Agency Data Processing Addendum
Effective date: 31 May 2026
1. Scope and Parties
This Data Processing Addendum forms part of the Agency Terms where SyncCV processes personal data on behalf of a Customer through SyncCV Agency.
The Customer is the controller of Customer-controlled personal data. SyncCV is the processor for that data when processing it to provide SyncCV Agency on the Customer's documented instructions.
This Addendum is intended to satisfy the written contract requirements for controller-to-processor processing under Article 28 of the UK GDPR.
2. Processing Instructions
SyncCV will process Customer-controlled personal data only on the Customer's documented instructions, including these Terms, product settings, workspace actions, support requests, and written instructions accepted by SyncCV.
SyncCV may process personal data where required by UK law, court, regulator, or public authority. Where legally permitted, SyncCV will notify the Customer before doing so.
SyncCV will tell the Customer if, in SyncCV's opinion, an instruction infringes applicable data protection law.
3. Processing Details
- Subject matter: AI-assisted drafting, privacy checking, formatting, storage, download, support, and administration of agency candidate CV workflows.
- Duration: for the term of the Customer's use of SyncCV Agency and any post-termination retention required for deletion, backup, legal, billing, security, or dispute purposes.
- Nature and purpose: hosting, extracting, redacting, transforming, generating, displaying, storing, securing, troubleshooting, and supporting Customer-controlled documents and outputs.
- Data subjects: candidates, agency users, client contacts included in role briefs, referees or third parties included in CVs, and other individuals whose data is supplied by the Customer.
- Categories of data: CV content, work history, education, skills, qualifications, role briefs, candidate references, contact details where supplied, identifiers, professional information, generated outputs, usage metadata, and support information.
- Sensitive data: special-category or criminal-offence data may appear if uploaded by the Customer, but the service is not intended for unnecessary sensitive-data processing.
4. Confidentiality
SyncCV will ensure that personnel authorised to process Customer-controlled personal data are subject to appropriate confidentiality obligations or statutory duties of confidence.
5. Security Measures
SyncCV will implement appropriate technical and organisational measures designed to protect Customer-controlled personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.
Measures may include encrypted transport, provider-managed encryption at rest, access controls, authentication controls, least-privilege administrative access, server-side ownership checks, logging, secure deployment practices, and incident investigation procedures.
The Customer remains responsible for configuring access appropriately, limiting authorised users, maintaining secure credentials, and reviewing outputs before disclosure.
6. Sub-Processors
The Customer gives SyncCV general written authorisation to use sub-processors needed to provide, secure, support, and improve SyncCV Agency.
Current categories may include hosting and deployment, cloud storage, authentication, AI processing, payment, email, monitoring, logging, analytics, support, and security providers.
SyncCV will impose data protection obligations on sub-processors that provide an equivalent level of protection for Customer-controlled personal data. SyncCV remains responsible to the Customer for sub-processor performance of those obligations.
SyncCV may update sub-processors from time to time. Where required, SyncCV will provide notice of material changes and a reasonable opportunity to object on data protection grounds.
7. International Transfers
Where SyncCV or its sub-processors make restricted transfers of Customer-controlled personal data outside the United Kingdom, SyncCV will use a lawful transfer mechanism such as UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, approved provider transfer terms, or another lawful mechanism.
8. Assistance With Controller Obligations
Taking into account the nature of processing and information available to SyncCV, SyncCV will provide reasonable assistance to the Customer with data subject rights requests, security obligations, breach notifications, data protection impact assessments, and prior consultation requirements where required by UK data protection law.
The Customer is responsible for determining whether a DPIA is required for its recruitment use of SyncCV Agency and for documenting its lawful basis, transparency approach, fairness controls, and human review process.
9. Personal Data Breach
SyncCV will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer-controlled personal data processed by SyncCV.
The notice will include available information reasonably required by the Customer to meet its own breach assessment and notification obligations. SyncCV may provide information in phases as investigation continues.
10. Deletion or Return
On termination or written request, SyncCV will delete or return Customer-controlled personal data where technically feasible and unless retention is required by law, billing, security, backup, dispute, or legitimate business reasons.
Backups and logs may retain limited data for a period before ordinary deletion cycles complete, subject to access controls and continued protection.
11. Audit and Information
SyncCV will make available information reasonably necessary to demonstrate compliance with this Addendum, subject to confidentiality, security, legal privilege, trade secret, and third-party restrictions.
Audits must be reasonable, proportionate, non-disruptive, limited to the Customer's data, and preceded by written notice. SyncCV may satisfy audit requests through security summaries, policies, certifications, provider reports, or written responses where appropriate.
12. Customer Obligations
- Maintain a lawful basis for candidate processing and provide transparent candidate privacy information.
- Ensure uploaded data is necessary, proportionate, accurate, and limited to the recruitment purpose.
- Avoid uploading unnecessary special-category, criminal-offence, financial, or identity-document data.
- Use human review before sharing generated outputs or making decisions affecting candidates.
- Control user access, remove leavers, and report suspected incidents promptly.