Data Processing Agreement

Last updated: January 2025

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Marxel (“Processor”, “we”, “us”) and the customer agreeing to these terms (“Controller”, “you”).

This DPA reflects the parties' agreement regarding the processing of personal data in accordance with the requirements of the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and other applicable data protection laws.

1. Definitions

“Data Protection Laws” means all applicable laws relating to data protection, including UK GDPR, EU GDPR, the Data Protection Act 2018, and any successor legislation.

“Personal Data” means any information relating to an identified or identifiable natural person that is processed by us on your behalf in connection with the Service.

“Processing” means any operation performed on Personal Data, including collection, storage, alteration, retrieval, use, disclosure, erasure, or destruction.

“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

“Sub-processor” means any third party engaged by us to process Personal Data on your behalf.

“Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

“Standard Contractual Clauses” or “SCCs” means the contractual clauses approved by the European Commission for international data transfers.

2. Scope and Roles

2.1 Roles of the Parties

  • You (Controller): You determine the purposes and means of processing Personal Data uploaded to the Service. You are responsible for compliance with Data Protection Laws as they apply to controllers.
  • Us (Processor): We process Personal Data on your behalf and in accordance with your documented instructions. We are responsible for compliance with Data Protection Laws as they apply to processors.

2.2 Scope of Processing

This DPA applies to all Personal Data processed by us on your behalf through the Service.

3. Details of Processing

3.1 Subject Matter

Provision of an applicant tracking system to manage recruitment processes.

3.2 Duration

Processing will continue for the duration of the agreement between us, plus any retention period required by law or as specified in Section 11.

3.3 Nature and Purpose of Processing

  • Storage of candidate information
  • Organisation and retrieval of recruitment data
  • Facilitating communication regarding applications
  • AI-powered analysis and screening (where enabled)
  • Reporting and analytics on recruitment activities

3.4 Categories of Data Subjects

  • Job candidates and applicants
  • Referees and emergency contacts (where provided)
  • Any other individuals whose data you upload to the Service

3.5 Types of Personal Data

  • Name and contact details (email, phone, address)
  • CV/resume content
  • Employment history
  • Education history
  • Skills and qualifications
  • Interview notes and assessments
  • Communication records
  • Any other personal data contained in uploaded documents

3.6 Special Category Data

You acknowledge that recruitment data may include special category data (e.g., health information, diversity data). You are responsible for ensuring you have a lawful basis to process such data and for implementing appropriate safeguards.

4. Obligations of the Processor

4.1 Processing Instructions

We will:

  • Process Personal Data only on your documented instructions, unless required by law
  • Inform you if we believe an instruction infringes Data Protection Laws
  • Not process Personal Data for any purpose other than providing the Service

4.2 Confidentiality

We will ensure that persons authorised to process Personal Data:

  • Are subject to confidentiality obligations
  • Process Personal Data only as necessary to provide the Service

4.3 Security Measures

We will implement appropriate technical and organisational measures to protect Personal Data, including:

  • Encryption in transit: TLS 1.2+ for all data transmission
  • Encryption at rest: AES-256 encryption for stored data
  • Access controls: Role-based access, authentication required
  • Infrastructure security: Hosted on SOC 2 compliant providers
  • Employee security: Confidentiality obligations, access on need-to-know basis
  • Incident response: Documented procedures for security incidents

4.4 Sub-processing

We will:

  • Not engage a new Sub-processor without providing you with prior notice and opportunity to object (see Section 6)
  • Ensure Sub-processors are bound by data protection obligations no less protective than this DPA
  • Remain liable for the acts and omissions of our Sub-processors

4.5 Data Subject Rights

We will:

  • Assist you in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection)
  • Notify you promptly if we receive a request directly from a Data Subject
  • Not respond to Data Subject requests directly unless authorised by you or required by law

4.6 Security Incidents

We will:

  • Notify you without undue delay (and within 48 hours where feasible) upon becoming aware of a Security Incident
  • Provide sufficient information to enable you to meet your breach notification obligations
  • Cooperate with your investigation of the Security Incident
  • Take reasonable steps to mitigate the effects of the Security Incident

Notification will include:

  • Nature of the incident
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of records affected
  • Likely consequences
  • Measures taken or proposed to address the incident

4.7 Data Protection Impact Assessments

We will provide reasonable assistance if you are required to conduct a data protection impact assessment or consult with a supervisory authority regarding processing performed through the Service.

4.8 Audit Rights

We will:

  • Make available information necessary to demonstrate compliance with this DPA
  • Allow for and contribute to audits conducted by you or your appointed auditor, subject to:
    • Reasonable advance notice (at least 30 days)
    • Audits conducted during normal business hours
    • Confidentiality obligations regarding any information disclosed
    • You bearing the costs of any audit
  • Provide audit reports or certifications (such as SOC 2) upon request, where available

5. Obligations of the Controller

5.1 Lawful Processing

You will:

  • Ensure you have a lawful basis for processing Personal Data
  • Provide appropriate privacy notices to Data Subjects
  • Obtain any necessary consents
  • Comply with Data Protection Laws applicable to controllers

5.2 Instructions

You will:

  • Provide documented instructions for processing
  • Ensure your instructions comply with Data Protection Laws
  • Be responsible for the accuracy, quality, and legality of Personal Data uploaded

5.3 Data Subject Requests

You will:

  • Handle Data Subject requests and complaints
  • Inform us of any requests that require our assistance

6. Sub-processors

6.1 Authorised Sub-processors

You authorise us to engage the Sub-processors listed in Annex 1 to this DPA.

6.2 Changes to Sub-processors

We will:

  • Maintain an up-to-date list of Sub-processors at marxel.co/subprocessors or upon request
  • Provide at least 14 days' notice before engaging a new Sub-processor
  • Allow you to object to a new Sub-processor on reasonable data protection grounds

6.3 Objection Process

If you object to a new Sub-processor:

  • You must notify us within 14 days of receiving notice
  • We will work with you to find a mutually acceptable solution
  • If no resolution is reached, you may terminate the affected Service with no penalty

7. International Data Transfers

7.1 Transfer Mechanisms

Personal Data may be transferred to countries outside the UK and EEA, including the United States.

For such transfers, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs
  • Any successor mechanisms approved under Data Protection Laws

7.2 Additional Safeguards

We implement supplementary measures where appropriate, including:

  • Encryption of data in transit and at rest
  • Access controls limiting who can access Personal Data
  • Contractual commitments from Sub-processors

7.3 Transfer Impact Assessments

Upon request, we will provide information to assist you in conducting transfer impact assessments.

8. Standard Contractual Clauses

8.1 EU SCCs

For transfers of Personal Data from the EEA, the EU SCCs (Module Two: Controller to Processor) are incorporated by reference:

  • Clause 7: The optional docking clause is included
  • Clause 9: Option 2 (general written authorisation) applies, with 14 days' notice
  • Clause 11: The optional redress clause is not included
  • Clause 17: Option 1 applies; the SCCs are governed by the law of Ireland
  • Clause 18: Disputes shall be resolved by the courts of Ireland
  • Annex I.A: Data exporter is the Controller; data importer is the Processor
  • Annex I.B: As described in Section 3 of this DPA
  • Annex I.C: The competent supervisory authority is the data exporter's supervisory authority
  • Annex II: Technical and organisational measures as described in Section 4.3

8.2 UK IDTA

For transfers of Personal Data from the UK, the UK International Data Transfer Agreement or UK Addendum to the EU SCCs applies, with the information set out above.

9. Liability

9.1 Liability Cap

Our liability under this DPA is subject to the limitations set out in the Terms of Service.

9.2 Allocation

Each party is liable for damages caused by its own breach of Data Protection Laws. We are liable for damage caused by processing that does not comply with Data Protection Laws or this DPA.

10. Term and Termination

10.1 Term

This DPA commences when you start using the Service and continues until the agreement terminates.

10.2 Termination

This DPA automatically terminates when the Terms of Service terminate.

11. Data Return and Deletion

11.1 During the Agreement

You may export or delete your Personal Data at any time through the Service.

11.2 Upon Termination

Upon termination of the agreement:

  • You may request export of your Personal Data within 30 days
  • We will delete Personal Data within 30 days after termination (or after export, if requested)
  • Deletion includes all copies except where retention is required by law

11.3 Certification

Upon request, we will provide written confirmation that Personal Data has been deleted.

12. General

12.1 Conflict

In the event of conflict between this DPA and the Terms of Service, this DPA prevails regarding data protection matters.

12.2 Amendments

We may update this DPA to reflect changes in Data Protection Laws or our processing activities. Material changes will be notified in accordance with the Terms of Service.

12.3 Severability

If any provision of this DPA is found invalid, the remaining provisions continue in effect.

12.4 Governing Law

This DPA is governed by the laws of England and Wales, without prejudice to any mandatory data protection provisions.

13. Contact

For questions about this DPA or to exercise any rights:

Annexes

Annex 1: Authorised Sub-processors — List of third-party services that process data on your behalf

Annex 2: Technical and Organisational Measures — See Section 4.3 above

Annex 3: Data Subject Request Procedures — See Section 4.5 above

See also our Privacy Notice, Terms of Service, and Sub-processors or contact us with any questions.