This Data Processing Addendum ("DPA") forms part of the agreement between you (the "Customer") and JuggleHire LLC ("JuggleHire") governing your use of the JuggleHire hiring platform (the "Service"), comprising the JuggleHire Terms of Service available at jugglehire.com/terms-and-conditions and any order form executed between the parties (together, the "Agreement").

This DPA reflects the parties' agreement on the processing of Customer Personal Data in connection with the Service. It applies to the extent JuggleHire processes Personal Data on behalf of the Customer that is subject to the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the UK General Data Protection Regulation and the Data Protection Act 2018 ("UK GDPR"), or the Swiss Federal Act on Data Protection ("FADP") (collectively, "Data Protection Laws").

In the event of a conflict between this DPA and any other terms of the Agreement, this DPA controls solely with respect to the processing of Customer Personal Data subject to Data Protection Laws.

1. Definitions

Capitalised terms used and not otherwise defined in this DPA have the meanings given to them in the GDPR. In addition:

• "Customer Personal Data" means Personal Data uploaded to or generated within the Service by or on behalf of the Customer, including candidate names, email addresses, phone numbers, resumes, application answers, assessment responses, video recordings, and any other Personal Data the Customer or its candidates submit through the Service.
• "Sub-Processor" means any third party engaged by JuggleHire to process Customer Personal Data on JuggleHire's behalf.
• "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR, as approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, available at eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
• "UK Addendum" means the United Kingdom International Data Transfer Addendum to the EU SCCs, issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018.

2. Roles and Scope

With respect to Customer Personal Data, the Customer is the data controller and JuggleHire is the data processor. JuggleHire shall process Customer Personal Data only on documented instructions from the Customer, including the instructions set out in the Agreement, this DPA, and as configured by the Customer in the Service. JuggleHire shall not process Customer Personal Data for any purpose other than the provision of the Service to the Customer.

Annex 1 sets out the subject-matter, duration, nature, purpose, types of Personal Data, and categories of data subjects concerned by the processing.

3. Customer Obligations

The Customer warrants that:

• it has provided all required notices and obtained all required consents or other lawful bases for the processing of Customer Personal Data, including from candidates;
• its instructions to JuggleHire in respect of Customer Personal Data comply with Data Protection Laws;
• it has the right to transfer or provide access to Customer Personal Data to JuggleHire and the Sub-Processors listed at jugglehire.com/sub-processors.

4. JuggleHire Obligations

JuggleHire shall:

• process Customer Personal Data only on documented Customer instructions, including with regard to international transfers, unless required to do so by EU, UK, or Member State law to which JuggleHire is subject (in which case JuggleHire shall inform the Customer of that legal requirement before processing, unless prohibited by law on important grounds of public interest);
• ensure that personnel authorised to process Customer Personal Data are bound by confidentiality obligations of an appropriate nature (whether contractual or statutory);
• implement and maintain the technical and organisational security measures described in Annex 2 and designed to ensure a level of security appropriate to the risk;
• promptly notify the Customer if, in JuggleHire's opinion, a Customer instruction infringes Data Protection Laws;
• taking into account the nature of the processing, assist the Customer with appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer's obligation to respond to data subject requests under GDPR Articles 12–22;
• assist the Customer in ensuring compliance with GDPR Articles 32–36 (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of the processing and information available to JuggleHire.

5. Sub-Processors

The Customer grants JuggleHire general written authorisation to engage Sub-Processors, subject to this Section 5. The current list of Sub-Processors is published at jugglehire.com/sub-processors and is incorporated into this DPA by reference.

JuggleHire shall provide at least 30 days' advance notice of any new Sub-Processor by updating the published list and, where the Customer has subscribed to change notifications, by email. Customers may subscribe by emailing hello@jugglehire.com with the subject line "Subscribe to sub-processor changes".

The Customer may object to a new Sub-Processor by giving JuggleHire reasonable, good-faith reasons in writing within 30 days of the notice. JuggleHire shall use reasonable efforts to make available to the Customer a change in the Service or recommend a commercially reasonable alternative. If JuggleHire is unable to do so, the Customer's exclusive remedy is to terminate the affected portion of the Service for convenience by providing written notice to JuggleHire, in which case JuggleHire shall refund any pre-paid fees covering the unused remainder of the subscription term.

JuggleHire shall enter into a written agreement with each Sub-Processor imposing data-protection obligations substantially equivalent to those set out in this DPA. JuggleHire remains liable to the Customer for the acts and omissions of its Sub-Processors as if performed by JuggleHire itself.

6. International Transfers

Where JuggleHire transfers Customer Personal Data of EEA, UK, or Swiss data subjects to a country that has not been deemed adequate by the European Commission, the UK government, or the Swiss Federal Council (a "Restricted Transfer"), the parties agree that the transfer is subject to:

• the SCCs, Module 2 (controller-to-processor), which are hereby incorporated by reference into and form part of this DPA, with the Customer as data exporter and JuggleHire as data importer; and
• for transfers from the United Kingdom, the UK Addendum, with the relevant tables completed in line with the Agreement and this DPA; and
• for transfers from Switzerland, the SCCs as adapted under the FADP and the guidance of the Swiss Federal Data Protection and Information Commissioner.

The parties agree that:

• Clause 7 (Docking clause) of the SCCs is not adopted; Clause 9 option 2 (general written authorisation for Sub-Processors) applies, with the 30-day notice period set out in Section 5; Clause 11 option to refer disputes to an independent dispute resolution body is not adopted; Clause 17 governing law is the law of Ireland; Clause 18 forum is the courts of Ireland.
• The Annexes to the SCCs are deemed populated by Annex 1, Annex 2, and Annex 3 of this DPA respectively.

Where a Sub-Processor is self-certified under the EU-US Data Privacy Framework, transfers to that Sub-Processor may additionally rely on that adequacy mechanism.

7. Personal Data Breaches

JuggleHire shall notify the Customer without undue delay and in any event within 72 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification shall describe, to the extent known at the time:

• the nature of the breach including, where possible, the categories and approximate number of data subjects and records concerned;
• the likely consequences of the breach;
• the measures taken or proposed to be taken to address the breach and mitigate its effects.

JuggleHire shall provide reasonable cooperation and assistance to the Customer in fulfilling its breach-notification obligations under GDPR Articles 33 and 34.

8. Data Subject Rights

JuggleHire provides the following functionality in the Service to assist the Customer in responding to data subject requests:

• a candidate-facing public request flow on each Customer's tenant subdomain at https://{customer}.jugglehire.com/privacy/request where candidates can request a copy of, or deletion of, their Personal Data;
• recruiter-side controls to anonymise, hard-delete, or export a candidate's Personal Data on demand;
• per-tenant retention controls to configure the maximum retention period for rejected and inactive candidates.

Where JuggleHire receives a data subject request directed at Customer Personal Data, it shall not respond directly to the data subject (other than to acknowledge receipt and refer the request to the Customer) and shall promptly forward the request to the Customer.

9. Audits

JuggleHire shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA. On reasonable prior written notice (not less than 30 days, except in the case of an actual or suspected Personal Data Breach), and no more than once per calendar year, JuggleHire shall allow for and contribute to audits conducted by the Customer or another auditor mandated by the Customer, subject to:

• the Customer (or its auditor) entering into a confidentiality agreement reasonably acceptable to JuggleHire;
• the audit being conducted at the Customer's expense during JuggleHire's normal business hours and in a manner designed not to interfere unreasonably with JuggleHire's operations;
• the audit not extending to JuggleHire's other customers' data, JuggleHire's commercially confidential information, or to any audited certifications or reports JuggleHire makes available (including SOC reports or equivalent), which JuggleHire may provide in lieu of an on-site audit where they reasonably address the scope of the proposed audit.

10. Return and Deletion

On termination or expiry of the Agreement, JuggleHire shall, at the Customer's election, return or delete all Customer Personal Data in its possession or control, save for copies that JuggleHire is required to retain under applicable law (in which case JuggleHire shall continue to apply this DPA to such copies until they are deleted). The Customer may export its data via the Service before the deletion timeline elapses; JuggleHire's standard deletion timeline after termination is set out in our retention policy at jugglehire.com/privacy-policy.

11. Liability

Note: The liability provisions of this DPA are intended to be governed by the limitation-of-liability clause in the Agreement (Terms of Service). Customers requiring negotiated indemnity or liability caps in respect of this DPA should contact hello@jugglehire.com to execute a customer-specific addendum.

Each party's liability arising out of or in connection with this DPA, whether in contract, tort (including negligence), or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits or excludes either party's liability where it cannot be limited or excluded under applicable law (including in respect of fraud, fraudulent misrepresentation, or wilful misconduct).

12. Term and Survival

This DPA takes effect on the Effective Date of the Agreement and remains in force for as long as JuggleHire processes Customer Personal Data on the Customer's behalf. Sections that by their nature should survive termination (including Sections 1, 7, 9, 10, 11, and 13) shall do so.

13. General

• Governing law and jurisdiction. This DPA is governed by the laws of Ireland; the courts of Ireland have exclusive jurisdiction over any dispute, save where the SCCs require otherwise.
• Order of precedence. If any provision of this DPA conflicts with a provision of the SCCs, the SCCs prevail to the extent of that conflict.
• Updates. JuggleHire may update this DPA from time to time. Material updates will be notified to Customer-account owners by email and via in-app notification at least 30 days before they take effect; immaterial updates may be made by publication on this page.
• Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in full force and effect.

Annex 1 — Description of Processing

Subject-matter. Provision of the JuggleHire hiring platform to the Customer pursuant to the Agreement.

Duration. For the term of the Agreement plus any retention period required by applicable law, set out in the JuggleHire Privacy Policy.

Nature and purpose. Processing operations include collection, recording, organisation, structuring, storage, retrieval, consultation, use, disclosure by transmission, alignment, combination, restriction, erasure, and destruction. The purpose is to enable the Customer to manage candidate sourcing, applicant tracking, evaluation, interview scheduling, and offer management.

Categories of data subjects. (a) The Customer's employees and authorised users (recruiters, hiring managers, team owners); (b) candidates and prospective candidates whose Personal Data is uploaded to or generated within the Customer's JuggleHire workspace.

Categories of Personal Data.

• identification and contact data (name, email, phone, profile photo);
• professional data (resume content, work history, education, skills, links to professional profiles);
• application content (cover letters, application form answers, scenario answers);
• assessment responses (text answers, multiple-choice selections, audio/video recordings, files);
• communications (in-product messages, interview booking details);
• technical data (IP address, user agent, cookie identifiers, device information).

Special categories. JuggleHire does not request or require Personal Data of the special categories described in GDPR Article 9. Customers must not upload such Personal Data unless they have a lawful basis under Article 9(2) and have notified JuggleHire in writing.

Annex 2 — Technical and Organisational Measures

JuggleHire implements and maintains the following measures designed to protect Customer Personal Data:

• Encryption. Data in transit is encrypted using TLS 1.2 or higher; data at rest is encrypted using AES-256 (database, object storage, backups).
• Access control. Role-based access control (Owner, Admin, Recruiter) with the principle of least privilege. Production access for JuggleHire personnel is limited to a minimum, audit-logged, and protected by multi-factor authentication.
• Tenant isolation. Customer data is logically segregated by team_id at every layer (controller, service, database query). Cross-tenant access is blocked at the framework level and tested in CI.
• Logging and monitoring. Append-only application activity log; security and uptime monitoring across application, queue, and storage layers.
• Backups. Encrypted automated backups with point-in-time restore.
• Vulnerability management. Regular dependency scanning, security updates, and code review on every pull request.
• Personnel. Confidentiality obligations for all personnel; security-awareness expectations as part of onboarding.
• Incident response. Documented breach-response procedure, including 72-hour Customer notification in the event of a Personal Data Breach.
• Sub-processor diligence. Sub-processors are selected for their security posture and bound by contractual obligations substantially equivalent to those in this DPA.

Annex 3 — Sub-Processors

The current list of authorised Sub-Processors is published at jugglehire.com/sub-processors and is incorporated by reference into this DPA.

Acceptance. By clicking Accept Data Processing Addendum inside the JuggleHire app, the Customer accepts this DPA on behalf of the legal entity that owns the JuggleHire workspace. Acceptance is recorded with timestamp, acceptor identity, and DPA version. Customers requiring a counter-signed copy on company letterhead may request one by emailing hello@jugglehire.com.