This Data Processing Agreement ("DPA") forms part of the Terms of Service between Flintage, a product of Eldorado Node ("Processor"), and the subscribing corporate client ("Controller"). It governs the processing of personal data by Flintage on behalf of the Client in connection with the Hiring Intelligence System.
1. Definitions
- Controller: the corporate client who determines the purposes and means of processing candidate personal data
- Processor: Flintage, who processes personal data on behalf of the Controller
- Personal Data: any information relating to an identified or identifiable natural person, including candidate names, emails, CV content, and voice recordings
- Processing: any operation performed on personal data, including collection, transmission, analysis, storage, and deletion
- Sub-processor: a third party engaged by Flintage to process personal data
2. Subject Matter and Duration
Flintage processes personal data for the purpose of delivering AI-powered candidate evaluation services as described in the Terms of Service. Processing continues for the duration of the subscription and for such retention periods as specified in the Privacy Policy.
3. Nature and Purpose of Processing
| Data Category | Purpose | Storage Location |
|---|---|---|
| Candidate name and email | Identification, communication routing, report delivery | our cloud database (Controller's subscription) |
| CV documents | AI parsing for evaluation. Transmitted through a transient processing pipeline and delivered to Controller's Drive. Programmatically deleted from the Processor's service account immediately after confirmed delivery. Every deletion event is logged in an immutable deletion record (Eldorado_DeletionLog) with timestamp, GDPR compliance flag, and delivery confirmation status. | Client's designated cloud storage (not retained by Processor after delivery) |
| Interview recordings | AI transcription for evaluation. Transmitted through a transient processing pipeline and delivered to Controller's Drive. Programmatically deleted from the Processor's service account immediately after confirmed delivery. Deletion logged with timestamp and GDPR compliance flag. | Client's designated cloud storage (not retained by Processor after delivery) |
| Evaluation scores and metadata | Scoring results, compliance status, audit trail | our cloud database |
| Recruiter notes | Behavioral signal weighting in evaluation | our cloud database |
4. Processor Obligations
Flintage shall:
- Process personal data only on documented instructions from the Controller (as set out in the Terms of Service and this DPA)
- Ensure that persons authorised to process the personal data have committed to confidentiality
- Implement appropriate technical and organisational security measures
- Not engage sub-processors without prior written consent (general authorisation is granted for the sub-processors listed in Schedule A)
- Assist the Controller in fulfilling data subject rights requests
- Delete or return all personal data upon termination of the subscription
- Make available all information necessary to demonstrate compliance with this DPA
- Notify the Controller without undue delay (and within 72 hours) upon becoming aware of a personal data breach
5. Controller Obligations
The Controller shall:
- Ensure there is a lawful basis for processing candidate personal data
- Provide candidates with appropriate privacy notices regarding AI-assisted evaluation where required by law
- Ensure candidates' data is accurate and up to date when submitted
- Not submit sensitive special category data beyond what is necessary for evaluation
- Review all evaluations with a compliance status of INTERNAL REVIEW REQUIRED or COMPLIANCE HALT before making any hiring decisions. A COMPLIANCE HALT evaluation must not be acted upon until the flagged evaluation has been reviewed and manually cleared.
- Comply with applicable data protection law in their jurisdiction
6. Sub-processors
Schedule A: Approved Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| AI Language Processing Provider | AI evaluation: CV parsing and candidate scoring | Global Cloud Infrastructure |
| Cloud Storage and Data Management Provider | File routing and data storage | Global Cloud Infrastructure |
| Audio Intelligence Provider | Audio transcription (Deepgram Nova-3 as primary; Groq Whisper Large v3 Turbo as fallback) | Global Cloud Infrastructure |
| Professional Data Intelligence Provider | Professional footprint search | Global Cloud Infrastructure |
| Workflow Automation Infrastructure Provider | Workflow orchestration and automation | Global Cloud Infrastructure |
Flintage will notify the Controller of any intended changes to sub-processors by email at least 14 days in advance, giving the Controller the opportunity to object.
7. Security Measures
Flintage implements the following technical and organisational measures:
- Access control: API key authentication, session token management, rate limiting
- Encryption in transit: HTTPS/TLS for all data transmission
- Data minimisation: candidate documents not retained after upload to Controller's Drive
- Audit logging: immutable audit trail of all evaluation events
- Incident response: automated error monitoring with immediate alerts
- Access segregation: separate credentials per service component
8. Data Breach Notification
In the event of a personal data breach affecting candidate data, Flintage will:
- Notify the Controller within 72 hours of becoming aware
- Provide details of the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed
- Cooperate with the Controller in notifying supervisory authorities where required
9. Data Subject Rights
When a candidate exercises their rights under applicable data protection law, the Controller is responsible for responding. The Controller also has direct access to all candidate evaluation records and report PDFs through the client portal and their designated Google Drive folder.
Where the Controller requires additional data held in Processor systems (evaluation metadata, audit log entries, deletion log records), Flintage will assist by providing a structured export of all data attributable to the identified candidate within 5 business days of a written request from the Controller.
Note: Candidate CV files and audio recordings are not retained by the Processor after delivery. A data subject request for these files should be directed to the Controller, who holds them in their own Google Drive folder.
10. Data Transfers
Processing by the sub-processors listed in Schedule A involves transfers of personal data to applicable jurisdictions worldwide. These transfers are made under appropriate safeguards, including the EU-US Data Privacy Framework (where applicable), Standard Contractual Clauses, or equivalent mechanisms recognised under applicable law.
11. Audit Rights
The Controller has the right to conduct audits of Flintage's data processing activities under this DPA upon reasonable written notice (minimum 30 days). Audits shall not unreasonably disrupt normal business operations.
12. Deletion on Termination
Upon termination of the subscription:
- Candidate documents (CV, audio): not retained by the Processor at termination. These files are programmatically deleted from the Processor's service account immediately after each evaluation is delivered, not at subscription end. Deletion is logged per evaluation in Eldorado_DeletionLog.
- Candidate evaluation records: retained for 12 months from the evaluation date, then eligible for deletion. This retention window applies regardless of subscription status, as evaluation records may be required for employment law compliance by the Controller.
- Audit log records: retained in anonymised form for up to 7 years for compliance purposes, as permitted under employment and data protection law.
- Client account data: deleted or anonymised within 30 days of subscription termination.
Where retention is required by applicable law, data will be retained for the minimum period necessary and in the most privacy-protective form available (anonymised where possible).
13. Governing Law
This DPA is governed by the same law as the Terms of Service. Where the Controller is established in the UK, this DPA incorporates the UK International Data Transfer Agreement (IDTA) as applicable. Where the Controller is established in the EEA, this DPA incorporates the EU Standard Contractual Clauses (Module 2: Controller to Processor).
14. Contact
For data protection enquiries:
Flintage, a product of Eldorado Node
Abuja, FCT, Nigeria
support@flintage.work
This DPA is incorporated by reference into the Terms of Service and takes effect upon subscription to the Hiring Intelligence System. No separate signature is required. If you require a signed DPA for enterprise compliance purposes, contact support@flintage.work.