Data Protection Agreement

This Data Protection Agreement ("DPA") forms part of the agreement between Onbordo, Inc. ("Processor" or "Onbordo") and the customer entity that subscribes to the Services ("Controller" or "Customer"). It applies when Onbordo processes personal data on behalf of Customer in connection with the Onbordo hiring platform.

1. Definitions

"Personal Data", "Processing", "Data Subject", and "Sub-processor" have the meanings given in applicable data protection law, including the GDPR.

2. Roles of the Parties

Customer is the Controller of personal data relating to its applicants, candidates, and hiring processes. Onbordo acts as Processor, processing such data only on documented instructions from Customer, except where required by law.

3. Subject Matter and Duration

Processing is limited to providing the Services under the Terms of Service for the term of the subscription and any post-termination export period.

4. Categories of Data and Data Subjects

  • Data subjects: job applicants, candidates, employees involved in hiring, and Customer users.
  • Categories: contact details, employment history, application materials, interview recordings and notes, assessment results, scheduling data, and related metadata.

5. Processor Obligations

Onbordo will process Personal Data only on Customer instructions, ensure personnel confidentiality, implement appropriate security measures, assist with data subject requests where feasible, notify Customer of personal data breaches without undue delay, and support Customer's compliance obligations.

6. Sub-processors

Customer authorizes Onbordo to engage Sub-processors for hosting, communications, analytics, and support. Onbordo maintains a list of Sub-processors and will provide notice of material changes. Customer may object on reasonable grounds relating to data protection.

7. International Transfers

Where Personal Data is transferred outside the EEA/UK, Onbordo will ensure appropriate safeguards, including Standard Contractual Clauses where required.

8. Security

Onbordo maintains administrative, technical, and physical safeguards designed to protect Personal Data, aligned with industry standards such as SOC 2 and ISO 27001 practices.

9. Audits

Upon reasonable request, Onbordo will provide information necessary to demonstrate compliance and allow audits subject to confidentiality and frequency limits.

10. Deletion and Return

Upon termination, Onbordo will delete or return Personal Data per Customer instructions and our retention policy, unless retention is required by law.

11. Liability

Each party's liability under this DPA is subject to the limitations in the Terms of Service, except where prohibited by applicable law.

12. Executed DPA

Enterprise customers may request a countersigned version of this DPA for their records. Contact privacy@onbordo.com or our sales team.