This DPA applies to all processing of personal data by ClarityHire in the course of providing the platform services (recruiting, assessment, interview coordination, integrity checking).

Duration: commences on the Effective Date and continues for the term of the Master Service Agreement, plus retention periods specified in the Customer’s data retention policies (default: 30 days for biometric data, 90 days for candidate PII unless extended).

ClarityHire processes the following data:

• Candidate personal data (name, email, phone, application responses, assessment answers)
• Biometric data (facial images, video recordings, keystroke timing, gaze tracking) for integrity verification
• Interview recordings (video, audio) and transcripts for assessment and audit purposes
• Interview event logs and system-generated metadata

Purposes:

• Execute hiring assessments and interviews per the Customer’s instructions
• Detect and prevent assessment integrity violations
• Generate reports and analytics for Customer use
• Maintain audit and compliance logs

Primarily candidates applying for positions or sitting for assessments or interviews conducted by the Customer. May also include interviewers, hiring managers, and platform administrators.

ClarityHire uses the following sub-processors to deliver the platform. Each processor has executed a Data Processing Amendment or equivalent; see our sub-processor register for jurisdictions, transfer mechanisms, and DPA links.

Personal data may be transferred to and processed in jurisdictions outside the EEA/UK, including the United States. Where required, ClarityHire ensures adequate safeguards via:

• EU-US SCCs: Standard Contractual Clauses adopted by the European Commission, enabling transfers under GDPR Article 46(2)(c)
• UK-US SCCs: International Data Transfer Agreement (IDTA) under UK GDPR Schedule 2, Part 2
• Switzerland: revFADP-compliant transfer agreements for Swiss data subjects

Customers may request EU/EEA-only residency via the dataResidencyRegion org setting; contact support for availability and pricing.

The Customer is responsible for fulfilling data subject requests under GDPR Articles 15–22 (access, rectification, erasure, restriction, portability, objection, consent withdrawal). ClarityHire will:

• Provide reasonable technical assistance (e.g., data export, anonymization)
• Complete deletion of a data subject’s records within 30 days of a controller request
• Support audit log retrieval to demonstrate compliance with retention policies

ClarityHire implements technical and organizational measures to ensure appropriate security (Article 32 GDPR, revFADP Article 24):

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Bcrypt-hashed passwords; no plaintext storage
• Role-based access control (RBAC) and audit logging of administrative actions
• Regular security patches and vulnerability scanning
• Incident notification to the Customer within 48 hours of discovery