Pilot Data Processing Addendum

1. Roles

For candidate and recruiting data uploaded into sHRark, the customer organization acts as the data controller and sHRark acts as the data processor.

2. Processing scope

sHRark processes personal data only to provide the pilot service: hosting candidate records, parsing uploaded files, generating ranking support, storing recruiter notes, maintaining audit trails, and fulfilling deletion, export, and retention instructions available in the product.

3. Customer instructions and responsibility

• The customer instructs sHRark to process data only for the customer's recruiting activities.
• The customer is responsible for lawful collection, lawful basis, candidate notices, and employment-law compliance.
• The customer must not upload data it is not authorized to process.
• The customer remains responsible for all hiring decisions and any use of AI outputs.

4. Security measures

sHRark applies access controls, tenant isolation, encrypted transport, retention and anonymization controls, and audit logging as described in the Security page and Privacy Policy. These measures are designed to support the pilot service and do not constitute a guarantee that the customer's broader legal obligations are fully satisfied without its own review and procedures.

Production application resources are currently operated in Azure Sweden Central. Operational backup and restore rely on Azure-managed database backup capabilities and storage durability; negotiated full-scope agreements should define customer-specific backup retention, RTO/RPO, and restore-test evidence where required.

5. Subprocessors

Current subprocessors for the pilot are Microsoft Azure (hosting, database, storage, AI), Resend (transactional email), and GitHub (source control and CI). The customer authorizes the use of these subprocessors for the pilot.

A current public summary is also maintained on the Subprocessors page.

6. Incident notice

If sHRark confirms a personal-data incident affecting customer data, sHRark will notify the customer without undue delay and, where feasible, no later than 72 hours after confirmation. sHRark will provide commercially reasonable information then available so the customer can assess any notification duties of its own.

7. Deletion and return

During the pilot, the customer may request deletion of its organization data or use in-product deletion, anonymization, export, and retention controls. After pilot termination, sHRark may delete pilot data in accordance with the retention policy and operational backup lifecycle.

8. Nature of this pilot DPA

This public DPA page is intended to provide a lightweight pilot-ready processor summary. Enterprise customers or customers with stricter procurement requirements may require a negotiated or signed data processing agreement, additional transfer language, or a longer-form security review.

For full-scope bank deployment, the intended package is a signed DPA/order form, security annex, agreed subprocessor and data-residency terms, incident notice language, backup/restore commitments, and Microsoft Entra-based access controls such as SSO, MFA, and conditional-access policy alignment where required.