Data Processing Agreement

Last Updated: Sep 11, 2025

This Data Processing Agreement (“DPA”) forms part of the Master Services Agreement (“MSA”) between:

  • Progreso AI Limited, a company registered in the United Kingdom with its registered office at 128 City Road, London, EC1V 2NX (“Lily” or “Processor”),

  • and the entity identified in the applicable Order Form (“Customer” or “Controller”).

This DPA governs the processing of Personal Data by Lily on behalf of the Customer under the MSA.

By signing the Order Form or using the Services, Customer agrees to the terms of this DPA.

1. Definitions

Unless otherwise defined in the MSA or Privacy Policy, the following definitions apply:

  • “Applicable Data Protection Laws” means all laws and regulations relating to data protection and privacy, including the UK GDPR, EU GDPR, Data Protection Act 2018, and any other relevant laws governing the processing of Personal Data.

  • “Controller”, “Processor”, “Personal Data”, “Personal Data Breach”, “Data Subject”, and “Supervisory Authority” shall have the meanings given in Applicable Data Protection Laws.

  • “Aggregated Data” means data that has been anonymised and combined with other data so that it can no longer identify any natural person.

  • “Sub-Processor” means any third party appointed by or on behalf of Lily to process Personal Data on behalf of the Customer.

  • “Services” means the Lily AI platform and related services provided under the MSA.

2. Roles of the Parties

  1. Customer as Controller

    • The Customer is the Controller of Personal Data processed under the MSA.

    • Lily acts as Processor, processing Personal Data only in accordance with Customer’s documented instructions.

  2. Lily as Independent Controller (Aggregated Data)

    • Lily may act as independent Controller in relation to Aggregated Data for:

      • Improving and developing Lily’s services and AI models,

      • Generating statistical reports and benchmarking insights.

    • Aggregated Data will never contain Personal Data or identify any Data Subject.

  3. No Joint Controllership

    • Except as explicitly stated, the parties agree they are not joint controllers.

3. Subject Matter, Nature, and Duration

| Item | Details |
|---|---|
| Subject Matter | Candidate data and recruitment data processed to deliver Lily’s AI-powered recruitment and screening services. |
| Nature of Processing | Collection, storage, transcription, analysis, reporting, and secure transfer of candidate data. |
| Purpose | To enable the Customer to manage hiring and screening of candidates through the Services. |
| Duration | Term of the MSA plus 30-day secure deletion period. |
| Data Subjects | Job applicants, candidates, hiring managers, authorised Customer personnel. |
| Categories of Data | Name, contact details, CV data, call recordings, transcripts, hiring decisions, recruitment notes. |


4. Processing Instructions

  • Lily will process Personal Data solely on documented instructions from the Customer, including:

    • The MSA,

    • This DPA,

    • Other written agreements between the parties.

  • If Lily believes an instruction infringes Applicable Data Protection Laws, it will promptly inform the Customer.

5. Sub-Processors

  1. Authorisation

  2. Notice and Objection

    • Lily will notify Customer of new Sub-Processors at least 30 days before engagement.

    • Customer may object by written notice with reasonable grounds related to data protection.

  3. Contracts with Sub-Processors

    • Lily shall ensure each Sub-Processor is bound by obligations equivalent to those in this DPA.

6. Security Measures

  1. Technical and Organisational Measures
    Lily will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

    • Encryption of data in transit and at rest,

    • Role-based access controls,

    • Logging and monitoring,

    • Regular penetration testing,

    • Secure development lifecycle practices.

7. Data Subject Rights (DSARs)

  1. Customer Leads

    • Customer is solely responsible for handling all Data Subject requests, including requests for transcripts or other personal data.

  2. Lily Support

    • Lily shall provide reasonable assistance to Customer to fulfil DSARs, provided that:

      • The request is lawful,

      • Costs are borne by the Customer where appropriate.

  3. No Direct Response

    • Lily must not respond directly to Data Subjects unless explicitly authorised in writing by the Customer.

8. Personal Data Breach Notification

  • Lily shall notify Customer without undue delay and no later than 24 hours after becoming aware of a Personal Data Breach.

  • The notification will include:

    • Description of the breach,

    • Categories and approximate number of Data Subjects affected,

    • Likely consequences,

    • Steps taken or proposed to address the breach.

9. International Data Transfers

  • Lily will only transfer Personal Data outside the UK or EEA where lawful mechanisms exist, including:

    • Standard Contractual Clauses (SCCs) and UK Addendum,

    • Any future adequacy decisions or approved transfer frameworks.

  • Current SCCs are available at:
    https://teamlily.ai/legal/sccs

10. Retention and Deletion

  • Upon termination of the Services, Lily will:

    1. Delete all Personal Data within 30 days, or

    2. Return Personal Data to Customer upon written request before deletion.

  • Data deletion will be irreversible and securely logged.

  • This aligns with Section 5 of the Privacy Policy (data kept only as long as necessary).

11. Audit and Compliance

  1. Virtual Audits First

    • Lily will provide relevant documentation, certifications (e.g., ISO 27001, Cyber Essentials Plus), and third-party reports to demonstrate compliance.

  2. Onsite Audit

    • Permitted only if:

      • Virtual audits are insufficient,

      • Customer gives 30 days’ notice,

      • Scope is limited to verifying compliance with this DPA.

  3. Costs

    • Customer bears audit costs unless a material breach by Lily is found.

12. Aggregated Data

  • Lily retains the right to create, use, and disclose Aggregated Data for:

    • Service improvements,

    • AI model development,

    • Statistical analysis and benchmarking.

  • Aggregated Data will never identify individuals and falls outside the scope of this DPA and GDPR.

13. Liability and Indemnification

  • Each party’s liability under this DPA is subject to the limitations in Section 10 of the MSA.

  • Customer indemnifies Lily for any claims arising from:

    • Unlawful instructions,

    • Customer’s failure to comply with Applicable Data Protection Laws.

14. Precedence

If there is any conflict:

  1. This DPA prevails over the MSA,

  2. The MSA prevails over the Order Form.

15. Versioning and Updates

  • Lily may update this DPA from time to time to reflect changes in laws, regulations, or business practices.

  • Customers will be notified of material changes by email or in-app notifications.

  • The most current version will always be available at:
    https://teamlily.ai/legal/dpa