Recruiti AI
Data Processing Agreement
See also our Terms of Service and Privacy Policy.
Last Updated: April 12, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Recruiti AI ("Recruiti AI", "Processor") and the customer entity that has accepted those Terms ("Customer", "Controller"), and governs the processing of personal data by Recruiti AI on behalf of the Customer in connection with the Services.
This DPA is effective from the date on which the Customer accepts the Terms of Service and remains in force for the duration of those Terms. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail in relation to the processing of personal data.
In this DPA, "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council; "personal data", "data subject", "processing", "controller", and "processor" have the meanings given in the GDPR; "Standard Contractual Clauses" or "SCCs" means the clauses adopted by the European Commission in Decision 2021/914; and "sub-processor" means any processor engaged by Recruiti AI to process personal data on behalf of the Customer.
1. Roles of the Parties
The Customer is the data controller and determines the purposes and means of processing personal data of candidates, interviewers, and other interview participants in connection with its recruitment activities. Recruiti AI is the data processor and processes such personal data only on behalf of and under the instructions of the Customer for the purpose of providing the Services.
2. Subject Matter, Nature, and Purpose of Processing
Recruiti AI processes personal data on behalf of the Customer for the following purposes:
- operating the Recording Bot to join virtual meetings at the Customer's direction and capture audio;
- transcribing audio recordings into text with speaker diarization;
- generating AI-powered summaries, action items, and query responses from transcripts;
- creating and storing embeddings to enable semantic search across interview content;
- storing transcripts, summaries, and associated metadata in accordance with the Customer's retention settings; and
- delivering the results of the above processing to the Customer through the Platform.
The categories of personal data processed include: names and job titles of interview participants; audio recordings of interviews; transcripts and AI-generated summaries; meeting metadata (date, duration, participants); and any other personal data contained in the content of interview conversations. The categories of data subjects are candidates, recruiters, hiring managers, and other persons present in recorded meetings.
3. Processor Obligations
Recruiti AI shall, in its capacity as data processor:
- process personal data only on documented instructions from the Customer, including as set out in the Terms of Service and this DPA, unless required to do so by applicable law, in which case Recruiti AI shall inform the Customer of that legal requirement before processing unless prohibited by law;
- ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures described in Section 5 of this DPA;
- not engage a sub-processor without prior specific or general written authorisation of the Customer, and where general authorisation is given, inform the Customer of any intended changes and give the Customer the opportunity to object;
- assist the Customer, by appropriate technical and organisational measures, in fulfilling the Customer's obligation to respond to requests for exercising data subjects' rights;
- assist the Customer in ensuring compliance with the Customer's obligations under Articles 32 to 36 of the GDPR, including in relation to security, breach notification, data protection impact assessments, and prior consultation;
- at the Customer's choice, delete or return all personal data to the Customer after the end of the provision of Services relating to processing, and delete existing copies unless applicable law requires storage of the personal data; and
- make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
4. Customer Obligations
The Customer represents, warrants, and undertakes that:
- it has a lawful basis under applicable law for all personal data it submits to the Services for processing, including appropriate consent from interview participants where required;
- it has provided or will provide all required notices to data subjects regarding the processing of their personal data, including notice of recording where applicable;
- it is responsible for ensuring that its instructions to Recruiti AI comply with applicable data protection law; and
- it will promptly notify Recruiti AI if it becomes aware that any processing instruction infringes applicable data protection law.
5. Security Measures
Recruiti AI shall implement and maintain the following technical and organisational security measures:
- encryption of personal data in transit using Transport Layer Security (TLS) with 128-bit or higher AES encryption;
- encryption of personal data at rest using 256-bit AES encryption;
- logical isolation of each customer's data through row-level security controls;
- access controls limiting internal access to personal data on a need-to-know basis;
- short-lived signed URLs (expiring after one hour) for audio file access, with no permanent public URLs;
- regular security monitoring and anomaly detection; and
- an internal personal data breach response procedure, including notification to the Customer without undue delay and in any event within 48 hours of becoming aware of a personal data breach likely to affect the Customer's data, to enable the Customer to fulfil its own 72-hour notification obligation to supervisory authorities under GDPR Article 33.
6. Sub-Processors
The Customer hereby grants general authorisation to Recruiti AI to engage sub-processors. Recruiti AI maintains a current list of sub-processors at recruiti.io/sub-processors. Recruiti AI will inform the Customer of any intended changes to that list (additions or replacements) with at least fourteen (14) days' notice, giving the Customer the opportunity to object to such changes. If the Customer objects on reasonable data protection grounds, the parties will work in good faith to resolve the objection; if it cannot be resolved, the Customer may terminate the Services by written notice.
Recruiti AI shall impose data protection obligations on all sub-processors that are equivalent to those set out in this DPA. Recruiti AI shall remain fully liable to the Customer for the performance of a sub-processor's obligations to the extent that Recruiti AI is required to perform those obligations under this DPA.
7. International Data Transfers
Where Recruiti AI transfers personal data from the EEA to a country not covered by an EU adequacy decision, it shall do so on the basis of appropriate safeguards, including the Standard Contractual Clauses adopted by the European Commission in Decision 2021/914. The applicable module of the SCCs (Module Two: Controller to Processor) is hereby incorporated into this DPA by reference. In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail.
Recruiti AI shall conduct Transfer Impact Assessments as required to confirm that Standard Contractual Clauses provide an essentially equivalent level of protection for transfers to each relevant destination country, and shall make the results available to the Customer on request.
8. Data Subject Rights
Recruiti AI shall, to the extent reasonably practicable, assist the Customer in responding to requests from data subjects exercising their rights under the GDPR (including rights of access, rectification, erasure, restriction, portability, and objection). Where Recruiti AI receives a request directly from a data subject in relation to data processed on behalf of the Customer, Recruiti AI shall promptly notify the Customer and shall not respond to the request without the Customer's prior written authorisation, unless required to do so by law.
9. Data Retention and Deletion
Recruiti AI shall retain personal data processed on behalf of the Customer in accordance with the retention settings applicable to the Customer's subscription plan. Audio recordings are deleted automatically at the end of the applicable retention period (30 days on the Free plan, 90 days on the Pro plan, and one year on the Growth plan). Transcripts and summaries are retained for 30 days on the Free plan and for the duration of the Customer's active account on paid plans.
On expiry or termination of the Terms of Service, Recruiti AI shall, at the Customer's written request made within the 90-day post-termination export window, return or delete all personal data processed on behalf of the Customer, and shall certify such deletion in writing. After the expiry of the 90-day export window, Recruiti AI shall delete all remaining personal data unless required by applicable law to retain it.
10. Audits
Recruiti AI shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA. At the Customer's written request, with at least thirty (30) days' prior notice and no more than once per calendar year, Recruiti AI shall allow for and contribute to audits or inspections conducted by the Customer or an auditor mandated by the Customer, subject to the auditor signing a confidentiality agreement acceptable to Recruiti AI. Audit costs shall be borne by the Customer unless the audit reveals a material breach by Recruiti AI.
11. Liability
Each party's liability under or in connection with this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any liability that cannot be excluded or limited under applicable law, including obligations arising under the GDPR.
12. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the Republic of Lithuania and, where applicable, the law of the European Union. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of the Republic of Lithuania, without prejudice to the mandatory jurisdiction of any supervisory authority.
13. Contact
Questions regarding this DPA or data processing activities should be directed to:
Recruiti AI
Email: info@recruiti.io
Website: recruiti.io