Last Updated: July 6, 2025
This Data Processing Agreement ("DPA") is entered into between:
Customer ("Customer," "Controller," "you") - the entity that has entered into a service agreement with StackedHR, Inc. for the provision of hiring and recruitment services.
StackedHR, Inc. ("StackedHR," "Processor," "we," "us") - a Delaware C Corporation providing AI-powered hiring and recruitment platform services.
This DPA supplements and forms part of the service agreement between Customer and StackedHR (the "Agreement") and governs the processing of Personal Data by StackedHR on behalf of Customer in connection with the provision of StackedHR's services (the "Services").
In case of conflict between this DPA and the Agreement, this DPA shall take precedence with respect to data protection matters. For all other matters, the Agreement shall control.
This DPA becomes effective on the date Customer accepts the Agreement or begins using the Services, whichever is earlier, and remains in effect for the duration of the Agreement.
For purposes of this DPA, the following definitions apply:
"Applicable Data Protection Laws" means all applicable laws, regulations, and binding guidance relating to the processing of Personal Data, including without limitation:
- The EU General Data Protection Regulation (GDPR) (Regulation 2016/679)
- The UK Data Protection Act 2018 and UK GDPR
- The Swiss Federal Data Protection Act (FADP)
- The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
- Any successor or replacement legislation
"Controller" means the entity that determines the purposes and means of processing Personal Data.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Laws.
"Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
"Processor" means the entity that processes Personal Data on behalf of the Controller.
"Sub-processor" means any third party engaged by StackedHR to process Personal Data on behalf of Customer.
"Supervisory Authority" means an independent public authority established by an EU Member State, the UK, or Switzerland to oversee compliance with data protection laws.
Customer as Controller: Customer acts as the Controller for all Personal Data of candidates, employees, and other individuals that Customer submits to or processes through the Services. Customer determines the purposes and means of processing such Personal Data.
StackedHR as Processor: StackedHR acts as a Processor for Customer Personal Data, processing such data solely on behalf of and in accordance with Customer's documented instructions as set forth in this DPA and the Agreement.
StackedHR as Controller: StackedHR acts as an independent Controller (not a joint controller) for:
- Account information of Customer's users and administrators
- Usage data and analytics related to the Services
- Billing and payment information
- Communications with Customer
- Any other data processed for StackedHR's own business purposes as described in StackedHR's Privacy Policy
Personal Data processed under this DPA may relate to the following categories of Data Subjects:
- Job candidates and applicants
- Current and former employees of Customer
- Customer's users and administrators
- Interview participants and evaluators
- References and emergency contacts
- Other individuals whose Personal Data is submitted to the Services
The Personal Data processed may include:
- Identity Information: Names, addresses, phone numbers, email addresses
- Professional Information: Resumes, CVs, work history, education, skills, certifications
- Assessment Data: Interview responses, work samples, test results, evaluation scores
- Communication Data: Messages, feedback, notes, and correspondence
- Technical Data: IP addresses, device information, usage logs, session data
- Sensitive Data: Where permitted by law and with appropriate safeguards, data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, health data, or data concerning sex life or sexual orientation
StackedHR processes Personal Data for the following purposes on behalf of Customer:
- Facilitating recruitment and hiring processes
- Conducting candidate assessments and evaluations
- Providing AI-powered screening and matching services
- Generating reports and analytics on hiring activities
- Communicating with candidates and other Data Subjects
- Maintaining records and audit trails
- Ensuring platform security and integrity
- Complying with legal obligations
Customer warrants that:
- It has a lawful basis for processing Personal Data under Applicable Data Protection Laws
- It has obtained all necessary consents, provided required notices, and fulfilled other legal requirements for the processing
- The processing instructions provided to StackedHR are lawful and comply with Applicable Data Protection Laws
- It has the authority to provide the Personal Data to StackedHR for processing
StackedHR shall process Personal Data only:
- In accordance with Customer's documented instructions as set forth in this DPA and the Agreement
- As necessary to provide the Services and fulfill StackedHR's obligations under the Agreement
- As required by applicable law (with notice to Customer where legally permitted)
- As otherwise agreed in writing between the parties
Customer may provide additional or modified processing instructions by:
- Written notice to StackedHR (including email)
- Configuration changes within the Services (where available)
- Mutual agreement in writing
StackedHR will assess whether additional instructions are technically feasible and compliant with Applicable Data Protection Laws. If StackedHR determines that an instruction violates applicable law, it will inform Customer and may refuse to carry out the instruction.
Customer is responsible for:
- Responding to Data Subject requests for access, rectification, erasure, restriction, portability, and objection
- Providing Data Subjects with required privacy notices and information
- Obtaining and managing consents where required
- Ensuring the accuracy and completeness of Personal Data provided to StackedHR
StackedHR will provide reasonable assistance to Customer in fulfilling these obligations, including by providing access to relevant Personal Data and implementing technical measures to facilitate Data Subject rights.
StackedHR shall:
- Process Personal Data only in accordance with Customer's documented instructions
- Not use Personal Data for any purpose other than providing the Services
- Not disclose Personal Data to third parties except as authorized by this DPA
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational measures to protect Personal Data
StackedHR implements and maintains appropriate technical and organizational security measures, including:
Technical Measures:
- Encryption of Personal Data in transit and at rest using industry-standard algorithms
- Access controls and authentication mechanisms
- Network security and firewall protection
- Regular security monitoring and incident detection
- Secure data backup and recovery procedures
Organizational Measures:
- Security policies and procedures
- Employee training and awareness programs
- Background checks for personnel with access to Personal Data
- Incident response and breach notification procedures
- Regular security assessments and audits
StackedHR ensures that all personnel who have access to Personal Data:
- Are bound by appropriate confidentiality obligations
- Receive adequate training on data protection requirements
- Have access only to Personal Data necessary for their role
- Are subject to disciplinary action for unauthorized disclosure or misuse
StackedHR will provide reasonable assistance to Customer with:
- Data Subject rights requests
- Data protection impact assessments
- Consultations with Supervisory Authorities
- Compliance with security and breach notification requirements
- Audits and inspections by Customer or authorized third parties
Customer authorizes StackedHR to engage Sub-processors to process Personal Data, subject to the requirements of this section.
StackedHR currently engages the following categories of Sub-processors:
Technology Infrastructure:
- Cloudflare: Content delivery network and security services
- Neon: Database hosting and management
- Vercel: Application hosting and deployment
AI and Analytics:
- OpenAI: Natural language processing and AI model services
- Google Cloud: AI and machine learning services
- Groq, Cerebras, Anthropic: Specialized AI processing services
Communication and Support:
- Resend: Email delivery services
- Clerk: Authentication and user management
- Inngest: Workflow automation and processing
Analytics and Monitoring:
- Statsig: Feature flags and A/B testing
- Vercel Analytics: Usage analytics and monitoring
StackedHR ensures that all Sub-processors:
- Are bound by data processing agreements with substantially similar obligations to this DPA
- Implement appropriate technical and organizational security measures
- Process Personal Data only for the purposes specified by StackedHR
- Provide adequate guarantees regarding compliance with Applicable Data Protection Laws
- Submit to regular audits and assessments of their data protection practices
StackedHR will:
- Provide at least 30 days' advance notice of any new Sub-processors or material changes to existing Sub-processors
- Maintain an up-to-date list of Sub-processors available to Customer upon request
- Allow Customer to object to new Sub-processors on reasonable data protection grounds
- Work with Customer to resolve objections or, if resolution is not possible, allow Customer to terminate the affected Services
StackedHR remains fully liable to Customer for the performance of Sub-processors' obligations under this DPA.
Customer acknowledges and agrees that StackedHR may transfer Personal Data to countries outside the European Economic Area (EEA), United Kingdom, and Switzerland as necessary to provide the Services.
StackedHR ensures that all international transfers of Personal Data are protected by appropriate safeguards:
Adequacy Decisions:
- Transfers to countries with European Commission adequacy decisions
- Transfers to countries with UK adequacy decisions (post-Brexit)
- Transfers to countries recognized as adequate by Swiss authorities
Standard Contractual Clauses (SCCs):
- EU Standard Contractual Clauses (Commission Implementing Decision 2021/914)
- UK International Data Transfer Agreement (IDTA) and Addendum
- Swiss-approved contractual clauses or equivalent mechanisms
Certification and Codes of Conduct:
- Binding corporate rules (where applicable)
- Approved certification mechanisms
- Approved codes of conduct with binding enforcement
StackedHR conducts transfer impact assessments to evaluate:
- The legal framework in destination countries
- Additional safeguards that may be necessary
- Risks to Data Subjects and mitigation measures
- Ongoing monitoring and review requirements
For transfers to the United States, StackedHR relies on:
- EU-US Data Privacy Framework (where applicable and certified)
- Standard Contractual Clauses with additional safeguards
- Derogations under Article 49 GDPR (where applicable)
- Other legally recognized transfer mechanisms
Where required, StackedHR implements additional technical and organizational measures:
- Enhanced encryption and access controls
- Data minimization and pseudonymization
- Regular security assessments and audits
- Contractual commitments from local service providers
- Transparency reporting on government access requests
StackedHR retains Personal Data only for as long as necessary to:
- Provide the Services as instructed by Customer
- Comply with legal obligations and regulatory requirements
- Resolve disputes and enforce agreements
- Fulfill legitimate business purposes with appropriate safeguards
Customer may specify retention periods for different categories of Personal Data through:
- Configuration settings within the Services
- Written instructions to StackedHR
- Data retention schedules agreed upon by the parties
Upon termination or expiration of the Agreement, StackedHR will:
- Return or delete all Personal Data as instructed by Customer
- Provide certification of deletion upon Customer's request
- Retain Personal Data only as required by applicable law
- Ensure secure deletion of all copies and backups (subject to legal requirements)
StackedHR may retain Personal Data beyond specified retention periods when:
- Required by applicable law or legal process
- Subject to litigation hold or regulatory investigation
- Necessary for the establishment, exercise, or defense of legal claims
- Required for compliance with audit or regulatory requirements
When Personal Data is deleted, StackedHR ensures:
- Secure overwriting or destruction of storage media
- Removal from all systems, including backups and archives
- Verification that data cannot be recovered or reconstructed
- Documentation of deletion procedures and completion
StackedHR maintains a comprehensive incident response program that includes:
- 24/7 monitoring and detection capabilities
- Rapid response and containment procedures
- Forensic investigation and root cause analysis
- Remediation and recovery planning
- Communication and notification protocols
In the event of a Personal Data breach, StackedHR will:
- Notify Customer without undue delay and in any case within 72 hours of becoming aware of the breach
- Provide all information necessary for Customer to assess the breach and fulfill its own notification obligations
- Assist Customer in investigating the breach and implementing remedial measures
- Cooperate with Customer in communications with Data Subjects and Supervisory Authorities
Breach notifications will include:
- Description of the nature of the breach
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of Personal Data records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact information for further information
StackedHR will:
- Provide regular updates on the investigation and remediation efforts
- Share final incident reports and lessons learned
- Implement additional safeguards to prevent similar incidents
- Cooperate with any regulatory investigations or enforcement actions
Customer is responsible for:
- Assessing whether the breach requires notification to Supervisory Authorities
- Notifying Data Subjects when required by applicable law
- Cooperating with StackedHR in breach investigation and response
- Implementing any additional safeguards recommended by StackedHR
Customer has the right to audit StackedHR's compliance with this DPA, subject to the following:
- Audits must be conducted during normal business hours with reasonable advance notice
- Audits may be conducted by Customer or an independent third-party auditor
- Auditors must be bound by appropriate confidentiality obligations
- Audit scope must be reasonable and proportionate to the risks involved
- Routine audits may be conducted annually or as otherwise agreed
- Additional audits may be conducted in response to security incidents or regulatory requirements
- Audits may include review of policies, procedures, technical controls, and Sub-processor arrangements
- StackedHR may satisfy audit requirements by providing relevant certifications or third-party audit reports
StackedHR maintains relevant compliance certifications and assessments, including:
- SOC 2 Type II reports
- ISO 27001 certification (where applicable)
- Industry-specific compliance assessments
- Regular penetration testing and vulnerability assessments
Audit costs are allocated as follows:
- Customer bears the costs of audits it initiates
- StackedHR may charge reasonable fees for extensive audit support
- Costs of remediation for identified non-compliance issues are borne by StackedHR
- Emergency audits in response to security incidents are conducted at StackedHR's expense
If audits identify non-compliance issues, StackedHR will:
- Develop and implement a remediation plan within agreed timeframes
- Provide regular updates on remediation progress
- Submit to follow-up audits to verify compliance
- Bear the costs of necessary remediation measures
StackedHR will assist Customer in responding to Data Subject rights requests by:
- Providing access to relevant Personal Data within StackedHR's systems
- Implementing technical measures to facilitate data portability
- Enabling data rectification and restriction of processing
- Supporting data erasure requests (subject to legal and technical limitations)
- Providing information about automated decision-making and profiling
StackedHR maintains technical capabilities to:
- Search for and retrieve Personal Data by Data Subject identifier
- Export Personal Data in structured, machine-readable formats
- Modify or correct Personal Data upon instruction
- Restrict processing of specific Personal Data
- Delete Personal Data securely and completely
StackedHR will respond to Customer requests for assistance with Data Subject rights:
- Within 10 business days for routine requests
- Within 72 hours for urgent requests
- As otherwise agreed based on the complexity of the request
- In time for Customer to meet its own response obligations under applicable law
If StackedHR receives a Data Subject rights request directly:
- StackedHR will promptly forward the request to Customer
- StackedHR will not respond directly without Customer's authorization
- StackedHR will assist Customer in formulating an appropriate response
- StackedHR will implement Customer's instructions regarding the request
StackedHR will assist Customer in conducting Data Protection Impact Assessments (DPIAs), where required under Applicable Data Protection Laws, by:
- Providing information about the Services' data processing activities
- Describing technical and organizational security measures
- Identifying potential risks to Data Subjects' rights and freedoms
- Suggesting mitigation measures and safeguards
- Cooperating in consultations with Supervisory Authorities
StackedHR will notify Customer when it believes that processing activities may require a DPIA, including:
- Large-scale processing of sensitive Personal Data
- Systematic monitoring of Data Subjects
- Use of new technologies or innovative processing methods
- Processing that may result in high risk to Data Subjects' rights and freedoms
StackedHR will provide Customer with:
- Detailed descriptions of processing operations
- Technical specifications and security measures
- Risk assessments and mitigation strategies
- Evidence of compliance with data protection principles
- Information about Sub-processor arrangements and safeguards
This DPA terminates automatically upon:
- Expiration or termination of the Agreement
- Completion of all Services requiring Personal Data processing
- Mutual agreement of the parties in writing
- Material breach that remains uncured after 30 days' notice
Upon termination, Customer may choose to:
- Return: Receive copies of all Personal Data in a structured, machine-readable format
- Delete: Instruct StackedHR to securely delete all Personal Data
- Transfer: Direct transfer of Personal Data to a third-party service provider
- Combination: Different treatment for different categories of Personal Data
StackedHR will:
- Provide data return options and timelines within 30 days of termination notice
- Complete data return or deletion within 90 days of termination (unless extended by Customer)
- Provide certification of completion upon Customer's request
- Retain Personal Data only as required by applicable law
The following provisions survive termination of this DPA:
- Confidentiality obligations
- Liability and indemnification provisions
- Audit rights for completed processing activities
- Obligations related to legal retention requirements
- Dispute resolution and governing law provisions
Each party's liability under this DPA is subject to the limitation of liability provisions in the Agreement, except where such limitations are prohibited by applicable law.
StackedHR shall be liable for damages caused by its processing of Personal Data only where:
- StackedHR has not complied with obligations specifically directed to processors under Applicable Data Protection Laws
- StackedHR has acted outside or contrary to lawful instructions from Customer
- The damage was caused by StackedHR's negligent or wrongful acts or omissions
Customer shall indemnify and hold harmless StackedHR from and against any claims, damages, losses, and expenses arising from:
- Customer's violation of Applicable Data Protection Laws
- Customer's failure to obtain necessary consents or provide required notices
- Unlawful instructions provided by Customer to StackedHR
- Customer's breach of its obligations under this DPA
StackedHR shall indemnify and hold harmless Customer from and against any claims, damages, losses, and expenses arising from:
- StackedHR's material breach of this DPA
- StackedHR's violation of Applicable Data Protection Laws in its role as Processor
- Unauthorized disclosure of Personal Data by StackedHR or its Sub-processors
- Security incidents caused by StackedHR's negligence or wrongful acts
Regulatory fines and penalties are allocated as follows:
- Each party is responsible for regulatory fines and penalties resulting from its own violations of Applicable Data Protection Laws
- StackedHR is responsible for fines resulting from its processing activities as Processor
- Customer is responsible for fines resulting from its activities as Controller
- Shared responsibility may apply where both parties contribute to a violation
The parties agree to attempt to resolve any disputes arising under this DPA through good faith negotiations before initiating formal dispute resolution procedures.
If informal resolution is unsuccessful, disputes may be submitted to mediation under the rules of a mutually agreed mediation service or the American Arbitration Association.
Disputes not resolved through mediation may be submitted to binding arbitration in accordance with the dispute resolution provisions of the Agreement.
Both parties agree to cooperate fully with any investigations, inquiries, or enforcement actions by Supervisory Authorities, including:
- Providing requested information and documentation
- Participating in hearings and proceedings
- Implementing corrective measures as directed
- Paying applicable fines and penalties
Nothing in this section prevents either party from seeking emergency injunctive relief to protect Personal Data or prevent irreparable harm.
This DPA is governed by the laws of the State of Delaware, except where Applicable Data Protection Laws require application of different governing law.
For disputes not subject to arbitration, the parties submit to the jurisdiction of the courts of Delaware, except where Data Subjects or Supervisory Authorities have rights to bring actions in other jurisdictions under Applicable Data Protection Laws.
Where any provision of this DPA conflicts with Applicable Data Protection Laws, the requirements of such laws shall prevail to the extent of the conflict.
This DPA, together with the Agreement, constitutes the entire agreement between the parties regarding the processing of Personal Data and supersedes all prior agreements and understandings on this subject.
This DPA may be amended only:
- By written agreement signed by both parties
- As necessary to comply with changes in Applicable Data Protection Laws
- Through StackedHR's standard updates to reflect changes in Sub-processors or security measures (with appropriate notice)
If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable.
This DPA is written in English. Any translations are provided for convenience only, and the English version shall control in case of any conflict or ambiguity.
All notices under this DPA must be in writing and delivered to the addresses specified in the Agreement or as otherwise designated by the parties in writing.
Neither party may assign this DPA without the prior written consent of the other party, except that StackedHR may assign this DPA in connection with a merger, acquisition, or sale of all or substantially all of its assets.
No waiver of any provision of this DPA shall be effective unless in writing and signed by the party against whom the waiver is sought to be enforced.
Neither party shall be liable for any failure or delay in performance under this DPA due to circumstances beyond its reasonable control, provided that such party uses reasonable efforts to minimize the impact of such circumstances.
Where required for international data transfers, the parties agree to be bound by the Standard Contractual Clauses adopted by the European Commission, UK authorities, or Swiss authorities, as applicable.
In case of conflict between this DPA and applicable Standard Contractual Clauses, the Standard Contractual Clauses shall take precedence to the extent required by law.
The parties will complete and execute the applicable Standard Contractual Clauses as separate agreements, incorporating the details and specifications set forth in this DPA.
For StackedHR:
Data Protection Officer
StackedHR, Inc.
Email: derek@stackedhr.ai
Address: 920 Jefferson Street
Hoboken, NJ 07030 US
For Customer:
[To be completed by Customer]
Data Protection Contact: ________________
Email: ________________
Address: ________________
Security incidents and Personal Data breaches should be reported immediately to:
- Email: derek@stackedhr.ai
- Phone: [Emergency Contact Number]
- Online: [Incident Reporting Portal]
For questions about this DPA or data processing practices:
- Email: derek@stackedhr.ai
- Address: StackedHR, Inc., 920 Jefferson Street
Hoboken, NJ 07030 US
Categories of Data Subjects:
- Job candidates and applicants
- Current and former employees of Customer
- Customer's users and administrators
- Interview participants and evaluators
- References and emergency contacts
Types of Personal Data:
- Contact information (names, addresses, phone numbers, email addresses)
- Professional information (resumes, work history, education, skills)
- Assessment data (interview responses, work samples, evaluation scores)
- Communication data (messages, feedback, notes)
- Technical data (IP addresses, device information, usage logs)
- Sensitive data (where permitted by law and with appropriate safeguards)
Where Customer provides sensitive Personal Data (special categories under GDPR), Customer warrants that:
- Processing is necessary for employment purposes and authorized by law
- Appropriate safeguards are in place to protect Data Subjects' rights
- Required notices have been provided to Data Subjects
- Necessary consents have been obtained where required
Processing Operations:
- Collection and recording of Personal Data
- Organization and structuring of data for hiring processes
- Storage and backup of Personal Data
- Retrieval and consultation for assessment purposes
- Analysis and evaluation using AI and machine learning
- Communication and disclosure to authorized parties
- Restriction, erasure, and destruction as instructed
Retention Periods:
- Active candidate data: Duration of hiring process plus 3 years
- Unsuccessful candidate data: 1-2 years after application (or as required by law)
- Employee data: Duration of employment plus 7 years
- Assessment data: 5 years for consistency and legal compliance
- Communication data: 3 years after completion
- Technical logs: 1 year for security and troubleshooting
Effective Date: July 6, 2025
Document Version: 1.0
This Data Processing Agreement is designed to ensure compliance with applicable data protection laws while enabling StackedHR's AI-powered hiring platform services. For specific legal advice regarding data protection obligations, please consult with qualified legal counsel.