Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the service agreement between the subscribing organisation ("Customer", the controller) and CAREERSBAR LTD, company number 15319889, of 128 City Road, London, United Kingdom, EC1V 2NX ("Processor"). It applies whenever we process personal data on the Customer's behalf through careersstat.

To execute a countersigned copy for procurement, email privacy@careersbar.com with your organisation details — we will return a signature-ready PDF of these terms.

Processing covers personal data submitted by the Customer and its authorised users (account details, usage data, content of queries) for the duration of the subscription plus the deletion period below.

Nature and purpose: hosting, displaying, analysing, and exporting labour market intelligence; providing support; billing.

Data subjects: the Customer’s authorised users. Categories: identification and contact data, usage data, and any personal data the Customer chooses to include in queries or projects.

Process personal data only on documented instructions from the Customer, including for transfers, unless required by law (in which case we inform the Customer unless prohibited).

Ensure persons authorised to process the data are bound by confidentiality.

Implement appropriate technical and organisational measures: encryption in transit, encrypted secrets and phone numbers at rest, role-based access control, audit logging, rate limiting, and routine security testing.

Assist the Customer with data subject requests, security, breach notification, and data protection impact assessments, taking into account the nature of processing.

Notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer data.

Make available information necessary to demonstrate compliance and allow audits, subject to reasonable notice, confidentiality, and at most once per year unless required by a supervisory authority.

The Customer grants general authorisation for the subprocessors listed at /subprocessors. We will give at least 30 days' notice of additions or replacements, during which the Customer may object on reasonable data protection grounds.

We impose data protection obligations on subprocessors no less protective than this DPA and remain liable for their performance.

Transfers outside the UK rely on UK adequacy regulations where available, otherwise on the EU Standard Contractual Clauses supplemented by the UK International Data Transfer Addendum.

On termination, the Customer may export its data for 30 days. We then delete or anonymise Customer personal data within 60 days, except records we must retain by law (kept isolated and protected).

Liability under this DPA is subject to the limitations in the Terms of Service. This DPA is governed by the laws of England and Wales.