Data Processing Agreement

This DPA applies between Merqent (“Processor”) and the customer organization (“Controller”) that uses the Merqent platform. It is incorporated by reference into the Merqent Terms of Service.

Last updated: May 2026

1. Definitions

"Controller" means the customer organization that determines the purposes and means of processing candidate personal data. "Processor" means Merqent, which processes personal data on behalf of the Controller. "Data Subject" means any identified or identifiable natural person whose personal data is processed, primarily job candidates. "Personal Data", "Processing", "Sub-processor" and "Supervisory Authority" have the meanings given in the GDPR.

2. Subject matter and duration

This DPA governs the processing of candidate personal data by Merqent as Processor on behalf of the Controller in connection with the Merqent platform. Processing continues for the duration of the customer agreement and until all personal data is deleted or returned in accordance with this DPA.

3. Nature and purpose of processing

Merqent processes personal data to: (a) host and operate the recruitment screening platform; (b) conduct AI-assisted interview sessions and generate scores and reports; (c) store and display candidate profiles, screening transcripts and recruiter notes; (d) send transactional emails; and (e) provide analytics and reporting to the Controller. Processing is carried out solely on the documented instructions of the Controller, which are set out in the platform configuration and these Terms.

4. Categories of personal data and data subjects

Data subjects are job candidates who apply via the platform or are added by the Controller. Categories of personal data include: name, email address, phone number, location, LinkedIn profile, availability, salary expectation, CV content, interview transcripts, AI-generated assessments, recruiter notes and technical session data (IP address, timestamps).

5. Obligations of the Processor

Merqent shall: (a) process personal data only on the Controller's documented instructions; (b) ensure that authorized personnel are bound by appropriate confidentiality obligations; (c) implement technical and organizational measures to protect personal data as described in clause 7; (d) assist the Controller in responding to data subject requests within reasonable timescales; (e) notify the Controller without undue delay, and no later than 72 hours, after becoming aware of a personal data breach; (f) delete or return all personal data on termination of the agreement at the Controller's choice; and (g) make available information necessary to demonstrate compliance with this DPA.

6. Obligations of the Controller

The Controller shall: (a) ensure it has a lawful basis to collect and submit candidate personal data to Merqent; (b) provide candidates with clear notice about AI processing in accordance with GDPR Articles 13–14; (c) ensure that personal data submitted is accurate and limited to what is necessary; (d) configure appropriate retention settings; and (e) be responsible for any instructions given to Merqent that result in a breach of applicable law.

7. Security measures

Merqent implements the following technical and organizational measures: encryption of personal data at rest and in transit (TLS 1.2+); database-level field encryption for sensitive data; access controls limited to authorized personnel; regular security assessments; incident response procedures; and audit logging. Merqent reviews and updates these measures as necessary.

8. Sub-processors

Merqent uses the following categories of sub-processors: cloud infrastructure and database hosting (EU region); email delivery (Resend); payment processing (Stripe); AI model provider (OpenAI, data processed under their data processing agreement with API data protection commitments). Merqent ensures sub-processors are bound by data protection obligations at least equivalent to this DPA. Merqent will notify the Controller of intended changes to sub-processors by updating this page, giving at least 14 days' notice before a new sub-processor processes personal data.

9. International transfers

Personal data is primarily processed within the European Economic Area (EEA). Where sub-processors are located outside the EEA, Merqent ensures appropriate safeguards are in place, such as the EU Standard Contractual Clauses (SCCs) or an adequacy decision by the European Commission.

10. Data subject rights

Merqent provides technical mechanisms to assist the Controller in fulfilling data subject rights including access, rectification, erasure and restriction. Candidates can submit deletion requests directly via the privacy page. Merqent will forward any data subject requests received directly to the Controller without undue delay.

11. Audits and inspections

Merqent shall provide the Controller with all information necessary to demonstrate compliance with this DPA. The Controller may, upon reasonable written notice of at least 14 days, conduct audits or inspections of Merqent's processing activities, subject to appropriate confidentiality arrangements and at the Controller's own cost.

12. Data retention and deletion

Candidate personal data is retained for up to 12 months after creation unless the Controller deletes it earlier. On termination of the customer agreement, Merqent will delete all personal data within 30 days unless legal obligations require longer retention. Merqent provides in-platform deletion tools and responds to deletion requests sent to privacy@merqent.com.

13. Liability and indemnification

Each party's liability under this DPA is subject to the limitations set out in the main Terms of Service. Where a party is held liable for a GDPR infringement caused by the other party's breach of this DPA, that other party shall indemnify the first party to the extent of its responsibility for the infringement.

14. Governing law

This DPA is governed by the laws of the Netherlands and forms part of the agreement between Merqent and the Controller. In case of conflict between this DPA and the Terms of Service, this DPA takes precedence in relation to the processing of personal data.

15. Contact

For data protection matters, contact privacy@merqent.com. Our privacy policy and further information are available at merqent.com/privacy.