1. Introduction
This Data Processing Addendum ("DPA") is incorporated by reference into the Terms of Service between CyberHire Limited ("CyberHire", "Processor") and the Customer ("Controller"). It governs the processing of Personal Data that CyberHire carries out on the Controller's behalf in connection with the CyberHire platform.
This DPA is drafted to satisfy the requirements of Article 28 of the UK GDPR and the Data Protection Act 2018. Where the Controller processes personal data subject to the EU GDPR, this DPA applies with the equivalent EU provisions treated as incorporated, and the EU Commission's Standard Contractual Clauses (where relevant) take precedence over any conflicting term.
By accepting the Terms of Service, the Controller accepts this DPA. No signed copy is required; however, CyberHire will provide a countersigned copy on request to legal@cyber-hire.com.
2. Definitions
Terms defined in the Terms of Service have the same meaning here. "Controller", "Processor", "Personal Data", "Data Subject", "Processing", "Personal Data Breach", "Special Category Data", "Supervisory Authority" have the meanings given in the UK GDPR.
"Sub-processor" means a third party engaged by CyberHire to process Personal Data in connection with the platform.
3. Subject-matter and duration
The subject-matter of the processing is the operation of the CyberHire technical screening platform. The duration is the Subscription Term, extended by (a) the 30-day post-termination data-export window and (b) any further period required for CyberHire to comply with a legal retention obligation or to delete the data from back-ups in the ordinary course.
4. Nature, purpose and categories
4.1 Nature and purpose
CyberHire processes Personal Data as a Processor to provide the platform to the Controller: hosting accounts, delivering assessment invitations, running challenges, capturing integrity signals, generating AI-assisted content at the Controller's request, and producing result reports. Details of processing activities are set out in Annex I.
4.2 Data subjects
- The Controller's Admin Users;
- Candidates invited by the Controller.
4.3 Categories of Personal Data
- Identity data: name, email, optional profile picture;
- Authentication data: password hashes, MFA secrets (encrypted);
- Professional data: company association, job title, role context provided to an Assessment;
- Assessment data: answers, scores, timestamps, commands issued inside challenge VMs;
- Integrity signals: tab switches, paste events, screen count, browser fingerprint, session events (see Annex I and the Candidate Privacy Notice);
- Webcam snapshots (if the Controller enables Proctor mode and the Candidate consents);
- Technical data: IP address, User-Agent, approximate geolocation (country / city level, from an offline database);
- Audit logs: login events, admin actions, impersonation sessions.
4.4 Special Category Data
CyberHire does not seek or require Special Category Data. Webcam snapshots may incidentally contain personal characteristics that could be considered Special Category Data if used to infer race, health or similar; CyberHire does not perform such inference. The Controller must not upload or otherwise submit Special Category Data to the platform other than webcam snapshots necessary for Proctor mode, and warrants that where Proctor mode is used, it has a valid Article 9 UK GDPR condition for any incidental processing.
5. Controller and Processor obligations
5.1 Controller
The Controller represents and warrants that:
- It has a valid lawful basis under Article 6 UK GDPR (and Article 9 where applicable) for the processing it instructs;
- Its instructions to CyberHire comply with data-protection law;
- It has provided appropriate privacy information to Data Subjects, including the information in the Candidate Privacy Notice and any additional information its own processing requires;
- Where Proctor mode is used, the Controller has obtained any required consent from the Candidate and has offered a reasonable alternative to Candidates who decline.
5.2 Processor
CyberHire will:
- Process Personal Data only on the Controller's documented instructions, including those set out in the Terms of Service, this DPA, and the Controller's configuration of the platform (choice of Plan, integrity mode, challenge selection, etc.);
- Ensure that personnel authorised to process Personal Data are bound by confidentiality obligations;
- Implement the technical and organisational measures set out in Annex II;
- Assist the Controller, taking into account the nature of the processing and the information available, in fulfilling its obligations under Articles 32 to 36 UK GDPR (security, breach notification, data-protection impact assessments, prior consultation);
- At the Controller's choice, delete or return all Personal Data after the end of the provision of services, and delete copies unless retention is required by law;
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 UK GDPR, and allow for and contribute to audits under section 10 below.
CyberHire will inform the Controller immediately if, in its opinion, an instruction infringes the UK GDPR or other data-protection law.
6. Data Subject rights
CyberHire will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as is possible, to fulfil Data Subject rights requests under Chapter III UK GDPR.
If CyberHire receives a Data Subject request directed at the Controller's data, CyberHire will not respond directly unless authorised in writing to do so. CyberHire will:
- Forward the request to the Controller without undue delay;
- Not disclose the Personal Data in response without the Controller's instruction;
- Where appropriate, help the Controller identify, export, or delete the relevant data via the platform's built-in tools or, where those tools are insufficient, by reasonable manual assistance.
7. Security
CyberHire will implement and maintain the technical and organisational measures set out in Annex II. CyberHire may update those measures from time to time provided that the overall level of protection does not decrease. Material reductions in the level of protection will be notified in advance to the Controller.
8. Personal Data Breach
In the event of a Personal Data Breach affecting the Controller's Personal Data, CyberHire will:
- Notify the Controller without undue delay, and in any event within 72 hours of becoming aware;
- Provide the information required under Article 33(3) UK GDPR (nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed);
- Cooperate with the Controller in its investigation, mitigation, and any required notification to the Supervisory Authority or Data Subjects.
CyberHire's notification is not an admission of fault or liability. The obligation to notify the Information Commissioner's Office (and, where required, Data Subjects) remains with the Controller as the decision-maker.
9. Sub-processors
9.1 Prior authorisation
The Controller gives CyberHire general written authorisation to engage Sub-processors for the processing of Personal Data, subject to this section.
9.2 Current list
The current list of Sub-processors, including names, services and processing locations, is maintained at Sub-processors.
9.3 Contract
CyberHire will impose on each Sub-processor contractual obligations equivalent to those in this DPA (in particular, Article 28 UK GDPR terms), and will remain fully liable to the Controller for the performance of each Sub-processor's obligations.
9.4 Changes
CyberHire will give the Controller at least 30 days' advance notice of the intended addition or replacement of a Sub-processor. The Controller may object on reasonable data-protection grounds, in which case the parties will work in good faith to agree a resolution. If no resolution can be reached within 30 days of the objection, the Controller may terminate the affected Subscription Term and receive a pro-rated refund of any Fees prepaid for the unused portion. Objection is the Controller's sole remedy in these circumstances.
10. Audits
CyberHire will, on reasonable prior written request (not more than once in any 12-month period unless required by law or following a Personal Data Breach), make available to the Controller:
- The most recent independent audit or certification reports CyberHire holds (e.g. penetration-test summaries, SOC 2, ISO 27001), to the extent CyberHire holds any such report at the relevant time; and
- Written answers to reasonable audit questions.
On-site audits may be arranged where the Controller reasonably determines that the above is insufficient, on 60 days' prior written notice, at the Controller's cost, during business hours, and subject to CyberHire's security and confidentiality requirements. CyberHire may charge its reasonable costs for on-site audits.
11. International transfers
Where CyberHire transfers Personal Data outside the United Kingdom, it relies on one or more of the following safeguards:
- A UK adequacy regulation covering the receiving jurisdiction;
- The UK International Data Transfer Agreement (IDTA);
- The UK Addendum to the EU Standard Contractual Clauses;
- The EU-US Data Privacy Framework and its UK Extension, where the recipient is certified.
The Controller authorises CyberHire to execute the relevant transfer mechanism with each Sub-processor on the Controller's behalf where this is the most practical route.
12. Deletion / return on termination
On termination or expiry of the Terms of Service, and subject to the Controller's choice:
- Within the 30-day post-termination export window stated in the Terms of Service, the Controller may request export of its Personal Data in a machine-readable format;
- After that window, CyberHire will delete Personal Data from live systems within 30 days and from back-ups within the ordinary back-up cycle (maximum 90 days);
- Where retention is required by law, CyberHire will retain the minimum necessary and apply access restrictions.
13. Liability
Each party's liability under this DPA is subject to the limits set out in section 12 of the Terms of Service. Nothing in this DPA excludes or limits a party's liability for breach of UK GDPR that cannot be excluded under law.
14. Conflicts
In the event of conflict between this DPA and the Terms of Service, this DPA governs matters concerning data protection.
15. Governing law
This DPA is governed by the laws of England and Wales and subject to the jurisdiction clause in the Terms of Service.
Annex I - Processing details
A. Categories of Data Subjects
- The Controller's Admin Users;
- Candidates invited by the Controller.
B. Categories of Personal Data
See section 4.3 of this DPA.
C. Nature and purpose of processing
- Hosting and maintenance of Controller accounts and Admin User access;
- Sending invitation and notification emails;
- Provisioning ephemeral Linux challenge environments;
- Capturing integrity signals during Assessments in accordance with the mode selected by the Controller;
- Scoring, report generation, and export;
- AI-assisted Challenge generation on Controller request, with the prompt (which may include Controller-provided job specs) processed by Anthropic;
- Platform security, fraud detection, and abuse prevention;
- Storage, retention, export, and deletion.
D. Frequency
Continuous for the duration of the Subscription Term.
E. Duration
As set out in section 3 of this DPA.
Annex II - Technical and organisational measures
CyberHire applies the following technical and organisational measures. Details may evolve without decreasing the overall level of protection. A summary follows; we will provide more detail on request under section 10.
A. Access control and authentication
- Passwords stored as bcrypt hashes;
- Optional multi-factor authentication (TOTP) for all accounts;
- SSO via Google and Microsoft, using OAuth 2.0 and OpenID Connect;
- Role-based access control; principle of least privilege;
- Administrative access restricted to named personnel; support-operator impersonation sessions are time-limited and fully audit-logged;
- Session timeouts and bot protection on authentication endpoints.
B. Encryption
- TLS 1.2 or above for all data in transit;
- Encryption at rest for production databases and file storage (managed by our infrastructure providers);
- MFA secrets encrypted at rest with keys separated from the primary datastore.
C. Segregation and tenancy
- Customer data is logically segregated by tenant identifier in every collection;
- Challenge environments run in dedicated ephemeral VMs provisioned per Candidate attempt and destroyed on completion;
- No cross-tenant data sharing.
D. Integrity and availability
- Automated regular back-ups of primary databases;
- Multi-machine deployment for the admin API with rolling-deploy capability;
- Health checks on every deployment; automatic rollback on failure.
E. Monitoring and logging
- Structured application logs covering authentication, administrative actions, impersonation sessions and integrity signals;
- Retention of audit logs for at least 24 months;
- Log review processes for security-relevant events.
F. Vulnerability and change management
- Dependency-vulnerability scanning as part of our CI pipeline;
- Peer code review for changes to security-relevant surfaces;
- Periodic penetration testing (frequency and scope depend on platform maturity at the relevant time).
G. People
- Confidentiality obligations in every personnel contract;
- Security awareness training for personnel with access to production data;
- Prompt revocation of access on role change or departure.
H. Incident response
- Documented incident-response procedure;
- Internal 72-hour notification commitment aligned with section 8 of this DPA;
- Post-incident review and corrective-action tracking.
I. Sub-processor controls
- Written DPAs with all Sub-processors including Article 28 UK GDPR terms and equivalent TOMs;
- Transfer mechanisms for any Sub-processor outside the UK;
- Public list of Sub-processors maintained at cyber-hire.com/legal/sub-processors.