Data Processing Agreement
Version v1.0 · Last updated 17 May 2026
Parties
This Data Processing Agreement (“DPA”) is entered into between:
(1) The Client identified in Annex I (the “Client” or “Controller”), and
(2) Sodasoft LLC, a limited liability company organised under the laws of the State of Wyoming, United States, with its principal office at 30 N Gould St, Sheridan, Wyoming 82801, United States, operating the KICKFIND platform (“Sodasoft” or “Processor”),
each a “Party” and together the “Parties”.
Recitals
(A) The Client and Sodasoft have entered into, or intend to enter into, a commercial agreement under which Sodasoft provides the KICKFIND recruitment platform and related services (the “Principal Agreement”).
(B) In connection with the Principal Agreement, Sodasoft processes personal data on behalf of the Client and is a processor within the meaning of Regulation (EU) 2016/679 (the “GDPR”).
(C) The Parties wish to set out the terms on which Sodasoft will process personal data on behalf of the Client and to incorporate the Standard Contractual Clauses adopted under Commission Implementing Decision (EU) 2021/914, Module 2 (Controller to Processor) (the “SCCs”), where applicable.
(D) This DPA applies in addition to, and is incorporated into, the Principal Agreement. In the event of a conflict between this DPA and the Principal Agreement on a matter of personal-data processing, this DPA prevails.
1. Definitions
Terms used and not defined in this DPA have the meaning given in the GDPR. In addition:
- “Personal Data” means personal data (as defined in Article 4(1) GDPR) processed by Sodasoft on behalf of the Client in connection with the Principal Agreement.
- “Sub-processor” means any third party engaged by Sodasoft to process Personal Data on behalf of the Client.
- “Data Subject” means the natural person to whom Personal Data relates, including the Client's workspace users and the candidates the Client interacts with through KICKFIND.
- “Personal Data Breach” has the meaning given in Article 4(12) GDPR.
- “Restricted Transfer” means a transfer of Personal Data from the EEA to a country that is not the subject of an EU adequacy decision.
2. Subject matter and scope
Sodasoft will process Personal Data only on the documented instructions of the Client (which the Client's configuration and use of the KICKFIND platform constitute) and only for the purposes, and to the extent, set out in Annex I, except where required by applicable law to which Sodasoft is subject (in which case Sodasoft will inform the Client of that legal requirement before processing, unless prohibited by that law on important grounds of public interest).
3. Duration
This DPA takes effect on the later of (i) the date the last Party signs it or (ii) the effective date of the Principal Agreement, and continues for so long as Sodasoft processes Personal Data on behalf of the Client. Termination of the Principal Agreement does not terminate this DPA in respect of obligations relating to Personal Data already processed.
4. Processor obligations
Sodasoft will:
- (a) process Personal Data only on the Client's documented instructions, including with regard to transfers, unless required to do so by Union or member state law;
- (b) ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- (c) implement the technical and organisational measures set out in Annex II;
- (d) respect the conditions for engaging Sub-processors set out in clause 5;
- (e) taking into account the nature of the processing, assist the Client by appropriate technical and organisational measures for the fulfilment of the Client's obligation to respond to requests for exercising Data Subject rights (Chapter III GDPR);
- (f) assist the Client in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification and DPIA);
- (g) at the choice of the Client, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless storage is required by Union or member state law;
- (h) make available to the Client all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, as set out in clause 8.
5. Sub-processors
The Client gives Sodasoft general written authorisation to engage the Sub-processors listed in Annex III. Sodasoft may engage further Sub-processors subject to the following conditions:
- Sodasoft will inform the Client in writing (which may include via email to the workspace owner) of any intended addition or replacement of Sub-processors at least thirty (30) days before the change takes effect;
- During that period the Client may object to the change on reasonable grounds relating to the protection of Personal Data; if Sodasoft and the Client cannot agree a workaround, the Client may terminate the affected service without penalty;
- Sodasoft will impose by contract data-protection obligations on each Sub-processor that are no less onerous than those imposed on Sodasoft by this DPA;
- Sodasoft remains fully liable to the Client for the performance of each Sub-processor's obligations.
6. Personal Data Breach
Sodasoft will notify the Client of any Personal Data Breach affecting the Client's Personal Data without undue delay after becoming aware of it, and in any event within seventy-two (72) hours of becoming aware. The notification will at minimum describe:
- (a) the nature of the breach, including categories and approximate number of Data Subjects and records affected;
- (b) the name and contact details of Sodasoft's privacy contact;
- (c) the likely consequences of the breach;
- (d) the measures taken or proposed to address the breach and mitigate its effects.
Where information is not available within seventy-two (72) hours, Sodasoft will provide an initial notification within that period with what is known and supplement it without undue delay. Sodasoft will assist the Client with breach notifications to supervisory authorities under Article 33 GDPR and, where required, to Data Subjects under Article 34 GDPR.
7. International transfers
Where Sodasoft processes Personal Data outside the EEA, the Standard Contractual Clauses (SCCs) Module 2 (Controller to Processor), Commission Implementing Decision (EU) 2021/914, apply and are incorporated by reference into this DPA, with:
- The Client as the “data exporter”;
- Sodasoft as the “data importer”;
- The optional Clause 7 (docking clause) selected;
- Clause 9, option 2 (general written authorisation) selected with the 30-day notice period in clause 5 of this DPA;
- Clause 11(a) optional language not selected;
- The governing law for Clause 17 being the law of Ireland;
- The competent court for Clause 18 being the courts of Ireland;
- Annex I to the SCCs populated with the content of Annex I to this DPA;
- Annex II to the SCCs populated with the content of Annex II to this DPA;
- Annex III to the SCCs populated with the content of Annex III to this DPA.
Where Sodasoft uses Sub-processors that have self-certified under the EU-US Data Privacy Framework (DPF), the DPF supplements (but does not replace) the SCCs.
8. Audits
The Client may, once per calendar year and on at least thirty (30) days' written notice, audit Sodasoft's compliance with this DPA. Audits will be conducted remotely on the basis of evidence packages (security questionnaires, third-party audit reports where available, sub-processor lists) provided by Sodasoft. On-site audits are permitted by mutual agreement following a material Personal Data Breach demonstrably affecting the Client. The Client bears the cost of audits it initiates, save where the audit reveals a material non-compliance by Sodasoft, in which case Sodasoft bears the reasonable cost.
9. Assistance with Data Subject rights
Sodasoft will provide reasonable assistance to the Client to fulfil the Client's obligations to respond to Data Subject requests under Chapter III GDPR (access, rectification, erasure, restriction, objection, portability and rights related to automated processing). The KICKFIND platform provides Data Subject self-service tools that candidates can use directly. Where assistance from Sodasoft is nevertheless required, it will be provided within fifteen (15) business days, free of charge for reasonable volumes; manifestly excessive or repetitive requests may be charged at Sodasoft's then-current professional services rate.
10. Return or deletion of data
On termination or expiry of the Principal Agreement, Sodasoft will, at the Client's choice within thirty (30) days, either return all Personal Data to the Client in a commonly used machine-readable format or securely delete the Personal Data. Where Union or member state law requires Sodasoft to retain Personal Data (e.g. for accounting and tax records), Sodasoft will preserve it under appropriate security and confidentiality controls for the minimum period required and then delete it.
11. Liability
Liability arising from or in connection with this DPA is subject to the limitation-of-liability provisions of the Principal Agreement, save that nothing in this DPA or the Principal Agreement excludes or limits liability that cannot lawfully be excluded or limited, including liability for breach of GDPR by either Party to the extent the breach is attributable to that Party. Each Party is liable to Data Subjects for the damage it has caused by processing that infringes the GDPR (Article 82 GDPR).
12. Severability and survival
If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in force. The Parties' obligations in respect of Personal Data already processed survive termination.
Annex I — Parties and processing description
A. List of Parties
Data exporter (Controller): the Client identified in the executed signature block at the end of this DPA. Address, contact person, role and signature are recorded in the signature block.
Data importer (Processor): Sodasoft LLC, 30 N Gould St, Sheridan, Wyoming 82801, United States. Contact: privacy@kickfind.com. Role: Processor. Sodasoft acts as Processor in respect of Personal Data processed on the Client's instructions on the KICKFIND platform.
B. Description of processing
- Categories of Data Subjects: (i) the Client's workspace users (employees, contractors and authorised representatives of the Client who have a KICKFIND account); (ii) candidates the Client interacts with through KICKFIND (those submitted to the Client by Sodasoft and any candidates the Client uploads, references or adds to a shortlist).
- Categories of Personal Data: identification and contact data (name, email, phone); professional history (job titles, employers, dates, descriptions); profile URLs (LinkedIn, GitHub, portfolio); GRC role family, specialties, seniority, years of experience; salary expectations, currency, notice period and work preference; CVs, cover letters and supporting documents; screening-question answers; interview notes; feedback and decisions.
- Sensitive data: KICKFIND does not actively process special categories of personal data under Article 9 GDPR or criminal-records data under Article 10 GDPR. Incidental Article 9 data appearing in a CV is processed on the basis of the candidate's explicit consent for recruitment.
- Frequency of processing: continuous, for the duration of the Principal Agreement.
- Nature of processing: hosting, structuring, retrieval, retrieval-augmented AI generation (CV parsing, fit scoring, brief drafting), human review, communication via email, analytics, storage, deletion.
- Purpose of processing: operating the KICKFIND recruitment platform on behalf of the Client: sourcing, screening, shortlist composition, candidate-brief storage, interview tracking, feedback management, billing.
- Period of retention: as set out in the Privacy Policy section 10, summarised in Annex II of this DPA.
C. Competent supervisory authority
For the purposes of Clause 13 of the SCCs, the competent supervisory authority is the supervisory authority of the EU member state in which the Client is established. If the Client is not established in the EU but is subject to GDPR under Article 3(2) and has appointed a representative under Article 27 GDPR, the competent supervisory authority is that of the member state in which the representative is established. If the Client is subject to GDPR under Article 3(2) and has not appointed a representative, the competent supervisory authority is the Irish Data Protection Commission (DPC).
Annex II — Technical and organisational measures
1. Encryption
- TLS 1.2+ for all data in transit.
- Encryption at rest enforced by Supabase (Postgres) and Supabase Storage.
- HSTS preload-eligible header on all responses.
2. Confidentiality and access controls
- Row-Level Security policies enforce per-user access scope at the database layer.
- Three-account-type design (candidate, client, internal) with policy boundaries.
- Multi-factor authentication available on all account types via Supabase Auth.
- Least-privilege role design for Sodasoft staff.
- Service-role keys held in environment-secret stores; never client-side; rotated on staff departure.
- Full audit log of staff actions inside the admin console; 24-month retention.
3. Integrity and availability
- Daily automated backups of the primary database by Supabase.
- Point-in-time recovery available for the database.
- Geographically redundant edge delivery via Vercel.
- Defense-in-depth response headers: X-Content-Type-Options, X-Frame-Options DENY, Permissions-Policy, Referrer-Policy strict-origin-when-cross-origin, HSTS, CSP (deployed in Report-Only mode during rollout, i.e. violations are reported but not yet blocked).
4. Resilience and recovery
- Documented incident-response procedure with named on-call escalation.
- Recovery time objective (RTO): 4 hours for full restoration of the platform.
- Recovery point objective (RPO): less than 1 hour data loss for the primary database.
- Quarterly tabletop tests of incident-response procedure.
5. Pseudonymisation and minimisation
- Public job pages select only safe columns; internal columns are not returned to public surfaces.
- Audit logs reference user IDs rather than email addresses where practicable.
- Inactive candidate profiles anonymised after 24 months of inactivity.
6. Vulnerability management and secure development
- Continuous dependency vulnerability scanning; npm audit gate at build.
- Internal pentest pass before each major release; findings remediated before launch.
- Production deployments require type-check + build verification.
- All payment-handling code review-gated; no PAN data stored.
7. Personal Data Breach response
- Sodasoft notifies the Client of any Personal Data Breach affecting the Client's Personal Data within 72 hours of awareness.
- Sodasoft notifies the competent supervisory authority within 72 hours where Sodasoft is the controller (Article 33 GDPR).
- Sodasoft assists the Client with breach notification obligations under Article 33 and 34 GDPR.
8. Retention
- Active candidate profiles: while account is active.
- Inactive candidate profiles: 24 months from last activity, then anonymised or deleted.
- Client workspace data: while engagement is active + 36 months after last placement.
- Application records: 24 months for unsuccessful candidates; longer for placed candidates per the Principal Agreement.
- Invoices and payment records: 7-10 years per applicable tax law.
- Audit logs: 24 months.
Annex III — Sub-processors
As of the version date of this DPA, Sodasoft engages the following Sub-processors:
| Sub-processor | Service | Location | Safeguards |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage | EU (Frankfurt) primary | EU region (no Restricted Transfer) |
| Vercel Inc. | Application hosting, edge delivery | EU + global edge | SCCs Module 2 + EU-US DPF |
| Resend Inc. | Transactional email delivery | United States | SCCs Module 2 + EU-US DPF |
| Stripe Payments Europe Ltd | Payments processing | Ireland (EU) | EU (no Restricted Transfer) |
| Anthropic PBC | AI processing (CV parsing, scoring, drafts) | United States | SCCs Module 2 + zero data retention by API |
Material changes to the Sub-processor list are notified to the Client at least 30 days in advance, with a right to object on reasonable data-protection grounds as set out in clause 5 of this DPA.
Signature block
The Parties have agreed to this DPA by signature below. Counterparts and electronic signatures are valid.
For the Client (Controller)
Legal name: ______________________________
Address: ______________________________
Country: ______________________________
Signatory name: ______________________________
Signatory title: ______________________________
Email: ______________________________
Date: ______________________________
Signature: ______________________________
For Sodasoft LLC (Processor)
Legal name: Sodasoft LLC
Address: 30 N Gould St, Sheridan, WY 82801, United States
Country: United States
Signatory name: ______________________________
Signatory title: ______________________________
Email: privacy@kickfind.com
Date: ______________________________
Signature: ______________________________
To execute this DPA, download the PDF above, complete the Client signature block, sign and return by email to privacy@kickfind.com. Sodasoft will counter-sign and return the fully executed PDF within five business days. The DPA takes effect on the later of the two signature dates.
Related documents: Privacy policy, Terms of use, Candidate data notice.