DATA PROCESSING AGREEMENT (DPA)

This Data Processing Agreement ("DPA") forms part of the agreement between Socially Recruited Ltd, trading as Gaia ("Gaia"), and the customer ("Customer").

1. Purpose & Scope

  • This DPA applies when Gaia processes personal data on behalf of the Customer under the UK GDPR, EU GDPR, and applicable data protection laws.
  • Gaia acts as a Data Processor when providing GaiaPages or GaiaChat services. Gaia is not a Data Processor for GaiaAttract, as no candidate data is processed through this service.
  • The Customer acts as the Data Controller, determining the purposes and means of processing candidate data.

2. Processing Details

  • Subject Matter: Processing of candidate applications through GaiaPages and GaiaChat.
  • Duration: For the term of the Customer’s subscription.
  • Nature of Processing: Collection, storage, and transmission of candidate applications.
  • Types of Personal Data: Name, email, phone number, CV, and any other data submitted by candidates.
  • Data Subjects: Job applicants engaging with the Customer.

3. Customer Responsibilities

  • The Customer is responsible for ensuring it has a lawful basis for processing candidate data.
  • The Customer must provide adequate privacy notices to candidates.
  • The Customer must handle data subject rights requests (e.g., access, erasure, rectification).

4. Gaia’s Responsibilities as a Data Processor

  • Process data only on documented instructions from the Customer.
  • Ensure appropriate technical and organisational measures (ISO 27001-level security).
  • Assist with data subject requests upon request.
  • Notify the Customer within 72 hours of any data breach.
  • Ensure that personnel handling data are subject to confidentiality agreements.

5. Subprocessors

  • Gaia engages approved subprocessors for hosting, authentication, and AI-driven recruitment technology.
  • The current subprocessor list is available at [www.iamgaia.com/subprocessors].
  • Gaia will notify the Customer of any material subprocessor changes.

6. International Data Transfers

  • Transfers outside the UK/EU follow the Standard Contractual Clauses (SCCs, 2021) and UK IDTA.
  • Gaia hosts all customer data in AWS UK data centres.

7. Security & Compliance

  • Gaia maintains ISO 27001 certification and undergoes regular security audits.
  • Data encryption is applied at rest and in transit.
  • Access to data is restricted on a least-privilege basis.

8. Termination & Deletion of Data

  • Upon termination, Gaia will delete or return all personal data unless retention is required by law.
  • Data backups will be securely erased within 90 days.

9. Governing Law & Dispute Resolution

  • This DPA is governed by English law.
  • Disputes shall be resolved under LCIA arbitration in London, England.

For full details on Gaia’s data processing practices, visit [www.iamgaia.com/dpa].