Data Processing Agreement Template — Agency and In-House HR Customers
Project: Sable AI Ltd — AI Governance Framework
Stage: Stage 5 — Commercial Packaging
Status: Draft
Version: v1
Date: 2026-03-01
Assumptions: Built on outline assumptions — not verified against real Sable AI Ltd data
How to Use This Template
This file contains two complete Data Processing Agreement templates for Sable AI Ltd's two principal customer types:
- Appendix A — for recruitment agency customers who screen candidates on behalf of employer clients
- Appendix B — for in-house HR customers who use Scout for direct hiring
Selecting the correct appendix:
Use Appendix A where the customer is a recruitment agency that receives mandates from employer clients and uses Scout to screen candidate pools before presenting shortlists to those clients. Use Appendix B where the customer is an in-house HR or talent acquisition team operating within a single employing organisation.
Critical note on Appendix A — controller/processor status: [LEGAL REVIEW REQUIRED]
Appendix A includes both a standard controller-processor agreement (the primary operative terms, under UK GDPR Article 28) and an Article 26 Joint Controller Addendum. Which structure applies depends on the actual allocation of controller / processor responsibilities in the recruitment arrangement. In many cases the agency will act as controller and Sable AI Ltd as processor; in some cases a joint controller analysis may arise for parts of the processing; and in some agency–employer arrangements the agency's own role may itself require separate legal analysis. [LEGAL REVIEW REQUIRED]
Placeholder fields are shown in [SQUARE BRACKETS] throughout. All placeholders must be completed before execution.
This template is a draft for legal review. It does not constitute legal advice and must not be executed without review by a qualified UK solicitor familiar with UK GDPR, the Data (Use and Access) Act 2025, and commercial data processing agreements.
---
Appendix A — Data Processing Agreement: Recruitment Agency Customer
[ASSUMPTION: A-003] This appendix is drafted for the customer segment assumed to be recruitment agencies screening candidates on behalf of employer clients. This characterisation has not been verified against Sable AI Ltd's actual customer base.
Parties
Controller (the "Agency"): [FULL LEGAL NAME], a company incorporated in England and Wales (or [JURISDICTION]) with company number [NUMBER], whose registered office is at [ADDRESS] ("you", "your", the "Controller").
Processor (Sable AI Ltd): Sable AI Ltd, a company incorporated in England and Wales with company number [NUMBER — ASSUMPTION], whose registered office is at [ADDRESS — ASSUMPTION] ("we", "us", "our", the "Processor"). [ASSUMPTION: A-001]
Effective Date: [DATE]
This Agreement forms part of, and must be read alongside, the main services agreement or order form between the parties dated [DATE] (the "Services Agreement").
Recitals
A. The Agency has entered into the Services Agreement under which Sable AI Ltd provides access to the Scout AI-assisted CV screening and candidate shortlisting tool.
B. In operating Scout, Sable AI Ltd will process personal data relating to job candidates on behalf of the Agency.
C. The parties enter into this Agreement to record their respective obligations as controller and processor under UK GDPR Article 28 and the Data (Use and Access) Act 2025.
D. Controller/processor status: [LEGAL REVIEW REQUIRED] The primary structure of this Agreement is that the Agency acts as controller and Sable AI Ltd acts as processor. This characterisation applies where the Agency determines the purposes and means of processing candidate personal data and Sable AI Ltd processes that data strictly on the Agency's instructions. Where the parties exercise joint control over the purposes and means of processing, the Article 26 Joint Controller Addendum (set out at the end of this Appendix A) applies in addition to these operative terms. The parties agree to obtain legal advice before execution to determine which characterisation applies to their operational relationship.
1. Definitions
In this Agreement:
"Candidate Data" means personal data relating to job applicants and candidates processed by Sable AI Ltd under this Agreement, including CV content, contact details, employment history, educational qualifications, and skills information.
"Data Protection Legislation" means the UK General Data Protection Regulation (UK GDPR) as amended by the Data (Use and Access) Act 2025, the Data Protection Act 2018, and any successor legislation and binding guidance issued by the Information Commissioner's Office.
"ICO" means the Information Commissioner's Office, the UK supervisory authority for data protection.
"Personnel" means employees, contractors, agents, and consultants of a party who are authorised to access personal data under this Agreement.
"Scout" means Sable AI Ltd's AI-assisted CV screening and candidate shortlisting software service, as described in the Services Agreement. [ASSUMPTION: A-002]
"Sub-Processor" means any third party engaged by Sable AI Ltd to process personal data on its behalf under this Agreement.
"UK GDPR" means the General Data Protection Regulation as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data (Use and Access) Act 2025.
Capitalised terms not defined here have the meanings given in the Services Agreement or Data Protection Legislation.
2. Processing Particulars
The processing of personal data under this Agreement is described in Schedule A1. The parties acknowledge that Schedule A1 sets out the mandatory information required by UK GDPR Article 28(3) regarding the subject matter, duration, nature and purpose of the processing, the type of personal data, and the categories of data subjects.
3. Scope and Instructions
3.1 Sable AI Ltd shall process Candidate Data only on the documented instructions of the Agency, including instructions given through use of the Scout platform and any supplementary written instructions provided pursuant to the Services Agreement. This obligation covers any transfer of personal data to a third country or international organisation. [UK GDPR Art. 28(3)(a)]
3.2 If Sable AI Ltd is required by domestic law to process Candidate Data other than on the Agency's instructions, it shall inform the Agency of that legal requirement before processing, unless the relevant law prohibits such notification on important grounds of public interest.
3.3 Sable AI Ltd shall promptly notify the Agency if it believes any instruction given by the Agency infringes Data Protection Legislation. Sable AI Ltd is not required to act on an instruction it reasonably believes to be unlawful.
3.4 The Agency warrants that it has a valid lawful basis under UK GDPR Article 6 for all processing of Candidate Data instructed under this Agreement. [LEGAL REVIEW REQUIRED] The lawful basis applicable to screening and shortlisting of candidates in a recruitment context is likely to be legitimate interests (UK GDPR Art. 6(1)(f)) or, in some circumstances, the performance of pre-contractual steps at the request of the data subject (Art. 6(1)(b)). The Agency must confirm its lawful basis in writing before the Services Agreement commences. [ASSUMPTION: lawful basis has not been confirmed for any Sable AI Ltd customer]
3.5 Where Candidate Data may include special category personal data within the meaning of UK GDPR Article 9 — including health information, disability status, or information from which racial or ethnic origin could be inferred from CV content — the Agency is solely responsible for establishing and documenting a valid condition under Article 9(2) before instructing Sable AI Ltd to process such data. [LEGAL REVIEW REQUIRED] [ASSUMPTION: A-021]
4. Confidentiality
4.1 Sable AI Ltd shall ensure that all Personnel who have access to Candidate Data are subject to a binding obligation of confidentiality in respect of that data, whether by written contract, statutory duty, or professional obligation. [UK GDPR Art. 28(3)(b)]
4.2 Sable AI Ltd shall not disclose Candidate Data to any person other than authorised Personnel, authorised Sub-Processors (see Clause 6), or as required by law.
4.3 The obligations in this Clause 4 survive termination of this Agreement.
5. Security Measures
5.1 Sable AI Ltd shall implement and maintain appropriate technical and organisational security measures in respect of Candidate Data, in accordance with UK GDPR Article 32 and as described in Schedule A3. [UK GDPR Art. 28(3)(c)]
5.2 In assessing the appropriate level of security, Sable AI Ltd shall take into account: the state of the art; the costs of implementation; the nature, scope, context, and purposes of the processing; and the risk of varying likelihood and severity to the rights and freedoms of candidates.
5.3 The measures in Schedule A3 must include, as a minimum: pseudonymisation and encryption of personal data where appropriate; measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems; the ability to restore availability of personal data in a timely manner following a technical incident; and a process for regularly testing, assessing, and evaluating the effectiveness of security measures.
5.4 Sable AI Ltd may update the technical and organisational measures in Schedule A3 from time to time, provided that no update reduces the overall level of protection of Candidate Data below the standard required by Data Protection Legislation.
6. Sub-Processors
6.1 The Agency provides Sable AI Ltd with general written authorisation to engage the Sub-Processors listed in Schedule A2, subject to the conditions in this Clause 6. [UK GDPR Art. 28(2)]
6.2 Sable AI Ltd shall not engage any Sub-Processor not listed in Schedule A2 to process Candidate Data without providing prior written notice to the Agency of: (a) the identity of the proposed Sub-Processor; (b) the processing to be carried out; and (c) a reasonable opportunity for the Agency to object. If the Agency objects on demonstrable data protection grounds, Sable AI Ltd shall not engage that Sub-Processor for the relevant processing. [UK GDPR Art. 28(2)]
6.3 Sable AI Ltd shall impose on each Sub-Processor data protection obligations equivalent to those in this Agreement, by means of a written contract. Such obligations shall cover, as a minimum, all matters required by UK GDPR Article 28(3). [UK GDPR Art. 28(4)]
6.4 Sable AI Ltd remains fully liable to the Agency for the performance of any Sub-Processor's obligations under this Agreement if the Sub-Processor fails to fulfil its data protection obligations. [UK GDPR Art. 28(4)]
6.5 Anthropic (sub-processor): [ASSUMPTION: A-005] The parties acknowledge that Sable AI Ltd currently uses Anthropic, Inc. as a Sub-Processor for the generative AI functionality underlying the Scout tool. Anthropic processes Candidate Data (specifically, CV content and job description data submitted via the Scout API) solely for the purpose of generating shortlisting outputs. [ASSUMPTION: A-005] Anthropic does not use Candidate Data to train its AI models. Sable AI Ltd warrants that it has in place a written data processing agreement with Anthropic that satisfies UK GDPR Article 28 requirements. The processing carried out by Anthropic and the transfer mechanism relied upon are described in Schedule A2.
7. Data Subject Rights
7.1 Sable AI Ltd shall provide reasonable assistance to the Agency, taking into account the nature of the processing, to enable the Agency to fulfil its obligations to respond to requests from candidates exercising their rights under Data Protection Legislation, including rights of access (UK GDPR Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), and the right to obtain human review, make representations, and contest significant automated decisions (UK GDPR Art. 22C(2), as amended by the Data (Use and Access) Act 2025). [UK GDPR Art. 28(3)(e)]
7.2 Sable AI Ltd shall promptly notify the Agency (and in any event within three business days) if it receives a data subject rights request from a candidate that appears to relate to personal data processed under this Agreement. Sable AI Ltd shall not respond to any such request on the Agency's behalf without the Agency's prior written authorisation.
7.3 Automated Decision-Making — Article 22C Safeguards: [LEGAL REVIEW REQUIRED] Where Scout's output constitutes a significant decision based solely on automated processing within the meaning of UK GDPR Articles 22A–22C (as amended by the Data (Use and Access) Act 2025, in force 5 February 2026), the Agency is responsible for ensuring that the required safeguards are in place: providing candidates with information about the decision; enabling them to make representations; enabling human intervention; and enabling them to contest the decision. [ASSUMPTION: A-007] The parties have assumed that mandatory human review by the Agency before any candidate contact is made ensures that Scout outputs do not constitute solely automated significant decisions. This conclusion has not been verified by qualified legal advice. If that assumption is incorrect, the Agency must implement additional safeguards before using Scout outputs.
8. Assistance Obligations
8.1 Sable AI Ltd shall provide reasonable assistance to the Agency in meeting its obligations under Data Protection Legislation in connection with: [UK GDPR Art. 28(3)(f)]
(a) Security: maintaining appropriate technical and organisational security measures under UK GDPR Article 32;
(b) Personal Data Breach Notification: notifying the ICO of a personal data breach affecting Candidate Data within 72 hours under UK GDPR Article 33, and notifying affected candidates where required under Article 34;
(c) Data Protection Impact Assessment (DPIA): carrying out a DPIA under UK GDPR Article 35, where the nature of the processing requires it;
(d) Prior Consultation: consulting the ICO under UK GDPR Article 36 where a DPIA indicates that the processing would result in a high residual risk that cannot be mitigated.
8.2 Personal Data Breach — Processor Notification: Without undue delay and in any event within 24 hours of becoming aware of a personal data breach affecting Candidate Data, Sable AI Ltd shall notify the Agency of: (a) the nature of the breach, including categories and approximate numbers of data subjects and records affected; (b) the name and contact details of the data protection officer or other contact point; (c) the likely consequences of the breach; and (d) the measures taken or proposed to address the breach and mitigate its effects. Sable AI Ltd shall document the breach and provide ongoing updates as further information becomes available.
8.3 The Agency remains responsible for reporting personal data breaches to the ICO and affected candidates in accordance with UK GDPR Articles 33 and 34. Sable AI Ltd's notification under Clause 8.2 is to assist the Agency in meeting those obligations.
9. International Transfers
9.1 To the extent that processing of Candidate Data by any Sub-Processor involves the transfer of that data to a country outside the United Kingdom, Sable AI Ltd shall ensure that such transfer is made in compliance with UK GDPR Article 44A (as amended by the Data (Use and Access) Act 2025, in force 5 February 2026): that is, only where the transfer is: (a) approved by regulations made by the Secretary of State under Article 45A; (b) made subject to appropriate safeguards in accordance with Article 46 (including the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses); or (c) made in reliance on a derogation under Article 49.
9.2 Transfer to Anthropic: [ASSUMPTION: A-004, A-005] [LEGAL REVIEW REQUIRED] Sable AI Ltd represents that Candidate Data submitted to Anthropic, Inc. (incorporated in the United States) is transferred subject to an appropriate transfer mechanism as described in Schedule A2. As at the date of this Agreement, the UK Government has not made regulations under UK GDPR Article 45A approving unrestricted transfers to the United States generally. Where the UK-US Data Bridge (UK Extension to the EU-US Data Privacy Framework) applies and Anthropic is certified under it, Sable AI Ltd may rely on that approval for transfers of Candidate Data to Anthropic. Where Anthropic is not covered by an applicable approval, Sable AI Ltd shall rely on appropriate safeguards under Article 46, including an executed UK International Data Transfer Agreement or a UK Addendum to the EU Standard Contractual Clauses, and shall confirm to the Agency which transfer mechanism is in place before the Services Agreement commences. Sable AI Ltd shall notify the Agency promptly if the applicable transfer mechanism ceases to be available.
9.3 Sable AI Ltd shall not transfer Candidate Data to any other third country sub-processor or data centre other than as described in Schedule A2 without the Agency's prior written consent.
9.4 Sable AI Ltd shall, on request, provide the Agency with copies of executed transfer agreements and evidence that the relevant transfer mechanism meets the data protection test under UK GDPR Article 46(6) (as amended by the Data (Use and Access) Act 2025).
10. Audit and Evidence of Compliance
10.1 Sable AI Ltd shall make available to the Agency all information reasonably necessary to demonstrate compliance with its obligations under UK GDPR Article 28 and this Agreement. [UK GDPR Art. 28(3)(h)]
10.2 Sable AI Ltd shall allow for and contribute to audits and inspections of its data processing activities under this Agreement, carried out by the Agency or an auditor appointed by the Agency (who is not a competitor of Sable AI Ltd), on reasonable prior written notice of not less than [20 business days]. Audits shall be conducted: (a) no more than once per calendar year unless a personal data breach has occurred or there are reasonable grounds to suspect non-compliance; (b) at a time and in a manner that does not unreasonably disrupt Sable AI Ltd's operations; and (c) at the Agency's cost, subject to Sable AI Ltd's reasonable co-operation obligations.
10.3 Sable AI Ltd may satisfy audit obligations in Clause 10.2 by providing the Agency with up-to-date audit reports, certifications, or penetration test summaries prepared by qualified independent third parties, where such reports adequately address the subject matter of the requested audit.
11. Deletion and Return of Personal Data
11.1 On termination or expiry of the Services Agreement, or on the Agency's written request at any earlier time, Sable AI Ltd shall at the Agency's choice: (a) securely delete all Candidate Data processed under this Agreement and confirm deletion in writing within [30 days]; or (b) return all Candidate Data to the Agency in a mutually agreed format and delete any remaining copies within [30 days] of completed return. [UK GDPR Art. 28(3)(g)]
11.2 Sable AI Ltd shall ensure that any Sub-Processor holding Candidate Data deletes or returns that data in accordance with Clause 11.1.
11.3 Sable AI Ltd may retain Candidate Data beyond the period in Clause 11.1 only to the extent required by applicable domestic law. Sable AI Ltd shall notify the Agency of any such legal retention obligation before deletion is due and shall document the basis and duration of any such retention. Retained data remains subject to the confidentiality and security obligations in this Agreement.
11.4 [ASSUMPTION: A-022] Retention periods for Candidate Data during the term of the Services Agreement have not been confirmed. The Agency is responsible for specifying retention periods in its instructions and in Schedule A1. Sable AI Ltd will retain data until instructed otherwise.
12. Duration
This Agreement takes effect on the Effective Date and remains in force for the duration of the Services Agreement. The obligations in Clauses 4 (Confidentiality), 9 (International Transfers), and 11 (Deletion) survive termination.
13. Liability
The liability of each party under this Agreement is subject to the liability provisions of the Services Agreement, except that neither party may limit its liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any liability that cannot be excluded or limited under applicable law, including obligations under Data Protection Legislation.
14. Governing Law
This Agreement is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales.
15. Variation
This Agreement may be amended by the written agreement of both parties. Sable AI Ltd may update Schedule A3 (security measures) without the Agency's consent, provided the update does not reduce the overall level of protection below the minimum required by Data Protection Legislation, and Sable AI Ltd provides written notice of the update.
Schedule A1 — Processing Particulars
| Field | Detail |
|---|---|
| Subject matter | AI-assisted screening and shortlisting of job candidate CVs and applications |
| Duration | Duration of the Services Agreement |
| Nature of processing | Collection, storage, structuring, analysis, transmission to AI sub-processor, production of structured shortlisting outputs, deletion |
| Purpose of processing | Screening and ranking job candidates against role criteria specified by the Agency on behalf of its employer clients, to assist human recruiter review and candidate shortlisting [ASSUMPTION: A-003] |
| Types of personal data | Name, contact details (email, phone, address), employment history, educational qualifications, skills and competencies, any other information included by the candidate in their CV or application; potentially special category data where present in free-text CV sections (see Clause 3.5) [ASSUMPTION: A-021] |
| Categories of data subjects | Job applicants and candidates [ASSUMPTION: A-003] |
| Lawful basis | To be confirmed by the Agency before commencement of processing [LEGAL REVIEW REQUIRED] |
| Retention during term | As specified in the Agency's written instructions. Default: [TO BE COMPLETED BY AGENCY]. [ASSUMPTION: A-022] |
| Hosting | AWS UK Region (eu-west-2) [ASSUMPTION: A-004] |
| Sub-processors | See Schedule A2 |
Schedule A2 — Authorised Sub-Processors
| Sub-Processor | Entity | Country | Processing Carried Out | Transfer Mechanism |
|---|---|---|---|---|
| Anthropic, Inc. | Private company, USA | United States | Generative AI processing of CV and job description data to produce shortlisting output. [ASSUMPTION: A-005] Candidate data is not used to train Anthropic's AI models. | [LEGAL REVIEW REQUIRED] [ASSUMPTION: A-005] To be confirmed: UK-US Data Bridge (where Anthropic is certified) or UK International Data Transfer Agreement / UK Addendum to EU SCCs. Sable AI Ltd to confirm mechanism before execution. |
| Amazon Web Services (AWS) | Amazon.com, Inc. subsidiary | United Kingdom (eu-west-2) [ASSUMPTION: A-004] | Cloud infrastructure hosting (servers, storage, database). | Hosting in UK region — no international transfer. AWS EMEA SARL EU-UK SCCs addendum as fallback where applicable. |
Schedule A3 — Technical and Organisational Security Measures
[ASSUMPTION: The following measures are assumed for an early-stage UK cloud-hosted SaaS company. They must be verified against Sable AI Ltd's actual security posture before execution. Legal review required.]
| Category | Measure |
|---|---|
| Access control | Role-based access to processing systems; multi-factor authentication for administrative access; principle of least privilege; regular access review |
| Encryption | Candidate Data encrypted at rest (AES-256 or equivalent) and in transit (TLS 1.2 minimum) |
| Network security | Firewall and intrusion detection controls; network segregation; monitored API gateway for Anthropic integration |
| Logging and monitoring | Audit logging of access to Candidate Data; log retention for minimum [12 months]; alert thresholds for anomalous access patterns |
| Patch management | Security patches applied within [14 days] of release for critical vulnerabilities |
| Vulnerability management | Annual penetration test by qualified third party; vulnerability scanning programme |
| Incident response | Documented incident response plan; tested annually; 24-hour detection-to-notification capability for personal data breaches |
| Business continuity | Backup and recovery capability with RTO of [TO BE CONFIRMED]; data restoration tested [quarterly] |
| Personnel | Data protection training for all Personnel with access to Candidate Data; confidentiality obligations in employment/contractor contracts |
| Sub-processor oversight | Due diligence on Sub-Processor security before engagement; contractual security standards equivalent to this Schedule |
Article 26 Joint Controller Addendum — Recruitment Agency Customer
[THIS ADDENDUM APPLIES ONLY WHERE QUALIFIED LEGAL ADVICE CONFIRMS THAT A JOINT CONTROLLER ARRANGEMENT IS THE CORRECT CHARACTERISATION OF THE PARTIES' RELATIONSHIP. IT DOES NOT APPLY BY DEFAULT.] [LEGAL REVIEW REQUIRED]
Recital
The parties have obtained legal advice confirming that both Sable AI Ltd and the Agency jointly determine the purposes and means of processing Candidate Data within the meaning of UK GDPR Article 26(1). This Addendum records the arrangement required by UK GDPR Article 26(1)–(2) to determine each party's responsibilities in a transparent manner.
A26.1 Allocation of Responsibilities
The parties agree to the following allocation of their respective data protection responsibilities as joint controllers: [LEGAL REVIEW REQUIRED — the allocation below is indicative only and must be tailored to the actual operational relationship]
| Obligation | Responsible Party |
|---|---|
| Providing Art. 13/14 transparency information to candidates | The Agency (as the party with a direct relationship with candidates). Sable AI Ltd to provide model notice language upon request. |
| Maintaining a record of processing activities (Art. 30) | Each party for its own processing activities |
| Handling data subject rights requests from candidates | The Agency (primary contact). Sable AI Ltd to assist within 5 business days of notification. |
| Implementing Art. 22C safeguards for automated decisions | The Agency (as the party taking and communicating shortlisting decisions to candidates) [ASSUMPTION: A-007] |
| Security measures for processing systems | Each party for its own systems. Sable AI Ltd for Scout infrastructure and Anthropic integration. |
| ICO breach notification (Art. 33) | The Agency (as the lead controller for candidate data). Sable AI Ltd to provide support and breach information per Clause 8.2 above. |
| DPIA maintenance | Each party for its own processing; shared responsibility for joint processing |
| Sub-processor authorisation | Sable AI Ltd, subject to the Agency's general authorisation under Clause 6 above |
A26.2 Candidates' Rights Not Constrained
Irrespective of this Addendum, candidates may exercise their rights under Data Protection Legislation against either party. [UK GDPR Art. 26(3)] Each party shall handle rights requests directed to it and shall notify the other party within three business days.
A26.3 Essence Available to Candidates
The essence of this Joint Controller Addendum — specifically the allocation of transparency and rights-handling responsibilities in Article A26.1 — must be made available to candidates upon request. The Agency is responsible for including a reference to this allocation in its candidate-facing privacy notice.
A26.4 Relationship with Operative Terms
In the event of conflict between this Addendum and the operative terms of Appendix A, this Addendum prevails to the extent of the conflict.
---
Appendix B — Data Processing Agreement: In-House HR Customer
[ASSUMPTION: A-003] This appendix is drafted for in-house HR and talent acquisition teams at UK corporate organisations who use Scout for direct hiring. This customer segment characterisation has not been verified against Sable AI Ltd's actual customer base.
Parties
Controller (the "Customer"): [FULL LEGAL NAME], a company incorporated in [JURISDICTION] with company number [NUMBER], whose registered office is at [ADDRESS] ("you", "your", the "Controller").
Processor (Sable AI Ltd): Sable AI Ltd, a company incorporated in England and Wales with company number [NUMBER — ASSUMPTION], whose registered office is at [ADDRESS — ASSUMPTION] ("we", "us", "our", the "Processor"). [ASSUMPTION: A-001]
Effective Date: [DATE]
This Agreement forms part of, and must be read alongside, the main services agreement or order form between the parties dated [DATE] (the "Services Agreement").
Recitals
A. The Customer has entered into the Services Agreement under which Sable AI Ltd provides access to the Scout AI-assisted CV screening and candidate shortlisting tool.
B. In operating Scout, Sable AI Ltd will process personal data relating to the Customer's job candidates on behalf of the Customer.
C. Under this Agreement, the Customer is the sole controller of Candidate Data and Sable AI Ltd is the processor, within the meanings of UK GDPR Articles 4(7) and 4(8). The Customer determines the purposes and means of processing Candidate Data; Sable AI Ltd processes that data strictly on the Customer's documented instructions. This controller-processor characterisation is appropriate for in-house HR customers directing Scout to screen their own candidate pipelines for direct hire. [LEGAL REVIEW REQUIRED — confirm this characterisation applies to the specific operational relationship]
D. The parties enter into this Agreement to record their respective obligations as controller and processor under UK GDPR Article 28 and the Data (Use and Access) Act 2025.
1. Definitions
In this Agreement, the following terms have the same meanings as defined in Appendix A:
- Candidate Data
- Data Protection Legislation
- ICO
- Personnel
- Scout [ASSUMPTION: A-002]
- Sub-Processor
- UK GDPR
Capitalised terms not defined here have the meanings given in the Services Agreement or Data Protection Legislation.
2. Processing Particulars
The processing of personal data under this Agreement is described in Schedule B1. The parties acknowledge that Schedule B1 sets out the mandatory information required by UK GDPR Article 28(3) regarding the subject matter, duration, nature and purpose of the processing, the type of personal data, and the categories of data subjects.
3. Scope and Instructions
3.1 Sable AI Ltd shall process Candidate Data only on the documented instructions of the Customer, including instructions given through use of the Scout platform and any supplementary written instructions provided pursuant to the Services Agreement. This obligation covers any transfer of personal data to a third country or international organisation. [UK GDPR Art. 28(3)(a)]
3.2 If Sable AI Ltd is required by domestic law to process Candidate Data other than on the Customer's instructions, it shall inform the Customer of that legal requirement before processing, unless the relevant law prohibits such notification on important grounds of public interest.
3.3 Sable AI Ltd shall promptly notify the Customer if it believes any instruction given by the Customer infringes Data Protection Legislation. Sable AI Ltd is not required to act on an instruction it reasonably believes to be unlawful.
3.4 The Customer warrants that it has a valid lawful basis under UK GDPR Article 6 for all processing of Candidate Data instructed under this Agreement. [LEGAL REVIEW REQUIRED] In a direct-hire context, the lawful basis is most likely legitimate interests (Art. 6(1)(f)) or the performance of pre-contractual steps taken at the request of the data subject (Art. 6(1)(b)). The Customer must confirm its lawful basis in writing before the Services Agreement commences.
3.5 Where Candidate Data may include special category personal data within the meaning of UK GDPR Article 9, the Customer is solely responsible for establishing and documenting a valid condition under Article 9(2) before instructing Sable AI Ltd to process such data. [LEGAL REVIEW REQUIRED] [ASSUMPTION: A-021]
3.6 Sole Controller: The Customer confirms that it is the sole controller of Candidate Data processed under this Agreement. Sable AI Ltd does not determine the purposes or means of processing Candidate Data independently of the Customer's instructions. If Sable AI Ltd's use of Candidate Data for any purpose beyond performing the Services Agreement (including for AI model training or improvement) is proposed, the parties shall execute a separate written agreement and legal advice shall be obtained before such processing begins.
4. Confidentiality
4.1 Sable AI Ltd shall ensure that all Personnel who have access to Candidate Data are subject to a binding obligation of confidentiality in respect of that data, whether by written contract, statutory duty, or professional obligation. [UK GDPR Art. 28(3)(b)]
4.2 Sable AI Ltd shall not disclose Candidate Data to any person other than authorised Personnel, authorised Sub-Processors (see Clause 6), or as required by law.
4.3 The obligations in this Clause 4 survive termination of this Agreement.
5. Security Measures
5.1 Sable AI Ltd shall implement and maintain appropriate technical and organisational security measures in respect of Candidate Data, in accordance with UK GDPR Article 32 and as described in Schedule B3. [UK GDPR Art. 28(3)(c)]
5.2 In assessing the appropriate level of security, Sable AI Ltd shall take into account: the state of the art; the costs of implementation; the nature, scope, context, and purposes of the processing; and the risk of varying likelihood and severity to the rights and freedoms of candidates.
5.3 The measures in Schedule B3 must include, as a minimum: pseudonymisation and encryption of personal data where appropriate; measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems; the ability to restore availability of personal data in a timely manner following a technical incident; and a process for regularly testing, assessing, and evaluating the effectiveness of security measures.
5.4 Sable AI Ltd may update the technical and organisational measures in Schedule B3 from time to time, provided that no update reduces the overall level of protection of Candidate Data below the standard required by Data Protection Legislation.
6. Sub-Processors
6.1 The Customer provides Sable AI Ltd with general written authorisation to engage the Sub-Processors listed in Schedule B2, subject to the conditions in this Clause 6. [UK GDPR Art. 28(2)]
6.2 Sable AI Ltd shall not engage any Sub-Processor not listed in Schedule B2 to process Candidate Data without providing prior written notice to the Customer of: (a) the identity of the proposed Sub-Processor; (b) the processing to be carried out; and (c) a reasonable opportunity for the Customer to object. If the Customer objects on demonstrable data protection grounds, Sable AI Ltd shall not engage that Sub-Processor for the relevant processing.
6.3 Sable AI Ltd shall impose on each Sub-Processor data protection obligations equivalent to those in this Agreement, by means of a written contract. Such obligations shall cover, as a minimum, all matters required by UK GDPR Article 28(3). [UK GDPR Art. 28(4)]
6.4 Sable AI Ltd remains fully liable to the Customer for the performance of any Sub-Processor's obligations under this Agreement if the Sub-Processor fails to fulfil its data protection obligations. [UK GDPR Art. 28(4)]
6.5 Anthropic (sub-processor): [ASSUMPTION: A-005] The parties acknowledge that Sable AI Ltd currently uses Anthropic, Inc. as a Sub-Processor for the generative AI functionality underlying the Scout tool. Anthropic processes Candidate Data (specifically, CV content and job description data submitted via the Scout API) solely for the purpose of generating shortlisting outputs. [ASSUMPTION: A-005] Anthropic does not use Candidate Data to train its AI models. Sable AI Ltd warrants that it has in place a written data processing agreement with Anthropic that satisfies UK GDPR Article 28 requirements. The processing carried out by Anthropic and the transfer mechanism relied upon are described in Schedule B2.
7. Data Subject Rights
7.1 Sable AI Ltd shall provide reasonable assistance to the Customer, taking into account the nature of the processing, to enable the Customer to fulfil its obligations to respond to requests from candidates exercising their rights under Data Protection Legislation, including rights of access (UK GDPR Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), and the right to obtain human review, make representations, and contest significant automated decisions (UK GDPR Art. 22C(2), as amended by the Data (Use and Access) Act 2025). [UK GDPR Art. 28(3)(e)]
7.2 Sable AI Ltd shall promptly notify the Customer (and in any event within three business days) if it receives a data subject rights request from a candidate that appears to relate to personal data processed under this Agreement. Sable AI Ltd shall not respond to any such request on the Customer's behalf without the Customer's prior written authorisation.
7.3 Automated Decision-Making — Article 22C Safeguards: [LEGAL REVIEW REQUIRED] Where Scout's output constitutes a significant decision based solely on automated processing within the meaning of UK GDPR Articles 22A–22C (as amended by the Data (Use and Access) Act 2025), the Customer is responsible for ensuring that the required safeguards are in place: providing candidates with information about the decision; enabling them to make representations; enabling human intervention; and enabling them to contest the decision. As sole controller, the Customer must assess whether mandatory human review before any candidate contact is sufficient to prevent Scout outputs from constituting solely automated significant decisions. [ASSUMPTION: A-007]
7.4 The Customer confirms that it will provide candidates with a transparency notice describing the use of AI in the recruitment process before using Scout to process those candidates' CVs, in the form of the Candidate Transparency Notice Template (L4-5.2-Candidate-Transparency-Notice-v1.md) or an equivalent notice satisfying ICO requirements. [ICO AI in Recruitment Outcomes Report, November 2024]
8. Assistance Obligations
8.1 Sable AI Ltd shall provide reasonable assistance to the Customer in meeting its obligations under Data Protection Legislation in connection with: [UK GDPR Art. 28(3)(f)]
(a) Security: maintaining appropriate technical and organisational security measures under UK GDPR Article 32;
(b) Personal Data Breach Notification: notifying the ICO of a personal data breach affecting Candidate Data within 72 hours under UK GDPR Article 33, and notifying affected candidates where required under Article 34;
(c) Data Protection Impact Assessment (DPIA): carrying out a DPIA under UK GDPR Article 35, where the nature of the processing requires it. [The parties acknowledge that AI-assisted CV screening constitutes processing that is likely to result in high risk, and that a DPIA is required before deployment, consistent with ICO guidance on AI in recruitment and the risk assessment in L1-2.2-Risk-Classification-Framework-v1.md.]
(d) Prior Consultation: consulting the ICO under UK GDPR Article 36 where a DPIA indicates that the processing would result in a high residual risk that cannot be mitigated.
8.2 Personal Data Breach — Processor Notification: Without undue delay and in any event within 24 hours of becoming aware of a personal data breach affecting Candidate Data, Sable AI Ltd shall notify the Customer of: (a) the nature of the breach, including categories and approximate numbers of data subjects and records affected; (b) the name and contact details of the data protection officer or other contact point; (c) the likely consequences of the breach; and (d) the measures taken or proposed to address the breach and mitigate its effects. Sable AI Ltd shall document the breach and provide ongoing updates as further information becomes available. [Cross-reference: L3-4.3-Incident-Response-Plan-v1.md]
8.3 The Customer remains responsible for reporting personal data breaches to the ICO and affected candidates under UK GDPR Articles 33 and 34.
9. International Transfers
9.1 To the extent that processing of Candidate Data by any Sub-Processor involves the transfer of that data to a country outside the United Kingdom, Sable AI Ltd shall ensure that such transfer is made in compliance with UK GDPR Article 44A (as amended by the Data (Use and Access) Act 2025, in force 5 February 2026): that is, only where the transfer is: (a) approved by regulations made by the Secretary of State under Article 45A; (b) made subject to appropriate safeguards in accordance with Article 46 (including the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses); or (c) made in reliance on a derogation under Article 49.
9.2 Transfer to Anthropic: [ASSUMPTION: A-005] [LEGAL REVIEW REQUIRED] The same terms as Appendix A Clause 9.2 apply. Sable AI Ltd shall confirm the applicable transfer mechanism before execution of this Agreement. The mechanism must satisfy the data protection test under UK GDPR Article 46(6), as amended by the Data (Use and Access) Act 2025 (Sch. 7 para. 6(6)): that is, the protection afforded to Candidate Data after transfer must not be materially lower than the standard required by UK data protection law.
9.3 Sable AI Ltd shall not transfer Candidate Data to any other third country sub-processor or data centre other than as described in Schedule B2 without the Customer's prior written consent.
9.4 Sable AI Ltd shall, on request, provide the Customer with copies of executed transfer agreements and evidence that the relevant transfer mechanism meets the data protection test under UK GDPR Article 46(6).
10. Audit and Evidence of Compliance
10.1 Sable AI Ltd shall make available to the Customer all information reasonably necessary to demonstrate compliance with its obligations under UK GDPR Article 28 and this Agreement. [UK GDPR Art. 28(3)(h)]
10.2 Sable AI Ltd shall allow for and contribute to audits and inspections of its data processing activities under this Agreement, carried out by the Customer or an auditor appointed by the Customer (who is not a competitor of Sable AI Ltd), on reasonable prior written notice of not less than [20 business days]. Audits shall be conducted: (a) no more than once per calendar year unless a personal data breach has occurred or there are reasonable grounds to suspect non-compliance; (b) at a time and in a manner that does not unreasonably disrupt Sable AI Ltd's operations; and (c) at the Customer's cost, subject to Sable AI Ltd's reasonable co-operation obligations.
10.3 Sable AI Ltd may satisfy audit obligations in Clause 10.2 by providing the Customer with up-to-date audit reports, certifications, or penetration test summaries prepared by qualified independent third parties, where such reports adequately address the subject matter of the requested audit.
11. Deletion and Return of Personal Data
11.1 On termination or expiry of the Services Agreement, or on the Customer's written request at any earlier time, Sable AI Ltd shall at the Customer's choice: (a) securely delete all Candidate Data processed under this Agreement and confirm deletion in writing within [30 days]; or (b) return all Candidate Data to the Customer in a mutually agreed format and delete any remaining copies within [30 days] of completed return. [UK GDPR Art. 28(3)(g)]
11.2 Sable AI Ltd shall ensure that any Sub-Processor holding Candidate Data deletes or returns that data in accordance with Clause 11.1.
11.3 Sable AI Ltd may retain Candidate Data beyond the period in Clause 11.1 only to the extent required by applicable domestic law. Sable AI Ltd shall notify the Customer of any such legal retention obligation before deletion is due.
11.4 [ASSUMPTION: A-022] Retention periods for Candidate Data during the term of the Services Agreement have not been confirmed. The Customer is responsible for specifying retention periods in its instructions and in Schedule B1.
12. Duration
This Agreement takes effect on the Effective Date and remains in force for the duration of the Services Agreement. The obligations in Clauses 4, 9, and 11 survive termination.
13. Liability
The liability provisions of the Services Agreement apply to this Agreement, except that neither party may limit its liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any liability that cannot be excluded or limited under applicable law, including obligations under Data Protection Legislation.
14. Governing Law
This Agreement is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales.
15. Variation
This Agreement may be amended by the written agreement of both parties. Sable AI Ltd may update Schedule B3 (security measures) without the Customer's consent, provided the update does not reduce the overall level of protection below the minimum required by Data Protection Legislation.
Schedule B1 — Processing Particulars
| Field | Detail |
|---|---|
| Subject matter | AI-assisted screening and shortlisting of job candidate CVs and applications for the Customer's direct-hire recruitment |
| Duration | Duration of the Services Agreement |
| Nature of processing | Collection, storage, structuring, analysis, transmission to AI sub-processor, production of structured shortlisting outputs, deletion |
| Purpose of processing | Screening and ranking job candidates against role criteria specified by the Customer's hiring managers, to assist human recruiter review and candidate shortlisting [ASSUMPTION: A-007] |
| Types of personal data | Name, contact details (email, phone, address), employment history, educational qualifications, skills and competencies, any other information included by the candidate in their CV or application; potentially special category data where present in free-text CV sections [ASSUMPTION: A-021] |
| Categories of data subjects | Job applicants and candidates applying to the Customer's vacancies |
| Lawful basis | To be confirmed by the Customer before commencement of processing [LEGAL REVIEW REQUIRED] |
| Retention during term | As specified in the Customer's written instructions. Default: [TO BE COMPLETED BY CUSTOMER]. [ASSUMPTION: A-022] |
| Hosting | AWS UK Region (eu-west-2) [ASSUMPTION: A-004] |
| Sub-processors | See Schedule B2 |
Schedule B2 — Authorised Sub-Processors
| Sub-Processor | Entity | Country | Processing Carried Out | Transfer Mechanism |
|---|---|---|---|---|
| Anthropic, Inc. | Private company, USA | United States | Generative AI processing of CV and job description data to produce shortlisting output. [ASSUMPTION: A-005] Candidate data is not used to train Anthropic's AI models. | [LEGAL REVIEW REQUIRED] [ASSUMPTION: A-005] To be confirmed: UK-US Data Bridge (where Anthropic is certified) or UK International Data Transfer Agreement / UK Addendum to EU SCCs. Sable AI Ltd to confirm mechanism before execution. |
| Amazon Web Services (AWS) | Amazon.com, Inc. subsidiary | United Kingdom (eu-west-2) [ASSUMPTION: A-004] | Cloud infrastructure hosting (servers, storage, database). | Hosting in UK region — no international transfer. |
Schedule B3 — Technical and Organisational Security Measures
[ASSUMPTION: The following measures are assumed for an early-stage UK cloud-hosted SaaS company. They must be verified against Sable AI Ltd's actual security posture before execution.]
| Category | Measure |
|---|---|
| Access control | Role-based access to processing systems; multi-factor authentication for administrative access; principle of least privilege; regular access review |
| Encryption | Candidate Data encrypted at rest (AES-256 or equivalent) and in transit (TLS 1.2 minimum) |
| Network security | Firewall and intrusion detection controls; network segregation; monitored API gateway for Anthropic integration |
| Logging and monitoring | Audit logging of access to Candidate Data; log retention for minimum [12 months]; alert thresholds for anomalous access patterns |
| Patch management | Security patches applied within [14 days] of release for critical vulnerabilities |
| Vulnerability management | Annual penetration test by qualified third party; vulnerability scanning programme |
| Incident response | Documented incident response plan; tested annually; 24-hour detection-to-notification capability for personal data breaches |
| Business continuity | Backup and recovery capability with RTO of [TO BE CONFIRMED]; data restoration tested [quarterly] |
| Personnel | Data protection training for all Personnel with access to Candidate Data; confidentiality obligations in employment/contractor contracts |
| Sub-processor oversight | Due diligence on Sub-Processor security before engagement; contractual security standards equivalent to this Schedule |
End of L4-5.1 — Data Processing Agreement Template