Data Protection Addendum (DPA) 
20th November 2023

Data Processing Details

Data Subjects


Your Lead Contact Person and Billing Contact Person (if stated in Your Order Form), Your Users, and Your Candidates.

Categories of Personal Data



Standard data: First Name, Last Name, email address, phone number, IP address, device identifier, browser type and version, time zone setting, browser plug in types and versions, operating system and platform, interaction data (such as support tickets), Candidate ID, username, and psychometric assessment data (both Candidate inputs and results).

Special category data: Demographic data relating to the Candidate such as ethnicity, age, gender and health may also be collected from a Candidate (on a strictly optional basis).

Purpose of Processing


For Our provision of the Services,  reporting, and insights to You under the Agreement. We may also use Your Personal Data to improve our product and services, but we will always permanently anonymise Your Personal Data first.

Period of Processing



For Users, Lead Contact Person and Billing Contact Person: We will retain their information for  the duration of the Agreement and for a reasonable period of no longer than 30 days after that to return or delete Your Personal Data. 

For Candidates: We will retain their information for 12 months after their last activity with Us. This period is counted from the latest of these events: (i) creation of the Candidate's record in the Platform, (ii) the Candidate's invitation to take the Assessment, (iii) the Candidate opening the Assessment, or (iv) the Candidate completing the Assessment. If You ask the Candidate to take an Assessment for a different Live Campaign within these 12 months, this retention period restarts.





This DPA contains the clauses required by the Data Protection Legislation for contracts between controllers and processors and applies to You and Us because:

(a) You have engaged Us to act as Your Service provider by accepting the terms of Our Agreement; and

(b) The Services We provide you require us to act as your data processor in relation to any Personal Data that You or Your Candidates provide to us in order for us to provide you with these Services.

Our Roles


You are the Data Controller and We are the Data Processor. 

Your Responsibilities


As the Data Controller, You retain control of the Personal Data and remain responsible for Your obligations as the Data Controller under the Data Protection Legislation, which includes ensuring You have determined a correct legal basis for Us to process Your Personal Data in accordance with the Agreement and terms of this DPA.


Our Obligations to You

Compliance with Law


We will always comply with our obligations under the Data Protection Legislation when processing any of Your Personal Data on your behalf.

Acting on Your instructions


We will only process Your Personal Data in accordance with Your documented instructions set out in this DPA. If We are required to process Your Personal Data for another reason (such as to comply with a law), unless We are prohibited from doing so, We will advise you of that legal requirement in advance of any processing.



We will maintain confidentiality of Your Personal Data in accordance with the confidentiality provisions of Our Agreement. Specifically, We will ensure that any persons authorised to process Your Personal Data have agreed in writing to confidentiality terms which are no worse than what We require for Our own personal data or are under a similar statutory obligation to keep Your Personal Data confidential.

Responding to Data Subject Access Requests


Taking into account the nature of processing, We will assist You, at your cost, to respond to requests from a Data Subject when exercising their rights under the Data Protection Legislation or any other applicable law, including subject access rights, the rights to rectify or right to erase Personal Data.

Assisting Impact Assessments and Regulatory Requests


We will provide reasonable assistance to You with respect to any data protection impact assessment and communications with data privacy authorities (such as the Information Commissioner’s Office) as is required under any applicable law, in each case solely in relation to Our processing of Your Personal Data, taking into account the nature and scope of such Personal Data.

Information and Audit Requests


If You request assistance in ensuring Your compliance with Your obligations under the Data Protection Legislation, We will make available all information reasonably necessary to demonstrate Our compliance with this DPA to you, including allowing for and contributing to audits by your mandated auditor, provided that (i) such audit is at Your expense and no more than once per year (except where required by a relevant regulatory authority) (ii) reasonable advance written notice is given to Us, (iii) such audit shall not materially interfere with Our day to day business operations, and (iv) You shall comply with Our confidentiality, security, and health and safety policies. You also agree that the first step in relation to any audit as required under this clause or by the relevant regulatory authority shall be for Us to provide You with a report verifying Our compliance with Our obligations under this DPA. You agree that You shall only request a further audit if it shows reasonable grounds for believing the report to be insufficient.

Notification of Breaches


In the event of any Personal Data Breach, We will notify you without undue delay as soon as We become aware of the breach and will assist You in the notification of such breach to the relevant data privacy authority and Data Subject.

Staff Controls


We will ensure (via contractual obligations, internal policies and training) that Our staff are both authorised and have the necessary skills to process Your Personal Data in accordance with our obligations under this DPA.

Security Controls


We are proudly ISO 27001 certified (a global standard for keeping data safe and secure). We also apply the technical and organisational measures set out in our Data Security Policy to prevent the unauthorised processing of Your Personal Data or loss, damage or destruction to it. You confirm You have reviewed these measures and agree that they are appropriate, taking into account current industry practice for data security, implementation costs, the nature of Your Personal Data processed, scope, and context of Our processing.  We regularly review and update our data security controls and may accordingly update the Data Security Policy from time to time without notice to You, so long as any such changes do not cause there to be a reduction to these security levels.



You agree that We may engage Sub-processors to process Your Personal Data. The Sub-processors We use to provide the Services to You are described in the Sub-processor List. We keep this Sub-processor List up to date. In all cases:

(a) Each Sub-Processor is subject to written contractual terms that reflect at the minimum, the obligations We have to You under this DPA regarding how We process Your Personal Data under this Agreement;

(b) We will remain liable to You for any acts or omissions of any Sub-Processors We appoint to process Your Personal Data;

(c) We may change or replace our Sub-Processors from time to time. If we do, we will follow the notification process in section 1.4 of the Agreement, which also gives you an opportunity to object to this change if you do not agree;

(d) The sub-processing will end in accordance with section 1.3 above, or earlier if the services any Sub-Processors are no longer required by Us in order to provide You with the Services.

International Transfers


To protect transfers of Your Personal Data to countries outside the EEA and UK, where the UK Secretary of State has not determined the country has (a) an adequate level of protection, or (b) approved any other framework as adequate for the transfer (such as the UK-US data-bridge) the Parties agree to enter an IDTA as follows:

(a) For the purposes of Table 1 of the IDTA, We are the “Data Importer” and You are the “Data Exporter” of the Personal Data. The rest of the required details are set out in Your signed Order Form.

(b) For the purposes of Table 2 of the IDTA:

        (i) The law of England and Wales will govern the IDTA and be the primary place for any legal claims to be made.

       (ii) In relation to the Processing of the Personal Data, the Data Exporter is the Data Controller and We and Our Sub-processors are the Data Importer (and any onward  transfers to Our Sub-processors will be made strictly in accordance with the requirements of this DPA).

         (iii) The ‘Linked Agreement’ is this DPA and shall remain in place for the duration of the Agreement. 

(c)For the purposes of Table 2, the details of the ‘Transferred Data’ are set out in clauses 1.1 to 1.4 of this DPA and with respect to any specific onward processing by Our relevant Sub-Processors in the link to our current list of Sub-Processors at clause 3.10.

(d) For the purposes of Table 4, the details of the ‘Security Requirements’ are set out in clause 3.9 of this DPA and our Data Security Policy.

(e) The Part 4 ‘Mandatory Clauses’ of IDTA apply.

(f) For the avoidance of doubt where this DPA specifies any further audit and Sub-processor requirements, such requirements also apply in relation to the IDTA.

(g) By signing the Order Form confirms, both parties confirm their agreement to the IDTA as stated above.

Deletion of Your Personal Data


We will delete all Your Personal Data on the earlier of (a) 24 months when We receive it, (b) upon Your written request, or (c) within a reasonable period of no longer than 30 days following the end of the Agreement unless applicable law requires Us to retain a copy of any such data (and this DPA will continue to apply to that retained data). If You want to retain a copy of Your Personal Data, it is Your responsibility to export it from our Platform prior to the end of the Agreement. Please note, we will start the process of deleting Your Personal Data as soon as possible upon termination of the Agreement, so if You want to retain any such Personal Data, You must let us know before that.


Order of precedence


In the event of any inconsistency between the Order Form, Terms and Conditions, this DPA and IDTA, the terms of the following documents will prevail (in order of precedence): the Order Form, IDTA, DPA, then the Terms and Conditions.



Capitalised words in this DPA have the meanings given to them in the Agreement.Any rules of interpretation and defined terms in the Agreement apply to this DPA.

Last Updated: 20 November 2023


View the previous Data Protection Addendum 2022 here.

To view the 2021 Data Protection Addendum click here.


This is the Privacy and Cookies Policy for the assessment application (BBA App) available to employers who purchase our services for use in their recruitment processes (‘Clients’), employees and candidates of our Clients (‘Candidates’) and the separate online Client Management Portal for Clients (the ‘DataHub’) (collectively ‘Services’) provided by Arctic Shores Limited (“we“,”us” and “our“). We are committed to protecting and respecting your privacy.

This policy together with our Terms of Service sets out the basis on which any personal data we collect from you in relation to the Services, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. Your use of any of the Services is subject to these terms.

Information we collect

We will collect and process the following personal data about:

We will collect and process the following personal data about:

Candidate BBA App – If you are a Candidate for employment, in order for you to use the BBA App you will have already applied for a position with a potential employer or a recruitment company who is our Client, the data controller. In this circumstance, Arctic Shores will act as a data processor of your information under the instructions of our Client. The potential employing Client will forward a link in an email which will enable the generation of a user ID, user name and password necessary at the point Candidates download and sign in to the BBA App. The personal information we receive from you about you from the use of the BBA App is by reference to this pre-allocated user ID, user name and password. No direct identifying information such as name, email or address is collected or provided to us through the BBA App.