Data Processing Addendum
Last updated: April 2026 · v1.0
This Data Processing Addendum (“DPA”) supplements the Terms of Service between you (the “Controller”) and ICAN MENA FZ-LLC (the “Processor”) and applies when ICAN processes Personal Data on behalf of the Controller through ICAN Talent.
1. Definitions
Capitalised terms not defined here have the meaning given in the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, “PDPL”).
2. Subject matter and duration
ICAN processes Personal Data on the Controller's instructions to provide the ICAN Talent service for the term of the underlying subscription.
3. Nature and purpose of processing
The nature of processing is: hosting, indexing, scoring, parsing, storing, and presenting candidate application data; routing communications between recruiters and candidates; and AI-assisted recommendation generation. The purpose is to provide the ICAN Talent recruitment platform.
4. Categories of data subjects and data
Data subjects include: the Controller's employees and authorized users; job candidates and applicants; and interviewers and references provided by candidates.
Categories of Personal Data include:
- Identity and contact data (name, email, phone, address)
- CV content (work history, education, skills, languages)
- Sensitive data only where the Controller chooses to upload it (avoid where possible)
- Assessment data (AI scores, interviewer notes, decisions)
5. Sub-processors
The Controller authorizes ICAN to use the following sub-processors:
- Vercel Inc. — application hosting (USA / EU; Standard Contractual Clauses signed)
- Supabase Inc. — database, auth, storage (EU — Frankfurt)
- Anthropic, PBC — AI inference (USA; zero data retention configured)
- SendGrid (Twilio Inc.) — transactional email (USA)
- Stripe Inc. — payment processing (USA / EU)
ICAN will notify the Controller of any new sub-processor at least 30 days in advance, allowing the Controller to object.
6. Security measures
ICAN implements appropriate technical and organisational measures including encryption at rest (AES-256) and in transit (TLS 1.3); multi-tenant isolation via Postgres Row-Level Security; role-based access controls; audit logging; regular security testing; and a documented incident response plan. See our Security page for details.
7. International transfers
For transfers outside the EEA / UAE, ICAN relies on the EU Standard Contractual Clauses or equivalent UAE PDPL adequacy mechanisms.
8. Data subject requests
ICAN will assist the Controller in responding to data subject access, correction, deletion, and portability requests within 14 calendar days.
9. Personal data breaches
ICAN will notify the Controller without undue delay (and within 72 hours where reasonably possible) of any confirmed personal data breach affecting the Controller's data.
10. Audits
ICAN will make available all information necessary to demonstrate compliance. Enterprise customers may request an annual audit (or accept an equivalent third-party report — SOC 2 in progress).
11. Return or deletion
On termination, ICAN will delete or return all Personal Data within 30 days, except where retention is required by law.
12. Acceptance
By using ICAN Talent, the Controller accepts this DPA. For a counter-signed copy on letterhead, email legal@icanmena.com.