Last updated: 01.10.2026
This Data Processing Addendum (“DPA”) forms part of the ClearCheck Terms of Use or other written agreement governing use of the ClearCheck service (the “Agreement”) entered into between:
DATA FACTORY LTD
Registration Number: HE 478941
Private Limited Company registered in Cyprus
(“Company”, “Processor”, “Service Provider”, “we”, “us”),
and
The customer using the ClearCheck service
(“Customer”, “Controller”, “Business”, “you”).
This DPA applies to the extent Company processes Personal Data on behalf of Customer in connection with the ClearCheck platform (“Service”).
If there is a conflict between this DPA and the Agreement regarding Personal Data processing, this DPA shall control.
Effective Date: [Insert date]
“Personal Data” means any information relating to an identified or identifiable individual processed under this DPA.
“Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
“Customer Data” means Personal Data submitted by or on behalf of Customer into the Service, including Personal Data contained in reports generated through Customer’s use of the Service.
“Data Protection Laws” means applicable privacy and data protection laws, including, where applicable:
U.S. state privacy laws (including the California Consumer Privacy Act as amended by the CPRA),
the EU General Data Protection Regulation (“GDPR”) and UK GDPR (if applicable).
2.1 Customer as Controller / Business
Customer is the controller (or “business” under CPRA) of Customer Data.
2.2 Company as Processor / Service Provider
Company acts as a processor (or “service provider” / “contractor” under CPRA) and processes Customer Data solely:
to provide, maintain, and secure the Service,
in accordance with Customer’s documented instructions,
as set forth in the Agreement and this DPA.
2.3 No Independent Use of Customer Data
Company does not process Customer Data for its own independent purposes and does not use Customer Data for advertising, profiling, or data resale.
3.1 Company processes Customer Data only as necessary to:
provide access to the ClearCheck dashboard,
generate and deliver background check reports requested by Customer,
administer accounts, billing, and support,
ensure platform security, fraud prevention, and system integrity,
comply with applicable legal obligations.
3.2 Company does not make hiring decisions, recommendations, or legal determinations based on Customer Data.
Customer is solely responsible for:
determining lawful purposes for processing,
ensuring compliance with applicable employment and privacy laws (including FCRA where applicable),
obtaining all required disclosures, authorizations, and consents,
ensuring the accuracy and lawfulness of data submitted to the Service.
Customer shall not instruct Company to process Personal Data in violation of applicable law.
Company ensures that all personnel authorized to process Customer Data are subject to confidentiality obligations appropriate to the nature of the data and their access.
6.1 Company maintains appropriate technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
6.2 Security measures are proportionate to the nature of the Service and risk profile and are described at a high level in Exhibit C.
7.1 Authorization
Customer provides general authorization for Company to engage Subprocessors as necessary to provide the Service.
7.2 List of Subprocessors
Company’s current Subprocessors are listed in Exhibit B.
7.3 Changes
Company may update Subprocessors from time to time and will make updated information available upon request.
7.4 Flow-Down Obligations
Company enters into written agreements with Subprocessors imposing data protection obligations no less protective than those in this DPA.
7.5 Responsibility
Company remains responsible for Subprocessors’ compliance with their processing obligations.
8.1 Company will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data.
8.2 Company will provide reasonable information and cooperation to assist Customer in meeting any breach notification obligations under applicable law.
8.3 Notification does not constitute an admission of fault or liability.
9.1 If Company receives a request from a data subject relating to Customer Data, Company will, where legally permitted, refer the request to Customer.
9.2 Company will provide reasonable assistance to Customer in responding to such requests where technically feasible and legally permitted.
Customer remains responsible for responding to data subject requests.
10.1 Company retains Customer Data only for the duration necessary to provide the Service and as required for legal, security, fraud prevention, or accounting purposes.
10.2 Upon termination of the Agreement, Company will delete or return Customer Data upon Customer’s written request, unless retention is required by law.
11.1 Upon reasonable written request, Company will provide Customer with information reasonably necessary to demonstrate compliance with this DPA (e.g., written security summaries).
11.2 Any audit must be:
limited in scope to Customer Data,
conducted no more than once per year,
subject to confidentiality and security controls,
at Customer’s expense.
To the extent applicable:
12.1 Company acts as a Service Provider / Contractor.
12.2 Company will not:
sell or share Customer Data,
retain, use, or disclose Customer Data outside the purpose of providing the Service,
combine Customer Data with data from other customers for advertising.
12.3 Company certifies its understanding of these restrictions.
Customer acknowledges that Customer Data may be processed in the EU and other jurisdictions as necessary to provide the Service.
Where required by Data Protection Laws, appropriate safeguards (such as Standard Contractual Clauses) will be made available upon request.
In the event of a conflict:
Executed transfer mechanisms (if any)
This DPA
The Agreement
Privacy Contact: [email protected]
Company: DATA FACTORY LTD
Service: ClearCheck background check reporting platform
Nature of Processing:
Collection, storage, processing, and presentation of Customer-initiated background check data through the dashboard.
Purpose:
Provision of employment background check reports and related account, support, billing, and security operations.
Categories of Data Subjects:
Individuals screened by Customer
Customer’s authorized users
Categories of Personal Data:
Account and contact information
Identifiers submitted by Customer
Report output data
Transaction metadata
Special Categories:
Customer is responsible for ensuring any sensitive data submitted is lawful and appropriate.
| Function | Subprocessor | Location |
|---|---|---|
| Payment Processing | PayPro Global | As determined by provider |
| Hosting & Infrastructure | Hetzner Online GmbH | Finland (EU) |
| Transactional Email | Google LLC (Gmail) | As determined by provider |
Customer support is provided through Company’s proprietary in-dashboard support and chat solution.
No third-party analytics services are used.
Contact: [email protected]
Company maintains safeguards including:
access controls and role-based permissions,
encrypted data transmission,
secure hosting infrastructure,
monitoring and logging for security events,
backup and recovery procedures,
internal access limitation and change management.
Get in touch with us to learn more about our background check services and how we can help you make informed decisions.
