Legal

Data Processing Agreement (DPA)

For candidate data the customer is the data controller and Candit is the data processor. This agreement sets out the parties' data protection obligations.

1. Parties and Roles

This Data Processing Agreement (DPA) is entered into between the employer customer using Candit and Selenly LLC ("Candit"), the operator of the platform. For candidate and prospective-candidate personal data, the Customer is the data controller and Candit is the data processor. For processing carried out for Candit's own purposes — platform security, logging, fraud prevention — Candit acts as an independent controller.

2. Subject Matter and Scope

Candit processes candidate personal data only on the Customer's documented instructions and for the purpose of providing the service. Candidate data is not used to train models or products.

3. Candit's Obligations (Processor)

Processing on instructions only; confidentiality commitments for personnel; appropriate technical and organisational security measures; notifying the Customer without undue delay (at the latest within 72 hours) after becoming aware of a data breach; assisting with data subject requests; and deleting or returning personal data at the end of the agreement.

4. Customer's Obligations (Controller)

The Customer is responsible for establishing the legal basis for processing candidate data, providing privacy notices and obtaining any required consents, ensuring the lawfulness of the instructions given to Candit, and entering the correct data controller identity in the platform settings.

5. Subprocessors

The Customer grants general authorisation for the following subprocessors used to deliver the service: Supabase (database and storage), OpenAI and Anthropic (AI-assisted evaluation), ElevenLabs (voice interviews), Resend (email), Stripe (payments; no candidate data is transferred) and Google (opt-in calendar). Subprocessor changes are notified within a reasonable period in advance; the Customer may object on justified grounds.

6. International Transfers

The production infrastructure is hosted in the United States; transfers are carried out with appropriate safeguards under applicable data protection law, such as standard contractual clauses. Consent alone is not relied upon as the basis for systematic transfers.

7. Data Security

Encryption in transit (TLS), role-based access control and additional verification for administrator sign-in, audit trails, security event monitoring, tenant isolation and at-rest encryption of sensitive credentials are applied.

8. Retention and Deletion

Voice interview recordings are retained for a maximum of 180 days and talent pool records for a maximum of 2 years, after which they are automatically deleted. Relevant data is also deleted upon the data subject's request.

9. Data Subject Rights

Data subjects may exercise their rights through the channels provided by the Customer or by contacting destek@candit.ai. Candit provides the Customer with technical assistance in fulfilling these requests.

10. Effect and Governing Law

This DPA enters into force upon the Customer's acceptance when creating an account or using the service and forms an integral part of the service agreement. It is governed by the applicable law agreed between the parties in the service agreement, together with the data protection law applicable to the processing.