Data Processing Agreement

Last updated: 19 May 2026

This Data Processing Agreement ("DPA") applies between The Wight List Ltd ("Processor") and any employer ("Controller") using our job board services.

1. Scope

We process candidate personal data on behalf of employers solely for the purpose of facilitating recruitment.

2. Processor obligations

We will: process data only on your documented instructions; ensure persons processing data are bound by confidentiality; implement appropriate technical and organisational security measures; assist you in fulfilling data subject rights requests; delete or return all personal data upon termination.

3. Sub-processors

We use the following sub-processors: AWS (hosting, UK), Stripe (payments, UK/EU), Resend (email, EU). We will notify you 30 days before adding new sub-processors.

4. Security

Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Access is role-based and logged.

5. Breach notification

We will notify you within 72 hours of becoming aware of a personal data breach.

6. Governing law

This DPA is governed by English law.

To accept this DPA, tick the box during employer registration. For queries: legal@thewightlist.co.uk