Data processing addendum
Version 1 · 18 July 2026This addendum forms part of the JOBE Recruit terms when a customer uses JOBE to process personal information for which that customer is a controller. It records the controller-to-processor instructions and safeguards for that customer workspace.
Postal address must be completed
The Processor is Christopher John Howitt, a sole trader trading as JOBE Recruit. A valid postal or service address is still required in the Terms. This addendum should not be treated as commercially complete until that address is published.
1. Roles and order of terms
The subscribing recruiter or recruitment business is the Customer and normally the controller of candidate, client and recruitment-workspace information. Christopher John Howitt, trading as JOBE Recruit, is the Processor for that information. He remains a separate independent controller for JOBE’s own account administration, billing, security, support, consent-based analytics and corporate prospect research that JOBE sources or creates for the lead marketplace, as explained in the Privacy notice.
This addendum does not govern JOBE’s independent-controller marketplace research. If the Customer saves, supplements or uses a marketplace record for outreach, the Customer is a separate controller for that use and JOBE processes the resulting workspace copy on the Customer’s instructions.
This addendum applies for the subscription and any period in which the Processor retains Customer personal information. If it conflicts with the general Terms about processing Customer personal information, this addendum takes priority. It does not replace a lawful international-transfer mechanism where one is required.
2. Processing details
| Subject matter | Providing the JOBE recruitment workspace, authentication, synchronisation, Business team collaboration, requested AI and transcription actions, reporting, support and client-sharing functions. |
|---|---|
| Duration | The service term plus the deletion, backup, dispute and legal-retention periods described in the Privacy notice. |
| Nature and purpose | Receiving, hosting, organising, retrieving, synchronising, analysing on request, transmitting to authorised providers or recipients, exporting and deleting information to deliver Customer-selected recruitment workflows. |
| People | Candidates, prospective candidates, client contacts, prospective clients, referees and the Customer’s authorised users. |
| Information | Identity and contact information; CV, employment, skills, availability, interview and assessment information; job and client records; recruiter notes; call transcript text and summaries; shortlist decisions; tasks and commercial records. The Customer must avoid unnecessary special-category, criminal-offence, identity-document and financial information. |
| Instructions | This addendum, the Terms, the Customer’s settings and the actions its authorised users take in JOBE. The Customer can give additional lawful written instructions through support where they are consistent with the service. |
3. Processor commitments
- Process Customer personal information only on documented instructions, including for an international transfer, unless UK law requires otherwise. Where legally permitted, tell the Customer before required processing.
- Immediately tell the Customer if an instruction appears to infringe applicable data-protection law, without providing legal advice.
- Ensure people authorised to process the information are subject to confidentiality obligations and access it only as needed.
- Maintain proportionate technical and organisational measures described in the Security summary, taking account of risk, cost, scope and the nature of the service.
- Assist reasonably with data-subject requests, security obligations, impact assessments and regulator consultation, taking account of the nature of the processing and information available to the Processor.
- Notify the Customer without undue delay after confirming a personal-data breach affecting its workspace and provide available information reasonably needed for the Customer’s response.
- At the end of service, delete or return Customer personal information on request, subject to backup cycles and information that law or a live dispute requires the Processor to keep.
- Provide information reasonably necessary to demonstrate compliance with this addendum and permit proportionate audits under section 7.
4. Sub-processors
The Customer gives general written authorisation for the Processor to use the sub-processors listed below for the stated functions. The Processor must impose data-protection obligations appropriate to each service and remains responsible to the Customer for its sub-processors’ performance of those obligations.
The Processor will publish a material new sub-processor on this page before it begins processing Customer workspace information where reasonably practicable. A Customer with a reasonable data-protection objection must contact support promptly. The parties will try in good faith to resolve it; if no reasonable alternative exists, the Customer may stop the affected function or terminate before that sub-processor begins processing.
| Provider | Function | Information when used |
|---|---|---|
| Supabase | Authentication, individual workspace sync, shortlist and feedback storage | Account identity and relevant workspace or shortlist records |
| Railway | Application/API hosting and Business shared-workspace database | Service requests, operational records and shared Business records |
| Anthropic | Requested extraction, structuring, summarisation and coaching | Only content needed for the requested AI action |
| OpenAI | Requested transcription and configured support assistance | Selected audio or support question text |
| Resend | Support and team-invitation delivery | Support message or invitation contact details |
Stripe, Google Analytics and Companies House normally process billing, consent-based product analytics or public corporate queries for JOBE’s or the Customer’s separate purposes rather than processing the core recruitment workspace on the Customer’s behalf. Anthropic may also process limited corporate prospect fields for JOBE’s independent-controller marketplace scoring or sales preparation. Those activities fall under the Privacy notice rather than this processor addendum.
5. International processing
The providers above may process information in the UK, EEA, United States or another service location. Each party must meet the transfer obligations that apply to transfers it initiates. Where the Processor initiates a restricted transfer, it will use an applicable adequacy regulation, the UK International Data Transfer Agreement or Addendum, or another lawful safeguard, and will provide reasonable information for the Customer’s assessment on request. The Customer authorises transfers made consistently with this section and the sub-processor authorisation above.
6. Customer commitments
- Give lawful instructions, establish a lawful basis, provide required privacy information and handle data-subject rights as controller.
- Limit access to authorised users, manage Business membership and client links, configure retention and keep suitable exports or backups.
- Do not submit information the service is not suitable for, and obtain any permission or give any notice required before recording or transcribing a call.
- For prospect outreach, distinguish corporate subscribers from sole traders and relevant partnerships, provide Article 14 privacy information where required, screen applicable TPS, CTPS and internal suppression lists, identify the sender, provide an opt-out and promptly honour objections.
- Assess whether its recruitment use, AI use or international data flows require a data-protection impact assessment or additional safeguards.
7. Information and audits
The Processor will first satisfy an audit request with current policies, processing summaries, provider information and reasonable written answers. If that is insufficient, the Customer may conduct one proportionate audit in a 12-month period on at least 30 days’ notice, during normal business hours, subject to confidentiality, security and other customers’ rights. Additional audits are permitted after a confirmed material breach or where a regulator requires one. The Customer bears its audit costs and the Processor may charge reasonable costs for bespoke assistance unless the audit identifies a material Processor breach.
Contact and reference
Questions or additional written instructions: chrisjhowitt@gmail.com.
This addendum follows the compulsory controller–processor topics summarised in the UK Information Commissioner’s Article 28 contract guidance. Customers should take their own legal advice about their particular recruitment processing and transfers.