Skip to main content
Redsun Platform

Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Redsun Innovations Ltd ("Processor") and the customer ("Controller") for the provision of recruitment platform services.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Controller" means the entity that determines the purposes and means of processing Personal Data.
  • "Processor" means Redsun Innovations Ltd, which processes Personal Data on behalf of the Controller.
  • "Data Subject" means an identified or identifiable individual to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data.
  • "Data Protection Laws" means GDPR, UK GDPR, and all applicable data protection legislation.

2. Scope and Purpose

This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in connection with the recruitment platform services. The purpose of processing includes:

  • Hosting and managing candidate data on the Controller's branded portal
  • Facilitating job applications and candidate communications
  • Generating anonymized market insights and analytics
  • Providing AI-assisted candidate matching and recommendations
  • Integrating with the Controller's existing HR and ATS systems

3. Categories of Data Subjects

  • Job applicants and candidates
  • Employees of the Controller
  • Hiring managers and recruiters
  • References and referrals

4. Types of Personal Data

  • Contact information (name, email, phone, address)
  • Professional information (CV, work history, skills, qualifications)
  • Recruitment data (applications, interview notes, assessments)
  • Salary and compensation information
  • Account credentials and authentication data

5. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure persons authorized to process data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Not engage sub-processors without prior written consent of the Controller
  • Assist the Controller in responding to data subject requests
  • Delete or return all Personal Data upon termination of services
  • Make available information necessary to demonstrate compliance

6. Security Measures

The Processor implements the following security measures:

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access, multi-factor authentication
  • Monitoring: Continuous security monitoring and audit logging
  • Infrastructure: ISO 27001 certified data centers
  • Personnel: Background checks and security training for staff
  • Incident Response: Documented procedures for security incidents

7. Sub-processing

The Controller authorizes the use of sub-processors listed on our Subprocessors page. The Processor shall:

  • Maintain an up-to-date list of sub-processors
  • Provide 30 days' notice before adding new sub-processors
  • Enter into written agreements with sub-processors containing equivalent obligations
  • Remain liable for sub-processors' compliance with this DPA

8. Data Subject Rights

The Processor shall assist the Controller in fulfilling data subject requests including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object

Response timeframe: Within 5 business days of receiving a request from the Controller.

9. Data Breach Notification

In the event of a personal data breach, the Processor shall:

  • Notify the Controller without undue delay and within 72 hours of becoming aware
  • Provide details of the breach, categories of data affected, and approximate number of data subjects
  • Describe likely consequences and measures taken or proposed to address the breach
  • Cooperate with the Controller's investigation and notification obligations

10. Audit Rights

The Controller may audit the Processor's compliance with this DPA upon reasonable notice. The Processor shall provide access to relevant documentation, systems, and personnel. Audits shall be conducted during normal business hours and shall not unreasonably disrupt operations.

11. International Transfers

Where Personal Data is transferred outside the UK/EEA, the Processor ensures adequate protection through:

  • Transfers to countries with adequacy decisions
  • Standard Contractual Clauses (SCCs) approved by the UK/EU authorities
  • Additional technical measures where required by transfer impact assessments

12. Term and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination:

  • The Processor shall delete or return all Personal Data within 30 days
  • The Controller may request a certificate of deletion
  • The Processor may retain data where required by law, subject to continued confidentiality

13. Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales, without prejudice to mandatory data protection laws applicable to the Controller.

14. Contact

For questions about this DPA or to request a signed copy, please contact: