Data Processing Addendum
This page contains the substantive terms of the Data Processing Addendum (“DPA”) we enter into with recruiter customers. The executed, countersigned version is available from legal@hiringtest.ai. For our security posture more broadly, see the Trust & Security page; for what we collect and why, see the Privacy Policy.
Effective date: May 19, 2026
This DPA is entered into between Sidekick Software Inc. (“Processor”, “we”), a Delaware corporation operating HiringTest.ai and HiringCase.com, and the customer organization that has accepted our Terms of Service (“Controller”, “you”).
For purposes of GDPR, UK Data Protection Act, and analogous laws: you are the Data Controller of the personal data of your candidates and team members; we are the Data Processor acting on your documented instructions. For purposes of CCPA, we are a Service Provider; we do not sell or share personal information for cross-context behavioural advertising.
We process personal data on your behalf for the purpose of providing the HiringTest.ai platform: generating, scoring, and presenting candidate assessments; managing pipeline state and dispositions; integrating with your applicant- tracking system; computing fraud and integrity signals; and providing supporting product features (HiringCase living résumé, endorsements, identity verification when enabled).
Data subjects: your candidates, your employees and team members (recruiters, hiring managers, IT support roles), and endorsers a candidate has invited to attest to their work history.
Categories of personal data: name, email, profile image, LinkedIn headline and URL, authentication identifiers, assessment responses (text, audio, video), AI sandbox conversation logs, uploaded files (resume, portfolio), self-reported AI proficiency and tool selections, integrity signals (timing, tab-switch + paste events, browser fingerprint), and identity-verification artifacts (where Controller has opted in). No special- category data (race, ethnicity, religion, health, sexual orientation, biometric data outside identity verification) is required or solicited by the platform; if a Controller configures custom prompts that solicit such data, that Controller is solely responsible.
We process personal data for the duration of your subscription, subject to the retention windows described in the Privacy Policy. On termination of your subscription, we delete personal data within 90 days, except where we are required to retain specific records to comply with legal obligations or to resolve disputes.
We will:
You authorize us to engage the subprocessors listed in our Privacy Policy, Section 7. We impose data-protection obligations on each subprocessor that are substantially the same as those set out in this DPA. We remain liable for any acts or omissions of a subprocessor to the same extent as if we had performed them ourselves.
We will provide at least 30 days' advance notice of any intended addition or replacement of subprocessors processing your customer data. You may object to such changes on reasonable data-protection grounds; in that case the parties will work in good faith to resolve the objection, and you may terminate the affected services if a resolution cannot be reached.
Personal data is hosted in the United States. Where data is transferred from the European Economic Area, the United Kingdom, or Switzerland to the United States, the parties will rely on the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor) and the UK International Data Transfer Addendum, both as updated from time to time. Such clauses are deemed incorporated into this DPA by reference and take precedence in case of conflict.
We maintain industry-standard technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These include:
A more detailed description of our security posture is available at /trust. SOC 2 Type II attestation is in progress.
You may audit our compliance with this DPA once per year, on at least 30 days' written notice, during normal business hours, and at your own cost. Audits are scoped to information reasonably necessary to verify compliance, and we will satisfy audit requirements primarily by providing our most recent SOC 2 Type II report (or, until issued, our equivalent ISMS documentation), the penetration-test summary, and the subprocessor + retention disclosures referenced in this DPA. On-site audits are not permitted except where required by a competent supervisory authority.
We will notify you without undue delay, and in any case within 72 hours, of becoming aware of a Personal Data Breach affecting your data. The notification will include the nature of the breach, categories and approximate number of data subjects and records concerned (where known), the likely consequences, and the measures taken or proposed.
Report suspected incidents to security@hiringtest.ai.
On termination of the services, we will, at your choice, delete or return personal data to you within 90 days, except where storage is required by applicable law. Standard candidate-data export is available as a CSV; an additional structured-JSON dump is available on request.
Each party's liability under or in connection with this DPA, taken together with the corresponding underlying agreement (the Terms of Service), is subject to the limitations of liability set out in the underlying agreement. Nothing in this DPA limits a party's liability where such limitation is prohibited by applicable data-protection law.
This DPA is governed by the law of the state of Delaware, U.S.A., except that, where transfers covered by Standard Contractual Clauses are concerned, the law and jurisdiction provisions of those clauses prevail.
In case of conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of personal data. In case of conflict between this DPA and the Standard Contractual Clauses (where applicable), the SCCs prevail.
We may update this DPA from time to time to reflect changes in applicable law, regulatory guidance, our service, or our subprocessor list. Material changes will be communicated at least 30 days in advance to enterprise customers.
DPA-related inquiries: legal@hiringtest.ai. Security-incident reports: security@hiringtest.ai. Data-subject requests: privacy@hiringtest.ai.