← Startup Roles

Data Sharing Agreement

Effective 15 July 2026

This Data Sharing Agreement ("DSA") forms part of, and is incorporated by reference into, the Client Terms of Service between Startup Roles ("we", "us", "our") and the Client organisation ("you", "your"). In the event of any conflict between this DSA and the Client Terms of Service in relation to the processing of Shared Personal Data, this DSA prevails.

We may update this DSA from time to time where reasonably necessary to reflect changes in Data Protection Laws or in our sub-processing arrangements.

1. Definitions

"Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing" and related terms have the meanings given in the UK GDPR (and, where applicable, the EU GDPR).

"Data Protection Laws" means all applicable data protection, privacy and electronic communications laws and regulations, including the UK GDPR, the UK Data Protection Act 2018, PECR, the EU GDPR, and equivalent regimes in other jurisdictions to the extent applicable.

"Shared Personal Data" means Personal Data that we disclose to you through the Platform (in particular Candidate profile and contact information) in connection with the Client Terms of Service.

"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office (Version B.1.0) as updated from time to time.

"UK Restricted Transfer" means a transfer of Personal Data to a country or territory outside the UK that is not the subject of an adequacy decision and that requires an additional lawful transfer mechanism under Chapter V of the UK GDPR.

2. Purpose of sharing

We share Shared Personal Data with you so that you can:

  • evaluate whether a Candidate is a fit for your open roles;
  • contact Candidates who have been Introduced to you;
  • run your own interview, assessment and hiring process; and
  • maintain the pipeline records you keep on the Platform.

The legal basis for this sharing is our and your legitimate interests in operating an efficient talent market and, where applicable, the performance of the Client Terms of Service.

3. Roles of the parties

With respect to Shared Personal Data, you and we are independent Controllers. Each party is responsible for its own compliance with Data Protection Laws. Neither party is the other's processor, joint controller, agent, or sub-processor in respect of Shared Personal Data.

To the extent that we process Personal Data on your behalf (for example, hosting the notes you enter into the Platform), we do so as your processor and only in accordance with your documented instructions, which instructions are those set out in the Client Terms of Service and the Platform's normal functionality.

4. Your obligations as an independent Controller

  • Comply with Data Protection Laws in relation to any Shared Personal Data you receive, including in relation to outreach, retention, and deletion.
  • Provide required transparency notices to Data Subjects and honour their rights (access, rectification, erasure, objection, restriction, portability, and rights against automated decision-making).
  • Have a lawful basis for your Processing (including for direct outreach to Candidates you have chosen to contact).
  • Implement appropriate technical and organisational measures to protect Shared Personal Data.
  • Notify us without undue delay (and in any event within 48 hours) if you become aware of a Personal Data Breach involving Shared Personal Data, providing sufficient detail for us to notify affected Data Subjects and regulators where required.
  • Assist us with reasonable requests relating to Data Subject rights, regulatory investigations, or data protection impact assessments that relate to Shared Personal Data.
  • Not use Shared Personal Data for any purpose other than the purposes set out in section 2, and in particular not for training AI models, list-building, or resale.

5. Our obligations

  • Provide only Shared Personal Data that is relevant and proportionate to the sourcing purpose.
  • Apply reasonable automated filters intended to avoid transferring special-category data, though we do not warrant that such filters will always succeed.
  • Maintain appropriate technical and organisational measures to protect Personal Data we control, including encryption in transit and at rest, access controls, and audit logging.
  • Provide reasonable co-operation with you in relation to Data Subject requests and regulatory enquiries insofar as they relate to Personal Data we control.

6. Special categories of data

We do not intentionally include special categories of data (e.g. health, racial or ethnic origin, religion, sexual orientation, political opinions, trade-union membership) in Shared Personal Data. If you nevertheless receive or generate such data through the Platform, you are solely responsible for identifying a lawful basis and condition for Processing it under Data Protection Laws.

7. International transfers

To the extent our disclosure of Shared Personal Data to you is a UK Restricted Transfer, we and you enter into the UK Addendum on the terms set out below.

  • We are the data exporter and you are the data importer.
  • Table 1 of the UK Addendum is populated with the details in section 9 of this DSA.
  • For Table 2, Module 1 of the Approved EU SCCs applies (controller-to-controller), and clauses 7 (Docking Clause) and 11 (Option) do not apply.
  • Table 3 is completed with the details in sections 4 and 9 of this DSA.
  • Table 4 is completed by ticking "Exporter".
  • Part 2 (Mandatory Clauses) of the UK Addendum applies.

For EEA restricted transfers, the parties enter into the EU Commission Standard Contractual Clauses (Module 1) incorporated by reference, with equivalent completions.

8. Sub-processing and onward transfers

We use sub-processors to operate the Platform, including hosting, database, authentication, email, AI inference, and observability providers. A current list is available on request from privacy@startuproles.co. We ensure each sub-processor is bound by written terms providing an equivalent level of protection.

You must not transfer Shared Personal Data to third parties (including your own sub-processors, external recruiters, or portfolio companies) except as reasonably necessary to evaluate and progress the Candidate for your own Engagement, and always under equivalent contractual safeguards and in compliance with Data Protection Laws.

9. Data sharing details

Data exporter (us)

Name: Startup Roles

Contact for data protection: privacy@startuproles.co

Activities: AI-assisted sourcing, ranking and pipeline management platform.

Role: Controller.

Data importer (you)

Name: the Client organisation you registered with on the Platform.

Address and data-protection contact: the details you provide in your account.

Activities: hiring for your organisation using the Platform.

Role: Controller.

Processing details

Data subjects: Candidates.

Categories of Personal Data: name, work title and history, education, skills, professional qualifications, public profile links, contact details, location, language, and any assessments generated by our ranking systems.

Special categories: not intended; additional safeguards in section 6 apply where such data is nevertheless surfaced.

Frequency of transfer: continuous, on demand as you accept Candidates from a longlist.

Nature and purpose: disclosure to enable the Client to evaluate, contact and hire Candidates.

Retention: as required for the purposes described in the Privacy Policy and subject to Data Protection Laws.

10. Term and termination

This DSA remains in force for as long as the Client Terms of Service are in force or you retain Shared Personal Data received under them. On termination or expiry, and subject to legal retention obligations, you must delete or anonymise Shared Personal Data that you no longer need for a lawful purpose.

11. Contact

Data protection matters: privacy@startuproles.co. Legal matters: legal@startuproles.co.