
Data Processing Agreement

Last updated: May 26, 2026

When you use Figo to process the personal data of candidates, you (the customer) are the data controller and Figo is your data processor under GDPR Article 28. The Data Processing Agreement (DPA) is the contract that records Figo's processor obligations to you — what we can and cannot do with the data you entrust to us, how we'll respond to security incidents, and how candidate rights flow through the system.

1. When you need our DPA

You need a DPA signed before you start processing real candidate data through Figo if any of the following apply:

  • Your candidates are located in the EU, EEA, UK, or Switzerland.
  • Your candidates are protected by US state privacy laws (CA, VA, CO, CT, UT, TX, WA, TN — any of the comprehensive privacy regimes) or sector-specific laws such as CCPA/CPRA.
  • Your candidates are located in Canada, Brazil, Australia, or another jurisdiction with a data-protection regime that requires a controller-processor contract.
  • Your organisation's procurement or vendor-risk-management process requires a DPA with any vendor that handles personal data.

If you're operating Figo only with synthetic or test data, you don't need a DPA — but it costs nothing to have one on file for the day you flip to live data.

2. What our DPA covers

  • Scope and instructions. Figo only processes your candidate data on your documented instructions, for the purpose of operating the platform.
  • Confidentiality. Every Figo team member with access to customer data is under a written confidentiality obligation.
  • Security measures. The technical and organisational measures described in our Security overview are incorporated by reference.
  • Sub-processors. Authorised sub-processors are listed at /legal/sub-processors with a 30-day change-notification commitment.
  • International transfers. Where data leaves the EU/EEA or UK, transfers are protected by Standard Contractual Clauses or an equivalent mechanism.
  • Candidate rights. Figo will assist you in responding to access, rectification, erasure, restriction, portability, and objection requests within the regulatory deadline. Practical tooling is built into the product (see Security overview, section 8).
  • Breach notification. Figo will notify you within 24 hours of confirming a breach that affects your data.
  • Return and deletion. On termination, we'll return or delete your candidate data on your election, within the contractually agreed window.
  • Audit rights. Reasonable audit cooperation, subject to confidentiality and scheduling constraints standard for SaaS processors.

3. How to request the DPA

Email hello@usefigo.com with the subject line "DPA request" and include:

  • Your organisation's legal name and the country it's registered in.
  • The name and email of the signer (and a separate compliance contact, if different).
  • The jurisdictions where your candidates are located, if known.
  • Any specific clauses your procurement process requires (e.g. UK addendum, Swiss FADP addendum, US state-specific rider).

We send DPAs through a standard e-signature flow. There's no fee and no minimum commitment. If our standard DPA needs to be adapted to your jurisdiction or your procurement process, tell us what's missing and we'll work with you.

4. Related

  • Privacy Policy — how the marketing site uses your information.
  • Security overview — the technical and organisational measures.
  • Sub-processors list — the third parties referenced in the DPA.
  • How Figo's AI works — useful context for the customer DPIA you'll typically conduct on top.

5. Questions

If you're not sure whether you need a DPA, email hello@usefigo.com with what you're trying to do and we'll help you figure it out.

© 2026 Figo.