepting the Services Agreement via the account creation checkbox, the Subscriber confirms that the individual accepting the terms is authorised to bind the organisation on whose behalf they are acting, including the obligations as data controller under UK GDPR and EU GDPR where applicable.
Humans.id is a trading name of Human by Design Ltd. Registered in England & Wales No. 13550402. VAT No. GB388 5871 28. Registered Office: 54 Portland Road, Bishop's Stortford, Hertfordshire, United Kingdom, CM23 3SJ.