Our Commitment to Recruitment Excellence & Data Protection

​

At W3 Sourcing, we operate to the highest professional and ethical standards in recruitment, built on trust, discretion, and long-term partnerships. We work with senior candidates and organisations across competitive and regulated markets, and we recognise that confidentiality, fairness, and integrity are fundamental to responsible recruitment.

​

We are committed to safeguarding all client and candidate information entrusted to us. Personal data is handled with care, processed only for legitimate recruitment purposes, and protected through robust organisational, technical, and contractual controls. Access to information is strictly limited to authorised personnel, and we do not sell, misuse, or publicly disclose confidential data.

​

Equally, we are committed to ethical recruitment practices that promote fair opportunity and non-discrimination. We support inclusive hiring and assess candidates based on role-relevant skills, experience, and merit. We do not tolerate discrimination or unfair treatment on the basis of race, ethnicity, gender, sexual orientation, age, disability, religion, nationality, or any other protected characteristic, and we expect the same standards from the partners we work with.

​

Our recruitment processes are human-led, transparent, and accountable, designed to treat candidates with respect at every stage. Technology is used only to support efficiency and accuracy and is deployed within private, business-controlled environments; it does not replace human judgment or enable automated hiring decisions.

​

W3 Sourcing complies with applicable data protection, privacy, and employment-related laws across the jurisdictions in which we operate and regularly reviews its practices to ensure alignment with evolving regulatory standards and market expectations.

​

Above all, we recognise the responsibility that comes with representing individuals and organisations at pivotal moments in their careers and growth. Acting ethically, protecting confidential information, and supporting fair access to opportunity are central to how we build trust and deliver long-term value.

​

Master Data Processing Addendum W3 Sourcing

Last updated: 2/6/2026

​

This Master Data Processing Addendum (“DPA”) applies to Personal Data processed by W3 Sourcing in connection with recruitment and advisory services. It forms part of the agreement between W3 Sourcing and the Client (the “Agreement”). It also explains how W3 Sourcing processes Candidate Personal Data where W3 Sourcing acts as a Controller.

​

1. Definitions

• Personal Data: information relating to an identified or identifiable individual.

• Candidate Personal Data: Personal Data relating to candidates, applicants, contractors, or prospective hires.

• Client Personal Data: Personal Data provided by or on behalf of the Client (e.g., hiring manager contact details, interview panels, employees providing references).

• Controller: the party that determines purposes/means of processing.

• Processor: the party that processes Personal Data on behalf of a Controller.

• Applicable Data Protection Laws: laws applicable to processing, including UK GDPR, EU GDPR, Singapore PDPA, Hong Kong PDPO, UAE PDPL, and relevant US state laws (including CPRA where applicable).

​

2. Roles: When W3 Sourcing Is Processor vs Controller

2.1 Processing as a Processor (Client Personal Data)

For Client Personal Data processed to deliver services to the Client, the Client is the Controller and W3 Sourcing is the Processor.

2.2 Processing as an Independent Controller (Candidate Personal Data)

For Candidate Personal Data collected and maintained in W3 Sourcing’s talent network and used to provide recruitment services across opportunities, W3 Sourcing typically acts as an independent Controller (and in some engagements may act as a joint controller with the Client for limited workflows). Where W3 Sourcing acts as Controller, Section 11 (Candidate Processing Terms) applies.

2.3 Dual Role Clarity

The parties acknowledge that W3 Sourcing may process different data sets under different roles at the same time. This DPA allocates obligations by data set and purpose.

​

3. Processor Terms

3.1 Processing Instructions

W3 Sourcing shall process Client Personal Data only:

• on documented instructions from the Client; and

• as necessary to perform the services under the Agreement.

W3 Sourcing shall not sell Client Personal Data or use it for advertising or unrelated purposes.

3.2 Confidentiality

W3 Sourcing ensures personnel authorised to process Client Personal Data are bound by confidentiality obligations and trained on appropriate handling.

3.3 Security Measures

W3 Sourcing maintains appropriate administrative, technical, and physical safeguards designed to protect Personal Data against unauthorised access, disclosure, alteration, or loss.

3.4 Sub-processors

W3 Sourcing may engage sub-processors (e.g., secure cloud providers, recruitment platforms) to support service delivery, under written terms that provide a level of protection no less protective than this DPA. W3 Sourcing remains responsible for sub-processors.

3.5 Assistance With Rights Requests

W3 Sourcing shall reasonably assist the Client to respond to verified requests relating to Client Personal Data (access, deletion, correction, restriction), where required by law.

3.6 Deletion/Return

Upon termination, W3 Sourcing will delete or return Client Personal Data, subject to legal retention requirements and secure archiving obligations.

​

4. Harmonised Breach Notification

W3 Sourcing shall notify the Client without undue delay, and in any event no later than seventy-two (72) hours after becoming aware of a confirmed Personal Data Breach affecting Personal Data processed under this DPA, unless a shorter period is required by law.
Notifications will include, to the extent reasonably available: (a) the nature of the breach; (b) categories/approximate volume of data affected; (c) likely consequences; and (d) mitigation steps. W3 Sourcing will cooperate reasonably to support regulatory or data subject notification obligations.

​

5. International Transfers

Where transfers occur across borders, the parties will implement appropriate safeguards required by law (e.g., SCCs/IDTA or equivalent contractual safeguards).

​

6. Audits and Information

On reasonable notice, W3 Sourcing will provide information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality and security constraints.

​

7. AI-Assisted Note-Taking and Transcription

Where W3 Sourcing uses AI-assisted note-taking tools, including Fathom and Paraform, these tools are deployed solely within private, business-controlled environments. Personal Data processed through these tools:

• remains accessible only to authorised W3 Sourcing personnel;

• is not sold, licensed, or shared for unrelated purposes;

• is not used to train public or third-party AI models; and

• is retained/deleted in accordance with contractual requirements and applicable law.

Use of such tools does not replace human decision-making and does not involve automated hiring decisions.

​

8. No Sale / No Ad-Tech Use (US)

W3 Sourcing does not “sell” Personal Data or “share” Personal Data for cross-context behavioural advertising, as those terms are defined under CPRA/CCPA.

​

9. Data Retention

W3 Sourcing retains Personal Data only as long as necessary for recruitment purposes, to meet legal obligations, and for legitimate business needs. Retention periods may differ by data type and jurisdiction.

​

10. Order of Precedence

In the event of conflict:

1. Applicable jurisdiction schedule

2. This Master DPA

3. Agreement

​

11. Candidate Processing Terms (W3 Sourcing as Controller)

11.1 Purpose and Use

W3 Sourcing processes Candidate Personal Data to:

• assess suitability for roles;

• present candidates to prospective employers (with candidate knowledge/instruction);

• arrange interviews and manage recruitment processes; and

• maintain a talent network for future opportunities.

11.2 Candidate Data Sharing

Candidate Personal Data is shared with clients only where necessary for recruitment and typically with the candidate’s knowledge or instruction. W3 Sourcing will not publish Candidate Personal Data publicly.

11.3 Candidate Rights

Candidates may request access, correction, deletion, or restriction of their data, subject to legal requirements. Requests can be made via the contact methods on W3 Sourcing’s website.

11.4 Lawful Bases

Where applicable, W3 Sourcing relies on contractual necessity, legitimate interests, legal obligation, and/or consent, depending on jurisdiction and context.

​

12. Jurisdictional Schedules

• Schedule 1: United States (CCPA/CPRA-style service provider terms)

• Schedule 2: New York (NY SHIELD Act security program expectations)

• Schedule 3: UK GDPR (Article 28 processor terms)

• Schedule 4: EU GDPR (Article 28 processor terms)

• Schedule 5: Singapore PDPA

• Schedule 6: Hong Kong PDPO

• Schedule 7: UAE PDPL

​

Schedule 8 – California (San Francisco Tech & Legal Recruitment Addendum)

This Schedule applies where Personal Data includes information relating to California residents, including candidates and client representatives involved in technology, legal, financial services, or regulated professional roles, and supplements the Master Data Processing Addendum.

Where there is any conflict between this Schedule and the Master DPA, this Schedule shall prevail for California Personal Data.

​

1. Regulatory Framework

This Schedule is intended to satisfy applicable requirements under:

• The California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA)

• California common-law confidentiality obligations

• Professional confidentiality expectations applicable to legal, technology, and regulated roles, including attorney-client privilege considerations where relevant

​

2. Service Provider Status

For purposes of the CPRA, W3 Sourcing acts as a Service Provider when processing Client Personal Data on behalf of a Client and shall:

• Process Personal Data solely to provide recruitment and advisory services

• Not sell Personal Data

• Not share Personal Data for cross-context behavioural advertising

• Not retain, use, or disclose Personal Data outside the business purpose defined in the Agreement

​

3. Categories of Personal Data (Role-Specific)

For technology and legal recruitment in California, Personal Data processed may include:

• Professional identifiers and business contact information

• Employment history, qualifications, and technical or legal experience

• Interview feedback and assessment notes

• Role-specific information relating to regulatory, compliance, or practice area experience

W3 Sourcing does not intentionally collect sensitive personal information unless strictly necessary for recruitment or legal compliance purposes.

​

4. Confidentiality & Privilege Awareness (Legal Roles)

Where recruitment relates to legal roles, W3 Sourcing acknowledges the heightened confidentiality expectations associated with legal hiring and shall:

• Limit access to candidate information to authorised personnel only

• Treat candidate communications and interview materials as confidential

• Avoid disclosure of candidate information that could reasonably be subject to attorney-client privilege or professional secrecy obligations

• Process such information solely for recruitment purposes and not for analysis, publication, or unrelated use

​

5. Use of AI-Assisted Tools in California Engagements

Where AI-assisted note-taking or transcription tools are used in California-based engagements:

• Tools are deployed only within private, business-controlled environments

• Personal Data is not used to train public or third-party AI models

• Data is not shared with third parties for advertising or profiling

• Use of such tools does not involve automated hiring decisions and does not replace human evaluation

​

6. Consumer Rights Support

Where required under California law, W3 Sourcing shall reasonably assist the Client in responding to verified California consumer requests, including requests to:

• Know what Personal Data has been collected

• Delete Personal Data (subject to statutory exceptions)

• Correct inaccurate Personal Data

W3 Sourcing shall not discriminate against any individual for exercising their rights under the CPRA.

​

7. Data Retention (California Context)

Personal Data relating to California candidates and client representatives shall be retained only for as long as reasonably necessary to:

• Support recruitment services

• Comply with legal, regulatory, or professional obligations

• Maintain appropriate recruitment records

Data no longer required shall be securely deleted or anonymised.

​

8. Incident Response and Notification

Any Personal Data Breach involving California Personal Data shall be handled in accordance with the Harmonised Breach Notification Clause in the Master DPA and applicable California breach notification laws.

​

9. San Francisco Market Expectations

The parties acknowledge that recruitment engagements in San Francisco often involve heightened expectations around:

• Data minimisation

• Confidentiality of senior-level and in-market candidates

• Protection of sensitive technical and legal background information

W3 Sourcing agrees to process Personal Data in a manner consistent with these market norms and applicable law.

 

​​

Please address all questions to hello@w3sourcing.com

​

​

​