This Data Processing Addendum ('DPA') forms part of the agreement between Rockface Limited ('Processor') and the customer ('Controller') for the use of the Rockface service. It governs the processing of personal data on the Controller's behalf and incorporates the UK International Data Transfer Addendum and EU Standard Contractual Clauses (Module 2: controller-to-processor) where applicable.
1. Definitions
Capitalised terms used here have the meaning given in UK GDPR / EU GDPR. 'Personal Data', 'Data Subject', 'Processing', 'Sub-processor', 'Supervisory Authority' and 'Personal Data Breach' have their statutory meanings.
2. Scope and roles
The Controller is the controller of Personal Data uploaded to or generated by the service. Rockface is the processor and processes Personal Data only on the Controller's documented instructions, including those given through configuration of the service.
3. Details of processing (Annex 1)
| Item | Description |
|---|---|
| Subject matter | Provision of the Rockface talent management platform |
| Duration | Term of the underlying subscription, plus a 30-day return/deletion window |
| Nature and purpose | Hosting, AI inference, analytics, support, and integrations on Controller-supplied data |
| Categories of data subjects | Controller's employees, contractors, candidates, and authorised end-users |
| Categories of personal data | Identifiers, employment data, compensation, performance, learning, skills, engagement signals, audit metadata |
| Special categories | Only where Controller configures features that require it, e.g. DEI reporting; subject to additional safeguards |
4. Processor obligations
- Process Personal Data only on documented instructions from the Controller.
- Ensure persons authorised to process Personal Data are bound by confidentiality.
- Implement the technical and organisational measures in Annex 2.
- Assist the Controller with data subject requests, DPIAs, and Supervisory Authority enquiries.
- Notify the Controller without undue delay (and within 72 hours) of becoming aware of a Personal Data Breach.
- On termination, return or delete Personal Data within 30 days, save where retention is required by law.
- Make available all information necessary to demonstrate compliance and allow audits, subject to confidentiality.
5. Sub-processors
The Controller authorises the use of the sub-processors listed at /legal/subprocessors. We will give at least 30 days' notice of new sub-processors via that page and a notification feed; the Controller may object on reasonable data-protection grounds within that window.
6. International transfers
Where Personal Data is transferred outside the UK/EEA, the parties incorporate (a) the UK International Data Transfer Addendum to the EU SCCs, and (b) the EU SCCs Module 2 (controller-to-processor), with the docking clause and Option 2 for sub-processors. Annex 1 details apply.
7. Security measures (Annex 2)
- Encryption in transit (TLS 1.3) and at rest (AES-256); customer-managed keys available.
- SSO (SAML), SCIM provisioning, role-based access control, least-privilege admin model.
- ISO 27001 and SOC 2 Type II — annually audited; reports available under NDA.
- Region pinning (US, EU, APAC) and configurable retention.
- Immutable audit log; SIEM streaming on request.
- Documented incident response plan with 24/7 on-call.
- Annual penetration testing by an independent third party; remediation tracked to closure.
8. AI-specific safeguards
- Customer Personal Data is NOT used to train shared or general-purpose models.
- Per-tenant model isolation; outputs never blended across customers.
- Explainability and adverse-impact reports for every production model.
- Customer can disable any AI feature; on disable, derived outputs are deleted within 30 days.
9. Term and survival
This DPA is effective from the start of the underlying agreement and survives until all Personal Data has been returned or deleted. Confidentiality, indemnification, and liability provisions survive termination.
Contact us
Data Protection Officer · Rockface Limited
Email: rockface@rockface.biz
Postal: Suite RA01, 195-197 Wood Street, London, E17 3NU, United Kingdom
For UK/EEA residents, you also have the right to lodge a complaint with the UK ICO (ico.org.uk) or your local supervisory authority.
This page is a plain-English summary. If anything here conflicts with your signed agreement (MSA, DPA, or order form), the signed agreement controls.