
Data Processing Agreement

Latest update: 12 June 2026

This Data Processing Agreement (“Agreement”) is entered into by and between you, as the Controller, and:

Processor

FTEngine — Giorgia Leonardi

Via Oreste Regnoli 5, 00152 Rome, Italy

VAT no.: IT17943901003

Legal representative: Giorgia Leonardi

1. Subject matter, main contract, and term

The subject matter of the Agreement results from the main contract signed by the parties for the provision of the FTEngine services (“Contract”). The Processor shall carry out the processing activities described therein, with respect to the following categories of Personal Data:

  • contact and communication data of the user (account holder);
  • payment-related data for invoicing purposes;
  • personal data contained in documents uploaded by the user — in particular expert CVs and Terms of Reference — including identification data (name, contact details, links), professional data (qualifications, work experience, dates, employers, languages, publications, place of performance), and the names and contact details of reference persons;
  • data relating to the use of the FTEngine website, such as support requests;

and referring to the following categories of Data Subjects:

  • the user (account holder);
  • the experts whose CVs are uploaded by the user;
  • reference persons and former employers named within the CVs.

Notwithstanding the Controller’s location, and unless otherwise stated herein — in particular with regard to the Subprocessors Anthropic and Cloudflare pursuant to sec. 7 and Appendix II below — all data processing activities carried out by the Processor shall be executed within the territories of the European Union / European Economic Area (EU/EEA). Processing carried out by Anthropic (United States) and by Cloudflare (United States / global edge network) is governed by the European Commission’s Standard Contractual Clauses.

2. Definitions

In this Agreement, unless otherwise required by the context, the following terms shall have the meaning set forth below:

  • “Agreement” refers to this Data Processing Agreement and all its corresponding Schedules, and any amendments thereto.
  • “Applicable Data Protection Laws” refers to any applicable privacy and data protection laws and regulations, such as the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”) and, as the case may be, the UK GDPR and other equivalent laws.
  • “Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
  • “Data Subject(s)” means the individual to whom Personal Data relates.
  • “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the identity of that natural person.
  • “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, restriction, erasure or destruction.
  • “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
  • “Subprocessor” means any Processor engaged by the Processor who agrees to receive Personal Data exclusively intended for the Processing activities to be carried out on behalf of the Controller after the latter has authorized such subcontracting.
  • “Technical and Organisational Measures” means those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of Processing.

All capitalized terms not defined herein shall have the meaning set forth in the GDPR and any Applicable Data Protection Laws.

3. Processing on instruction

The Processor agrees to process the Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Applicable Data Protection Laws to which the Processor is subject.

4. Technical and organizational measures

The Processor commits to adopt and implement all necessary technical and organizational measures that provide a level of security appropriate to the risk involved in the Processing and the nature of the Personal Data to be protected. These measures shall, amongst others, safeguard Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed. Specific details of these measures are laid out in Appendix I.

5. Exercise of rights

The Processor is committed to supporting the Controller in ensuring compliance with the rights of Data Subjects under Applicable Data Protection Laws.

The rights granted to the Controller under this Agreement, including but not limited to the right to rectification, restriction, and erasure or return of data, can be exercised by contacting the Processor at the email address [email protected].

6. Compliance assurance and other duties of the Processor

The Processor ensures the compliance of its data Processing activities and strict adherence to its obligations under the Applicable Data Protection Laws. This includes:

  • Documentation and implementation of specific procedures: the Processor shall keep a record of the processing activities carried out on behalf of the Controller, inclusive of the information required under Applicable Data Protection Laws.
  • Data Minimization: the Processor shall ensure that Personal Data is adequate, relevant, and limited to what is strictly necessary in relation to the purposes for which it is processed.
  • Data Accuracy: the Processor shall take every reasonable step to ensure that Personal Data that is inaccurate is erased or rectified without delay.
  • Data Availability, Integrity and Confidentiality: the Processor shall carry out its processing activities ensuring the security of Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate Technical and Organisational Measures.
  • Cooperation with Controller: the Processor shall assist the Controller in ensuring compliance with the obligations concerning the security of processing, the notification of Personal Data breaches, data protection impact assessments, and prior consultation in relation to high-risk processing.
  • Employee confidentiality: the Processor shall ensure that persons engaged in the Processing of Personal Data are informed of its confidential nature and are bound by confidentiality obligations.
  • Response to Data Subjects: if the Processor receives a request from a Data Subject, it shall advise the Data Subject to submit their request to the Controller and notify the Controller of the request as soon as practicable.
  • Data Protection Impact Assessment (DPIA): upon the Controller’s request, the Processor shall provide the necessary information to carry out a DPIA as required by Applicable Data Protection Laws.

7. Subprocessors

The Controller acknowledges and accepts that the Processor may engage Subprocessors to carry out processing activities under this Agreement. The currently engaged Subprocessors are listed in Appendix II and are hereby deemed accepted by the Controller.

The Processor commits to notify the Controller in advance about any planned change of Subprocessors and to collect the Controller’s approval before performing such change. The Processor shall in any case impose on Subprocessors the same data protection obligations as set out in this Agreement.

8. Audits

The Processor shall make available to the Controller on request all information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

Inspections and audits shall be agreed upon in advance with the Processor and take place without impairing the Processor’s regular business operations.

9. Data Breaches

The Processor shall implement and maintain appropriate procedures and technologies to detect, prevent, and respond to data breaches.

In the event of a Personal Data breach, the Processor will promptly and without undue delay notify the Controller upon becoming aware of it. This notification will include:

  • a description of the nature of the breach, including, where possible, the categories and approximate number of Data Subjects and data records concerned;
  • the name and contact details of a contact point where more information can be obtained;
  • a description of the likely consequences of the breach;
  • a description of the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Processor shall document any Personal Data breaches and assist the Controller in ensuring compliance with the Controller’s obligations concerning breach notifications to the authorities and affected individuals. The Processor shall not communicate the breach to any third party or to the affected Data Subject without the prior written consent of the Controller, unless such communication is required by Applicable Data Protection Laws.

10. Data Retention

Throughout the term of this Agreement, the Processor shall retain all Personal Data collected and processed hereunder for as long as necessary for the provision of the services, unless sooner deleted by the Controller.

Data retention applied upon termination of the service

Upon expiration of this Agreement (for whichever cause), or sooner if so directed by the Controller, the Processor shall, at the Controller’s discretion, delete or return all Personal Data collected and processed under this Agreement, unless required to retain it under any applicable legal provision. By design of the Service, source files uploaded by the user (expert CVs and Terms of Reference) are deleted automatically as soon as the related processing job is completed, and generated output documents are retained for ninety (90) days from creation and then automatically and permanently deleted. When a user account is deleted, the associated Personal Data (stored files and account data) is erased without undue delay.

Notwithstanding the foregoing, the Processor shall be entitled to retain, even after termination, all information necessary to demonstrate orderly and compliant processing, in accordance with statutory retention periods.

Appendix I — Technical and Organisational Measures

The Processor implements the following technical and organisational measures to ensure a level of security appropriate to the risk.

  • Data residency: data is hosted and processed within the EU — database, authentication and storage on Supabase (EU region); backend processing on Render (Frankfurt, EU).
  • Encryption: Personal Data is protected in transit (TLS) and at rest. At-rest encryption of the database and file storage is provided at platform level by Supabase; in addition, the pseudonymisation map linking pseudonyms to direct identifiers is encrypted by the Service using AES-256-GCM.
  • Access control and isolation: access requires authentication; each Controller’s data is logically isolated through database Row-Level Security.
  • Data minimisation and pseudonymisation: before transmission to the AI Subprocessor, direct identifiers are removed server-side for text-based (Word) CVs; for PDF CVs the document is read and identifiers are pseudonymised server-side within the EU; re-association occurs only within the EU.
  • Retention and deletion: Personal Data is deleted in accordance with the retention policy set out in Section 10 — uploaded source files are deleted on completion of the related job, generated outputs after ninety (90) days, and account data upon account deletion.
  • Logging and monitoring: application and operational logs are captured by the hosting platform (Render). The Service does not currently implement dedicated access-audit logging of Personal Data or automated monitoring and alerting.
  • Backup and restore: database backups are provided at platform level by Supabase according to the subscribed plan; the Service does not implement additional custom backups.
  • Incident detection, response and breach notification: these are handled as an organisational process, relying on the security controls and notifications of the platform providers (Supabase, Render, Cloudflare). The Service does not currently operate a dedicated automated intrusion-detection system.
  • Confidentiality: persons authorised to access Personal Data are bound by confidentiality obligations.
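The pseudonymisation and encrypted-map pattern described in the bullets above, as an added illustration in Go that is not the Service's own code: direct identifiers are swapped for tokens before the text leaves the EU side, the token-to-identifier map is sealed with AES-256-GCM, and re-association happens only after the map is opened again. It assumes the identifiers have already been extracted from the CV and do not overlap (none is a substring of another), and the test key, job ID and CV text are constructed; key management, storage of the sealed map and the call to the AI Subprocessor are outside the snippet.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"strings"
)
// Pseudonymise swaps each direct identifier for a bracketed token and returns the
// token->identifier map, which must stay on the EU side (identifiers assumed non-overlapping).
func Pseudonymise(text string, identifiers []string) (string, map[string]string) {
	m := make(map[string]string, len(identifiers))
	for i, id := range identifiers {
		tok := fmt.Sprintf("[ID_%d]", i+1) // brackets keep [ID_1] from matching inside [ID_10]
		m[tok] = id
		text = strings.ReplaceAll(text, id, tok)
	}
	return text, m
}
// SealMap encrypts the map with AES-256-GCM; the job ID is bound as associated data,
// so a stored map cannot be opened for a different job. A fresh nonce prefixes the output.
func SealMap(key []byte, jobID string, m map[string]string) ([]byte, error) {
	plain, err := json.Marshal(m)
	if err != nil { return nil, err }
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plain, []byte(jobID)), nil
}
// OpenMap authenticates and decrypts a sealed map; it fails on a wrong key, wrong job or tampering.
func OpenMap(key []byte, jobID string, sealed []byte) (map[string]string, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(sealed) < gcm.NonceSize() { return nil, fmt.Errorf("sealed map too short") }
	plain, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], []byte(jobID))
	if err != nil { return nil, err }
	var m map[string]string
	return m, json.Unmarshal(plain, &m)
}
// Reassociate restores identifiers in the AI output from an opened map (EU side only).
func Reassociate(text string, m map[string]string) string {
	for tok, id := range m { text = strings.ReplaceAll(text, tok, id) }
	return text
}
```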

The Processor does not currently hold an ISO 27001 (or equivalent) certification. Any certification obtained in the future will be reflected here.

Appendix II — Authorised Subprocessors

Subprocessor      | Service / role                                         | Location                            | Transfer safeguard
Anthropic         | AI model — text processing for drafting and tailoring  | United States                       | Standard Contractual Clauses
Render            | Backend hosting and processing                         | Frankfurt, EU                       | Within EU/EEA
Supabase          | Database, authentication, storage                      | EU region                           | Within EU/EEA
Cloudflare        | Frontend hosting, CDN/DNS, and contact-form processing | United States / global edge network | Standard Contractual Clauses (Cloudflare DPA)
Zoho / ZeptoMail  | Transactional, authentication and support email        | EU region                           | Within EU/EEA