Data Processing Agreement
How ThinkATS processes personal data on behalf of Customers as a data processor.
This Data Processing Agreement ("DPA") forms part of the agreement between ThinkATS Technology Solutions Limited ("ThinkATS", "Processor") and the Customer ("Controller") who has accepted ThinkATS's Terms of Service. Together these are referred to as the "Agreement".
This DPA applies where ThinkATS processes personal data on behalf of the Customer in the course of providing the ThinkATS platform and associated services.
1. Definitions
- Personal Data has the meaning given under the Nigeria Data Protection Act 2023 (NDPA) and, where applicable, the EU General Data Protection Regulation (GDPR): any information relating to an identified or identifiable natural person.
- Controller means the Customer — the natural or legal person who determines the purposes and means of processing personal data.
- Processor means ThinkATS — processing personal data on behalf of the Controller.
- Sub-processor means any third party engaged by ThinkATS to assist in processing personal data on behalf of the Controller.
- Data Subject means an identified or identifiable natural person whose personal data is processed — primarily candidates applying for roles through the Customer's ThinkATS-powered careers site.
- Processing means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
2. Scope and nature of processing
ThinkATS processes personal data on behalf of the Customer for the following purposes:
- Receiving, storing, and displaying candidate applications submitted through the Customer's careers site
- Scoring and ranking candidates against structured job requirements using Application Intelligence
- Enabling pipeline management including stage transitions, recruiter notes, and candidate communications
- Delivering transactional emails to candidates on behalf of the Customer, including application confirmations, stage updates, interview invitations, and offer or rejection communications
- Maintaining audit logs of hiring workflow actions within the Customer's workspace
The categories of personal data processed include: candidate name, contact details, CV and work history, education and qualifications, screening responses, application intelligence scores, and pipeline stage history.
The data subjects are candidates — individuals who apply for roles published by the Customer through ThinkATS.
Processing will continue for the duration of the Agreement and until all personal data is deleted or returned in accordance with clause 9.
3. Customer obligations (Controller)
The Customer warrants and agrees that:
- It has a lawful basis for collecting and processing candidate personal data and has provided candidates with appropriate notice of how their data will be used, including that it is processed by ThinkATS as a processor on the Customer's behalf.
- It will comply with all applicable data protection laws in relation to personal data it controls, including the NDPA 2023 and any other applicable national law.
- It will ensure that any instructions it provides to ThinkATS regarding processing are lawful.
- It will manage candidate data retention within its workspace in accordance with applicable law and its own privacy policy.
- It will respond to data subject requests from candidates in relation to their application data. ThinkATS will provide reasonable assistance to enable the Customer to respond to such requests.
4. ThinkATS obligations (Processor)
ThinkATS agrees to:
- Process personal data only on documented instructions from the Customer, which includes processing in accordance with the Agreement and this DPA. ThinkATS will inform the Customer if it believes any instruction infringes applicable data protection law.
- Ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations.
- Implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or disclosure, including the security measures described in clause 5.
- Not engage any sub-processor without prior written authorisation from the Customer, which is deemed given by acceptance of this DPA in respect of the sub-processors listed in Schedule A.
- Assist the Customer in meeting its obligations to respond to data subject requests, to conduct data protection impact assessments where required, and to notify supervisory authorities of data breaches where applicable.
- Notify the Customer without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting Customer data.
- At the Customer's choice, delete or return all personal data upon termination of the Agreement, and delete existing copies unless retention is required by applicable law.
- Make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA.
5. Technical and organisational security measures
ThinkATS implements the following technical and organisational measures to protect personal data:
- Tenant data isolation: Row-level security enforced at the database layer via Supabase. Each Customer's data is strictly isolated and inaccessible to other tenants at the database level.
- Access control: Role-based access control (RBAC) with four defined roles — Owner, Admin, Recruiter, Viewer — governing operational access within each workspace.
- Audit logging: Key hiring workflow actions (see clause 2) are recorded as timestamped events within the Customer's workspace, providing an operational audit trail of those actions.
- Communication security: Candidate emails are processed via an outbox-based queuing pattern, separating interface actions from message delivery and reducing risk of unintended communication.
- Infrastructure security: AWS production-grade infrastructure in the eu-west-1 (Ireland) region. AWS maintains ISO 27001 certification and SOC 1, SOC 2, and SOC 3 attestation reports.
- Encryption: Data encrypted in transit using TLS. Data encrypted at rest via AWS and Supabase default encryption.
- Authentication: Workspace authentication managed via Supabase Auth with support for secure password policies.
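For readers assessing the tenant-isolation and RBAC measures above, the following is an added illustration of how row-level security of this kind is expressed in Postgres/Supabase. It is example code written for this page, not ThinkATS's actual schema or policies; the table names (workspace_members, candidates), column names and the four role values are assumptions chosen to mirror the roles named in this clause.

```sql
-- Added illustrative example (not ThinkATS's schema). Names are assumptions.
-- Each workspace (tenant) has members with one of the four roles in clause 5.
create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null references auth.users (id),
  role         text not null check (role in ('owner', 'admin', 'recruiter', 'viewer')),
  primary key (workspace_id, user_id)
);

-- Candidate records are tagged with the workspace that owns them.
create table candidates (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  full_name    text not null,
  email        text,
  created_at   timestamptz not null default now()
);

-- Turn on RLS. FORCE makes the policies apply to the table owner as well.
alter table workspace_members enable row level security;
alter table candidates        enable row level security;
alter table candidates        force  row level security;

-- A caller may see only their own membership rows; the candidate policies
-- below rely on this when they look up the caller's workspaces.
create policy members_self on workspace_members
  for select to authenticated
  using (user_id = auth.uid());

-- Read access: any member of the owning workspace (Viewer included).
-- auth.uid() is Supabase's helper that returns the JWT subject of the caller.
create policy candidates_select on candidates
  for select to authenticated
  using (
    exists (
      select 1 from workspace_members m
      where m.workspace_id = candidates.workspace_id
        and m.user_id      = auth.uid()
    )
  );

-- Write access (insert/update/delete): operational roles only, so a Viewer
-- cannot create or modify candidate rows even though it can read them.
-- WITH CHECK stops a writer from moving a row into a workspace it is not in.
create policy candidates_write on candidates
  for all to authenticated
  using (
    exists (
      select 1 from workspace_members m
      where m.workspace_id = candidates.workspace_id
        and m.user_id      = auth.uid()
        and m.role in ('owner', 'admin', 'recruiter')
    )
  )
  with check (
    exists (
      select 1 from workspace_members m
      where m.workspace_id = candidates.workspace_id
        and m.user_id      = auth.uid()
        and m.role in ('owner', 'admin', 'recruiter')
    )
  );
```

Two points a reviewer of such measures should check. First, Postgres superusers and roles with BYPASSRLS are not constrained by policies; in Supabase the service-role key runs in such a role, so any server-side code using that key must enforce the tenant check itself rather than rely on RLS. Second, isolation is only as good as the policy set: a table that stores candidate data but has RLS disabled, or a policy written `using (true)`, silently breaks the isolation for that table, so the property is worth verifying per table (for example by querying pg_policies and pg_class.relrowsecurity) rather than assumed from a platform setting.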
6. Sub-processors
The Customer provides general authorisation for ThinkATS to engage the sub-processors listed in Schedule A. ThinkATS will notify the Customer of any intended changes to sub-processors — including additions or replacements — giving the Customer reasonable opportunity to object before the change takes effect.
ThinkATS ensures sub-processors are subject to data protection obligations consistent with this DPA.
7. International transfers
Personal data is stored in the EU (AWS eu-west-1, Ireland). Where any sub-processor transfers personal data outside the EEA or outside the Customer's country of establishment, ThinkATS will ensure that appropriate safeguards are in place, including standard contractual clauses or equivalent protections under applicable law.
8. Data subject rights
Where a candidate exercises a data subject right (access, rectification, erasure, portability, restriction, or objection) directly with ThinkATS, ThinkATS will promptly forward the request to the relevant Customer and provide reasonable technical assistance to enable the Customer to respond. The Customer remains responsible for responding to data subject requests as the data controller.
9. Termination and data deletion
Upon expiry or termination of the Agreement, ThinkATS will, at the Customer's written request made within 30 days of termination:
- Return all Customer personal data in a structured, machine-readable format; or
- Securely delete all Customer personal data from ThinkATS systems.
Where ThinkATS is required by applicable law to retain personal data beyond the termination of the Agreement, it will inform the Customer of this requirement and restrict processing of the retained data to the extent required by law.
If the Customer does not submit a written deletion or return request within 30 days of termination, ThinkATS will securely delete Customer personal data within 60 days of termination.
10. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the ThinkATS Terms of Service. ThinkATS's total liability under this DPA shall not exceed the total fees paid by the Customer to ThinkATS in the 12 months preceding the claim.
11. Governing law
This DPA is governed by the laws of the Federal Republic of Nigeria. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of Lagos State, Nigeria, without prejudice to any mandatory rights a Customer may have under the law of their country of establishment.
12. Contact
For data processing enquiries, DPA execution requests, or breach notifications:
Email: privacy@thinkats.com
ThinkATS Technology Solutions Limited
RC 9151027
18b Engineer Muali Subair Street, Lekki, Lagos, Nigeria
Schedule A — Authorised sub-processors
| Sub-processor | Purpose | Data location |
|---|---|---|
| AWS (Amazon Web Services) | Cloud hosting and infrastructure | eu-west-1 (Ireland) |
| Supabase | Database, authentication, storage | eu-west-1 (Ireland) |
| Resend | Transactional email delivery | USA (SCCs in place) |
| Paystack | Payment processing (billing data only) | Nigeria / USA |
| Plausible Analytics | Anonymised website analytics (no personal data) | EU (Germany) |