1. Application
This DPA is entered into between Vitae AI Ltd, a company registered in England & Wales with its registered office in London, United Kingdom (“Vitae”, “Processor”) and the customer that has entered into the Vitae Terms of Service or an Order with Vitae (“Customer”, “Controller”) (each a “Party”).
This DPA governs the processing of Customer Personal Data by Vitae as a processor and forms part of the Agreement between the Parties. In the event of a conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict for matters of data protection.
2. Definitions
- Agreement — the Vitae Terms of Service and any Order signed or accepted by Customer.
- Applicable Data Protection Law — the UK GDPR, the Data Protection Act 2018, the EU GDPR, the EU ePrivacy Directive (and national implementations), and any other applicable data protection or privacy law.
- Customer Personal Data — personal data within the Customer Data that Vitae processes on Customer’s behalf in providing the Services.
- Data Subject, Personal Data, Processing, Controller, Processor, Sub-processor, Supervisory Authority — have the meanings given in the Applicable Data Protection Law.
- Standard Contractual Clauses — the EU Commission Decision 2021/914 module-2 clauses (controller-to-processor) and the UK International Data Transfer Addendum.
3. Scope and roles
Customer is the Controller and Vitae is the Processor of Customer Personal Data. The subject matter, duration, nature, purpose, types of personal data, and categories of data subjects are described in Annex A.
Each Party is responsible for compliance with its respective obligations under Applicable Data Protection Law. Customer is responsible for ensuring it has a lawful basis for the processing it instructs Vitae to perform.
4. Processing instructions
Vitae will process Customer Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required to do so by Applicable Data Protection Law.
Customer’s use of the Services and configuration choices in the product are documented instructions. Customer may issue further written instructions by email to hello@vitae.ai. Vitae will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
5. Personnel
Vitae will ensure that personnel authorised to process Customer Personal Data are bound by confidentiality obligations and have received appropriate training on data protection. Access to Customer Personal Data is granted on a least-privilege basis.
6. Security measures
Vitae will implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, that data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.
The measures in force at the date of this DPA are described in Annex B. Vitae may update those measures from time to time provided the level of protection is not materially decreased.
7. Sub-processors
Customer grants Vitae a general authorisation to engage sub-processors to assist in providing the Services, subject to the conditions in this clause. The current list of sub-processors is set out in Annex C and on the Trust Centre.
- Vitae will impose data protection obligations on each sub-processor that are no less protective than those in this DPA.
- Vitae remains liable for the acts and omissions of its sub-processors as if they were its own.
- Vitae will give Customer at least 30 days’ prior notice of any new or replacement sub-processor by updating the Trust Centre and notifying customers who have subscribed to updates.
- Customer may object on reasonable data-protection grounds within 14 days of notice. The Parties will work in good faith to resolve the objection; if not resolved, Customer may terminate the affected Services on written notice without further liability.
8. Data subject rights
Vitae will provide the Services in a way that enables Customer to respond to data subject requests under Applicable Data Protection Law. Where Vitae receives a request directly from a data subject in respect of Customer Personal Data, Vitae will not respond directly (other than to direct the request to Customer) and will inform Customer without undue delay.
Vitae will provide reasonable assistance to Customer, taking into account the nature of the processing, in fulfilling Customer’s obligations to respond to data subject requests, including by providing self-service tooling where available.
9. Personal data breaches
Vitae will notify Customer without undue delay, and in any event within 72 hours, of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent then known:
- The nature of the breach including, where possible, the categories and approximate number of data subjects and records concerned.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and to mitigate its possible adverse effects.
- A point of contact for further information.
Vitae will document each breach and provide reasonable assistance to Customer in complying with Articles 33 and 34 of the GDPR.
10. International transfers
Where Customer Personal Data is transferred from the UK or EEA to a country that has not received an adequacy decision, the Parties agree that the Standard Contractual Clauses (and the UK Addendum where applicable) are incorporated into this DPA by reference and will apply between Customer (as data exporter) and Vitae and any onward sub-processor (as data importer), with the optional clauses selected as follows:
- Docking clause included;
- Option 2 for Clause 9(a) (general written authorisation, 30-day notice period);
- Option 1 for Clause 11(a) (independent dispute resolution body) deselected;
- Governing law England & Wales / Ireland depending on origin; and
- Forum England & Wales / Ireland respectively.
11. Audit rights
Vitae will make available to Customer all information necessary to demonstrate compliance with this DPA. Vitae will satisfy audit rights primarily through the provision of:
- The most recent third-party audit reports (e.g. SOC 2 Type II once available);
- Penetration test executive summaries;
- Continuous controls monitoring evidence summaries; and
- Written responses to reasonable security questionnaires within one business week.
Where the above is insufficient, Customer may, on at least 30 days’ written notice and no more than once per year (except following a Personal Data Breach affecting Customer or where required by a Supervisory Authority), conduct an audit at Customer’s expense, during business hours, with reasonable scope, and subject to confidentiality obligations.
12. Return and deletion
On termination or expiry of the Agreement, and at Customer’s choice expressed in writing, Vitae will return or delete all Customer Personal Data, and delete existing copies, except to the extent retention is required by Applicable Data Protection Law. Lawful backup copies will be deleted in accordance with Vitae’s standard backup retention cycle, after which they will be overwritten or rendered inaccessible.
13. Liability
Each Party’s liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement. For the avoidance of doubt, the Standard Contractual Clauses retain their independent legal effect to the extent required by law.
14. General
- This DPA is governed by the laws of England and Wales, without prejudice to the governing law of the Standard Contractual Clauses where they apply.
- The courts of England and Wales have exclusive jurisdiction over disputes arising out of or in connection with this DPA, without prejudice to mandatory jurisdiction provisions in the Standard Contractual Clauses.
- If any provision is held unenforceable, the remaining provisions remain in full force.
- This DPA may be updated from time to time. Material changes will be notified at least 30 days in advance.
Annex A — Processing details
Subject matter and duration
The provision of the Vitae Services for the term of the Agreement.
Nature and purpose of processing
To provide an AI-native recruiting platform: candidate sourcing, search and matching, conversation intelligence, voice and chat screening, candidate presentation, outreach, workflows, reporting, and integrations with third-party systems chosen by Customer.
Categories of data subjects
- Candidates and prospective candidates whose data is uploaded or generated by Customer.
- Customer’s personnel who use the Services.
- Other individuals whose personal data Customer chooses to process within the Services.
Categories of personal data
- Identifiers and contact details (name, email, phone, profile URLs).
- Professional and CV/resume data (employment history, education, skills, salary expectation).
- Communications and screening content (messages, call recordings, transcripts where enabled).
- Authentication and product usage data for Customer’s personnel.
Special categories
Customer should not upload special category data unless strictly necessary and lawful. Where Customer chooses to capture demographic data for EEO/diversity reporting, Vitae processes it only as instructed.
Annex B — Security measures
- Identity & access — MFA for all staff, SSO/SAML 2.0 for enterprise logins, role-based access with least-privilege defaults, quarterly access reviews.
- Data protection — AES-256 at rest, TLS 1.3 in transit, per-tenant key isolation, configurable retention, customer data not used to train shared models.
- Infrastructure — Hosted on Google Cloud (EU and US regions), region-pinning, daily encrypted backups with tested restores, network isolation.
- Application security — Code review on every change, automated SAST and dependency scanning, annual third-party penetration testing, secrets vault.
- Monitoring & response — 24/7 alerting, tamper-evident security logs retained 12 months, documented incident response playbooks rehearsed quarterly.
- People & policies — Background checks, annual security and privacy training, contractual confidentiality, MDM-managed encrypted laptops.
The full description is published in the Trust Centre.
Annex C — Sub-processors
Subscribe to sub-processor change notifications by emailing hello@vitae.ai.