1. Background and definitions
This Data Processing Addendum ("DPA") applies to the processing of Customer Personal Data by Fuzu Ltd or any of its affiliates contracting with the Customer ("Fuzu", "Processor") on behalf of the Customer ("Controller") in the course of providing the Service under the Fuzu Service Terms and any related commercial agreement (together, the "Agreement").
In this DPA, capitalised terms not defined here have the meanings given in the Service Terms or, where applicable, in Applicable Data Protection Law:
- "Applicable Data Protection Law" means all laws relating to the protection of personal data that apply to the processing under this DPA, including the GDPR, the UK GDPR, the Kenya Data Protection Act, 2019, the Uganda Data Protection and Privacy Act, 2019, the Nigeria Data Protection Act, 2023, and the regulations and guidance issued under those laws.
- "Customer Personal Data" means personal data processed by Fuzu on behalf of the Customer in the course of providing the Service, as further described in Annex I.
- "Data Subject Request" means a request from a data subject to exercise rights granted to that data subject by Applicable Data Protection Law.
- "GDPR" means Regulation (EU) 2016/679.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.
- "Restricted Transfer" means a transfer of Customer Personal Data to a country in respect of which a separate transfer mechanism is required under Applicable Data Protection Law.
- "Standard Contractual Clauses" or "SCCs" means the Module 2 (Controller to Processor) standard contractual clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended, replaced, or supplemented from time to time.
- "Sub-processor" means any third party engaged by Fuzu to process Customer Personal Data on Fuzu's behalf in connection with the Service.
2. Relationship of the parties; scope
In respect of Customer Personal Data, the Customer is the controller and Fuzu is the processor, acting on the Customer's documented instructions. This DPA applies only to processing where Fuzu acts as a processor on the Customer's behalf. Where Fuzu acts as an independent controller (for example, in respect of personal data of Candidates who have created their own Fuzu profile and who interact with the Customer through the Service), Fuzu's processing is governed by the Fuzu Privacy Policy and not by this DPA.
Where the parties act as joint controllers in respect of Customer Personal Data, the allocation of responsibilities is set out in the joint-controller arrangement or otherwise agreed in writing.
3. Subject matter, duration, nature, and purpose of processing
The subject matter, duration, nature, purpose, types of personal data, and categories of data subjects in respect of the processing under this DPA are set out in Annex I.
4. Customer's instructions
Fuzu processes Customer Personal Data only on the documented instructions of the Customer, including with regard to Restricted Transfers, unless required to do so by a law to which Fuzu is subject. The Service Terms, this DPA, the Agreement, and the Customer's use of the configurable features of the Service together constitute the Customer's complete and final instructions to Fuzu in respect of the processing of Customer Personal Data. Any additional or alternative instructions must be agreed in writing between the parties.
Where Fuzu is required by a law to which it is subject to process Customer Personal Data otherwise than in accordance with the Customer's instructions, Fuzu will inform the Customer of that legal requirement before processing, unless prohibited by law.
Fuzu will inform the Customer promptly if, in Fuzu's opinion, an instruction infringes Applicable Data Protection Law. Fuzu is not obliged to act on, and may decline to act on, an instruction that would cause Fuzu to be in breach of Applicable Data Protection Law.
5. Personnel and confidentiality
Fuzu ensures that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Fuzu provides such personnel with appropriate training on data protection and information security.
6. Technical and organisational measures
Fuzu implements and maintains the technical and organisational measures set out in Annex II to ensure a level of security appropriate to the risk of the processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
Fuzu may update the measures in Annex II from time to time to reflect changes in industry practice or in the Service, provided that the updated measures provide a level of security at least equivalent to the security provided by the measures they replace.
7. Special-category data
Fuzu does not require the Customer to provide special-category data (also referred to as sensitive personal data under some Applicable Data Protection Laws) to use the Service. Where the Customer or its end-users provide special-category data to Fuzu through the Service, the Customer warrants that it has established a lawful basis under Applicable Data Protection Law for the processing of such data. Fuzu will apply the technical and organisational measures in Annex II to special-category data and, where Fuzu becomes aware of an issue specific to special-category data, will discuss with the Customer additional measures that may be reasonably required.
8. Personal Data Breach notification
Fuzu will notify the Customer without undue delay and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known at the time, the information that the Customer reasonably requires to meet its own notification obligations under Applicable Data Protection Law, including:
- a description of the nature of the Personal Data Breach, including the categories and approximate number of data subjects and records affected;
- the name and contact details of Fuzu's DPO or other point of contact;
- a description of the likely consequences of the Personal Data Breach; and
- a description of the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
Fuzu will cooperate with the Customer and provide reasonable assistance to enable the Customer to investigate, mitigate, and remediate the Personal Data Breach and to comply with the Customer's obligations to notify the supervisory authority and affected data subjects, where required by Applicable Data Protection Law.
Fuzu's notification of a Personal Data Breach is not in itself an acknowledgement of fault or liability.
9. Sub-processors
9.1 General authorisation
The Customer provides general written authorisation for Fuzu to engage Sub-processors to process Customer Personal Data, subject to this Clause 9. The current list of Sub-processors is set out in Annex III.
9.2 Changes to Sub-processors
Fuzu will give the Customer at least thirty (30) days' prior notice of the addition or replacement of a Sub-processor, by updating the list at Annex III or by another reasonable communication method. The Customer may object to the addition or replacement of a Sub-processor on reasonable data-protection grounds by notice to Fuzu within fifteen (15) days of receiving the notification. The parties will discuss the objection in good faith and may agree on appropriate measures (for example, configuration changes, additional safeguards, or a workaround). Where the parties cannot agree, the Customer may terminate the affected Services on written notice, subject to the termination provisions of the Agreement.
9.3 Sub-processor obligations
Fuzu will enter into a written agreement with each Sub-processor that imposes on the Sub-processor data-protection obligations substantially equivalent to those imposed on Fuzu under this DPA. Fuzu remains responsible for the performance of each Sub-processor's obligations under that agreement to the same extent as Fuzu would be if it were performing the services itself.
10. Assistance with Data Subject Requests and compliance obligations
Fuzu will, taking into account the nature of the processing, provide reasonable assistance to the Customer through appropriate technical and organisational measures to enable the Customer to respond to Data Subject Requests and to comply with the Customer's other obligations under Applicable Data Protection Law (including data-protection impact assessments, prior consultations with supervisory authorities, and security obligations).
If a Data Subject Request is made directly to Fuzu in respect of Customer Personal Data, Fuzu will, unless prohibited by law, promptly inform the Customer and will not respond to the request other than to confirm receipt or to redirect the data subject to the Customer, except on the Customer's written instructions or where required by law.
11. Return and deletion of Customer Personal Data
On termination or expiry of the Agreement, or otherwise on the Customer's written request, Fuzu will, at the Customer's choice, delete or return all Customer Personal Data, and delete existing copies, unless Applicable Data Protection Law requires storage of the Customer Personal Data.
Fuzu will complete deletion within ninety (90) days of termination or the Customer's request, unless a longer period is reasonably required for backup deletion cycles. Customer Personal Data retained in backups will continue to be subject to the security obligations in this DPA until it is deleted in the ordinary course of backup expiry.
Where Applicable Data Protection Law requires Fuzu to retain Customer Personal Data, Fuzu will inform the Customer of the legal requirement and the data and processing concerned.
12. Audits
Fuzu will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, in accordance with this Clause 12.
The right to audit may be exercised once per calendar year on at least thirty (30) days' prior written notice, except where an audit is required by the Customer's supervisory authority or follows a Personal Data Breach, in which case shorter notice may apply. Audits will be conducted during business hours, in a manner that does not unreasonably interfere with Fuzu's normal business operations, and subject to reasonable confidentiality undertakings.
Fuzu may satisfy its audit obligations by providing the Customer with copies of relevant third-party audit reports and by responding to reasonable written questions from the Customer in lieu of, or in addition to, an on-site audit, where the parties agree that this is sufficient.
The Customer is responsible for the costs of any audit conducted under this Clause 12, except where the audit reveals a material non-compliance by Fuzu with this DPA, in which case Fuzu will bear the reasonable costs of the audit.
13. International transfers
13.1 Transfers from the EEA, the UK, and Switzerland
Where Fuzu transfers Customer Personal Data to a country outside the EEA, the UK, and Switzerland for which the European Commission has not adopted an adequacy decision, the transfer is subject to the SCCs, which are incorporated into this DPA by reference. The parties agree to Module Two (controller to processor) of the SCCs, with the optional and selectable provisions of Module Two applied as follows:
- Clause 7 (Docking clause): included.
- Clause 9 (Use of sub-processors): Option 2 (general written authorisation) applies, with a notice period of thirty (30) days.
- Clause 11 (Redress): the optional language on independent dispute resolution is not used.
- Clause 17 (Governing law): the SCCs are governed by the law of the Republic of Finland.
- Clause 18 (Choice of forum and jurisdiction): disputes arising from the SCCs will be resolved by the courts of Helsinki, Finland.
- Annex I of the SCCs: corresponds to Annex I of this DPA.
- Annex II of the SCCs: corresponds to Annex II of this DPA.
- Annex III of the SCCs (list of Sub-processors): corresponds to Annex III of this DPA.
13.2 Transfers from the United Kingdom
Where Fuzu transfers Customer Personal Data subject to the UK GDPR to a country in respect of which the UK has not made an adequacy decision, the transfer is subject to the UK International Data Transfer Addendum to the EU SCCs (the "UK Addendum") or the UK International Data Transfer Agreement, as applicable, which is incorporated into this DPA by reference.
13.3 Transfers from Kenya, Uganda, and Nigeria
Where Customer Personal Data subject to the data-protection law of Kenya, Uganda, or Nigeria is transferred outside that country, the transfer is carried out in accordance with the cross-border transfer provisions of the applicable law, as described in the relevant Country Addendum to the Fuzu Privacy Policy. Fuzu will, on request, provide the Customer with information about the transfer mechanism applicable to such transfers.
14. Liability
The liability of each party arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Service Terms and the Agreement. Nothing in this DPA limits or excludes a party's liability where such limitation or exclusion would be unenforceable under Applicable Data Protection Law.
15. Order of precedence
In the event of a conflict or inconsistency between this DPA and the Service Terms or the Agreement, this DPA prevails to the extent of the conflict, but only in respect of the processing of Customer Personal Data. In the event of a conflict or inconsistency between this DPA and the SCCs (where they apply), the SCCs prevail.
16. Term and termination
This DPA takes effect on the effective date set out at the start of this document and remains in force for as long as Fuzu processes Customer Personal Data on behalf of the Customer. Termination of the Agreement does not relieve either party of obligations that by their nature survive termination, including obligations in this DPA relating to confidentiality, return and deletion of Customer Personal Data, and assistance with regulatory requests.
17. Governing law and jurisdiction
This DPA is governed by the law of Finland. Where the SCCs apply, they are likewise governed by the law of Finland, as set out in Clause 13.1 above. The Country Addenda to the Service Terms apply in respect of mandatory rights under local law.
Annex I — Description of the processing
A. Data Exporter
| Field | Details |
|---|---|
| Data Exporter (Customer) | The Customer identified in the Order Form, acting as data controller of the Customer Personal Data. |
| Contact details | As set out in the Order Form or as notified to Fuzu in writing. |
| Activities relevant to the data transferred | Receiving recruitment, candidate-management, workforce, and career-platform services from Fuzu under the Agreement. |
| Role | Controller |
B. Data Importer
| Field | Details |
|---|---|
| Data Importer (Processor) | Fuzu Ltd, Lapinlahdenkatu 16, 00180 Helsinki, Finland, business ID FI25462252 (and, where applicable, the relevant Fuzu group entity contracting with the Customer). |
| Contact details — DPO | |
| Activities relevant to the data transferred | Provision of the Service to the Customer, including hosting, processing, and analytics in connection with the Customer's use of the Service. |
| Role | Processor |
C. Description of the processing and transfer
| Field | Details |
|---|---|
| Categories of data subjects | Candidates and Job Seekers whose data is processed by the Customer through the Service; Business User contacts of the Customer; other individuals whose personal data the Customer chooses to process through the Service. |
| Categories of personal data | Identification and contact details; professional profile information (work history, education, skills, qualifications); application data (CV, cover letter, application content, assessment and test results); communications; engagement and activity data within the Customer's environment of the Service; payment and billing information for paid Services. |
| Sensitive data (special-category data) | Fuzu does not request sensitive data. Where Customer personnel or Candidates choose to include sensitive data in profiles, applications, or communications, such data is processed only as necessary to provide the Service and subject to the additional safeguards in Clause 7 of this DPA. |
| Frequency of the transfer | Continuous, for the duration of the Customer's use of the Service. |
| Nature of the processing | Hosting, storage, access management, search and ranking, communications, notifications, analytics, security and fraud-prevention, customer support, and other operations necessary to provide the Service. |
| Purpose of processing | Provision of the Service to the Customer in accordance with the Agreement and the Customer's documented instructions. |
| Duration of processing | For the term of the Agreement, plus the retention period set out in Clause 11. |
| Sub-processors | As listed in Annex III, as updated from time to time in accordance with Clause 9. |
D. Competent supervisory authority
In accordance with Clause 13 of the SCCs (Module Two), the competent supervisory authority for the data exporter is the supervisory authority of the data exporter's place of main establishment in the EEA. Where the data exporter is not established in the EEA but falls within the territorial scope of the GDPR by virtue of Article 3(2), the competent supervisory authority is the Office of the Data Protection Ombudsman of Finland. For Customer Personal Data subject to the Kenya Data Protection Act, 2019, the competent authority is the Office of the Data Protection Commissioner (Kenya); for the Uganda Data Protection and Privacy Act, 2019, the Personal Data Protection Office (Uganda); for the Nigeria Data Protection Act, 2023, the Nigeria Data Protection Commission.
Annex II — Technical and organisational measures
| Measure | Description |
|---|---|
| Information security governance | Documented information security policies; assigned ownership of information security and data protection; periodic management review. |
| Access control | Role-based access controls; least-privilege principle; multi-factor authentication for administrative access; periodic access reviews; offboarding procedures for departing personnel. |
| Authentication | Strong password requirements; multi-factor authentication available for Customer end-users with administrative privileges; brute-force protection. |
| Encryption | Encryption of personal data in transit using TLS 1.2 or higher; encryption of personal data at rest using AES-256 or equivalent industry-standard algorithms. |
| Pseudonymisation | Pseudonymisation of personal data where technically feasible and consistent with the purposes of processing, including in analytics and AI/ML development pipelines. |
| Network security | Network segmentation; firewalls and security groups; intrusion detection and prevention; DDoS protection at the edge. |
| Vulnerability management | Periodic vulnerability scanning; timely patching; annual or more frequent penetration testing by an independent provider; coordinated vulnerability disclosure process. |
| Logging and monitoring | Centralised logging of authentication and administrative actions; security monitoring; alerting on anomalous activity; log retention sufficient for forensic investigation. |
| Backup and recovery | Regular backups of production data; periodic restoration testing; documented business continuity and disaster recovery plans. |
| Personnel security | Confidentiality undertakings from personnel with access to Customer Personal Data; background checks where permitted by local law; mandatory data protection and security training. |
| Physical security | Data centres operated by reputable cloud-hosting providers holding industry-standard physical-security certifications and attestations (e.g., ISO/IEC 27001 certification, SOC 2 reports). |
| Supplier management | Due diligence on sub-processors before engagement; contractual obligations equivalent to those in this DPA; periodic review of sub-processor compliance. |
| Incident management | Documented incident-response procedures, including identification, containment, eradication, recovery, and post-incident review; communication procedures consistent with Clause 8. |
| Data minimisation and quality | Configuration of the Service to support the data-minimisation principle; mechanisms for Customer end-users to correct or delete their own data. |
| Deletion and return | Documented procedures for return and deletion of Customer Personal Data on termination, consistent with Clause 11. |
Annex III — List of Sub-processors
The following list sets out the Sub-processors engaged by Fuzu in connection with the Service. The list was compiled from the Fuzu codebase in May 2026 and is updated in accordance with Clause 9.2. The current and authoritative list is available on the sub-processors page.
Self-hosted infrastructure components running inside Fuzu's own cluster (including PostgreSQL, Redis, Elasticsearch, Sidekiq, the Flipper feature-flag store, and the Ahoy first-party server-side analytics layer) are not listed separately as Sub-processors — they run on the cloud-hosting Sub-processor listed in row 1 of the table and are governed by that relationship. Social-login providers (Google, Facebook, and LinkedIn OAuth for the Fuzu brand, and Microsoft Azure AD B2C for the Barona white-label brand) are not Sub-processors of Fuzu — they act as independent controllers or identity providers under their own terms when a User chooses to use them.
| Sub-processor | Service provided | Processing location | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services (AWS), orchestrated via Porter | Infrastructure hosting, database, file/object storage (Amazon S3) of all platform and personal data | EU — eu-west-1 (Ireland) | Processing within the EEA; EU Standard Contractual Clauses with supplementary measures for any out-of-region support access |
| SparkPost (Bird) | SMTP delivery of transactional and notification emails on Fuzu's behalf | United States (default endpoint); EEA endpoint available | EU Standard Contractual Clauses; EU–US Data Privacy Framework where the provider is certified |
| Customer.io | Lifecycle and marketing email automation; synchronisation of user profile attributes and behavioural events | United States (Fuzu brand) | EU Standard Contractual Clauses; Data Privacy Framework where applicable |
| Africa's Talking | Sending SMS notifications and authentication and verification codes | Kenya and other African markets | EU Standard Contractual Clauses or local-law equivalent (including Kenya Data Protection Act, 2019) |
| 3G DirectPay (DPO Group) | Processing payments for paid features, including card payments, bank transfer, and mobile money services (M-PESA, MTN, Tigo) | East Africa | EU Standard Contractual Clauses or local-law equivalent |
| PostHog | Aggregated product analytics for Service improvement (consent-gated; enabled per brand) | EU — Frankfurt | Processing within the EEA; EU Standard Contractual Clauses for any out-of-region support access |
| Google (Google Analytics, Tag Manager, Google Ads) | Web analytics, tag management, and advertising and conversion measurement (consent-gated) | United States | EU Standard Contractual Clauses; EU–US Data Privacy Framework |
| Rollbar | Application error monitoring and diagnostics (error context may include user identifier and email) | United States | EU Standard Contractual Clauses; Data Privacy Framework where applicable |
| New Relic | Application performance monitoring (APM) and diagnostics | EU data centre | Processing within the EEA; EU Standard Contractual Clauses for any out-of-region support access |
| Intercom | Customer support messaging and helpdesk (employer and recruiter areas of the Service; consent-gated) | United States | EU Standard Contractual Clauses; Data Privacy Framework where applicable |
| Textkernel B.V. | CV, resume, and vacancy parsing — extraction of structured personal data from uploaded CVs | Netherlands (EEA) | Processing within the EEA; no transfer mechanism required |
| Anthropic (Claude API) | Large language model analysis of candidate profiles and job data for recommendation-quality analysis and campaign-assistance features. Anthropic's commercial terms exclude prompt and response data from model training by default. | United States | EU Standard Contractual Clauses; Data Privacy Framework where applicable |
| Jina AI | Text-embedding generation for the campaign-assistance feature (semantic search over job and campaign text) | Global | EU Standard Contractual Clauses where processed outside the EEA |
| Scaleway SAS | Text-embedding generation (Qwen3-Embedding-8B open-weights model) via the Generative APIs service, supporting semantic search and retrieval-augmented generation (RAG) features across the Service | France | Processing within the EEA; no transfer mechanism required. French processor under French law; no non-EEA parent or CLOUD Act exposure |
| Cloudinary | Image hosting, transformation, and delivery (profile photos and other images) | United States and global CDN | EU Standard Contractual Clauses; Data Privacy Framework where applicable |
| Cloudflare | Content delivery network, edge caching, DDoS protection, and web application firewall for inbound traffic | Global edge network | EU Standard Contractual Clauses; Data Privacy Framework where applicable |
| Slack (Salesforce) | Internal operational notifications via webhook, limited to the lead-generation flow (for example, meeting bookings containing employer name and contact details) | United States | EU Standard Contractual Clauses; Data Privacy Framework where applicable |
| MGM Trade Limited | DevOps consultancy, cloud infrastructure maintenance and development | Bulgaria (EEA) | Team operates in the EEA; no transfer mechanism required |
| Syndicode Inc | Software development, platform maintenance | EEA (development team); contracting entity incorporated in the United States | Team operates in the EEA; no transfer mechanism required |
| Trail Openers Oy | Software development, platform maintenance | Finland (EEA) | Processing within the EEA; no transfer mechanism required |
Categories not currently engaged. For transparency, the following categories of service have been checked against the Fuzu codebase and no Sub-processor is currently engaged in any of them:
- Dedicated identity-verification or KYC providers (such as Onfido, Veriff, or Smile Identity). Identity-related processing for Fuzu Atlas engagements, where it occurs, is handled internally or against the relevant government registry (for example, the Nigeria National Commission for Persons with Disabilities (NCPWD) registry for disability-status validation). Where Fuzu engages a dedicated identity-verification Sub-processor in the future, the list above will be updated in accordance with Clause 9.2 of the DPA.
- Third-party push-notification vendors. Push notifications are delivered through the open Web Push standard using self-managed VAPID keys, not through a third-party push provider.
- Alternative payment providers (such as Stripe, Paystack, Flutterwave, or Pesapal). Payments are processed exclusively through 3G DirectPay.
- Alternative analytics and monitoring providers (such as Hotjar, Mixpanel, Segment, Amplitude, Sentry, or Datadog). Analytics, monitoring, and observability are limited to the Sub-processors listed above.
Annex IV — Signatures
This DPA may be executed by signature of the Customer and Fuzu, by clickwrap acceptance through the Service, or by reference to this DPA in an Order Form executed by the parties. The effective date of this DPA is the effective date set out at the start of this document or, if later, the date of the Customer's first acceptance or use of the Service following the publication of this DPA.
Signed for and on behalf of the Customer:
Name: ____________________________
Title: ____________________________
Date: ____________________________
Signed for and on behalf of Fuzu Ltd:
Name: ____________________________
Title: ____________________________
Date: ____________________________