Data Processing / Data Sharing Agreement

1. Parties & roles

This Agreement is entered into between:

• •staqs (“Discloser”) — Staqs, Inc., of 251 Little Falls Drive, Wilmington, DE 19808, USA, operator of terminalhire.com; and
• •the Buyer (“Recipient”) — [Partner Agency Legal Name], of [Partner Agency Address].

Each party acts as an independent controller with respect to the shared lead data. staqs discloses consented leads collected from developers; the Buyer determines its own purposes and means of processing those leads for recruiting and is an independent controller for that activity. This is not a controller-to-processor relationship; neither party processes the lead data on behalf of the other.

2. Subject matter & duration

The subject matter is the disclosure by staqs to the Buyer of developer leads that the developer has explicitly consented to share with that named Buyer. This Agreement takes effect on June 15, 2026 and continues until terminated under Clause 13, or for the duration of the parties' recruiting relationship: the term of the underlying services agreement between the parties.

3. Nature & purpose of processing

The Buyer may process the lead data solely for recruiting outreach to the developer in connection with the specific opportunity (or opportunities) for which the developer consented. The Buyer shall observe strict purpose limitation and shall not, without a separate lawful basis and the developer's consent:

• ✗resell, license, or otherwise commercialize the lead data;
• ✗enrich, append, or combine it with other data sources to build an expanded profile;
• ✗onward-transfer it to any third party (see Clause 8);
• ✗use it for advertising, model training, or any purpose unrelated to the consented recruiting contact.

4. Categories of data & data subjects

Data subjects: developers who used Terminalhire and explicitly opted in to share a lead with the Buyer.

Categories of personal data (the consented lead fields only):

• GitHub login
• Name
• Public email
• Top languages
• Skill tags
• Developer-set display name
• Developer-set contact email

The lead data excludes private repositories, employer-repo-derived tags, raw code, access tokens, session context, and file paths. No special-category data is intentionally shared.

5. Controller obligations

Each party shall comply with applicable data protection laws (including the GDPR, UK GDPR, and the CCPA/CPRA where relevant) in respect of its own processing. staqs is responsible for obtaining the developer's consent at the point of share and for accurately conveying the recipient's identity. The Buyer is responsible for its own processing as an independent controller, including providing its own privacy notice to the data subject as required and honoring any withdrawal of consent or objection it receives (see Clauses 6 and 7).

6. Lawful basis

The lawful basis for the disclosure is the explicit consent obtained by staqs from the developer at the point of share (a named-buyer prompt). The Buyer acknowledges that this consent is specific to the Buyer and the recruiting purpose, and that the developer may withdraw it at any time. Upon notice of withdrawal, the Buyer shall cease processing and delete the lead data within 30 days, except where retention is required by law.

7. Data subject rights cooperation

The parties shall cooperate in good faith and without undue delay to enable data subjects to exercise their rights (access, rectification, erasure, restriction, portability, objection, and withdrawal of consent). Each party shall promptly forward to the other any request it receives that relates to the other party's processing, and shall provide reasonable assistance to respond within statutory deadlines.

8. Sub-processors & onward transfers

The Buyer shall not disclose or onward-transfer the lead data to any third party (including affiliates, sub-processors, or sub-contractors) except (a) to service providers acting under written confidentiality and data-protection terms at least as protective as this Agreement and solely to support the consented recruiting purpose, or (b) with the developer's separate consent or another lawful basis. The Buyer shall maintain a record of any such recipients and provide it on request: None as of the Effective Date.

9. Security measures (Art. 32)

Each party shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate: encryption in transit (TLS) and at rest, access controls and least-privilege, pseudonymization where feasible, confidentiality and integrity of processing systems, resilience and backup, and regular testing of those measures. Buyer-specific measures: to be completed by Controller.

10. Confidentiality

Each party shall keep the lead data and the terms of this Agreement confidential, shall ensure that personnel authorized to process the lead data are bound by confidentiality obligations, and shall not disclose it except as permitted by this Agreement or required by law.

11. International transfers

Where the disclosure involves a transfer of personal data of EU/EEA or UK data subjects to a country without an adequacy decision, the parties shall rely on the EU Standard Contractual Clauses, Module One (controller-to-controller), and, for UK data, the UK International Data Transfer Addendum, which are incorporated by reference and completed at: [to be finalized with counsel: SCC Module 1 annexes and signatures (parties, competent supervisory authority, transfer details, TOMs)]. The data location is the United States.

12. Personal data breach notification

A party that becomes aware of a personal data breach affecting the lead data shall notify the other party without undue delay and no later than 48 hours after becoming aware of it and shall provide sufficient information to allow the other party to meet its own notification obligations to regulators and data subjects. The parties shall cooperate on investigation, mitigation, and remediation.

13. Audit rights

On reasonable prior written notice and no more than once per 12-month period (or following a breach or regulator request), staqs may request information reasonably necessary to demonstrate the Buyer's compliance with this Agreement, and the Buyer shall make available such information and, where agreed, allow for and contribute to audits conducted under appropriate confidentiality.

14. Return / deletion on termination

On termination of this Agreement, and at any time on the developer's withdrawal of consent, the Buyer shall, at staqs's or the developer's direction, return or securely delete the lead data and any copies, except where retention is required by law, and shall certify deletion on request.

15. Liability & indemnity

Liability and indemnification between the parties are governed by [to be finalized with counsel: liability & indemnity terms (caps, exclusions, indemnities)]. Nothing in this Agreement limits liability where it cannot be limited under applicable law.

16. Governing law & jurisdiction

This Agreement is governed by the State of Delaware, USA, and the parties submit to the jurisdiction of the state and federal courts located in the State of Delaware, USA.

17. Signatures