Data Processing Agreement

Last updated: March 31, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Kit ("Processor", "we", "us") and the Customer ("Controller", "you") and governs the processing of personal data by Kit on behalf of the Customer.

This DPA is effective upon the earlier of (a) the Customer's acceptance of the Terms of Service, or (b) the Customer's first use of the Service. In the event of any conflict or inconsistency, the order of precedence shall be: (1) the applicable Standard Contractual Clauses; (2) this DPA; (3) the Terms of Service; (4) Kit's Privacy Policy. A countersigned copy of this DPA is available upon request for enterprise customers.

1. Definitions

In this DPA, the following terms have the meanings set out below. Terms not defined here have the meaning given to them in the GDPR or in the Terms of Service.

  • Customer Data means any personal data that Kit processes on behalf of the Customer in the course of providing the Service. This includes candidate and applicant data, hiring team member data, and communication data submitted to or generated within the platform.
  • Account Data means personal data relating to the Customer's relationship with Kit, including billing information, usage analytics, and account administration data. Kit is the controller of Account Data under its Privacy Policy.
  • Controller means the natural or legal person which determines the purposes and means of the processing of personal data (the Customer).
  • Processor means the natural or legal person which processes personal data on behalf of the Controller (Kit).
  • Sub-processor means any third party engaged by the Processor to process Customer Data.
  • Data Subject means the identified or identifiable natural person to whom personal data relates.
  • GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
  • UK GDPR means the GDPR as incorporated into United Kingdom law by the Data Protection Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
  • Swiss FADP means the Swiss Federal Act on Data Protection (as revised 25 September 2020). References to "GDPR" in this DPA include, where applicable, the UK GDPR and the Swiss FADP.
  • Personal Data, Processing, Personal Data Breach, and Supervisory Authority have the meanings given to them in Article 4 of the GDPR.
  • SCCs means the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission Decision 2021/914.
  • Data Protection Laws means the GDPR, the UK GDPR, the Swiss FADP, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), and any other applicable data protection or privacy legislation.

2. Roles of the Parties

The parties acknowledge and agree that:

  • With respect to Customer Data, the Customer is the Controller and Kit is the Processor. This DPA governs Kit's processing of Customer Data.
  • With respect to Account Data, Kit is an independent Controller and processes such data in accordance with its Privacy Policy.

This distinction ensures clarity: your candidates' and applicants' personal data is processed solely under your instructions, while Kit independently manages the data necessary to maintain your account and provide the Service.

3. Scope and Purpose of Processing

Kit processes Customer Data solely for the purpose of providing the applicant tracking and recruitment management service as described in the Terms of Service and as further specified in Annex 1. Kit shall:

  • Process Customer Data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by European Union or Member State law to which the Processor is subject (Article 28(3)(a) GDPR).
  • Immediately inform the Controller if, in Kit's opinion, an instruction infringes the GDPR or other applicable data protection provisions.

3.1 California and US State Privacy Laws

To the extent the California Consumer Privacy Act (CCPA) or other US state privacy laws apply to Kit's processing of Customer Data, Kit acts as a "service provider" (CCPA) or "processor" (as defined under applicable state law). Kit shall not sell or share Customer Data, and shall not retain, use, or disclose Customer Data except as necessary to provide the Service or as otherwise permitted under applicable law.

4. Confidentiality

Kit ensures that persons authorised to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b) GDPR).

5. Security Measures

Kit implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures are described in detail in Annex 2 and include, among others:

  • Encryption of personal data in transit (TLS 1.2+) and at rest
  • Multi-tenant data isolation through account-scoped database queries
  • Role-based access control within employer accounts
  • Application-level encryption of sensitive fields (Active Record Encryption)
  • EU-resident infrastructure (Hetzner Cloud, Nuremberg, Germany)
  • Regular security scanning and vulnerability management

Kit regularly reviews and updates these measures to maintain an appropriate level of protection. Measures described herein are consistent with industry-standard security practices; specific certifications, where obtained, will be referenced in Annex 2.

6. Sub-processors

6.1 General Authorisation

The Controller provides general written authorisation for Kit to engage Sub-processors to process Customer Data, subject to the conditions set out in this Section 6 (Article 28(2) GDPR).

6.2 Current Sub-processors

The current list of Sub-processors is set out in Annex 3. The Controller acknowledges and approves the Sub-processors listed therein as of the effective date of this DPA.

6.3 Notification of Changes

Kit will notify the Controller by email at least 30 days before engaging a new Sub-processor or replacing an existing one. The notification will identify the Sub-processor, its location, and the processing activities to be performed.

6.4 Objection Right

The Controller may object to the appointment of a new Sub-processor within 15 days of receiving notification by providing written notice to Kit with reasonable grounds for the objection. If Kit cannot reasonably accommodate the objection, the Controller may terminate the affected Service by providing written notice to Kit.

6.5 Sub-processor Obligations

Kit imposes on each Sub-processor, by way of contract, data protection obligations no less protective than those set out in this DPA (Article 28(4) GDPR). Kit remains fully liable for the performance of each Sub-processor's obligations.

6.6 Customer-Designated Processors

Where the Customer configures integrations with third-party services using their own credentials or API keys (such as AI providers under a bring-your-own-key arrangement), these providers are Customer-Designated Processors. Kit facilitates the technical integration but does not select, control, or contract with these providers. The Customer is responsible for ensuring that their own agreement with such providers meets applicable data protection requirements.

7. Data Subject Rights

Kit assists the Controller, by appropriate technical and organisational measures and insofar as possible, in fulfilling the Controller's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR (Article 28(3)(e) GDPR). These rights include the right of access, rectification, erasure, restriction of processing, data portability, and objection.

Kit provides the following platform features to support the Controller in responding to such requests:

  • Data export functionality for individual candidate records and account-wide exports
  • Candidate data deletion and anonymisation tools
  • Configurable data retention periods with automated expiry
  • Consent management with renewal and withdrawal tracking

Kit does not respond directly to Data Subject requests. Candidates and applicants should direct their requests to the Controller (the employer). Kit will promptly notify the Controller if Kit receives a request from a Data Subject directly.

8. International Data Transfers

Kit's primary infrastructure is located in the European Union (Hetzner Cloud, Nuremberg, Germany). Customer Data is stored and processed within the EU by default.

8.1 Transfer Mechanisms

Where Sub-processors are located outside the European Economic Area (EEA), Kit ensures that appropriate safeguards are in place for the transfer of personal data, including:

  • EU-US Data Privacy Framework (DPF): Where the Sub-processor is DPF-certified.
  • Standard Contractual Clauses (SCCs): The 2021 SCCs (Commission Decision 2021/914) are incorporated by reference where applicable.
  • Adequacy decisions: Where the European Commission has recognised the third country as providing adequate protection.

The specific transfer mechanism for each Sub-processor is identified in Annex 3.

8.2 SCC Module Selection

Where SCCs apply, the following modules are used:

  • Module 2 (Controller to Processor): Applies between the Customer (as Controller) and Kit where the Customer is established in the EEA and Kit processes Customer Data outside the EEA.
  • Module 3 (Processor to Sub-processor): Applies between Kit and its non-EEA Sub-processors listed in Annex 3.

For both modules: Clause 7 (docking clause) is included; Clause 9(a) Option 2 (general written authorisation) is selected; Clause 17 Option 1 (governing law of an EU Member State) is selected, with the law of Ireland governing.

8.3 UK and Swiss Transfers

For transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU SCCs (issued by the UK Information Commissioner's Office) applies. For transfers subject to the Swiss FADP, the SCCs apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner.

8.4 Supplementary Measures

Kit has conducted transfer impact assessments for each non-EEA Sub-processor. As of the date of this DPA, Kit has not received any government access requests for Customer Data. Kit commits to challenging any government access request that it reasonably considers to be unlawful or disproportionate, and to notifying the Controller unless legally prohibited from doing so.

9. Data Breach Notification

Kit shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Customer Data (Article 28(3)(f) and Article 33 GDPR). The notification shall include:

  • A description of the nature of the breach, including where possible the categories and approximate number of Data Subjects and records concerned
  • The name and contact details of Kit's point of contact for further information
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

Kit shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

10. Data Protection Impact Assessments

Kit shall provide reasonable assistance to the Controller with data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Articles 35 and 36 of the GDPR, taking into account the nature of processing and the information available to Kit (Article 28(3)(f) GDPR).

11. Audit Rights

Kit makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller (Article 28(3)(h) GDPR).

Audits are subject to the following conditions:

  • The Controller shall provide at least 30 days' written notice of an audit request
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt Kit's operations
  • The Controller shall bear its own costs associated with the audit
  • Audits are limited to once per twelve-month period, unless a Personal Data Breach has occurred or a Supervisory Authority requires an additional audit
  • Kit may satisfy audit requests by providing relevant documentation, security reports, penetration test summaries, or third-party audit reports where available

Kit maintains records of processing activities carried out on behalf of the Controller in accordance with Article 30(2) of the GDPR and retains such records for at least three (3) years.

12. Duration, Deletion and Return of Data

Kit processes Customer Data for the duration of the Terms of Service. Upon termination or expiry of the Terms of Service:

  • Kit provides a 30-day window during which the Controller may export all Customer Data using the platform's data export functionality
  • After the export window, Kit deletes all Customer Data from its systems, including from backup systems, within a reasonable timeframe unless European Union or Member State law requires further storage (Article 28(3)(g) GDPR)
  • The Controller may request deletion of specific Customer Data at any time during the term of the agreement using the platform's deletion and anonymisation tools

Anonymised and aggregated data that can no longer be attributed to a Data Subject does not constitute personal data and may be retained by Kit for product improvement and analytics purposes.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. The Processor's total aggregate liability arising out of or in connection with this DPA shall not exceed the total fees paid by the Controller to the Processor in the twelve (12) months preceding the event giving rise to the claim.

14. Governing Law

This DPA is governed by the same law that governs the Terms of Service, without regard to conflict of laws principles. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction specified in the Terms of Service.

15. Contact

For questions or requests relating to this DPA, please contact us at [email protected].


Annex 1: Processing Details

Categories of Data Subjects

  • Job candidates and applicants
  • Employer users (hiring team members, recruiters, administrators)
  • Interviewers and reviewers

Categories of Personal Data

  • Identity data: name, email address, phone number, profile photo
  • Application data: resume/CV, cover letter, application form responses, portfolio materials
  • Assessment data: interview notes, evaluation scores, review comments, code assignment submissions
  • Communication data: email correspondence, internal notes, Slack channel messages (where integrated)
  • Employment-related data: current employer, job title, LinkedIn profile, work history
  • Technical data: IP address (encrypted), browser/device information for consent records
  • Documents and attachments: uploaded files associated with applications

Special Categories of Data

Kit does not intentionally collect special categories of personal data (Article 9 GDPR). However, resumes and application materials submitted by candidates may incidentally contain such data (e.g., disability status, ethnicity, religious affiliation). The Controller is responsible for ensuring a lawful basis exists for processing any special category data that may be contained within candidate submissions.

Purpose of Processing

Recruitment and applicant tracking management on behalf of the Controller, including: receiving and storing applications, managing hiring pipelines, facilitating candidate evaluation and team collaboration, scheduling interviews, managing offers, and related recruitment workflows.

Duration of Processing

For the term of the agreement between the Controller and Kit, plus the post-termination deletion window described in Section 12. The Controller may configure shorter retention periods within the platform, which Kit will enforce automatically.


Annex 2: Technical and Organisational Measures

Kit implements the following measures in accordance with Article 32 of the GDPR:

Encryption

  • All data in transit is encrypted using TLS 1.2 or higher
  • Sensitive personal data fields are encrypted at the application level using Active Record Encryption (deterministic and non-deterministic encryption as appropriate)
  • Database backups are encrypted

Access Control

  • Multi-tenant data isolation enforced at the database query level (account-scoped queries)
  • Role-based access control within each employer account (owner, admin, member roles)
  • Authentication via secure session management with configurable multi-factor authentication
  • API access controlled via scoped API tokens with granular permissions

Infrastructure Security

  • All infrastructure hosted within the European Union (Hetzner Cloud, Nuremberg, Germany, datacenter nbg1-dc3)
  • Database traffic isolated on a private network with no public internet exposure
  • DDoS protection and web application firewall via Cloudflare
  • Regular automated security scanning (Brakeman for Rails vulnerabilities, bundler-audit for gem vulnerabilities, importmap audit for JavaScript dependencies)

Data Minimisation and Retention

  • Configurable data retention periods per employer account
  • Automated anonymisation of candidate records upon consent expiry
  • Consent management with audit trail (timestamped, IP-logged consent records)
  • Comprehensive data export functionality for data portability

Incident Response

  • Error monitoring and alerting (Sentry)
  • Automated uptime monitoring with public status page
  • Defined incident response procedures including breach notification workflows

Organisational Measures

  • Confidentiality obligations for all personnel with access to personal data
  • Principle of least privilege for system access
  • Regular review of access permissions

Annex 3: Sub-processor List

The following Sub-processors are authorised to process Customer Data as of the date shown at the top of this DPA:

  • Hetzner Online GmbH. Purpose: Infrastructure hosting, compute, load balancing, S3-compatible object storage. Location: Nuremberg, Germany (EU). Transfer mechanism: N/A (EU); Hetzner DPA.
  • Cloudflare, Inc. Purpose: CDN, DNS, DDoS protection, web application firewall. Location: Global (EU processing available). Transfer mechanism: DPF + SCCs; Cloudflare DPA.
  • Stripe, Inc. Purpose: Payment processing. Location: United States. Transfer mechanism: DPF + SCCs; Stripe DPA.
  • Functional Software, Inc. (Sentry). Purpose: Error monitoring and performance tracking. Location: United States. Transfer mechanism: DPF + SCCs; Sentry DPA.

Customer-Designated Processors

The following integrations are activated and configured by the Customer using their own credentials. Kit facilitates the technical connection but does not select or contract with these providers:

  • AI providers (BYOK). Purpose: AI-assisted features (e.g., candidate evaluation, content generation) when activated by the Customer. Customer responsibility: The Customer is responsible for their own data processing agreement with their chosen AI provider. Kit does not send candidate personal data to AI providers unless explicitly initiated by the Customer.
  • Slack. Purpose: Candidate channel notifications and team collaboration (when connected by the Customer). Customer responsibility: The Customer is responsible for their own agreement with Slack/Salesforce.
  • GitHub. Purpose: Code assignment repository management (when connected by the Customer). Customer responsibility: The Customer is responsible for their own agreement with GitHub/Microsoft.

To receive notifications about changes to this Sub-processor list, please contact [email protected].