Data Processing Agreement
Version 1.0.0 · effective 6/15/2026
Data Processing Agreement (DPA)
This Data Processing Agreement (the "DPA") forms part of the BSR Group Terms of Service and applies whenever Brunel Strategic Resourcing Group Ltd ("BSR Group", "we", "Processor") processes personal data on behalf of a Customer (a Company client or a Recruiter Partner) ("Customer", "Controller", "you").
This DPA is required by Article 28 UK GDPR. It does not apply to processing where BSR Group is itself the controller (for which see the Privacy Notice).
1. Definitions
Terms have the meanings given in the UK GDPR. "Personal data", "process", "controller", "processor", "data subject", "supervisory authority", "personal data breach" and "special category data" all have the meanings given in Article 4 UK GDPR.
2. Subject-matter, duration, nature and purpose
| Item | Detail |
|---|---|
| Subject-matter | Operation of the BSR Group recruitment Platform on Customer's behalf |
| Duration | The term of the Engagement Letter / Partner Agreement plus the retention period in §10 |
| Nature and purpose | Recruitment workflow, candidate management, project and resource planning, document storage, billing, compliance and audit, AI-assisted features (where enabled) |
| Type of personal data | Candidate profile data, CVs, qualifications, references, right-to-work and clearance data, hiring manager contact data, communications |
| Categories of data subject | Candidates, hiring managers and authorised users on the Customer account |
3. Customer instructions
We will only process personal data on documented instructions from Customer, including those given through the Platform (uploads, configuration, role assignments) and any specific instructions in the Engagement Letter or Partner Agreement. We will inform Customer if an instruction infringes UK GDPR. Use of the Platform constitutes a documented instruction to process for the purposes set out above.
4. Confidentiality
Persons authorised to process the personal data on our side are subject to written confidentiality obligations and to need-to-know access controls.
5. Security measures (Article 32)
We implement appropriate technical and organisational measures including:
- TLS 1.2+ for data in transit; AES-256 at rest where supported by the storage service.
- Role-based access control with mandatory MFA for staff and admin roles.
- IDOR-prevention checks on every cross-tenant resource lookup.
- CSRF protection on all state-changing endpoints.
- Rate limiting on authentication and high-risk endpoints.
- Centralised audit logging with 5-year retention.
- Quarterly vulnerability scanning and external penetration testing at major release boundaries.
- A documented incident response and breach notification procedure operated by the DPO.
- Documented backup and restore procedures with regular tested restores.
6. Sub-processors
Customer authorises BSR Group to engage the sub-processors listed in the live register at /dashboard/admin/gdpr/subprocessors (the "Sub-processor Register"). Key sub-processors at the date of this DPA:
- Hostinger International Ltd — application + database hosting (UK / EU regions)
- Google LLC — Workspace email transit + (consent-only) Google Analytics
- OpenAI L.L.C. and Google AI — AI features (with limited per-feature inputs)
- Anthropic, PBC — AI fallbacks
- Stripe Payments UK Ltd — invoicing and direct debit (Customer billing only)
We will give Customer at least 30 days' prior notice of any new or replacement sub-processor by updating the Sub-processor Register. Customer may object on reasonable data-protection grounds; the parties will work in good faith to resolve the objection or, failing that, Customer may terminate the affected service.
7. Data subject rights
We will assist Customer in responding to data subject requests received in respect of Customer's data — by providing self-service export and erasure tools in the Platform and, where additional cooperation is required, by responding to written requests within 14 calendar days.
8. Personal data breach
We will notify Customer without undue delay (and in any event within 48 hours) of becoming aware of any personal data breach affecting Customer data, providing the information required by Article 33 UK GDPR. Reporting to the ICO and to data subjects remains the Customer's responsibility unless otherwise agreed in writing.
9. International transfers
Where personal data is transferred outside the UK / EEA we will rely on the UK Adequacy Decision, the UK International Data Transfer Agreement, or the EU Standard Contractual Clauses with the UK Addendum, in each case with appropriate technical and organisational safeguards.
10. Return and deletion at end of services
On termination of the Engagement Letter or Partner Agreement, Customer can export all of its data via the Platform's bulk export tooling. We will delete or anonymise Customer's personal data within 90 days of the later of (a) termination or (b) Customer's last successful export request, except where retention is required by law (e.g. financial records under the Companies Act 2006).
11. Audit and inspection
We will make available to Customer information necessary to demonstrate compliance with Article 28 obligations (typically: this DPA, the Sub-processor Register, our security overview, our latest pen-test summary). Customer may request an audit no more than once per 12-month period on 30 days' written notice; the parties will agree scope, location and timing in good faith. Where a third-party audit report addresses Customer's concerns, we may share that report instead.
12. Liability and indemnities
Liability under this DPA is governed by the Engagement Letter or Partner Agreement. Where neither is in force, the limitation of liability set out in the Terms of Service §11 applies.
13. Order of precedence
If there is a conflict between this DPA, an Engagement Letter, a Partner Agreement and the Terms of Service, the order of precedence (highest first) is:
- The Engagement Letter / Partner Agreement (for commercial matters).
- This DPA (for data protection matters).
- The Terms of Service.
14. Changes
We may update this DPA from time to time via the admin policy editor. Material changes require Customer to re-accept on next sign-in by an authorised user.
15. Contact
Data protection questions: dpo@bsr.group. Security incidents: security@bsr.group (24-hour monitored).