This Data Processing Agreement ("DPA") forms part of the Terms of Service between Eldorado Node ("Processor") and the subscribing corporate client ("Controller"). It governs the processing of personal data by Eldorado Node on behalf of the Client in connection with the HR Intelligence System.
1. Definitions
- Controller — the corporate client who determines the purposes and means of processing candidate personal data
- Processor — Eldorado Node, who processes personal data on behalf of the Controller
- Personal Data — any information relating to an identified or identifiable natural person, including candidate names, emails, CV content, and voice recordings
- Processing — any operation performed on personal data, including collection, transmission, analysis, storage, and deletion
- Sub-processor — a third party engaged by Eldorado Node to process personal data
2. Subject Matter and Duration
Eldorado Node processes personal data for the purpose of delivering AI-powered candidate evaluation services as described in the Terms of Service. Processing continues for the duration of the subscription and for such retention periods as specified in the Privacy Policy.
3. Nature and Purpose of Processing
| Data Category | Purpose | Storage Location |
|---|---|---|
| Candidate name and email | Identification, communication routing, report delivery | Eldorado Node Google Sheets (Controller's subscription) |
| CV documents | AI parsing for evaluation — transmitted and uploaded to Controller's Drive | Controller's Google Drive (not retained by Processor) |
| Interview recordings | AI transcription for evaluation — transmitted and uploaded to Controller's Drive | Controller's Google Drive (not retained by Processor) |
| Evaluation scores and metadata | Scoring results, compliance status, audit trail | Eldorado Node Google Sheets |
| Recruiter notes | Behavioral signal weighting in evaluation | Eldorado Node Google Sheets |
4. Processor Obligations
Eldorado Node shall:
- Process personal data only on documented instructions from the Controller (as set out in the Terms of Service and this DPA)
- Ensure that persons authorised to process the personal data have committed to confidentiality
- Implement appropriate technical and organisational security measures
- Not engage sub-processors without prior written consent (general authorisation is granted for the sub-processors listed in Schedule A)
- Assist the Controller in fulfilling data subject rights requests
- Delete or return all personal data upon termination of the subscription
- Make available all information necessary to demonstrate compliance with this DPA
- Notify the Controller without undue delay (and within 72 hours) upon becoming aware of a personal data breach
5. Controller Obligations
The Controller shall:
- Ensure there is a lawful basis for processing candidate personal data
- Provide candidates with appropriate privacy notices regarding AI-assisted evaluation where required by law
- Ensure candidates' data is accurate and up to date when submitted
- Not submit sensitive special category data beyond what is necessary for evaluation
- Review all FLAG compliance status evaluations before making decisions
- Comply with applicable data protection law in their jurisdiction
6. Sub-processors
Schedule A — Approved Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google LLC (Gemini API) | AI evaluation — CV parsing and candidate scoring | USA |
| Google LLC (Drive, Sheets) | File routing and data storage | USA |
| Groq Inc. | Audio transcription (Whisper model) | USA |
| Tavily AI | Professional footprint search | USA |
| n8n GmbH | Workflow orchestration and automation | Germany / Cloud |
Eldorado Node will notify the Controller of any intended changes to sub-processors by email at least 14 days in advance, giving the Controller the opportunity to object.
7. Security Measures
Eldorado Node implements the following technical and organisational measures:
- Access control — API key authentication, session token management, rate limiting
- Encryption in transit — HTTPS/TLS for all data transmission
- Data minimisation — candidate documents not retained after upload to Controller's Drive
- Audit logging — immutable audit trail of all evaluation events
- Incident response — automated error monitoring with immediate alerts
- Access segregation — separate credentials per service component
8. Data Breach Notification
In the event of a personal data breach affecting candidate data, Eldorado Node will:
- Notify the Controller within 72 hours of becoming aware
- Provide details of the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed
- Cooperate with the Controller in notifying supervisory authorities where required
9. Data Subject Rights
When a data subject (candidate) exercises their rights under applicable data protection law, the Controller is responsible for responding. Eldorado Node will assist by providing relevant data held in our systems within 5 business days of a written request from the Controller.
10. Data Transfers
Processing by sub-processors listed in Schedule A involves transfers of personal data to the United States. These transfers are made under appropriate safeguards including the EU-US Data Privacy Framework (where applicable), Standard Contractual Clauses, or equivalent mechanisms recognised under applicable law.
11. Audit Rights
The Controller has the right to conduct audits of Eldorado Node's data processing activities under this DPA upon reasonable written notice (minimum 30 days). Audits shall not unreasonably disrupt normal business operations.
12. Deletion on Termination
Upon termination of the subscription, Eldorado Node will delete or anonymise all personal data processed on behalf of the Controller within 30 days, except where retention is required by applicable law. Audit log records may be retained for up to 7 years for compliance purposes in anonymised form.
13. Governing Law
This DPA is governed by the same law as the Terms of Service. Where the Controller is established in the UK, this DPA incorporates the UK International Data Transfer Agreement (IDTA) as applicable. Where the Controller is established in the EEA, this DPA incorporates the EU Standard Contractual Clauses (Module 2: Controller to Processor).
14. Contact
For data protection enquiries:
Eldorado Node
Abuja, FCT, Nigeria
daniel@eldoradonode.work
This DPA is incorporated by reference into the Terms of Service and takes effect upon subscription to the HR Intelligence System. No separate signature is required. If you require a signed DPA for enterprise compliance purposes, contact daniel@eldoradonode.work.