Data Processing Agreement

Hifinity AI

Effective date: February 2026

GDPR Compliant

Full compliance with the EU General Data Protection Regulation and UK GDPR.

Data Security

Encryption in transit and at rest, role-based access controls, and continuous monitoring.

Data Subject Rights

Full support for access, rectification, deletion, portability, and objection requests.

Breach Notification

Prompt breach notification within 72 hours with full details and regulatory support.

This Data Processing Agreement ("DPA") forms part of the Terms of Service between TradingPlus Inc., a company organized under the laws of the State of Oregon, United States, with registered address at 9450 SW Gemini Dr, PMB 49313, Beaverton, OR 97008-7105 ("Processor" or "HiFinity"), and the customer entity using HiFinity services ("Controller").

1. Purpose of this DPA

This DPA governs the processing of Personal Data by TradingPlus Inc. on behalf of the Controller in connection with the HiFinity recruitment and AI-assisted hiring platform.

It ensures compliance with:

  • EU General Data Protection Regulation (GDPR — Regulation (EU) 2016/679)
  • UK GDPR (where applicable)

2. Roles of the Parties

  • The Controller determines the purposes and means of processing candidate data.
  • TradingPlus Inc. acts solely as a Data Processor.
  • The Processor does not sell, reuse, or exploit Personal Data for its own purposes.

3. Categories of Data Processed

Depending on customer usage:

Candidate Data

  • Name, email, phone
  • CV/resume content
  • Interview recordings or transcripts
  • Evaluation notes and AI scoring

Customer User Data

  • Account identity and login details
  • Usage logs and audit trails

4. Nature of Processing

Processing includes:

  • Storage and organization of recruitment data
  • AI-assisted analysis of CVs and interviews
  • Secure access by authorized customer users
  • Export or deletion upon request

Processing occurs only on documented instructions from the Controller.

5. Security Measures (GDPR Art. 32)

TradingPlus Inc. implements appropriate technical and organizational measures, including:

  • Encryption in transit (TLS) and at rest
  • Role-based access control (RBAC)
  • Authentication safeguards and optional MFA
  • Infrastructure hosted with GDPR-compliant cloud providers (AWS EU regions)
  • Logging, monitoring, and incident detection
  • Regular backups and disaster recovery procedures

6. Sub-processors

TradingPlus Inc. may engage trusted sub-processors such as:

  • Cloud infrastructure providers
  • Email delivery services
  • AI model providers

All sub-processors are bound by:

  • Written data protection obligations
  • Confidentiality requirements
  • GDPR-compliant transfer safeguards

A public sub-processor list will be maintained and updated.

7. International Data Transfers

Where Personal Data is transferred outside the EU/EEA, TradingPlus Inc. ensures lawful safeguards through:

  • Standard Contractual Clauses (SCCs), and/or
  • Providers certified under the EU-US Data Privacy Framework.

8. Assistance with Data Subject Rights

The Processor will assist the Controller in responding to requests to:

  • Access Personal Data
  • Rectify inaccuracies
  • Delete data ("right to be forgotten")
  • Export data (portability)
  • Restrict or object to processing

9. Personal Data Breach Notification

TradingPlus Inc. will:

  • Notify the Controller without undue delay
  • Provide relevant breach details
  • Support regulatory notification obligations

Target notification window: within 72 hours of awareness.

10. Data Retention & Deletion

Upon termination of services, TradingPlus Inc. will:

  • Delete or return all Personal Data
  • Complete deletion within 30 days, unless legally required otherwise

Backups are deleted according to secure retention schedules.

11. Audit Rights

The Controller may request reasonable documentation demonstrating GDPR compliance.

Formal audits:

  • Limited to once per year
  • Subject to confidentiality and reasonable notice

12. Liability

Each party's liability is governed by the HiFinity Terms of Service, except where GDPR mandates otherwise.

13. Governing Law

This DPA is governed by the laws of Ireland, without regard to conflict of law principles, providing consistency and credibility for EU enterprise clients. For dispute resolution, the parties submit to the exclusive jurisdiction of the courts of Ireland, unless GDPR mandates otherwise.

14. Contact for Privacy Matters

Company: TradingPlus Inc.

Email: privacy@hifinity.ai

Address: 9450 SW Gemini Dr, PMB 49313
Beaverton, OR 97008-7105
United States
