Legal

Data Processing Addendum

Last updated: 30 June 2026

Template notice. This Data Processing Addendum (DPA) is a starting template. Review and adapt it with qualified legal counsel before relying on it.

This DPA forms part of the agreement between the customer (“Controller”) and AiTS Express by XTen (“Processor”) for personal data processed in the AiTS Express product.

1. Roles & scope

The Controller determines the purposes of processing candidate and team data. AiTS Express processes that data only on the Controller’s documented instructions to provide the service.

2. Subject matter & categories

  • Subject matter: applicant tracking, AI scoring, sourcing, and hiring workflow.
  • Data subjects: job applicants, candidates, and the Controller’s team members.
  • Categories: contact details, CV/résumé content, application data, scores, notes, and audit records.

3. Security measures

  • Row-level data isolation, fail-closed: queries are scoped to the workspace, and access is denied if ownership can’t be confirmed.
  • Optional dedicated database and data residency on the Scale plan.
  • Two-factor authentication, a complete audit log, and encryption in transit.
  • Per-workspace AI metering and budget caps.

4. Sub-processors

AiTS Express uses vetted sub-processors (for example, hosting and transactional email providers) under written contracts with equivalent obligations. A current list is available on request; we will give notice of changes so the Controller may object.

5. Data subject rights

The product provides export and erasure tools so the Controller can fulfil access, portability, and right-to-erasure (GDPR / PDP) requests. AiTS Express assists the Controller with such requests.

6. International transfers

Where data is transferred across borders, appropriate safeguards (such as standard contractual clauses) are used. Data residency options can keep data in a required region.

7. Return & deletion

On termination, the Controller can export its data; we then delete or anonymise it within a reasonable period, except where retention is legally required.

8. Contact

For DPA requests or our sub-processor list, email support@xten.pro.