How we handle data.
AgentyLab handles candidate data on behalf of the recruitment agencies it works with. That makes us a UK GDPR processor under Article 28. This page tells the recruiters, candidates and compliance teams whose data we touch what we do with it, and what we will not do.
The commitments below are the same ones our design-partner DPA codifies in full.
Where data lives.
Production infrastructure is deployed in the United Kingdom or the European Economic Area. Data residency is a hard requirement, not a preference.
- AES-256 encryption at rest, including database, file storage and backups.
- TLS 1.2 or higher in transit between client, backend and every sub-processor.
- Row-Level Security enforced at the database layer (Supabase Postgres) — tenant isolation does not rely on application logic alone.
- Field-level encryption for the most sensitive Personal Data via a managed key store, with regular key rotation.
What gets anonymised before AI sees it.
Before any candidate data is transmitted to a large language model that has not been explicitly designated as a Sensitive-Data Sub-Processor, an automated anonymisation pipeline removes the parts that could re-identify a candidate.
- Names, dates of birth and direct contact details are stripped from CV content.
- Graduation years are converted to "years since graduation" to limit age inference.
- Postcodes and addresses are never used as proxies for socioeconomic status.
- Health, racial or ethnic origin, and trade union membership are stripped before any LLM call unless your agency has lawfully directed otherwise.
- A Router component enforces these rules at the orchestration layer — identifiable candidate data cannot be routed to the wrong sub-processor by a configuration mistake.
Sub-processors and routing.
Every sub-processor is assessed for data-protection and security maturity before engagement and bound by a written contract on terms no less protective than this policy. The current list of sub-processors is available on request.
- Two distinct data zones: AI-processable fields, and compliance-only fields that are never sent to a large language model.
- No third-party plugin auto-install. All extensions to the orchestration runtime are reviewed and signed off by AgentyLab before deployment.
- A web application firewall and rate limiting protect against common attack patterns.
Audit and retention.
An append-only audit log records every data access, modification, export, deletion and AI-processing event — who, what, when, from where, and what action. Audit logs are retained for seven years.
On termination of the partnership, candidate data is deleted using a method that renders it unrecoverable. Written confirmation of deletion is provided on request.
Your rights.
AgentyLab acts as a UK GDPR processor on behalf of the recruitment agencies it works with. The agency is the controller of the candidate data it brings into the platform. Individual rights requests (access, rectification, erasure, restriction, portability, objection) should be raised with the recruitment agency you are dealing with.
If a request reaches AgentyLab directly, we will forward it to the relevant agency without undue delay and assist them in responding, in line with our Article 28 obligations.
Contact and DPA.
Design partners and clients get a full UK GDPR Article 28 Data Processing Agreement, covering the technical and organisational measures summarised on this page, before any production access.
Questions about this policy, or DPA requests, go to team@agentylab.com.
3 Wise Road, London E15 2TG, United Kingdom.
Company number 16682173 (England and Wales).
team@agentylab.com
for DPA, audit, or privacy questions.