How we handle data on your behalf

This DPA is between:

• You, the Customer — the data controller, who decides why and how personal data is processed
• Beagler — the data processor, which processes that data on your documented instructions

Beagler processes personal data solely to provide the recruitment services described in the Terms of Use. Processing continues for as long as you use the Service and ends when your workspace is closed and data is deleted in line with this DPA.

The personal data processed may include:

• Names
• Email addresses and phone numbers
• Postal addresses
• Resumes and supporting documents
• Salary expectations and availability
• Interview notes and scorecards
• Client and user contact details

• Job candidates
• Client contacts
• Your employees and workspace users

On your behalf, Beagler may:

• Store and organize recruitment data
• Manage job postings and candidate submissions
• Schedule interviews and record feedback
• Generate invoices, payroll and expenses
• Provide AI-assisted parsing, tagging and matching
• Send transactional emails and route the messages you send
• Perform backups and restores

As the controller, you:

• Confirm you have a lawful basis to process the data
• Obtain candidate consent or provide notice where required
• Are responsible for the accuracy of the data you enter
• Control access through roles and permissions
• Issue processing instructions only through lawful use of the Service

As the processor, Beagler will:

• Process personal data only on your documented instructions
• Ensure people authorized to process data are bound by confidentiality
• Implement appropriate technical and organizational security measures
• Assist you in responding to data subject requests
• Notify you of personal data breaches without undue delay
• Delete or return personal data at the end of the Service, subject to legal obligations

Beagler uses a limited set of sub-processors to deliver the Service:

• Cloud hosting and infrastructure (within the European Union)
• Email delivery
• AI processing (such as Google)
• Subscription payment processing (Stripe)

All sub-processors are bound by contract to data-protection obligations no less protective than this DPA. We will give reasonable notice of new sub-processors so you can object on legitimate grounds.

Our safeguards include:

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Hashed passwords and secure authentication tokens
• Role-based access control
• Logical isolation of every workspace
• Continuous activity logging and monitoring
• Regular, secure backups

Beagler will assist you, where reasonably possible, in responding to requests from data subjects to:

• Access their data
• Correct inaccurate data
• Delete their data
• Restrict or object to processing
• Receive a portable copy

If a personal data breach occurs, Beagler will:

• Notify you without undue delay after becoming aware of it
• Provide the information you reasonably need to meet your own notification obligations
• Take reasonable steps to contain and remediate the breach

• Data is retained for as long as you use the Service
• Archived records remain stored but inactive until restored or deleted
• On termination, you can request export or deletion of your data
• Residual copies may remain in encrypted backups for a limited period before being purged

Your data is hosted in the European Union and may be processed in other countries where Beagler or its sub-processors operate. Where data is transferred across borders, we apply appropriate safeguards (such as Standard Contractual Clauses) to keep it protected to the standard required by applicable law.

On reasonable written request, Beagler will make available the information necessary to demonstrate compliance with this DPA, and will contribute to audits conducted by you or an auditor you appoint, subject to confidentiality and without compromising the security of other customers.

Liability under this DPA is subject to the limitations and exclusions set out in the Terms of Use.

This DPA is governed by the laws of the State of Delaware, United States, consistent with the Terms of Use, while applying the data-protection safeguards required by the GDPR and other applicable laws.

For any data-protection question, or to exercise rights under this DPA, contact our team: