Skip to content

Legal

Cadence Data Processing Agreement

Last updated 2026-06-22 · Version 0.2

Last updated: June 22, 2026  
Version: 0.2

This Data Processing Agreement ("DPA") forms part of the Cadence Terms of Service or other written agreement between Cadence and Customer (the "Agreement"). Capitalized terms not defined in this DPA have the meanings in the Agreement.

### 1. Roles

For Customer Data containing personal data that Cadence processes on behalf of Customer, Customer is the controller or business, and Cadence is the processor, service provider, or equivalent role under applicable privacy law. For account administration, billing, security, fraud prevention, and legal compliance data, Cadence may act as an independent controller.

### 2. Processing Details

| Item | Description |
|---|---|
| Subject matter | Provision, security, support, and improvement of the Cadence Services. |
| Duration | Term of the Agreement plus deletion/return period. |
| Nature and purpose | Hosting, storage, transmission, retrieval, analysis, workflow support, AI-assisted summaries/recommendations, support, security, and compliance. |
| Data subjects | Customer employees, managers, administrators, candidates or workers if configured, and Customer representatives. |
| Personal data | Names, contact details, role/job data, reporting lines, goals, performance information, 1:1 notes, recognition, survey data, ER case data, audit logs, usage data, and configured recordings/transcripts/audio-derived data. |
| Sensitive data | Potentially employment, performance, ER, disciplinary, disability/accommodation, demographic, union/protected-class, biometric/voiceprint, and other sensitive data if Customer uploads or enables those features. |

### 3. Customer Instructions

Cadence will process personal data only on Customer's documented instructions, including the Agreement, product configuration, and Customer users' authorized actions, unless law requires otherwise. Cadence will notify Customer if Cadence believes an instruction violates applicable data protection law, unless prohibited by law.

### 4. Confidentiality

Cadence will ensure personnel authorized to process personal data are bound by confidentiality obligations.

### 5. Security Measures

Cadence will implement appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Measures include access controls, encryption in transit, logical tenant separation, logging, vulnerability management, backup practices, and incident response procedures. A security exhibit should be attached before publication.

### 6. Subprocessors

Customer authorizes Cadence to use subprocessors listed at `/subprocessors`. Cadence will impose data protection obligations on subprocessors that are materially equivalent to this DPA. Cadence remains responsible for subprocessors' performance of their data protection obligations. Cadence will provide notice of new subprocessors and a reasonable objection process.

### 7. Data Subject Requests

Cadence will provide reasonable assistance to Customer, taking into account the nature of processing, to help Customer respond to data-subject rights requests. Customer is responsible for responding to requests where Customer is controller.

### 8. Security Incidents

Cadence will notify Customer without undue delay after confirming a personal data breach affecting Customer personal data. The notice will include available information reasonably required for Customer to meet its legal obligations. Cadence's notice is not an admission of fault or liability.

### 9. DPIAs and Regulator Assistance

Cadence will provide reasonable assistance for data protection impact assessments and regulator consultations required by applicable law, taking into account the nature of processing and information available to Cadence.

### 10. Deletion and Return

At termination or Customer request, Cadence will delete or return personal data according to product functionality, the Agreement, and legal retention obligations. Backup deletion may occur on Cadence's ordinary backup lifecycle.

### 11. Audits

Cadence will make available information reasonably necessary to demonstrate compliance with this DPA, including security documentation, certifications, or audit reports when available. Customer audits must be reasonable, avoid disruption, protect Cadence and other customers' confidential information, and be subject to notice and confidentiality terms.

### 12. International Transfers

Where personal data is transferred from the EEA, UK, or Switzerland to a country lacking an adequacy decision, the parties will use an approved transfer mechanism, such as Standard Contractual Clauses, the UK International Data Transfer Addendum, or another mechanism recognized by applicable law, as applicable. Customer authorizes Cadence to enter into those transfer terms as needed to provide the Services.

### 13. US State Privacy Laws

Cadence will not sell Customer personal data or share it for cross-context behavioral advertising as those terms are defined by applicable US state privacy laws. Cadence will process Customer personal data only for permitted business purposes and as otherwise allowed by the Agreement.

### 14. Biometric and Recording Data

Customer must not configure Cadence to collect or process voiceprints, biometric identifiers, workplace recordings, or transcripts unless Customer has provided legally sufficient notice and obtained required consent or written release. For Illinois users or employees, Customer must not enable voiceprint or biometric processing without BIPA-specific review and controls.