
Data Privacy

Last update:
August 18, 2025

Fastflo Global Data Processing Addendum (Processor)

Last updated: 09/09/2025

This Data Processing Addendum (“DPA”) forms part of and is subject to the agreement(s) between Fastflo and the customer entity that govern the use of Fastflo services (each, a “Main Agreement”). To the extent Fastflo Processes Personal Data on behalf of Customer in the course of providing the Services, the parties agree to the terms of this DPA.

1. Parties; Contact Details

Processor: Fastflo LLC (“Fastflo”). Privacy contact: [privacy@fastflo.ai].

Controller/Customer: The entity identified in the Main Agreement (“Customer”).

2. Definitions

Capitalized terms not defined in this DPA have the meanings in the Main Agreement. “GDPR” means Regulation (EU) 2016/679 and, where applicable, the UK GDPR; “UK GDPR” has the meaning given in section 3(10) of the UK Data Protection Act 2018; “CCPA” means the California Consumer Privacy Act of 2018 as amended by the CPRA; “Data Protection Laws” means all laws applicable to the Processing of Personal Data under the Main Agreement, including GDPR, UK GDPR, Swiss FADP and CCPA. “Standard Contractual Clauses” or “SCCs” means the modular clauses in Commission Implementing Decision (EU) 2021/914, as amended or replaced.

“Personal Data” means any information relating to an identified or identifiable natural person processed by Fastflo on behalf of Customer. “Processing”, “Controller”, “Processor”, “Data Subject” and other terms have the meanings in Data Protection Laws.

“Services” means Fastflo’s recruitment automation software platform, integrations (including ATS integrations), and related implementation, support and messaging services provided under the Main Agreement.

3. Roles of the Parties; Details of Processing

3.1 Roles. Customer is the Controller of Personal Data and appoints Fastflo as its Processor to Process Personal Data for the limited purposes of providing the Services. Where Customer acts as a processor on behalf of a third-party controller, Customer warrants that its instructions to Fastflo reflect the relevant controller’s instructions.

3.2 Documented Instructions. Fastflo will Process Personal Data only on Documented Instructions from Customer, including as set forth in the Main Agreement and this DPA, and as necessary to comply with law. Fastflo will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.

3.3 Details of Processing. The subject matter, duration, nature and purpose of Processing, the types of Personal Data and categories of Data Subjects are set out in Annex I (Details of Processing).

4. Customer Responsibilities

Customer is responsible for: (a) determining the lawfulness of Processing; (b) obtaining necessary notices and consents from Data Subjects (e.g., for messaging via channels such as WhatsApp); (c) configuring the Services to meet Customer’s compliance obligations; and (d) providing accurate and lawful instructions.

5. Confidentiality

Fastflo ensures that persons authorized to Process Personal Data are under appropriate duties of confidentiality and receive periodic privacy and security training.

6. Security Measures

6.1 Security. Taking into account the nature of Processing and the risks to Data Subjects, Fastflo implements and maintains appropriate technical and organizational measures (“TOMs”) available upon request.

6.2 Customer Controls. Customer is responsible for implementing its own security controls appropriate for its use of the Services (e.g., access management, role-based permissions, and ATS-side controls).

7. Personal Data Breach

Fastflo will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data Processed for Customer. The notification will include information Customer reasonably requires to meet its obligations, to the extent known at the time. Fastflo will promptly take reasonable steps to mitigate effects and prevent recurrence.

8. Subprocessors

8.1 Authorization. Customer authorizes Fastflo to engage Subprocessors to Process Personal Data in connection with the Services.

8.2 Subprocessor Obligations. Fastflo will: (a) enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those in this DPA; and (b) remain responsible for each Subprocessor’s performance.

8.3 Notice and Objection. Fastflo will maintain a Subprocessor List (available upon request) and provide advance notice of material changes. Customer may object on reasonable, material grounds relating to data protection by notifying Fastflo within 15 business days of the notice. If the parties cannot resolve the objection in good faith, Customer may suspend or terminate the affected Services (without penalty) and receive a pro‑rated refund of prepaid, unused fees for the terminated portion.

9. Assistance; Data Subject Requests

Taking into account the nature of the Processing, Fastflo will assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfill Customer’s obligations to respond to requests to exercise Data Subjects’ rights, to conduct data protection impact assessments, and to consult with supervisory authorities, as required by Data Protection Laws.

10. Audits and Information

Upon Customer’s written request, Fastflo will make available information reasonably necessary to demonstrate compliance with this DPA (e.g., policy summaries, security whitepapers, third‑party audit reports if available under NDA). Where such information is insufficient, Customer may conduct an audit no more than once per 12 months (or more frequently if required by a competent authority), upon 30 days’ notice, during normal business hours, without disrupting operations, and subject to confidentiality and reasonable time/materials fees for on‑site audits.

11. Data Hosting Locations

11.1 Locations. Fastflo may Process Personal Data in the United States and other jurisdictions where Fastflo or its Subprocessors maintain operations. Where Processing involves a transfer of Personal Data outside the EEA, UK, or Switzerland, Fastflo will comply with Chapter V GDPR and equivalent provisions.

12. Return and Deletion

Upon termination or expiration of the Main Agreement, Fastflo will, at Customer’s choice, return or delete Personal Data after a 30‑day retention period (unless a longer period is required by law). If Customer does not make a timely election, Fastflo will delete Personal Data after the retention period. Fastflo may retain minimal logs/records as required for proof of compliance, dispute resolution or legal obligations, subject to continued protections.

13. CCPA/CPRA (U.S.)

Where Fastflo Processes Personal Information subject to the CCPA on behalf of Customer, Fastflo acts as a Service Provider (or Contractor) and will: (a) Process such Personal Information solely for the Business Purposes of providing the Services and as otherwise permitted by CCPA; (b) not sell or share Personal Information; (c) not combine Personal Information with other data except as permitted by CCPA; (d) notify Customer of any Subcontractors (subprocessors) and bind them by written agreement; and (e) make available information necessary to demonstrate compliance. Fastflo certifies it understands and will comply with these restrictions.

14. Liability; Order of Precedence

The limitations of liability in the Main Agreement apply to this DPA. In case of conflict between this DPA and the Main Agreement, this DPA controls to the extent of the conflict and solely with respect to Processing of Personal Data. The SCCs (and UK Addendum) prevail over this DPA to the extent of direct conflict for cross‑border transfers.

15. Miscellaneous

Nothing in this DPA confers any third‑party rights. This DPA is effective on the Effective Date of the Main Agreement (or the date the parties otherwise agree) and remains in force for so long as Fastflo Processes Personal Data for Customer.

Annex I – Details of Processing

Subject Matter: Processing of Personal Data submitted to or collected via the Services in connection with recruitment automation and communications.

Duration: For the term of the Main Agreement and any post‑termination data export period.

Nature and Purpose: Hosting, storage, retrieval, transmission, and other Processing necessary to provide the Services; messaging and scheduling workflows; ATS integrations; analytics and reporting for performance and reliability; security and abuse prevention.

Types of Personal Data: Determined by Customer configuration and lawful instructions, typically including:

  • Identification data (name, email address, phone number, messaging handle, candidate ID);
  • Professional and application data (CV/resume content, role applied for, requisition identifiers, work history, qualifications, screening responses);
  • Scheduling and coordination data (availability, interview times, calendar metadata);
  • Communications metadata (timestamps, status, delivery/receipt indicators, IP address, user agent, device/browser metadata);
  • Recruiter/administrator account data (name, business contact details, role/permissions);
  • Any other data Customer elects to submit consistent with the Main Agreement.

Special Categories: Not intended, but may be Processed where submitted by Customer in the recruitment context (e.g., disability accommodations) in which case Customer is responsible for identifying a lawful basis and providing instructions; Fastflo will apply enhanced protections.

Categories of Data Subjects: Job applicants and candidates; Customer’s recruiters and HR personnel; other Authorized Users.

Processing Locations: United States; other locations of Subprocessors as notified.
