Data Processing Agreement
Last updated: 2026-05-24
This DPA forms part of, and is incorporated into, the Master Services Agreement between Augustova Limited (“Processor”) and the Customer (“Controller”).
1. Scope and roles
This DPA applies wherever the Processor processes Personal Data on the Controller’s behalf in the course of providing the Services. Terms used here (“Personal Data”, “Processing”, “Data Subject”, “Supervisory Authority”) have the meanings given in the UK GDPR and the Data Protection Act 2018.
The Controller determines the purposes and means of Processing the Personal Data and is responsible for the lawfulness of Processing, including for ensuring it has a valid lawful basis under Article 6 UK GDPR (and where applicable Article 9) and that Data Subjects have received the required transparency information.
The Processor processes Personal Data only on the documented instructions of the Controller, as set out in the MSA, any Order Form, the Acceptable Use Policy, this DPA, and the operational choices the Controller makes when configuring its workspace (including retention settings, screening templates, and integrations enabled).
Some activities fall outside this DPA because the Processor acts as an independent controller. These are limited to: (i) account and billing data of the Controller’s administrators; (ii) security logs and abuse-prevention telemetry; and (iii) aggregated, de-identified usage statistics used to operate, secure and improve the Platform. The Processor’s processing in those capacities is governed by the Privacy Notice.
2. Subject matter and nature of processing
Annex I — Description of processing
| Item | Detail |
|---|---|
| Subject matter | Provision of the Onrolo recruitment platform to the Controller. |
| Nature of processing | Collection, storage, organisation, structuring, retrieval, use, disclosure (to the Controller’s authorised users), transmission, restriction, erasure, and AI-assisted analysis of candidate data. |
| Purpose | To enable the Controller to source, screen, evaluate and manage candidates for vacancies the Controller is recruiting for. |
| Duration | The Subscription Term plus the post-termination data return / deletion window set out in clause 12 of the MSA (typically 30 days). |
| Categories of Data Subjects | Candidates and applicants for vacancies the Controller publishes; the Controller’s own users (recruiters, hiring managers, admins). |
| Categories of Personal Data | Identification (name, email, phone), CV / résumé content, screening responses (text, voice or chat transcripts), AI-generated competency scores and rationale, application status, interview scheduling metadata, calendar invites, recruiter notes. |
| Special-category data (Art. 9) | Not solicited. Where it appears voluntarily in free-text fields or CVs, it is processed only as ancillary to the recruitment purpose and never used as an input to AI scoring. |
| Children’s data | The Platform is not designed for processing data about persons under 16. |
| Retention | Set by the Controller. Default retention applies where the Controller has not configured a period; see the Privacy Notice §7. |
3. Processor obligations (Article 28 UK GDPR)
The Processor will:
- Process on documented instructions. Process Personal Data only on the Controller’s documented instructions, including with regard to transfers, unless required to do otherwise by UK or EU law; in that case the Processor will inform the Controller of that legal requirement before processing (unless the law prohibits such notice on important grounds of public interest).
- Confidentiality. Ensure that personnel authorised to process the Personal Data are bound by appropriate confidentiality obligations and are trained on data-protection requirements.
- Security. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in §6 (Annex II) below.
- Sub-processors. Engage sub-processors only on the terms set out in §4 below.
- Assistance with Data Subject rights. Taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in responding to Data Subject requests under Chapter III UK GDPR. The Platform provides in-app tools that the Controller can use to action access, rectification, restriction, portability and erasure requests directly; where a request requires engineering action the Processor will assist within 7 working days at no additional cost.
- Assistance with compliance obligations. Assist the Controller in ensuring compliance with Articles 32–36 UK GDPR (security, breach notification, DPIAs, prior consultation), taking into account the nature of Processing and information available to the Processor.
- Breach notification. Notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Controller data, providing sufficient information to enable the Controller to meet its own Article 33 obligation to notify the ICO within 72 hours.
- Deletion or return. At the Controller’s choice, delete or return all Personal Data after the end of the provision of Services relating to Processing, and delete existing copies unless UK or EU law requires storage. The Platform provides standard export tools; bulk-delete is automated 30 days after termination unless the Controller requests immediate deletion in writing.
- Audit rights. Make available to the Controller all information necessary to demonstrate compliance with Article 28 and allow for, and contribute to, audits including inspections, conducted by the Controller or another auditor mandated by the Controller. Audits will be conducted no more than once per 12-month period (unless required by a Supervisory Authority or following a Personal Data Breach), on at least 30 days’ written notice, during normal business hours, in a manner that does not interfere with the Processor’s operations, and subject to the confidentiality obligations of the MSA. The Processor may discharge this obligation by providing the Controller with copies of its most recent independent third-party audit reports (where available) and a written response to the Controller’s questionnaire.
- Informed instructions. Immediately inform the Controller if, in its opinion, an instruction from the Controller infringes UK GDPR or other applicable data-protection law.
4. Sub-processors
The Controller grants general authorisation for the Processor to engage the sub-processors listed at onrolo.ai/sub-processors. The Processor will give the Controller at least 30 days’ prior notice by email to the Controller’s designated administrator contact of any intended addition or replacement of sub-processors.
During that 30-day period the Controller may object on reasonable data-protection grounds. If the parties cannot resolve the objection in good faith, the Controller may terminate the affected Services on written notice and receive a pro-rata refund of Fees pre-paid for the unused portion of the Subscription Term as its sole remedy.
The Processor remains fully liable to the Controller for the performance of any sub-processor it engages, and will impose contractual obligations on each sub-processor that are no less protective than those set out in this DPA.
5. International transfers
Where Personal Data is transferred outside the UK, we rely on UK International Data Transfer Agreements (IDTA) executed with each sub-processor, or where appropriate the EU Standard Contractual Clauses (Module 2 or 3) together with the UK International Data Transfer Addendum. Details, including the specific transfer mechanism for each sub-processor, are provided in the Sub-processor List.
Where required by applicable law, the Processor will complete a Transfer Risk Assessment using the UK ICO template before relying on the chosen mechanism, and will make a copy available on reasonable written request.
6. Security
Annex II — Technical and organisational measures
The Processor implements the following technical and organisational measures, reviewed at least annually and updated to remain appropriate to the risk:
- Encryption. TLS 1.2 minimum (TLS 1.3 preferred) in transit on every public endpoint, with HSTS enforced. AES-256 at rest across Supabase Postgres, Storage, and Upstash cache.
- Pseudonymisation. Identifiers in product analytics, error logs and trace spans are pseudonymised and stripped of direct identifiers (names, emails, phone numbers, CV content) by server-side Sentry scrubbers before leaving the Platform.
- Tenant isolation. Row-level security policies on every multi-tenant table, enforced by Supabase Postgres. Access via the service role is gated to a small set of audited admin RPCs.
- Access control. Role-based access for the Controller’s users; mandatory MFA on internal Processor admin accounts; least-privilege engineering access reviewed quarterly; leaked-password protection enabled on Supabase Auth.
- Network and infrastructure security. Hosted on Vercel (US/EU edge) and Supabase (EU, AWS eu-west-1). Cloudflare Turnstile on public forms. Upstash rate limiting on all AI routes. Webhooks verified by signature (Stripe, Supabase, Resend, Retell, Inngest) before any state change.
- Secret management. All keys and credentials are held in Vercel and Supabase environment vaults; never in source control; rotated when an individual with access departs or on confirmed compromise.
- Logging and monitoring. Application-level audit logs of admin actions; Sentry for error and performance monitoring; Supabase audit log for database role changes.
- Resilience. Encrypted backups taken by Supabase, retained on a 30-day rolling basis; point-in-time recovery available for the production database.
- Personnel. All personnel with access to Personal Data are bound by confidentiality obligations and complete data-protection training on onboarding.
- Vendor management. Each sub-processor is assessed against the UK ICO Transfer Risk Assessment template before onboarding and reviewed at least annually.
- Incident response. Documented playbook covering detection, triage, containment, eradication, recovery, and post-incident review; ICO notification within 72 hours of becoming aware of a notifiable Personal Data Breach (Article 33).
- Vulnerability disclosure. Security researchers and customers can report issues to security@onrolo.ai; acknowledgement within 2 working days.
7. DPA template (full text)
The full executed DPA template is available as a PDF for enterprise customers. Contact legal@onrolo.ai to request a signed copy or to negotiate bespoke terms.
