This Data Protection Agreement ("DPA") forms part of the agreement between Onbordo, Inc. ("Processor" or "Onbordo") and the customer entity that subscribes to the Services ("Controller" or "Customer"). It applies when Onbordo processes personal data on behalf of Customer in connection with the Onbordo hiring platform.
1. Definitions
"Personal Data", "Processing", "Data Subject", and "Sub-processor" have the meanings given in applicable data protection law, including the GDPR.
2. Roles of the Parties
Customer is the Controller of personal data relating to its applicants, candidates, and hiring processes. Onbordo acts as Processor, processing such data only on documented instructions from Customer, except where required by law.
3. Subject Matter and Duration
Processing is limited to providing the Services under the Terms of Service for the term of the subscription and any post-termination export period.
4. Categories of Data and Data Subjects
- Data subjects: job applicants, candidates, employees involved in hiring, and Customer users.
- Categories: contact details, employment history, application materials, interview recordings and notes, assessment results, scheduling data, and related metadata.
5. Processor Obligations
Onbordo will process Personal Data only on Customer instructions, ensure personnel confidentiality, implement appropriate security measures, assist with data subject requests where feasible, notify Customer of personal data breaches without undue delay, and support Customer's compliance obligations.
6. Sub-processors
Customer authorizes Onbordo to engage Sub-processors for hosting, communications, analytics, and support. Onbordo maintains a list of Sub-processors and will provide notice of material changes. Customer may object on reasonable grounds relating to data protection.
7. International Transfers
Where Personal Data is transferred outside the EEA/UK, Onbordo will ensure appropriate safeguards, including Standard Contractual Clauses where required.
8. Security
Onbordo maintains administrative, technical, and physical safeguards designed to protect Personal Data, aligned with industry standards such as SOC 2 and ISO 27001 practices.
9. Audits
Upon reasonable request, Onbordo will provide information necessary to demonstrate compliance and allow audits subject to confidentiality and frequency limits.
10. Deletion and Return
Upon termination, Onbordo will delete or return Personal Data per Customer instructions and Onbordo's retention policy, unless retention is required by law.
11. Liability
Each party's liability under this DPA is subject to the limitations in the Terms of Service, except where prohibited by applicable law.
12. Executed DPA
Enterprise customers may request a countersigned version of this DPA for their records. Contact privacy@onbordo.com or the Onbordo sales team.