Data Processing Addendum

This Data Processing Addendum forms part of the Master Terms of Service between Minotaur.io LLC (“Processor”) and the Customer (“Controller”).

1. Scope and Applicability

This DPA applies to personal data uploaded or submitted by Customer into Minotaur ATS or Minotaur Sales where Minotaur processes such data on behalf of Customer (“Client Uploaded Data”). This includes candidate data, recruitment information, and prospect lists uploaded by Customer.

This DPA does NOT apply to professional or business contact datasets made available by Minotaur as part of Minotaur Sales, nor to collaborative candidate pools governed by Minotaur as an independent Controller.

2. Roles of the Parties

Customer acts as Data Controller and determines the purposes and means of processing Client Uploaded Data. Minotaur acts solely as Data Processor and processes Client Uploaded Data on documented instructions from Customer.

3. Nature, Purpose, and Duration of Processing

Processing includes hosting, storing, organizing, indexing, retrieving, transmitting, and deleting Client Uploaded Data to support recruitment or sales workflows. Processing continues for the duration of the Customer’s subscription unless otherwise instructed.

4. Categories of Data and Data Subjects

Categories of personal data may include names, email addresses, phone numbers, employment history, education, professional qualifications, resumes, prospect lists, notes, and related business records.

Data subjects include job applicants, candidates, business prospects, employees, and recruitment contacts uploaded by Customer.

5. Processor Obligations (GDPR Article 28)

Minotaur shall: (a) Process personal data only on documented instructions from Customer; (b) Ensure personnel are subject to confidentiality obligations; (c) Implement appropriate technical and organizational measures; (d) Assist Customer with data subject rights requests; (e) Assist with data protection impact assessments where applicable; (f) Notify Customer without undue delay upon becoming aware of a personal data breach; (g) Delete or return data upon termination unless retention is legally required.

6. Subprocessors

Minotaur may engage subprocessors for hosting, infrastructure, analytics, support, or security services. Minotaur shall ensure subprocessors are bound by data protection obligations equivalent to those set forth herein and remains responsible for their compliance.

7. International Data Transfers

If Client Uploaded Data is transferred internationally, Minotaur shall implement appropriate safeguards, including Standard Contractual Clauses or equivalent mechanisms.

8. Security Measures

Minotaur maintains encryption in transit and at rest, role-based access controls, logging and monitoring, regular security reviews, and technical safeguards designed to protect against unauthorized access, loss, or alteration of Client Uploaded Data.

9. Personal Data Breach Notification

In the event of a confirmed personal data breach affecting Client Uploaded Data, Minotaur shall notify Customer without undue delay and provide relevant information necessary to support Customer’s legal obligations.

10. Audit Rights

Upon reasonable written request and no more than once annually, Customer may request documentation reasonably necessary to demonstrate compliance. Audits shall be limited to documentation review unless otherwise required by law.

11. Liability

Liability under this DPA shall be subject to the limitations set forth in the Master Terms of Service.

ANNEX I – PROCESSING DETAILS

Subject Matter: Processing of Client Uploaded Data within Minotaur ATS and Sales.
Duration: For the term of the subscription unless otherwise instructed.
Nature of Processing: Hosting, storage, retrieval, organization, deletion.
Purpose: Recruitment and sales workflow management.
Categories of Data Subjects: Applicants, candidates, business prospects, contacts.
Categories of Personal Data: Contact details, employment information, resumes, uploaded business records.

ANNEX II – TECHNICAL AND ORGANIZATIONAL MEASURES

Encryption in transit and at rest; Role-based access controls; Logging and monitoring; Secure hosting infrastructure; Regular backups; Incident response procedures; Employee confidentiality agreements; Periodic security reviews and updates.

Governing law shall follow the Master Terms of Service (Florida law).