Document: ProperFit Hire — Data Processing Agreement (template)
Version: 1.0
Date: 6 May 2026
Form: Counter-signed contract between the Customer (employer-hirer, Data Controller) and Brian Gillingham trading as ProperFit Hire (Joint Controller / Data Processor)
Lawful framework: UK GDPR Articles 26 (Joint Controllers) and 28 (Data Processors); the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs where relevant
Status: Template — to be issued and counter-signed before any cohort processing begins
---
Customer ("Controller"):
[Customer legal name, registered office, company number]
Contact for data protection: ___________
ProperFit Hire ("Joint Controller / Processor"):
Brian Gillingham, trading as ProperFit Hire
Lincoln, LN2 2HL, United Kingdom
ICO registration: ZA###### (number to follow within 7 working days of 6 May 2026)
Contact for data protection: dpo@properfithire.co.uk
---
This DPA governs the processing of personal data of work-seekers (candidates) carried out by ProperFit Hire on instructions from the Customer, under the Customer's recruitment activities for one or more job vacancies.
This DPA takes effect on the Effective Date below and continues until either:
(a) the Customer's last cohort order has been delivered AND any retention period has elapsed (typically 18 months from delivery for audit trails); OR
(b) the parties terminate the engagement in writing.
The Customer is the Data Controller for the underlying recruitment process.
ProperFit Hire is Joint Controller for decisions about scoring methodology and retention (including retention of audit trails); and Processor for the day-to-day handling of CV data on the Customer's behalf.
---
The processing comprises: collection (from the Customer), structured extraction, scoring, ranking, report generation, secure storage, and deletion per the retention policy.
---
The Customer warrants that:
3.1 It has, for each CV submitted, a lawful basis to share the CV with ProperFit Hire.
3.2 It will provide candidates with appropriate notice that their CV is processed by a third-party scoring service, either directly or by directing them to ProperFit Hire's Candidate Privacy Notice at https://properfithire.co.uk/privacy/candidate.
3.3 It has its own lawful basis for the underlying recruitment activity.
3.4 It will not submit CVs of candidates who have explicitly objected to its processing under Article 21 UK GDPR.
3.5 It will conduct meaningful human review of every shortlisted candidate per ICO 2026 ADM guidance and Article 22 UK GDPR — i.e. it will not "rubber-stamp" the algorithmic ranking.
3.6 It is responsible for Right-to-Work checks under the Immigration, Asylum and Nationality Act 2006.
3.7 It is responsible for sector-regulator background checks (CQC, FCA, DBS, etc.) where required.
---
ProperFit Hire shall:
4.1 Process personal data only on documented Customer instructions, save where required by law (in which case it will inform the Customer prior to processing).
4.2 Ensure persons authorised to process personal data are bound by confidentiality.
4.3 Implement appropriate technical and organisational measures (TOMs) per Annex A.
4.4 Not engage another processor without prior written authorisation. The current sub-processors are listed in Annex B.
4.5 Assist the Customer in fulfilling its obligations under Articles 32-36 UK GDPR (security; breach notification; DPIA; prior consultation).
4.6 Assist the Customer in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection).
4.7 Make available all information necessary to demonstrate compliance and allow audits in accordance with §10.
4.8 Notify the Customer without undue delay of any personal data breach affecting Customer data.
4.9 At the choice of the Customer, delete or return all personal data to the Customer at the end of processing, unless retention is required by law.
---
The Customer and ProperFit Hire share a duty under Articles 13 and 14 UK GDPR to provide candidates with notice that their CV is processed.
5.1 ProperFit Hire publishes a Candidate Privacy Notice at https://properfithire.co.uk/privacy/candidate.
5.2 The Customer agrees to either:
(a) link to this notice from its own privacy materials, or
(b) include equivalent information in its own candidate-facing notice.
5.3 ProperFit Hire will refresh the published notice when material changes occur and provide 14 days' notice to the Customer.
---
6.1 ProperFit Hire will notify the Customer within 24 hours of becoming aware of any personal data breach affecting Customer data.
6.2 The notification will include all information required by Article 33(3) UK GDPR.
6.3 ProperFit Hire will assist the Customer in notifying the ICO within 72 hours per Article 33 UK GDPR if required.
6.4 ProperFit Hire will assist the Customer in notifying affected data subjects per Article 34 UK GDPR if required.
See docs/legal/05_breach_response_plan.md for the operational procedure.
---
7.1 ProperFit Hire will, upon Customer request, provide all information necessary to respond to data-subject requests within the 30-day SLA, so that the Customer can meet the one-month statutory deadline under Article 12(3) UK GDPR.
7.2 If a data-subject request is received directly by ProperFit Hire, it will be acted upon under the SAR Procedure (docs/legal/04_SAR_procedure.md) and the Customer will be informed within 5 working days.
7.3 No fee is charged to the data subject unless the request is manifestly unfounded or excessive (Article 12(5) UK GDPR).
---
8.1 Other than to the sub-processors, and on the bases, listed in Annex B, no transfers of personal data outside the UK or countries covered by UK adequacy regulations occur as part of the standard processing; the US-based LLM providers in Annex B are engaged only with the Customer's opt-in authorisation.
8.2 If any future transfer becomes necessary, ProperFit Hire will:
(a) inform the Customer in writing 30 days in advance;
(b) put in place appropriate safeguards under Article 46 UK GDPR (typically the UK International Data Transfer Agreement / Addendum to EU SCCs); and
(c) update Annex B sub-processor list accordingly.
---
9.1 CVs and JD content: deleted 7 days after report delivery.
9.2 Audit-trail reports: retained 18 months from delivery for tribunal defensibility, unless erasure is requested by the data subject.
9.3 Customer billing records: retained 6 years per HMRC requirement.
9.4 Full retention schedule: docs/legal/06_retention_policy.md.
---
10.1 ProperFit Hire will, on not less than 30 days' written notice, allow the Customer (or its independent auditor) to inspect compliance with this DPA. Audits are limited to once per 12 months unless triggered by a breach.
10.2 The Customer will bear its own costs unless the audit reveals material non-compliance, in which case ProperFit Hire bears reasonable costs.
10.3 Where ProperFit Hire holds independent third-party certification (e.g. ISO 27001 in future), it may submit the certification report in lieu of an on-site audit.
---
11.1 Each party is liable for damages caused by processing that infringes UK GDPR, in accordance with Article 82 UK GDPR.
11.2 Liability cap: 12 months of fees actually paid by the Customer to ProperFit Hire in the period preceding the claim. (Aligns with Customer Terms of Service §8.)
11.3 The cap does not apply to: death/personal injury caused by negligence, fraud, or any liability that cannot lawfully be excluded.
---
12.1 Either party may terminate this DPA on 30 days' written notice.
12.2 On termination, ProperFit Hire will, at Customer's election, return or delete all personal data within 30 days, save where retention is required by law (e.g. HMRC records).
12.3 Audit-trail reports retained for tribunal defensibility per §9.2 may be retained for the remainder of the 18-month period unless the Customer requests immediate erasure.
---
13.1 This DPA is governed by the laws of England and Wales.
13.2 Any dispute will first be addressed by direct discussion between Brian Gillingham (ProperFit Hire) and the Customer's nominated representative.
13.3 If unresolved within 14 days, either party may escalate to mediation (CEDR) or formal proceedings in the County Court at Lincoln.
13.4 Data-protection complaints may also be raised with the Information Commissioner's Office (ICO) at https://ico.org.uk.
---
14.1 This DPA, the Customer Terms of Service, and the Hirer Terms of Engagement form the entire agreement between the parties for data-processing matters.
14.2 In case of conflict, the order of precedence is: this DPA → Hirer Terms of Engagement → Customer Terms of Service.
---
Customer (Data Controller):
Signed: _________________________
Print name: _________________________
Title: _________________________
Date: _________________________
ProperFit Hire (Joint Controller / Processor):
Signed: _________________________
Brian Gillingham, Founder, ProperFit Hire
Date: _________________________
Effective Date: _________________________
---
ProperFit Hire implements the following safeguards:
---
The following sub-processors are engaged with appropriate Article 28 contracts:
| Sub-processor | Role | Location | Lawful basis for transfer |
|---|---|---|---|
| **Microsoft Azure** (Switzerland North) | VM hosting, managed disk encryption | Switzerland | UK Adequacy Regulations 2021 |
| **Stripe Payments UK Ltd** | Payment processing only — receives transaction data, never CV content | UK | Performance of contract |
| **Microsoft 365 / Exchange Online** | Email delivery (order confirmations, candidate notifications) | EU/UK | UK Adequacy Regulations |
| **Microsoft Identity Platform** | OAuth Sign-in with Microsoft (where customer chooses) | EU/UK | UK Adequacy Regulations |
| **Cloudflare Web Analytics** | Privacy-first traffic analytics (no cookies, no PII) | Global anycast | UK-US Data Bridge / IDTA as applicable |
| **Cerebras Cloud** (when used) | Free-tier LLM inference for STAR writeups (anonymised excerpts only) | US | IDTA / UK Addendum, or UK Extension to the EU-US DPF (UK-US Data Bridge); opt-in only with explicit Customer authorisation |
| **OpenAI API** (when used) | Frontier LLM for STAR writeups (anonymised excerpts only) | US | IDTA / UK Addendum, or UK Extension to the EU-US DPF (UK-US Data Bridge); opt-in only with explicit Customer authorisation |
The Customer authorises the engagement of these sub-processors at the Effective Date. ProperFit Hire will give 30 days' written notice before adding or replacing any sub-processor; the Customer may object during that window, in which case the parties shall discuss in good faith and may terminate this DPA if no resolution is reached.
---
```
Customer                  ProperFit Hire (UK)                    Sub-processors
--------                  -------------------                    --------------
   |                              |                                    |
   | 1. Upload CVs + JD --------> |                                    |
   |                              | 2. Run Mermoid scoring             |
   |                              |    (deterministic, no LLM)         |
   |                              |                                    |
   |                              | 3. Generate STAR writeup --------> | LLM provider
   |                              |    (anonymised excerpts)           | (Cerebras / OpenAI)
   |                              |                                    |
   |                              | 4. Store on Azure                  |
   |                              |    (Switzerland North, per Annex B)|
   |                              |    /home/mermoid/.aether-orders    |
   |                              |                                    |
   | 5. <-- Email PDF report ---- |                                    |
   | 6. <-- View in portal ------ |                                    |
   |                              |                                    |
   |                              | 7. Delete CVs/JD at +7 days        |
   |                              | 8. Delete audit at +18 months      |
```
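Steps 7 and 8 of the flow above, and §9 of the DPA, describe a retention schedule that the operator has to enforce in code. The following is an added illustration of such a sweep, not ProperFit Hire's own code: it plans which artefacts are due for deletion from a list of delivered orders, treats §9.2 erasure requests as an immediate trigger for audit-trail deletion, and leaves billing records (§9.3) alone. The order directory layout under `/home/mermoid/.aether-orders` (one directory per order containing `cv/`, `jd/` and `audit_report.pdf`), the `Order` record shape and the sample orders are assumptions constructed for the example.

```python
"""Retention sweep mirroring DPA section 9 and data-flow steps 7-8.

Added illustration only; not ProperFit Hire's production code. The on-disk
layout root/<order_id>/{cv,jd,audit_report.pdf} is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path
import shutil

CV_JD_RETENTION = timedelta(days=7)  # §9.1: CVs and JD deleted 7 days after delivery
AUDIT_RETENTION_MONTHS = 18          # §9.2: audit-trail reports kept 18 months


def add_months(when: datetime, months: int) -> datetime:
    """Calendar-month arithmetic so that '18 months' is not approximated as 540 days."""
    month_index = when.month - 1 + months
    year = when.year + month_index // 12
    month = month_index % 12 + 1
    # Clamp the day so that e.g. 31 Jan + 1 month lands on the last day of Feb.
    first_of_next = datetime(year + month // 12, month % 12 + 1, 1, tzinfo=when.tzinfo)
    last_day = (first_of_next - timedelta(days=1)).day
    return when.replace(year=year, month=month, day=min(when.day, last_day))


@dataclass
class Order:
    order_id: str
    delivered_at: datetime  # UTC timestamp of report delivery (step 5)
    has_cv_jd: bool         # raw CVs + JD still on disk (steps 1-2)
    has_audit: bool         # audit-trail report still on disk


def audit_due(order: Order) -> datetime:
    """Date on which the order's audit-trail report becomes deletable under §9.2."""
    return add_months(order.delivered_at, AUDIT_RETENTION_MONTHS)


def plan_sweep(orders, now: datetime, erasure_requested=frozenset()):
    """Return (order_id, artefact) pairs due for deletion at `now`.

    Raw CV/JD material is due at delivery + 7 days. Audit reports are due at
    delivery + 18 calendar months, or immediately when erasure has been
    requested for that order (§9.2 / §12.3). Billing records (§9.3) live
    outside the order store and are never touched here.
    """
    actions = []
    for o in orders:
        if o.has_cv_jd and now >= o.delivered_at + CV_JD_RETENTION:
            actions.append((o.order_id, "cv_jd"))
        if o.has_audit and (o.order_id in erasure_requested or now >= audit_due(o)):
            actions.append((o.order_id, "audit"))
    return actions


def apply_sweep(root: Path, actions) -> None:
    """Delete the planned artefacts under root/<order_id>/ (assumed layout)."""
    targets = {"cv_jd": ("cv", "jd"), "audit": ("audit_report.pdf",)}
    for order_id, kind in actions:
        for name in targets[kind]:
            path = root / order_id / name
            if path.is_dir():
                shutil.rmtree(path)
            elif path.exists():
                path.unlink()


# Constructed sample data: three delivered orders, evaluated on 9 May 2026.
SAMPLE_ORDERS = [
    Order("ord-0001", datetime(2026, 5, 1, tzinfo=timezone.utc), True, True),
    Order("ord-0002", datetime(2026, 5, 5, tzinfo=timezone.utc), True, True),
    Order("ord-0003", datetime(2024, 11, 1, tzinfo=timezone.utc), False, True),
]
NOW = datetime(2026, 5, 9, tzinfo=timezone.utc)

if __name__ == "__main__":
    # ord-0002 has an erasure request, so its audit report goes now; its CVs
    # are not yet 7 days old. ord-0003 reached +18 months on 1 May 2026.
    for action in plan_sweep(SAMPLE_ORDERS, NOW, erasure_requested={"ord-0002"}):
        print(action)
    # apply_sweep(Path("/home/mermoid/.aether-orders"), actions) would perform the deletions.
```

Keeping planning separate from deletion lets the sweep be run in dry-run mode and its output logged, which is the evidence an auditor under §10 will ask for; the deletion step should itself be recorded (order id, artefact, timestamp) without copying any CV content into the log.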
---
End of DPA template.
To execute: replace bracketed placeholders with Customer specifics, both parties sign, retain a counter-signed copy in docs/legal/dpa_executed/{customer_short_name}.pdf.