Data Processing Addendum

Effective April 29, 2026

The short version

  • This Data Processing Addendum (“DPA”) supplements and forms part of the Sorinai Terms of Service (the “Agreement”) between Sorinai Ltd and the customer named on the applicable order or account (“Customer”).
  • Sorinai acts as a processor for Customer Data (most commonly, candidate transcripts, recordings, notes, and uploaded documents). Customer is the controller and is responsible for the lawful basis of processing, including obtaining recording consent from candidates.
  • Our subprocessors are listed on our Privacy Policy. Any change to that list will be notified in advance.
  • Where personal data is transferred outside the UK or EEA, we rely on the UK International Data Transfer Addendum and the European Commission's Standard Contractual Clauses, incorporated into this DPA by reference.
  • Questions or requests: privacy@sorinai.com.

1. Definitions

Capitalised terms used in this DPA but not defined here have the meaning given in the Agreement. The following definitions apply:

  • “Customer Data” means personal data that Sorinai processes on behalf of Customer to provide the Services, including session audio, transcripts, notes, AI-generated outputs, and any reference material (such as resumes or job descriptions) that Customer or its end users upload to the Services.
  • “Data Protection Laws” means all data protection and privacy laws applicable to the processing of Customer Data under this DPA, including the UK GDPR, the EU GDPR, the UK Data Protection Act 2018, and, where applicable, U.S. state privacy laws (including the CCPA).
  • “controller”, “processor”, “data subject”, “personal data”, “processing”, and “personal data breach” have the meanings given in the UK GDPR (and equivalent terms under other Data Protection Laws).
  • “Sub-processor” means any third party engaged by Sorinai to process Customer Data in connection with the Services.
  • “Subprocessor List” means the list of Sorinai's subprocessors published at sorinai.com/privacy.
  • “SCCs” means the standard contractual clauses approved by the European Commission under Decision (EU) 2021/914 of 4 June 2021, as may be amended or replaced.
  • “UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018.

2. Scope and roles

In providing the Services, Sorinai processes Customer Data on behalf of Customer. For the purposes of Data Protection Laws, Customer is the controller of Customer Data and Sorinai is the processor. Where Customer is itself a processor on behalf of a third party (for example, an end-client of a recruitment agency), Sorinai is a sub-processor and the obligations in this DPA apply on that basis.

This DPA, the Agreement, and the configuration choices Customer makes within the Services together constitute Customer's documented instructions to Sorinai for the processing of Customer Data (“Customer Instructions”). Sorinai will process Customer Data only in accordance with Customer Instructions, except where required to do otherwise by law (in which case Sorinai will inform Customer of the requirement before processing, unless legally prohibited from doing so).

3. Details of processing

The subject matter, duration, nature, purpose, types of personal data, and categories of data subjects involved in the processing are set out in Schedule 1 to this DPA.

4. Sorinai's obligations

4.1 Confidentiality

Sorinai will ensure that all personnel authorised to process Customer Data are bound by appropriate obligations of confidentiality.

4.2 Security

Sorinai will implement and maintain technical and organisational measures appropriate to the risk of the processing, as described in Schedule 2 to this DPA.

4.3 Personal data breaches

Sorinai will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data, and will provide reasonable information and assistance to enable Customer to comply with its own obligations under Data Protection Laws.

4.4 Data subject requests

Taking into account the nature of the processing, Sorinai will provide reasonable assistance (including by appropriate technical and organisational measures) to enable Customer to respond to requests from data subjects exercising their rights under Data Protection Laws. If Sorinai receives a request directly from a data subject in respect of Customer Data, Sorinai will, to the extent legally permitted, refer the data subject to Customer and not respond to the request without Customer's instructions.

4.5 Assistance with DPIAs and consultations

Taking into account the nature of the processing and the information available to Sorinai, Sorinai will provide reasonable assistance to Customer with data protection impact assessments and any required prior consultations with supervisory authorities, where these relate to Sorinai's processing of Customer Data.

4.6 Notices

Sorinai will inform Customer if, in Sorinai's reasonable opinion, an instruction from Customer infringes Data Protection Laws. Sorinai will also, to the extent legally permitted, inform Customer of any legally binding request for disclosure of Customer Data received from a public authority.

5. Sub-processors

Customer provides a general authorisation for Sorinai to engage the Sub-processors listed on the Subprocessor List for the processing of Customer Data.

Sorinai will impose on each Sub-processor data protection obligations no less protective than those contained in this DPA, and will remain responsible to Customer for the performance of each Sub-processor's obligations to the same extent as if Sorinai were performing them itself.

Sorinai will give Customer prior notice of any intended addition or replacement of a Sub-processor, by updating the Subprocessor List and notifying Customer by email or in-product notice. Customer may object to the change on reasonable data-protection grounds within 30 days of the notice, by writing to privacy@sorinai.com. If the Parties cannot resolve the objection within a further 30 days, Customer may terminate the affected portion of the Services and receive a pro-rata refund of any pre-paid fees covering the period after termination.

6. International transfers

Sorinai's primary infrastructure is located in the United Kingdom and Western Europe. Some Sub-processors are located in, or transfer Customer Data to, the United States or other third countries.

Where Customer Data is transferred from the United Kingdom or the EEA to a country that is not the subject of an adequacy decision, the Parties agree that:

  • the SCCs are incorporated into this DPA by reference and apply to the transfer, with Module Two (controller to processor) applying where Customer is a controller and Module Three (processor to processor) applying where Customer is a processor; and
  • for transfers of UK personal data, the SCCs apply as amended by the UK Addendum, which is incorporated into this DPA by reference.

For each module of the SCCs that applies: (i) the optional docking clause in Clause 7 does not apply; (ii) in Clause 9, Option 2 (general written authorisation) applies, with the notice period set out in Section 5 of this DPA; (iii) the optional language in Clause 11 does not apply; (iv) the governing law in Clause 17 (Option 1) is the law of England and Wales; (v) the courts of England and Wales have jurisdiction under Clause 18(b); (vi) Schedule 1 to this DPA contains the information required by Annex I and Annex III; and (vii) Schedule 2 to this DPA contains the information required by Annex II. The competent supervisory authority is the UK Information Commissioner's Office.

7. Audit

On Customer's reasonable written request, and no more than once in any 12-month period, Sorinai will make available information reasonably necessary to demonstrate compliance with this DPA. Where available, Sorinai may satisfy this obligation by providing summaries of independent audit or certification reports. Any audit information made available under this Section is the confidential information of Sorinai.

Where Data Protection Laws require Customer to carry out an on-site audit, Sorinai will cooperate in good faith on the scope, timing, and conduct of such audit, which must be undertaken in a manner that minimises disruption to Sorinai's business and is conducted at Customer's cost.

8. Data return and deletion

Customer may delete Customer Data at any time using the controls available in the Services. Following expiry or termination of the Agreement, Sorinai will, at Customer's choice, return or delete Customer Data within a reasonable period, except where retention is required by applicable law (in which case Sorinai will isolate and protect the retained data and limit further processing accordingly). Backups containing Customer Data may persist for a limited further period in line with Sorinai's and its Sub-processors' backup cycles before being overwritten.

9. Customer obligations

Customer warrants that it has, and will maintain throughout the term of the Agreement, all notices, consents, lawful bases, and other rights required under Data Protection Laws to provide Customer Data to Sorinai and to authorise Sorinai (and its Sub-processors) to process it as contemplated by the Agreement and this DPA. In particular, Customer is responsible for obtaining any recording or transcription consents required from participants in any session captured using the Services.

Customer is responsible for the configuration and design choices it makes within the Services (including retention, deletion, sharing, and access controls) and for ensuring those choices are appropriate under Data Protection Laws.

10. U.S. state privacy laws

To the extent any U.S. state privacy law (including the CCPA) applies to Customer Data: (a) Sorinai is a service provider / processor and not a third party; (b) Sorinai will not sell or share Customer Data, retain, use, or disclose it outside the direct business relationship between the Parties, or combine it with personal data from other sources except as permitted by law; (c) Sorinai will provide reasonable assistance to enable Customer to respond to consumer requests; and (d) Sorinai will notify Customer if it determines it can no longer meet its obligations under the applicable U.S. state privacy law.

11. Liability

Each Party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

12. Term and termination

This DPA takes effect on the effective date above (or, if later, the start date of the Agreement) and continues for the duration of the Agreement and for so long thereafter as Sorinai processes Customer Data.

13. Governing law

This DPA is governed by the law of England and Wales, and the courts of England and Wales have exclusive jurisdiction over any dispute arising out of or in connection with it, without prejudice to any mandatory provision of Data Protection Laws.

14. Order of precedence

In the event of any conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict in respect of the subject matter of this DPA. The SCCs (as amended by the UK Addendum where applicable) prevail over this DPA in respect of the subject matter of those clauses.

15. Contact

For questions about this DPA or to make a request under it, contact privacy@sorinai.com. General enquiries: hello@sorinai.com.

Schedule 1 — Details of processing

Parties

Data exporter: Customer, as identified in the Agreement. The data exporter is the controller of Customer Data (or, where applicable, a processor acting on behalf of a third-party controller).

Data importer: Sorinai Ltd, a private limited company registered in England and Wales (company number 17153714) with its registered office at 4 Baltimore Wharf, London, E14 9AQ, United Kingdom. The data importer is the processor of Customer Data. Contact: privacy@sorinai.com.

Subject matter and purpose

Provision of the Sorinai Services to Customer under the Agreement, including the capture and transcription of recruitment conversations, generation of AI-assisted notes and suggestions, and storage of related Customer-supplied reference material.

Duration

The duration of the Agreement, plus any further period reasonably required to perform deletion or return of Customer Data.

Nature of the processing

Collection, recording, organisation, storage, transmission, transcription, AI-assisted analysis, retrieval, and deletion of Customer Data, as required to provide the Services.

Categories of data subjects

  • Customer's authorised users (recruiters and admins);
  • candidates and other participants in conversations captured using the Services;
  • individuals identified in reference material uploaded by Customer (for example, references named in a CV).

Categories of personal data

  • identifiers (name, email, organisation, role);
  • audio and transcripts of recruitment conversations, including anything participants choose to say;
  • content of resumes, job descriptions, qualification templates, and notes uploaded by Customer or its users;
  • AI-generated outputs derived from the above (summaries, suggested questions, qualification status, and similar);
  • account, usage, and device information necessary to operate the Services.

Special category data

The Services are not intended to process special category data (as defined in Article 9 UK GDPR) or criminal-offence data. However, recruitment conversations and CVs may incidentally contain such data (for example, references to health, ethnicity, religion, or trade union membership) where a data subject volunteers it. Customer is responsible for ensuring it has an appropriate Article 9 condition and any required additional safeguards before such data enters the Services.

Frequency of processing

Continuous, for the duration of the Agreement.

Sub-processors

The current list of Sub-processors is published at sorinai.com/privacy.

Competent supervisory authority

The UK Information Commissioner's Office (ICO) is the competent supervisory authority. Where the EU GDPR applies and the processing falls within the jurisdiction of an EU supervisory authority, that authority is competent for the relevant processing.

Schedule 2 — Security measures

Sorinai applies the following technical and organisational measures to protect Customer Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing:

  • Encryption in transit. All connections to the Services and to Sub-processors are protected by TLS.
  • Encryption at rest. Customer Data is stored on infrastructure that encrypts data at rest at the storage layer.
  • Access control. Authentication is performed by an established identity provider; access to Customer Data in the Services is scoped to Customer's organisation and the users Customer authorises.
  • Personnel. Sorinai personnel with access to production systems are bound by confidentiality obligations and are granted access only as needed to operate and support the Services.
  • Vendor management. Sorinai contracts with Sub-processors under written agreements imposing data protection obligations no less protective than this DPA.
  • Logging and monitoring. Application and infrastructure events are logged and monitored to support operational reliability and the detection of suspicious activity.
  • Resilience and recovery. Customer Data is stored on infrastructure with regular backups operated by Sorinai's infrastructure Sub-processors.
  • Incident response. Sorinai maintains procedures for identifying, investigating, and notifying personal data breaches affecting Customer Data.
  • Deletion. Customer can delete Customer Data from within the Services. Account closure triggers removal of Customer Data from active systems, subject to backup cycles described above.

Sorinai may update the measures in this Schedule from time to time, provided that any update does not materially decrease the overall level of security of the Services.