Data Processing Agreement.

Our standard DPA is available on request and is included as a schedule with every paid subscription.

Draft summary. Executable DPA available on request.

The document below is a plain-language summary of our standard Data Processing Agreement. The executable DPA is provided as a Word document on request and is attached as a schedule to every paid subscription. For a copy now, email hello@hirewithlumi.com.

Summary of the standard DPA

Our standard DPA is based on the UK ICO's International Data Transfer Agreement and the EU Standard Contractual Clauses. It covers the following points:

Roles

The Customer is the Data Controller. Lumina Innovations Holdings Limited (trading as HireWithLumi) is the Data Processor. We process candidate personal data on the Customer's behalf and in accordance with the Customer's documented instructions.

Scope of processing

We process candidate data submitted through the HireWithLumi platform for the purpose of CV assessment, Enhanced Assessment, Digital Footprint Analysis, and audit logging. Processing takes place for the duration of the subscription and any agreed retention period afterwards.

Categories of data

  • Candidate identifying data: name, contact details, CV content
  • Candidate career history: employment dates, roles, qualifications
  • Responses to Enhanced Assessment questions
  • Publicly accessible social content analysed with candidate consent (Digital Footprint)
  • Assessment scores and reasoning generated by the platform

Special category data

We do not actively solicit special category data (health, race, religion, sexual orientation, etc.). Where such data appears incidentally in a CV, it is flagged by our bias-checking layer and excluded from scoring decisions.

Sub-processors

We rely on a limited number of sub-processors to deliver the service:

  • Cloud infrastructure (UK / EU region)
  • AI model providers (contractual restrictions prevent training on customer data)
  • Email delivery
  • Backup and disaster recovery

A full and current sub-processor list is provided as a schedule in the executable DPA. We notify customers of material sub-processor changes with at least 30 days' notice.

Security

We operate to ISO 27001 standards. Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Access is role-based with audit logging. Annual penetration testing and continuous vulnerability scanning are in place. See the Security page for the full posture.

Data residency

UK and EU data residency options are available as standard. Enterprise customers can request custom arrangements during contract negotiation.

International transfers

Where data is transferred outside the UK / EEA, we rely on the ICO's IDTA or EU Standard Contractual Clauses as appropriate, with a Transfer Risk Assessment documented.

Data subject rights

We will assist the Customer in responding to data subject requests (access, erasure, rectification, restriction, portability, objection) within the timeframes required by UK GDPR.

Breach notification

We commit to notifying the Customer of a personal data breach affecting their data within 24 hours of becoming aware.

Audit rights

Customers are entitled to an annual audit, either by reviewing our current ISO 27001 certificate and penetration test summary, or by on-site audit with reasonable notice.

Data return and deletion

On termination, customer data is either returned or securely deleted within 30 days, at the Customer's choice. A deletion certificate is issued on request.

Requesting the executable DPA

Email hello@hirewithlumi.com with "DPA request" in the subject line. We typically return a signed copy within 2 business days.