Data Processing Addendum
Wrangle Jobs Inc. Data Processing Addendum
Last updated: May 18, 2026
This Data Processing Addendum ("DPA") supplements and is incorporated into the agreement, order form, statement of work, online terms, or other written agreement governing Customer's use of the services provided by Wrangle Jobs Inc. ("Wrangle") (the "Agreement"). This DPA is entered into by Wrangle and the customer or organization agreeing to the Agreement ("Customer") as of the effective date of the Agreement or the date Customer first uses the Services, whichever is earlier.
Capitalized terms not defined in this DPA have the meanings given in the Agreement. Wrangle and Customer are each a "Party" and together are the "Parties."
Details
1.1 Scope and Roles
Wrangle provides recruiting, sourcing, outreach, interview, integration, AI-assisted workflow, and related services (the "Services"). To provide the Services, Wrangle may Process Customer Data on behalf of Customer. For that Processing, Customer is the Data Controller or Data Processor, as applicable, and Wrangle acts as Customer's Data Processor or Sub-processor.
1.2 Processing Purpose
Wrangle will Process Customer Data only to provide, secure, support, maintain, and improve the Services; to comply with Customer's documented instructions; to comply with applicable law; and as otherwise permitted by this DPA or the Agreement. Wrangle does not use Customer Data to train generalized AI models or foundation models.
Details about the nature and purpose of Processing, duration, categories of Customer Data, and categories of Data Subjects are set out in Schedule 1.
1.3 Compliance
Each Party will comply with the Data Protection Laws applicable to that Party in connection with the Services.
Wrangle Obligations
2.1 Customer Instructions
This DPA, the Agreement, applicable order forms, Customer's product configuration choices, Customer's use of the Services, and Customer's written instructions constitute Customer's documented instructions for Wrangle's Processing of Customer Data ("Customer Instructions").
Wrangle will Process Customer Data only in accordance with Customer Instructions unless applicable law requires other Processing. If law requires other Processing, Wrangle will notify Customer before Processing unless legally prohibited.
2.2 Notices
Wrangle will notify Customer if Wrangle reasonably believes a Customer Instruction violates Data Protection Laws. Wrangle will also notify Customer, to the extent legally permitted, if Wrangle receives a legally binding request from a law enforcement or governmental authority for Customer Data.
2.3 Confidentiality
Wrangle will ensure that personnel authorized to Process Customer Data are subject to appropriate confidentiality obligations.
2.4 Security
Wrangle will implement and maintain appropriate technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. Current measures are summarized in Schedule 2.
2.5 Personal Data Breach
Wrangle will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data. Wrangle will provide reasonable information and assistance to help Customer meet applicable breach-notification obligations.
2.6 Data Subject Requests
Wrangle will, to the extent legally permitted, notify Customer if Wrangle receives a request from a Data Subject relating to Customer Data. Wrangle will not respond to the request except to redirect the Data Subject to Customer, comply with Customer's documented instructions, or comply with applicable law.
Taking into account the nature of Processing, Wrangle will provide reasonable assistance to Customer through appropriate technical and organizational measures so Customer can respond to Data Subject requests under Data Protection Laws.
2.7 Assistance
Taking into account the nature of the Processing and information available to Wrangle, Wrangle will provide reasonable assistance to Customer for Customer's compliance with Data Protection Laws, including security, breach notification, data protection impact assessments, and consultations with supervisory authorities where required.
2.8 Audits and Compliance Information
Upon Customer's reasonable written request, and no more than once per calendar year unless required by a supervisory authority or following a Personal Data Breach, Wrangle will provide information reasonably necessary to demonstrate compliance with this DPA. Where available and appropriate, Wrangle may satisfy this obligation by providing security summaries, third-party reports, policy summaries, or written responses.
Any audit or inspection must be subject to reasonable confidentiality protections, occur during normal business hours, be conducted at Customer's expense, and avoid unreasonable disruption to Wrangle's operations.
2.9 Subprocessors
Customer gives Wrangle general authorization to engage Subprocessors to Process Customer Data in connection with the Services. Wrangle's current Subprocessor List is in Schedule 3.
Wrangle will impose written obligations on each Subprocessor that are materially no less protective than the obligations imposed on Wrangle under this DPA, to the extent applicable to the Subprocessor's services. Wrangle remains responsible for its Subprocessors' acts and omissions to the extent required by Data Protection Laws and subject to the Agreement.
Wrangle will provide notice of material additions or replacements to the Subprocessor List by email, in-product notice, posting to a subprocessors page, or another reasonable method. Customer may object within 30 days after notice by providing reasonable written grounds related to data protection. The Parties will work in good faith to resolve the objection. If the objection cannot reasonably be resolved, either Party may terminate the affected Services that cannot be provided without the new Subprocessor, and Customer will receive a refund of prepaid unused fees for the terminated Services if required by the Agreement.
2.10 Return and Deletion
Upon termination or expiration of the Agreement, or upon Customer's documented instruction, Wrangle will return or delete Customer Data in accordance with the Agreement and the functionality of the Services, unless retention is required by law. Wrangle may retain Customer Data in backups, logs, security records, or archival systems for a limited period consistent with ordinary retention practices, provided such retained data remains protected and is not actively Processed except as required by law or for security, continuity, or compliance purposes.
2.11 AI and Model Training
Wrangle does not use Customer Data to train foundation models, generalized AI models, or models made available to other customers, unless Customer expressly instructs or agrees in writing to a separate model-training or fine-tuning arrangement.
Wrangle may Process Customer Data through AI and machine-learning services to provide requested features, including search, ranking, summaries, evaluations, drafting, transcript summaries, agent workflows, and data extraction. AI inputs and outputs are Customer Data to the extent they contain or are derived from Customer Data.
Wrangle may use aggregated or de-identified information, product telemetry, usage metrics, and statistical data to operate, analyze, and improve the Services, provided Wrangle does not use that information to identify Customer, Customer's users, candidates, or other Data Subjects except as permitted by the Agreement or applicable law.
Customer Obligations
3.1 Lawful Basis, Notices, and Consents
Customer represents that it has and will maintain all rights, notices, consents, authorizations, and lawful bases required to provide Customer Data to Wrangle and to authorize Wrangle to Process Customer Data as described in this DPA and the Agreement.
3.2 Product Configuration
Customer is responsible for configuring and using the Services in compliance with Data Protection Laws, including choices about connected accounts, mailboxes, ATS systems, Slack workspaces, LinkedIn functionality, candidate imports, retention, sharing settings, outreach content, and recipients.
3.3 Restricted and Sensitive Data
The Services are not designed to require Special Category Data, criminal-offense data, protected health information, payment-card data, government identification numbers, or other highly sensitive data unless expressly supported by the applicable feature and permitted by the Agreement. Customer will not submit such data unless it has a lawful basis and has implemented appropriate safeguards.
3.4 Cooperation
Customer will reasonably cooperate with Wrangle to enable Wrangle to comply with this DPA and applicable Data Protection Laws.
International Data Transfers
Customer Data may be Processed in the United States and other jurisdictions where Wrangle or its Subprocessors operate. If Customer Data is protected by GDPR, UK GDPR, Swiss data protection law, or similar transfer restrictions, the Parties will rely on an appropriate transfer mechanism, including an adequacy decision or the Standard Contractual Clauses.
Where the EU Standard Contractual Clauses apply, Module Two applies where Customer is a Controller and Wrangle is a Processor. Module Three applies where Customer is a Processor and Wrangle is a Sub-processor. Clause 7 docking does not apply unless the Parties agree otherwise. Clause 9 Option 2, general written authorization for Subprocessors, applies with the notice period in Section 2.9. Clause 11 optional language does not apply. Clause 17 Option 1 applies, and the SCCs are governed by the law of Ireland unless the Parties agree otherwise or another jurisdiction is required. Clause 18(b) disputes will be resolved before the courts of Ireland unless another venue is required by law. The details in Schedule 1 supply Annex I and Annex III information, and Schedule 2 supplies Annex II information.
For UK Data, the SCCs will be deemed amended by the UK International Data Transfer Addendum. For Swiss Data, the SCCs will be interpreted to apply to transfers from Switzerland and to reference the Swiss Federal Data Protection and Information Commissioner as required.
U.S. Privacy Laws
To the extent U.S. Privacy Laws apply to Customer Data, Wrangle will Process Customer Data as a service provider, contractor, or processor, as applicable.
Wrangle will not sell Customer Data, share Customer Data for cross-context behavioral advertising, retain or use Customer Data outside the direct business relationship between Customer and Wrangle except as permitted by Data Protection Laws, combine Customer Data with Personal Data received from or on behalf of another person except as permitted by Data Protection Laws or Customer Instructions, or attempt to re-identify de-identified Customer Data except as permitted by Data Protection Laws.
Wrangle will notify Customer if Wrangle determines it can no longer meet its obligations under applicable U.S. Privacy Laws. If Customer reasonably believes Wrangle is Processing Customer Data in a manner inconsistent with this DPA, Customer may notify Wrangle, and the Parties will work in good faith to remediate the issue.
Customer will not provide Customer Data to Wrangle in a manner that would make Wrangle a "third party" rather than a service provider, contractor, or processor under applicable U.S. Privacy Laws.
Customer-Directed Integrations
The Services allow Customer to connect or instruct Wrangle to interact with third-party services, including mailboxes, applicant tracking systems, Slack, LinkedIn, Paraform, calendar or meeting services, and other tools. These integrations are enabled by Customer or Customer's users.
Customer authorizes Wrangle to Process and transmit Customer Data through Customer-directed integrations as necessary to provide the requested functionality. Customer is responsible for the relationship, permissions, settings, and legal basis for those third-party services. Those third-party services may act as independent controllers, processors, or service providers to Customer under their own terms. A non-exhaustive list of Customer-directed integrations is in Schedule 4.
Definitions
"Customer Data" means Personal Data that Wrangle Processes on behalf of Customer through the Services.
"Data Controller" or "Controller" has the meaning assigned to "controller" or an analogous term under Data Protection Laws.
"Data Processor" or "Processor" has the meaning assigned to "processor" or an analogous term under Data Protection Laws.
"Data Protection Laws" means privacy, data protection, and cybersecurity laws applicable to Wrangle's Processing of Customer Data under the Agreement.
"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
"GDPR" means Regulation (EU) 2016/679.
"Personal Data" means "personal data," "personal information," or an analogous term under Data Protection Laws.
"Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data Processed by Wrangle, its Subprocessors, or others acting on Wrangle's behalf.
"Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, transmission, alignment, restriction, erasure, or destruction.
"SCCs" means the standard contractual clauses adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, as amended, updated, or replaced.
"Special Category Data" means sensitive Personal Data under Data Protection Laws, including special categories of personal data under GDPR Article 9.
"Subprocessor" means a third party engaged by Wrangle to Process Customer Data on Wrangle's behalf in connection with the Services.
"U.S. Privacy Laws" means U.S. federal and state privacy laws applicable to Customer Data, including the California Consumer Privacy Act as amended by the California Privacy Rights Act.
Schedule 1: Details of Processing
Nature and Purpose
Wrangle Processes Customer Data to provide the Services, including user account, organization, authentication, billing, and workspace administration; candidate sourcing, search, matching, ranking, filtering, enrichment, and profile review; candidate collections, imports, exports, notes, custom attributes, and sharing; outreach sequences, email sending, reply detection, unsubscribe and bounce handling, analytics, and delivery controls; customer-enabled integrations, including connected mailboxes, ATS systems, Slack, LinkedIn, Paraform, calendar, and meeting tools; interviews, meeting rooms, recordings, transcription, transcript storage, and summaries when enabled; AI-assisted drafting, evaluation, summarization, data extraction, agent workflows, and API usage; and security, fraud prevention, abuse prevention, debugging, support, logging, monitoring, and service improvement.
Duration
Customer Data is Processed for the term of the Agreement and for any period needed after termination to provide export, deletion, security, backup, legal, tax, accounting, or compliance functions.
Categories of Customer Data
Customer Data may include account, workspace, authentication, billing, and usage data; candidate, prospect, applicant, contact, resume, profile, and recruiting workflow data; job, role, search, matching, evaluation, note, collection, import, export, and generated-output data; outreach, mailbox, message, delivery, reply, unsubscribe, and bounce data; integration identifiers, settings, sync data, and provider metadata; interview meeting, recording, audio, transcript, note, and summary data where enabled; files, uploads, extracted text, and related metadata submitted by Customer or users; and technical, security, logging, analytics, and support data.
Categories of Data Subjects
Data Subjects may include Customer's users, administrators, employees, contractors, recruiters, hiring managers, interviewers, candidates, prospects, applicants, referrals, email recipients, job-board users, Slack users, and other individuals whose Personal Data is submitted to or Processed through the Services.
Sensitive Data
No Special Category Data is required for ordinary use of the Services. Customer may choose to submit or import data that includes sensitive information, including information contained in resumes, notes, candidate records, interview recordings, emails, or ATS data. Customer is responsible for ensuring such data is lawful to Process and appropriate safeguards are in place.
Frequency
Processing occurs continuously or intermittently depending on Customer's use of the Services, connected integrations, scheduled jobs, API calls, background syncs, and configured workflows.
Transfers to Subprocessors
Subprocessors Process Customer Data as necessary to provide the Services for the duration of the Agreement or as otherwise described in this DPA, the Agreement, or the applicable Subprocessor's retention obligations.
Schedule 2: Technical and Organizational Measures
Wrangle maintains technical and organizational measures appropriate to the nature of the Services, including encryption in transit using TLS for network communications where supported; encryption at rest where provided by infrastructure, database, storage, and hosting providers; authentication and authorization controls for user accounts and administrative access; role-based or least-privilege access controls for internal systems; use of OAuth and API-token based access for customer-connected services; restricted handling of access credentials for customer-connected services and service providers; logical separation of customer workspaces and organization-scoped data in application logic and data models; logging, monitoring, error tracking, rate limiting, and abuse-prevention controls; backup, redundancy, and disaster-recovery capabilities provided by underlying infrastructure providers; code review, testing, dependency management, and deployment controls appropriate to the Services; subprocessors subject to written confidentiality, security, and data protection obligations; and incident-response procedures for investigating, mitigating, and notifying Customer of Personal Data Breaches.
Some controls depend on the product tier, enabled features, provider configuration, and Customer's own configuration choices.
Schedule 3: Subprocessor List
Wrangle uses the following Subprocessors to provide the Services. Some Subprocessors are used only for specific features, plans, regions, or customer configurations.
Google LLC / Google Cloud Platform / Firebase. Purpose: cloud infrastructure, storage, database, background processing, and logs. Data Processed: Customer Data stored or processed in the Services and related operational metadata.
Vercel Inc. Purpose: application hosting, application infrastructure, observability, and provider routing where enabled. Data Processed: requests, responses, logs, metadata, and feature inputs/outputs where routed through Vercel.
PlanetScale, Inc. Purpose: managed database for structured application and search data. Data Processed: structured Customer Data, identifiers, and metadata.
Upstash, Inc. Purpose: caching, rate limiting, queues, and temporary workflow state. Data Processed: cache keys, identifiers, usage and rate-limit metadata, and workflow metadata.
turbopuffer Inc. Purpose: search, matching, and retrieval infrastructure. Data Processed: search data, identifiers, metadata, and profile or candidate attributes.
Clerk, Inc. Purpose: authentication, user identity, organization membership, sessions, and account management. Data Processed: user names, emails, identifiers, organization, and role metadata.
Stripe, Inc. Purpose: payments, subscriptions, invoices, billing, and payment-event processing. Data Processed: billing contacts, subscription data, and payment metadata.
Mixpanel, Inc. Purpose: product analytics, event tracking, and usage telemetry. Data Processed: user identifiers, event properties, page data, and usage metadata.
Resend, Inc. Purpose: transactional and lifecycle email delivery and unsubscribe handling. Data Processed: email addresses, contact properties, message metadata, and email content for sent messages.
OpenAI OpCo, LLC / OpenAI affiliates. Purpose: AI-assisted features, including generation, classification, extraction, search, and evaluation. Data Processed: inputs, outputs, transcripts, profile data, job data, and search data submitted for requested AI features.
Voyage AI Innovations, Inc. Purpose: search and matching support. Data Processed: search queries, candidate or profile snippets, and ranking metadata.
Cohere Inc. Purpose: search and ranking support where enabled. Data Processed: search queries, candidate or profile snippets, and ranking metadata.
Cerebras Systems Inc. Purpose: AI inference and fallback model calls where enabled. Data Processed: AI inputs and outputs submitted for requested AI features.
Groq, Inc. Purpose: AI inference and fallback model calls where enabled. Data Processed: AI inputs and outputs submitted for requested AI features.
OpenRouter, Inc. Purpose: AI model routing and fallback inference where enabled. Data Processed: AI inputs and outputs submitted for requested AI features.
Parallel Web Systems Inc. Purpose: web research and retrieval where enabled. Data Processed: search queries, context, results, and related metadata.
Perplexity AI, Inc. Purpose: web search and answer generation where enabled. Data Processed: search queries, context, results, and related metadata.
Clay Labs Inc. Purpose: contact enrichment where enabled. Data Processed: candidate identifiers, contact details, request metadata, and enrichment results.
RapidAPI and selected RapidAPI providers. Purpose: profile enrichment where enabled. Data Processed: profile URLs, profile identifiers, request metadata, and enrichment results.
Daily.co / Daily. Purpose: interview meeting rooms, recordings, and meeting-related media features where enabled. Data Processed: meeting identifiers, participant or session metadata, and recordings where enabled.
AssemblyAI Inc. Purpose: audio transcription for interview recordings where enabled. Data Processed: uploaded audio, transcripts, and transcription metadata.
Schedule 4: Customer-Directed Integrations
The following providers are commonly used as Customer-directed integrations. Depending on the feature and Customer configuration, these providers may act as Customer's own service provider, processor, controller, or independent third party under their own terms.
Google LLC / Gmail / Google Workspace. Integration Purpose: connected mailboxes, contacts, calendar, reply polling, and email sending where enabled.
Microsoft Corporation / Microsoft 365 / Outlook / Microsoft Graph. Integration Purpose: connected mailboxes, reply polling, and email sending where enabled.
Slack Technologies, LLC. Integration Purpose: Slack app, messages, commands, event handling, and account linking where enabled.
LinkedIn Corporation. Integration Purpose: LinkedIn connection, message, reply, and status workflows where enabled.
Customer-configured ATS providers, including Ashby, Greenhouse, Lever, and Recruit CRM. Integration Purpose: job, candidate, applicant, stage, and status sync where enabled.
Paraform. Integration Purpose: recruiter role sync and attribution where enabled.
Customer-configured MCP/API clients. Integration Purpose: customer-directed API and MCP access where enabled.
![](data:image/svg+xml,<svg display="block" role="presentation" viewBox="0 0 18 18" xmlns="http://www.w3.org/2000/svg"><path d="M 5.532 5.532 C 5.392 5.673 5.201 5.752 5.002 5.752 C 4.803 5.752 4.612 5.673 4.472 5.532 L 0.229 1.289 C 0.157 1.22 0.1 1.138 0.061 1.046 C 0.022 0.955 0.001 0.856 0 0.757 C -0.001 0.657 0.018 0.558 0.056 0.466 C 0.094 0.374 0.149 0.29 0.22 0.22 C 0.29 0.149 0.374 0.094 0.466 0.056 C 0.558 0.018 0.657 -0.001 0.757 0 C 0.856 0.001 0.955 0.022 1.046 0.061 C 1.138 0.1 1.22 0.157 1.289 0.229 L 5.002 3.941 L 8.714 0.229 C 8.856 0.092 9.045 0.017 9.242 0.018 C 9.439 0.02 9.627 0.099 9.766 0.238 C 9.905 0.377 9.984 0.565 9.985 0.762 C 9.987 0.959 9.912 1.148 9.775 1.289 Z" fill="rgba(0, 0, 0, 0.48)" height="5.751770886718224px" id="xX_b3JCdG" transform="translate(3.998 6.248)" width="9.985511041712934px"/></svg>)
