Data Sharing Agreement

18C AI Platform
Last Updated: November 11, 2025

PARTIES

This Data Sharing Agreement (“DSA” or “Agreement”) is entered into between: 18C Partners, a California limited liability company (“18C,” “we,” “us,” or “our”), with its principal place of business at 2 Cortes Court, Moraga, CA 94556 and the Hiring Company receiving 18C’s recruiting services (“Hiring Company,” “you,” or “your”). 18C and the Hiring Company are collectively referred to as the “Parties” and individually as a “Party.”

BACKGROUND

18C operates an AI-powered recruiting platform (the “Platform”) connecting job seekers (“Candidates”) with hiring companies; Hiring Company will use the Platform to share job opportunities for which Candidates can apply; the Parties will share Candidate Personal Data for recruitment and hiring purposes as independent Controllers and will comply with all applicable data protection laws.

DEFINITIONS 

“Applicable Laws” means all federal, state, local, and international laws governing the Processing of Personal Data, including CCPA/CPRA, GDPR, UK GDPR, and applicable data breach notification laws.

“Candidate” means any individual whose Personal Data is processed in connection with the Services, including job seekers and applicants.

“Controller” means an entity that determines the purposes and means of Processing Personal Data.

“Data Subject” means an identifiable individual to whom Personal Data relates.

“Personal Data” means any information relating to an identified or identifiable individual, as defined under Applicable Laws.

“Personal Data Breach” means any confirmed or suspected unauthorized access, disclosure, loss, alteration, or destruction of Personal Data.

“Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

“Processor” means an entity that processes Personal Data on behalf of a Controller.

“Services” means the recruiting and talent-matching services provided by 18C under the Platform Terms.

“Subprocessor” means any third party engaged by 18C that Processes Personal Data on its behalf.

“Standard Contractual Clauses,” “UK Addendum,” and “UK Restricted Transfer” refer to the applicable legal mechanisms for cross-border data transfers under data protection laws.

SCOPE AND PURPOSE

This Agreement governs the sharing and Processing of Candidate Personal Data between the Parties. Personal Data is shared only to identify, evaluate, communicate with, and hire Candidates, and for related legal and recordkeeping purposes. Each Party will only process the minimum data necessary for these purposes.

ROLES AND RESPONSIBILITIES

Each Party acts as an independent Controller.

18C, as a Controller, collects Candidate data through the Platform, evaluates Candidate suitability, and shares data with the Hiring Company. 18C is responsible for providing Candidate disclosures, obtaining required consents, using approved Subprocessors, securing data, and notifying Hiring Company of breaches.

Hiring Company, as a Controller, receives Candidate data, evaluates Candidates, makes hiring decisions, and communicates with Candidates. Hiring Company must Process data only for permitted purposes, comply with data protection laws, secure Personal Data, notify 18C of breaches, and honor Data Subject rights.

Neither Party will Process Personal Data in a way that violates law or misuses Candidate data.

LAWFUL BASIS FOR PROCESSING

Each Party represents that it has a lawful basis to Process Candidate Personal Data under data protection laws.

18C relies on legitimate interest, performance of contract, consent (where required), and legal obligations.

Hiring Company relies on legitimate interest, pre-contractual necessity, and legal obligations.

Both Parties will maintain a lawful basis throughout the term of this Agreement.

DATA CATEGORIES AND PROCESSING DETAILS

The Parties agree that the Processing contemplated by this Agreement involves the following categories of Personal Data and Data Subjects:

Data Subjects: Job seekers, applicants, and candidates for employment with Hiring Company.

Categories of Personal Data:

  • Contact information (name, email, phone number, address)

  • Professional information (résumé, cover letter, work history, education, skills, certifications, references, LinkedIn profile)

  • Application materials and responses to job-specific questions

  • Communications between Candidates, 18C, and Hiring Company

We do not expect to collect sensitive data. If a Candidate submits sensitive information, each Party will comply with Applicable Laws and apply appropriate safeguards.

Data Flow:

  • 18C collects Personal Data from Candidates via the Platform

  • 18C shares Candidate Personal Data with Hiring Company via secure portal, encrypted email, or other secure channels

  • Hiring Company provides feedback and hiring decisions to 18C

  • Hiring Company may request additional information from Candidates directly or through 18C

DATA RETENTION AND DELETION

18C may retain Candidate data for up to 48 months from the first introduction or until deletion is requested. Hiring Company may retain Candidate data for up to 24 months from the final hiring decision, unless shorter retention is requested, longer retention is required by law, or the Candidate is hired, after which data becomes the Hiring Company’s employment records.

When retention periods expire or the Agreement ends, each Party must securely delete or anonymize Personal Data or certify deletion, except where law requires further retention.

18C retains commercial “ownership” of Candidate introductions for 12 months from the date an introduction is made to the Hiring Company for Success Fee tracking. 

SUBPROCESSORS AND THIRD PARTIES

18C engages certain third-party service providers (“Subprocessors”) to assist in providing the Services. All Subprocessors are bound by written agreements imposing data protection, confidentiality, and security obligations. 18C’s current Subprocessors are:

  • Eleven Labs: AI chatbot for candidate intake (voice and text); data stored in United States; does not use candidate data for external AI training

  • Airtable: Customer relationship management (CRM); data stored in United States

  • Squarespace: Website hosting; data stored in United States

  • Softr.io: Platform hosting and dashboard; data stored in United States

  • Google Workspace (Gmail): Email communications; data stored in United States

  • Slack: Internal and client communications; data stored in United States

  • MailerLite: Marketing and transactional emails; data stored in United States (EU data centers available)

Hiring Company’s Third Parties. The Hiring Company may engage its own vendors (e.g., background check or ATS providers) only under written agreements that mirror this Agreement’s protections. The Hiring Company remains fully liable for such vendors.

Prohibited Uses. Hiring Company and its vendors may not: (a) Sell or share Candidate data; (b) Use data for advertising or unrelated commercial purposes; (c) Combine data with unrelated datasets; or (d) Use data to train AI or machine-learning models except as necessary to provide internal hiring services.

SECURITY AND CONFIDENTIALITY

Personal Data shall be treated as Confidential Information per the Platform Terms. The Hiring Company agrees to use data only for purposes set forth in this Agreement; limit access to authorized personnel; and protect data through encryption, access controls, and secure communications.

Each Party shall implement and maintain technical and organizational measures (“TOMs”) to ensure the security and confidentiality of Personal Data. Approved methods of transmission of Personal Data are via the Platform portal, encrypted email, or secure messaging. Unencrypted transmission is prohibited. Each Party must also implement role-based access controls, maintain audit logs, and ensure personnel are trained in data security and confidentiality.

DATA BREACH NOTIFICATION

In the case of a breach of Personal Data, each Party shall notify the other no later than forty-eight (48) hours after becoming aware of a confirmed or suspected Personal Data Breach involving shared data. The notice shall describe the breach, affected data, potential impact, mitigation steps, and a contact point for follow-up. The affected Party shall investigate the circumstances surrounding the breach promptly, mitigate harm, prevent recurrence, and keep the other Party informed.

Each Party is independently responsible for determining and fulfilling any notification obligations to regulators or Data Subjects. The Parties shall cooperate to ensure consistency in timing and content. Each Party bears its own costs arising from a breach it caused. Liability is allocated per Section 13 (Liability and Indemnification).

DATA SUBJECT RIGHTS

The Parties acknowledge Data Subjects’ rights under data protection laws (e.g., access, correction, deletion, restriction, portability, objection, and opt-out). If a Party receives a Data Subject request relating to shared Personal Data, it shall notify the other within five (5) business days and cooperate as needed at the requesting Party’s expense. Each Party is responsible for responding to requests concerning its own Processing activities. Responses must meet legal deadlines: one (1) month under GDPR (extendable) and forty-five (45) days under CCPA/CPRA.

INTERNATIONAL DATA TRANSFERS

Where 18C transfers data subject to UK GDPR, the Parties adopt the UK Addendum to the EU Standard Contractual Clauses (SCCs), Module 1 (Controller-to-Controller).

For transfers under EU GDPR, the SCCs (Decision (EU) 2021/914, Module 1) are incorporated by reference. 18C is the data exporter, and Hiring Company is the data importer. The laws of Ireland and Irish courts govern SCC disputes.

If further measures are required for compliance (e.g., encryption, pseudonymization, or supplemental contractual clauses), the Parties shall cooperate in good faith to implement them. Transfers from other regions will comply with the applicable data transfer mechanisms required by local laws.

The Parties agree that data sharing under this Agreement is not a “sale” or “sharing” of Personal Data under the CCPA/CPRA.

LIABILITY & INDEMNIFICATION

The Hiring Company shall indemnify, defend, and hold harmless 18C and its affiliates, officers, and agents from all losses, claims, and penalties arising from their breach of this Agreement; noncompliance with Applicable Laws; breaches or misuse of Personal Data within their control; or employment-related violations resulting from Hiring Company’s actions.

18C shall indemnify Hiring Company for losses arising from 18C’s breach of this Agreement; noncompliance with data protection laws; or Personal Data Breaches within 18C’s systems or caused by its Subprocessors.

If both Parties are found jointly liable, each Party is responsible only for the portion attributable to its conduct, with rights of contribution for any excess paid.

AUDIT AND COMPLIANCE

Either Party may request written certification of the other Party’s compliance with this Agreement once per year, or sooner if there is a suspected breach, a regulatory inquiry, or reasonable evidence of non-compliance. The audited Party must provide a written certification of compliance, including a summary of security measures and reasonable supporting documentation, within thirty (30) days. If non-compliance is identified, the audited Party must promptly remediate and confirm completion in writing. If a Party receives a regulatory inquiry related to Personal Data shared under this Agreement, it will notify the other Party (unless legally prohibited) and cooperate in good faith to respond.