Data Processing Agreement
Effective Date: 19th February 2026
This Data Processing Agreement ("DPA") is entered into between you (the "Controller") and Itinair Ltd, trading as Ansius ("Processor"), and governs the processing of candidate personal data when you use Ansius Hirewall to post jobs, receive applications, and manage candidates.
Important: Ansius hosts public job pages on its platform where candidates can view and apply for your jobs. When candidates apply through these public pages, Ansius acts as a joint controller for the initial collection of candidate data (as Ansius hosts the pages and collects the data), and then processes that data on your behalf as Processor. This DPA governs Ansius's role as Processor when processing candidate data for your recruitment purposes. Ansius's role as Controller for public job pages is addressed in the Ansius Privacy Policy.
By using Ansius Hirewall for recruitment or applicant processing, you agree to this DPA. This DPA is part of and supplements the Ansius Terms of Service and Privacy Policy.
1. Definitions
- Controller: The recruiter, employer, or organization that determines the purposes and means of processing candidate personal data and uses Ansius to process that data.
- Processor: Itinair Ltd (Ansius), which processes personal data on behalf of the Controller.
- Personal Data: Any information relating to an identified or identifiable natural person (candidate or user) processed via Ansius.
- Processing: Any operation performed on Personal Data (e.g. collection, storage, analysis, disclosure).
- Data Subject: The natural person to whom the Personal Data relates (e.g. job applicants, candidates).
- GDPR: Regulation (EU) 2016/679 (General Data Protection Regulation) and, where applicable, equivalent national or regional laws.
- Sub-Processor: A third party engaged by the Processor to process Personal Data on the Processor's behalf.
2. Roles and Responsibilities
Controller Responsibilities: You (the employer/recruiter) are the Controller of candidate personal data for recruitment and hiring purposes. You are responsible for:
- Ensuring you have a valid legal basis for processing candidate data (e.g., legitimate interest in evaluating candidates, contract if offering a position)
- Providing candidates with appropriate privacy notices about how you process their data (in addition to Ansius's Privacy Policy)
- Determining which candidate data is processed and for what recruitment purposes
- Ensuring your use of Hirewall and instructions to Ansius comply with applicable data protection law
- Responding to data subject rights requests from candidates regarding your use of their data
Processor Responsibilities: Ansius processes candidate Personal Data on your behalf as Processor. Ansius processes data only on your documented instructions (including through your use of Hirewall) and in accordance with this DPA and applicable law.
Joint Controllership: When candidates apply through Ansius public job pages, Ansius also acts as Controller for hosting the pages and initial data collection. This joint controllership is addressed in Ansius's Privacy Policy. Once data is collected, Ansius processes it on your behalf as Processor in accordance with this DPA.
3. Subject Matter and Duration
The subject matter of this DPA is the processing of Personal Data by the Processor in connection with the provision of Ansius Hirewall services, including:
- Job posting and publication on public job pages
- Receiving and processing candidate applications submitted through public job pages or other channels
- CV analysis, match scoring, and requirement matching
- Applicant management, status tracking, and workflow management
- Candidate communication and feedback delivery
- Data storage, retrieval, and reporting for recruitment purposes
The duration of processing is for the term during which the Controller uses Ansius Hirewall and until all Personal Data has been deleted or returned in accordance with this DPA.
4. Nature and Purpose of Processing
The Processor processes Personal Data for the following purposes:
- Hosting and displaying job postings on public job pages accessible to candidates without authentication
- Receiving and processing candidate applications submitted through public job pages or other application channels
- Analyzing CVs against job requirements and generating match scores
- Extracting and structuring candidate information from CVs
- Storing applications, CVs, analysis results, and related metadata
- Enabling the Controller to manage applicants, jobs, and hiring workflows through the Hirewall dashboard
- Providing automated candidate feedback and status updates
- Providing authentication, account management, and support for the Controller's users
- Operating, securing, and improving the Hirewall service in accordance with the Terms of Service and Privacy Policy
5. Types of Personal Data and Categories of Data Subjects
Types of Personal Data
- Candidate data: name, email, phone, address, LinkedIn profile, CV content, CV files (e.g. PDF, DOCX), and any other information contained in or extracted from applications or CVs
- Analysis data: match scores, requirement-by-requirement evidence, structured CV data, and other outputs generated by the service
- Controller user data: account information (e.g. email, name, company) of users who access Ansius on behalf of the Controller
Categories of Data Subjects
- Job applicants and candidates whose data the Controller submits to Ansius
- Recruiters and other personnel of the Controller who use Ansius
6. Controller Obligations
The Controller shall:
- Process Personal Data in compliance with applicable data protection law and only to the extent necessary for legitimate recruitment and hiring purposes
- Ensure that it has a valid legal basis (e.g. consent, contract, legitimate interest, or legal obligation) for processing candidate data and for disclosing candidate data to the Processor
- Provide candidates with privacy notices: The Controller must provide candidates with clear information about how the Controller processes their data. While Ansius provides its Privacy Policy on public job pages (which covers Ansius's role as Controller for hosting pages and initial collection), the Controller should provide its own privacy notice covering:
  - Who the Controller is (employer/recruiter name and contact)
  - How the Controller will use candidate data for recruitment purposes
  - How long the Controller will retain candidate data
  - Candidate rights and how to exercise them with the Controller
  - How to contact the Controller regarding data protection matters
- Handle public applications: When candidates apply through Ansius public job pages, Ansius collects the data as Controller (for hosting purposes) and then processes it on the Controller's behalf as Processor. The Controller is responsible for ensuring candidates understand that their data will be used by the Controller for recruitment purposes. The Controller must ensure that submitting an application provides a valid legal basis for the Controller's processing under applicable law.
- Give only lawful and documented instructions to the Processor; the Processor will inform the Controller if an instruction is considered to infringe GDPR or other applicable law
- Ensure that personnel with access to Hirewall are bound by confidentiality and data protection obligations as appropriate
- Respond promptly to data subject requests (access, rectification, erasure, etc.) received from candidates regarding the Controller's use of their data, and cooperate with the Processor in fulfilling such requests
7. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including as set out in this DPA and the Terms of Service, unless required to do otherwise by applicable law (in which case the Processor shall inform the Controller of that legal requirement in advance, unless the law prohibits such information)
- Ensure that persons authorised to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption in transit and at rest, access controls, and regular assessment of those measures
- Assist the Controller in responding to requests from Data Subjects to exercise their rights (access, rectification, erasure, restriction, portability, objection, and related rights) by providing functionality and support as described in the Privacy Policy and by responding to Controller requests within a reasonable time
- Assist the Controller in ensuring compliance with obligations relating to security of processing, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and information available to the Processor
- Notify the Controller without undue delay after becoming aware of a Personal Data breach affecting the Controller's data, and provide information reasonably necessary for the Controller to meet any breach-reporting obligations
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by the Controller or an authorised auditor, subject to reasonable notice and confidentiality obligations
8. Sub-Processors
The Controller authorises the Processor to engage Sub-Processors to carry out specific processing activities on the Processor's behalf. The Processor shall:
- Ensure that each Sub-Processor is bound by a contract that imposes on the Sub-Processor data protection obligations no less protective than those in this DPA
- Remain liable to the Controller for the performance of each Sub-Processor's obligations
Current Sub-Processors
Personal Data may be processed by the following categories of Sub-Processors for the purposes indicated:
- Google LLC (Firebase): Cloud database (Firestore), file storage (Firebase Storage), authentication, and analytics. Purpose: hosting, storing, and securing application and account data. Location: may include USA and other regions; governed by Google's Data Processing Terms and, where relevant, Standard Contractual Clauses.
- Stripe, Inc.: Payment processing. Purpose: processing payments; card data is processed by Stripe and not stored by Ansius. Location: may include USA; governed by Stripe's DPA and applicable terms.
- OpenAI, L.L.C.: Language models for text analysis. Purpose: analysis of CV and job description content to generate match scores and evidence. Data is processed according to OpenAI's Data Processing Addendum. Location: may include USA.
- Google LLC (Gemini / Vertex): Language models for text analysis. Purpose: analysis of CV and job description content. Governed by Google's Data Processing Terms. Location: may include USA and other regions.
- Vercel Inc.: Hosting and performance analytics. Purpose: hosting the Service and collecting performance metrics. Location: may include USA and other regions; governed by Vercel's terms and privacy policy.
- Hotjar Ltd.: User behavior analytics. Purpose: understanding how users interact with the Service through session recordings and heatmaps. Location: may include EU and other regions; governed by Hotjar's privacy policy and terms.
The Processor may update the list of Sub-Processors from time to time. Material changes (new Sub-Processors or significant changes in purpose or location) will be communicated via the Ansius website or by email. The Controller may object to a new Sub-Processor on reasonable grounds relating to data protection by contacting hello@ansius.com within 30 days of notice. If the Processor cannot reasonably accommodate the objection, the Controller may suspend or terminate the affected part of the service or the agreement in accordance with the Terms of Service.
9. International Transfers
Where Personal Data is transferred to a country outside the European Economic Area (EEA) or the UK that has not been recognised as providing an adequate level of data protection, the Processor shall ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission or the UK authorities, or another mechanism permitted under GDPR. The Processor will provide details of the transfer mechanism applied upon reasonable request.
10. Data Retention and Deletion
Processing by the Processor continues for as long as the Controller uses Ansius and data is retained in accordance with the Processor's data retention policy (as described in the Privacy Policy). Upon termination of the service or at the Controller's request, the Processor will delete or return Personal Data as specified in Section 7, unless retention is required by applicable law.
11. Audit and Compliance
The Processor maintains audit logs and documentation necessary to demonstrate compliance with this DPA. The Controller may request evidence of compliance and, subject to reasonable notice and confidentiality, request an audit. If an audit is required by a supervisory authority or by the Controller's legal obligations, the Processor will cooperate and provide relevant information. Any audit shall be at the Controller's expense unless the audit reveals a material breach by the Processor.
12. Liability and Indemnity
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. The Processor shall be liable for damage caused by processing only where it has not complied with obligations under GDPR specifically directed to processors, or where it has acted outside or contrary to lawful instructions of the Controller. The Controller shall be responsible for ensuring that its instructions and use of the service comply with applicable law and that it has a valid legal basis for the processing.
13. Order of Precedence
In the event of a conflict between this DPA and the Terms of Service or the Privacy Policy, this DPA shall prevail with respect to the processing of Personal Data subject to GDPR or equivalent data protection law.
14. Public Job Applications and Joint Controllership
Ansius hosts public job pages on its platform (e.g., ansius.com/jobs/[slug]) where candidates can view and apply for jobs without creating accounts. When candidates submit applications through these public pages:
- Ansius as Controller: Ansius acts as Controller for hosting the public job pages and initially collecting candidate data (as Ansius operates the platform and collects the data). This is addressed in Ansius's Privacy Policy.
- Controller as Controller: You (the employer/recruiter) are the Controller of candidate data for recruitment and hiring purposes. You determine the purposes and means of processing for evaluating candidates and making hiring decisions.
- Ansius as Processor: After initial collection, Ansius processes candidate data on your behalf as Processor in accordance with this DPA and your instructions (e.g., analyzing CVs, generating match scores, storing applications, enabling you to manage candidates).
- Privacy Notices: Ansius provides its Privacy Policy on public job pages, which covers Ansius's role as Controller for hosting and initial collection. You must provide your own privacy notice covering your role as Controller and how you use candidate data for recruitment purposes.
- Legal Basis: You must ensure that candidates' submission of applications provides a valid legal basis for your processing under applicable data protection law (typically legitimate interest in evaluating candidates or contract if offering a position).
- Data Subject Rights: Candidates may exercise rights with both Ansius (regarding Ansius's role as Controller) and with you (regarding your role as Controller). Ansius will assist you in responding to requests regarding your processing as set out in Section 7.
The Controller acknowledges that candidates applying through public pages may not have direct accounts with Ansius, and the Controller is responsible for managing data subject rights requests from such candidates regarding the Controller's use of their data, with assistance from the Processor as set out in Section 7.
15. Contact and Acceptance
By using Ansius Hirewall to process candidate or applicant personal data, you accept this DPA as the Controller. For questions about this DPA, to exercise Data Subject rights on behalf of your candidates, or to request deletion or return of data, contact:
Email: hello@ansius.com
Itinair Ltd, Corner Chambers 590A Kingsbury Road, B24 9ND Birmingham, United Kingdom. Registration: 13875988.