Published terms — incorporated by reference into every Client MSA · Last updated: May 17, 2026
This Data Processing Addendum (this "DPA") is published by Swiftlee LLC, a Nevada limited liability company with its principal place of business at 6605 Grand Montecito Pkwy, Suite 100, Las Vegas, NV 89149, United States ("Swiftlee" or "Processor"). It is incorporated by reference into the Master Services Agreement (the "MSA") executed between Swiftlee and each Client, and applies whenever Client provides Swiftlee with Personal Data subject to the GDPR, UK GDPR, CCPA/CPRA, or analogous data-protection law.
In the event of any conflict between this DPA and the MSA with respect to Processing of Personal Data, this DPA controls. Clients that require a Client-executed copy of this DPA (for procurement, legal-review, or audit purposes) may request one through the Client dashboard or by writing to support@hireswiftlee.com.
Capitalized terms not defined in this Data Processing Addendum (this "DPA") have the meanings given to them in the Master Services Agreement (the "MSA") between Swiftlee LLC ("Swiftlee" or "Processor") and the Client ("Client" or "Controller").
For purposes of this DPA: "Applicable Data Protection Law" means, as applicable to the processing of Personal Data hereunder, the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR and Data Protection Act 2018 ("UK GDPR"), the California Consumer Privacy Act and California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 et seq., "CCPA/CPRA"), and any other data-protection law of a jurisdiction whose residents' Personal Data is processed under the MSA.
"Personal Data" has the meaning given in the GDPR (and, where applicable, includes "personal information" as defined in the CCPA/CPRA). "Processing" has the meaning given in the GDPR. "Data Subject", "Controller", "Processor", "Supervisory Authority", and "Special Category Data" have the meanings given in the GDPR.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR, set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, in the form attached as Schedule A and amended by the elections made in Annexes I, II, and III to this DPA. "UK IDTA" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office under section 119A of the Data Protection Act 2018.
"Security Incident" means a confirmed accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by Swiftlee or any sub-processor. A Security Incident does NOT include unsuccessful access attempts that do not result in compromise of Personal Data (e.g., scanned ports, blocked login attempts, denied phishing).
This DPA applies to Swiftlee's Processing of Personal Data on behalf of Client in connection with the Platform and any Statement of Work executed under the MSA. With respect to Personal Data processed under the MSA: Client is the Controller and Swiftlee is the Processor, except where Swiftlee acts as an independent Controller of business-contact data of Client's representatives for legitimate business purposes (account administration, security, billing, and product-relationship communications), in which case Swiftlee's own Privacy Policy applies.
Where Client uses the Platform to direct an Independent Contractor sourced through Swiftlee, the Contractor acts as a sub-processor to Swiftlee for the limited purpose of performing the Services described in the applicable SOW.
This DPA does not apply to Personal Data that Swiftlee collects directly from Data Subjects (for example, Contractor identity-verification data, tax forms, and payout banking details) — Swiftlee is the Controller of such data and processes it under its own Privacy Policy at https://hireswiftlee.com/privacy.
Subject matter: Provision of the HireSwiftlee marketplace and any Services described in an SOW (including bilingual contractor staffing, time tracking, deliverable management, billing, and Client-facing communications).
Duration: The term of the MSA, plus any post-termination period reasonably required for return or deletion of Personal Data in accordance with Section 11.
Nature and purpose: Storage, organization, retrieval, consultation, transmission, and other Processing operations performed in connection with delivering the Services and discharging Swiftlee's legal obligations.
Types of Personal Data, categories of Data Subjects, processing locations, and transfer mechanisms: As set out in Annex I to this DPA.
Swiftlee will Process Personal Data only on documented instructions from Client, including with regard to transfers of Personal Data to a third country or international organization, unless Swiftlee is required to do so by Union or Member State law to which Swiftlee is subject. In such a case, Swiftlee will inform Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
Client's instructions to Swiftlee comprise (i) the MSA, (ii) each SOW, (iii) this DPA, (iv) Client's documented use of the Platform's configuration controls (including data-residency selections, retention settings, and access permissions), and (v) any further written instructions issued by Client to Swiftlee. If Swiftlee believes any instruction infringes Applicable Data Protection Law, Swiftlee will inform Client without undue delay.
Client represents and warrants that (a) it has obtained and will maintain all rights, consents, and lawful bases necessary to provide Personal Data to Swiftlee and for Swiftlee to Process it as described in this DPA, (b) its instructions to Swiftlee comply with Applicable Data Protection Law, and (c) it has provided Data Subjects with all required notices regarding Swiftlee's role as a Processor and the categories of sub-processors set out in Annex III.
Swiftlee will ensure that any person it authorizes to Process Personal Data — including Swiftlee employees, contractors, and sub-processors — is committed to confidentiality (whether by contractual obligation or statutory duty), is informed of the confidential nature of the Personal Data, and processes the Personal Data only on instructions from Swiftlee consistent with this DPA.
Swiftlee will limit access to Personal Data to those personnel who require access to provide the Services, will maintain access logs of administrative access for not less than twelve (12) months, and will revoke access promptly upon termination of an individual's role.
General authorisation. Client grants Swiftlee general written authorisation to engage sub-processors to assist Swiftlee in providing the Services. The list of sub-processors authorised at the effective date of this DPA is set out in Annex III. Swiftlee will maintain a current list of sub-processors at https://hireswiftlee.com/dpa.
Change notification. Swiftlee will notify Client at least thirty (30) days in advance of any addition or replacement of a sub-processor through an update to the public sub-processor list and a notice to the email address Client has registered for legal notices. Client may object to such addition or replacement on reasonable Data-Protection-related grounds by written notice within fifteen (15) days of the change notification. If the parties cannot agree on a resolution within thirty (30) days of Client's objection, Client may terminate the affected portion of the MSA without penalty by written notice.
Flow-down. Swiftlee will impose on each sub-processor data-protection obligations no less protective than those imposed on Swiftlee under this DPA, and will remain liable to Client for the acts and omissions of each sub-processor as if those acts and omissions were Swiftlee's own.
Swiftlee will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Personal Data, taking into account the state of the art, the cost of implementation, the nature, scope, context, and purposes of Processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures are set out in Annex II and include, at minimum: encryption of Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent); role-based access control with least-privilege defaults; multi-factor authentication for administrative accounts; audit logging; segregation of production and non-production environments; routine vulnerability scanning; secure software development practices; and an incident-response plan tested at least annually.
Swiftlee will regularly review and, where appropriate, update its technical and organizational measures to reflect changes in the state of the art, threats to Personal Data, and Swiftlee's risk profile. Material reductions in the level of protection will not be made without prior written notice to Client.
Swiftlee will notify Client without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Security Incident affecting Client's Personal Data. The notice will, to the extent then known: (a) describe the nature of the Security Incident, including (where possible) the categories and approximate number of Data Subjects and records concerned; (b) identify the likely consequences; (c) describe the measures taken or proposed to address the Security Incident and mitigate its possible adverse effects; and (d) provide a point of contact at Swiftlee for further information.
Where it is not possible to provide all of the foregoing information at the same time, Swiftlee will provide the information in phases as it becomes available, in compliance with GDPR Article 33(4). Swiftlee will reasonably cooperate with Client in fulfilling Client's notification obligations to Supervisory Authorities and affected Data Subjects.
Swiftlee's notification of, or response to, a Security Incident is not an acknowledgement by Swiftlee of any fault or liability.
Data-subject requests. Swiftlee will, taking into account the nature of the Processing, assist Client by appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects exercising rights under Applicable Data Protection Law (access, rectification, erasure, restriction, data portability, objection, and rights related to automated decision-making). Where a Data Subject contacts Swiftlee directly with a request relating to Personal Data Swiftlee Processes on Client's behalf, Swiftlee will forward the request to Client and not respond substantively except to acknowledge receipt and instruct the Data Subject to contact Client.
DPIA and prior consultation. Swiftlee will provide Client with reasonable assistance, taking into account the nature of Processing and the information available to Swiftlee, in carrying out data-protection impact assessments and any required prior consultations with Supervisory Authorities under GDPR Articles 35 and 36.
Records of Processing. Swiftlee maintains a record of Processing activities carried out on behalf of Client in accordance with GDPR Article 30(2) and will make such record available to Client and to Supervisory Authorities on request.
Swiftlee will make available to Client all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Client or an independent third-party auditor mandated by Client and reasonably acceptable to Swiftlee (which acceptance shall not be unreasonably withheld), subject to the following: (a) audits may be conducted no more than once per twelve-month period (except where a Security Incident or Supervisory Authority request reasonably requires a further audit); (b) Client provides at least thirty (30) days' prior written notice; (c) the audit is conducted during normal business hours and in a manner that minimises disruption to Swiftlee's operations; (d) Client and any auditor are bound by confidentiality obligations equivalent to those in Section 4 of the MSA; and (e) audit reports are Confidential Information of Swiftlee.
Swiftlee may satisfy its audit obligations under this Section by providing Client with copies of relevant independent third-party audit reports (e.g., SOC 2 Type II reports, ISO 27001 certifications, or penetration-test summaries) covering Swiftlee's Processing operations.
On termination of the MSA or earlier on Client's written request, Swiftlee will, at Client's election, (a) return all Personal Data Processed on Client's behalf to Client in a structured, commonly used, machine-readable format, or (b) securely delete all such Personal Data, in each case within ninety (90) days of termination unless retention is required by applicable law. Following return or deletion, Swiftlee will delete existing copies unless Union or Member State law (or other applicable law) requires storage of the Personal Data, in which case Swiftlee will notify Client of the requirement.
Swiftlee may retain Personal Data in routine backups for the duration of its backup retention cycle (currently thirty (30) days), provided such backups remain subject to the security measures in Section 7 and are purged or overwritten in the ordinary course.
Where Personal Data subject to the GDPR is transferred by Client (as data exporter) to Swiftlee (as data importer) outside the European Economic Area to a jurisdiction not the subject of an adequacy decision under GDPR Article 45, the 2021 EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (controller to processor), are hereby incorporated into this DPA by reference and apply to such transfer. The Parties agree to the elections set out in Schedule A.
Where Personal Data subject to the UK GDPR is so transferred, the UK ICO's International Data Transfer Addendum (IDTA) to the EU SCCs is hereby incorporated by reference and applies, with Client as data exporter and Swiftlee as data importer, using the elections set out in Schedule A.
Where Personal Data subject to the Swiss Federal Act on Data Protection ("FADP") is so transferred, the EU SCCs apply with the following modifications, as set out in the Swiss Federal Data Protection and Information Commissioner's guidance: (i) references to the GDPR are read as references to the FADP where applicable; (ii) "Member State" is interpreted to include Switzerland; and (iii) the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
Swiftlee will conduct, and update as necessary, a transfer impact assessment evaluating the laws and practices of the third country to which Personal Data is transferred (including U.S. laws relating to government access) and will implement supplementary measures (such as additional encryption or pseudonymization) where Swiftlee's assessment indicates the SCCs alone do not provide an essentially equivalent level of protection.
To the extent Swiftlee Processes Personal Data subject to the CCPA/CPRA on Client's behalf, Swiftlee acts as a "service provider" as that term is defined in Cal. Civ. Code § 1798.140(ag). Swiftlee shall not (a) sell or share Personal Data as those terms are defined in the CCPA/CPRA; (b) retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the Services for Client, including retaining, using, or disclosing the Personal Data for a commercial purpose other than providing the Services; (c) retain, use, or disclose the Personal Data outside of the direct business relationship between Swiftlee and Client; (d) combine the Personal Data with Personal Data Swiftlee receives from any other source, except as expressly permitted by CCPA/CPRA Regulations; or (e) engage any sub-processor without flowing down the foregoing restrictions.
Swiftlee certifies that it understands the restrictions in this Section and will comply with them. Client may, on reasonable notice, take steps to stop and remediate any unauthorised use of Personal Data by Swiftlee. Notwithstanding the indemnification and limitation-of-liability provisions of the MSA, Swiftlee's certification under this Section is intended to satisfy the service-provider contract requirements of Cal. Civ. Code § 1798.140(ag) and the CPRA Regulations.
Each Party's liability under this DPA is subject to the limitations of liability set out in the MSA, except that liability arising from breach of this DPA falls within the carve-outs to the cap set out in Section 9 of the MSA only to the extent the breach involves (i) a Security Incident caused by Swiftlee's gross negligence or willful misconduct, or (ii) Swiftlee's intentional disregard of Client's lawful instructions.
This DPA is effective on the latest of: (a) the date Client signs or otherwise accepts the MSA (in which case this DPA is automatically incorporated by reference and binds the Parties without further signature); (b) the date Client executes a signed copy of this DPA, where Client requests one; or (c) the date Client first transmits Personal Data to Swiftlee that is subject to GDPR, UK GDPR, or CCPA/CPRA. This DPA terminates on the later of termination of the MSA or completion of Swiftlee's deletion/return obligations under Section 11. Sections 5 (Confidentiality), 8 (Security Incident Notification — as to incidents arising during the term), 11 (Return or Deletion), and 14 (Liability and Term) survive termination.
Swiftlee may amend this DPA from time to time to reflect changes in Applicable Data Protection Law or in Swiftlee's Processing operations; material changes will be communicated to Client at least thirty (30) days before they take effect, and Client may terminate the affected portion of the MSA without penalty if it does not agree to the change.
A. List of Parties. Data exporter: Client, in its capacity as Controller of Personal Data submitted to the Platform. Contact details: as set out in the MSA signature block. Activities relevant to the data transferred: receipt of Services from Swiftlee under the MSA and applicable SOWs. Role: Controller.
Data importer: Swiftlee LLC, a Nevada limited liability company, 6605 Grand Montecito Pkwy, Suite 100, Las Vegas, NV 89149, United States. Contact: support@hireswiftlee.com. Activities relevant to the data transferred: provision of the Platform and Services. Role: Processor.
B. Description of Transfer.
• Categories of Data Subjects: Client's employees, contractors, customers, prospects, end-users, and any other natural persons whose Personal Data Client elects to submit to the Platform in connection with the Services.
• Categories of Personal Data: identification and contact data (name, email, phone, postal address); employment / professional data (job title, work history); account data (Platform login identifiers); communication data (messages, attachments, call records submitted to the Platform); usage data (timestamps, IP address, device data). Special-category data is not contemplated and Client agrees not to submit special-category data without first executing a written supplement to this DPA.
• Sensitive data transferred: None contemplated. Client shall not submit Special Category Data, government-issued identifiers (other than as required by an SOW), payment-card data, or data of children under 16 without prior written authorisation from Swiftlee.
• Frequency of transfer: Continuous, for the duration of the MSA.
• Nature of the processing: Storage, retrieval, transmission, organisation, consultation, and other operations necessary to provide the Services.
• Purpose of the data transfer and further processing: Performance of the Services described in the MSA and SOWs.
• Retention period: For the duration of the MSA, plus the deletion/return period in Section 11.
• Transfers to sub-processors: As set out in Annex III.
C. Competent Supervisory Authority. The supervisory authority of the EEA Member State in which the data exporter is established, or, where the data exporter is not established in the EEA, the supervisory authority of the Member State in which the data exporter's representative under GDPR Article 27 is established. For UK transfers: the UK Information Commissioner's Office. For Swiss transfers: the Swiss Federal Data Protection and Information Commissioner.
Swiftlee implements and maintains the following technical and organisational measures, evaluated on the basis of the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing:
• Encryption. Personal Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 (or stronger) provided by Swiftlee's infrastructure providers.
• Access control. Role-based access with least-privilege defaults; multi-factor authentication required for all administrative accounts; production database access logged and reviewed.
• Identity and credential management. Unique user identifiers; password complexity requirements; session expiry; credential rotation on personnel changes.
• Network security. Production environments isolated from corporate networks; perimeter firewall and intrusion-detection monitoring; web application firewall.
• Application security. Secure software development lifecycle including code review, dependency-vulnerability scanning, and pre-deployment security checks; row-level security policies enforce per-user data access at the database layer.
• Logging and monitoring. Centralised application and infrastructure logging retained for not less than twelve (12) months; alerting on anomalous activity.
• Backup and restoration. Encrypted backups taken on a continuous basis; tested restoration procedures; backup retention of approximately thirty (30) days.
• Data segregation. Multi-tenant isolation enforced at the application and database layer through row-level security policies and per-tenant access scopes.
• Incident response. Documented incident-response plan; designated incident-response lead; tabletop exercises conducted at least annually.
• Personnel. Background checks where permitted by local law; written confidentiality obligations; security training at hire and annually.
• Vendor management. Material sub-processors subject to written data-protection agreements; periodic risk review of sub-processors.
• Physical security. Production infrastructure hosted with providers operating SOC 2 / ISO 27001 certified data centres; no Personal Data is stored on Swiftlee-owned physical hardware.
Swiftlee will update these measures from time to time to maintain an appropriate level of security; material reductions will not be made without prior written notice to Client.
As of the date of this DPA, Swiftlee uses the following sub-processors:
• Vercel Inc. — Application hosting and edge delivery for the HireSwiftlee web platform. Location: United States. Cross-border transfer mechanism: 2021 EU Standard Contractual Clauses (Module Two).
• Supabase Inc. — Managed Postgres database, authentication, file storage, and realtime channels for Platform data. Location: United States (primary region) / European Union (where Client elects EU residency). Cross-border transfer mechanism: 2021 EU Standard Contractual Clauses (Module Two).
• Stripe, Inc. — Processing of Client payment cards for Statements issued under the MSA. Stripe is itself an independent controller of cardholder data and a PCI DSS Level 1 service provider. Location: United States (with EU/UK sub-processing for European Clients). Cross-border transfer mechanism: 2021 EU Standard Contractual Clauses (Module One controller-to-controller for cardholder data; Module Two for any payment metadata processed on Swiftlee's behalf).
• Wise Payments Ltd. — Cross-border payouts to Contractors and Recruiters. Wise is itself an independent controller of beneficiary banking data subject to its own regulator (FCA, UK). Location: United Kingdom, United States, European Union. Cross-border transfer mechanism: UK International Data Transfer Addendum (IDTA) and 2021 EU SCCs (Module One).
• Resend Inc. — Transactional email delivery (account, billing, security, and engagement notifications). Location: United States. Cross-border transfer mechanism: 2021 EU Standard Contractual Clauses (Module Two).
• Anthropic, PBC — AI-assisted features (e.g., bug-report triage, content suggestion). Where Platform features submit Client personal data to Anthropic, such data is sent under Anthropic's zero-retention API tier; no Anthropic model is trained on Client data. Location: United States. Cross-border transfer mechanism: 2021 EU Standard Contractual Clauses (Module Two).
• Google LLC (Google Workspace) — Internal business email and document storage; receives personal data only incidentally (e.g., where Client contacts Swiftlee support). Location: United States (multi-region). Cross-border transfer mechanism: 2021 EU Standard Contractual Clauses (Module Two).
• Independent Contractors engaged through the Platform — Performance of services for Client under the applicable Statement of Work. Each Contractor is bound to confidentiality and data-handling obligations under the Independent Contractor Agreement (see Sections 4 and 12 of the ICA). Location: Primarily Mexico; varies by SOW. Cross-border transfer mechanism: 2021 EU SCCs (Module Three: processor-to-processor); contractual flow-down of GDPR Article 28(3) obligations via the ICA.
For the purposes of the 2021 EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) incorporated by reference under Section 12, the Parties agree to the following elections:
• Module: Module Two (controller to processor).
• Docking clause (Clause 7): Applicable. Additional entities may accede with the agreement of the Parties.
• Sub-processor authorisation (Clause 9): Option 2 — general written authorisation. Notice period for changes to sub-processors: thirty (30) days, as set out in Section 6.
• Redress (Clause 11): Optional independent dispute-resolution body is not selected.
• Liability (Clause 12): The cap and carve-outs in Section 14 of this DPA and the corresponding provisions of the MSA apply.
• Supervisory authority (Clause 13): As set out in Annex I, Section C.
• Governing law (Clause 17): Option 1 — the law of the EU Member State in which the data exporter is established (or, where the exporter is not established in an EU Member State, Ireland).
• Forum and jurisdiction (Clause 18): The courts of the EU Member State whose law governs the SCCs.
For the UK IDTA: Table 1 (Parties) is completed as set out in Annex I, Section A. Table 2 (Selected SCCs, Modules, and Selected Clauses) selects Module Two of the EU SCCs as incorporated into this DPA. Table 3 (Appendix Information) refers to Annexes I, II, and III to this DPA. Table 4 (Ending this Addendum when the Approved Addendum Changes) — Importer may end the IDTA upon a UK ICO-approved change with thirty (30) days' notice.
This is the public version of the HireSwiftlee Data Processing Addendum. It is incorporated by reference into every Client MSA and binds Swiftlee and each Client without separate signature. To request a Client-executed copy, write to support@hireswiftlee.com.