Legal · XA-LEGAL-DPA

Data Processing Addendum

Entity: XpressApply Ltd, Republic of Cyprus
Reg. No.: HE 000000
Effective: 1 June 2026
Status: Version 1.0 · Draft for review

This Data Processing Addendum (the "DPA") forms part of the Employer Terms of Service between the Customer (the "Controller") and XpressApply Ltd (the "Processor") and governs the processing of candidate personal data by the Processor on behalf of the Controller.

This DPA is concluded in accordance with Article 28 GDPR. In the event of conflict between this DPA and the Employer Terms of Service in respect of data protection, this DPA prevails.

1. Definitions

1.1 Terms such as "controller", "processor", "personal data", "processing", "data subject" and "personal data breach" have the meanings given to them in the GDPR.
1.2 "Applicable Data Protection Law" means the GDPR and Law 125(I)/2018 of the Republic of Cyprus, together with any other applicable data-protection law.

2. Roles and scope of processing

2.1 The Controller determines the purposes and means of processing candidate personal data for its recruitment activities, and the Processor processes such data solely on the Controller's documented instructions.
2.2 The subject matter, duration, nature and purpose of the processing, the categories of data subjects and the categories of personal data are described in Annex 1 (Details of Processing). This includes candidate profile data, CVs, application records, interview recordings, transcripts, automated scorecards, matching evidence, consent records and audit logs processed for recruitment workflows.

3. Obligations of the Processor

The Processor shall:

3.1 process personal data only on the documented instructions of the Controller, including with regard to international transfers, unless required to do otherwise by law;
3.2 ensure that persons authorised to process personal data are bound by an appropriate duty of confidentiality;
3.3 implement the technical and organisational measures described in clause 5 and Annex 2;
3.4 respect the conditions in clause 6 for engaging sub-processors;
3.5 assist the Controller, taking into account the nature of the processing, in fulfilling its obligations to respond to data-subject requests and to ensure security, breach notification and data-protection impact assessments; and
3.6 at the Controller's choice, delete or return all personal data at the end of the provision of the services, save to the extent retention is required by law.

4. Confidentiality

4.1 The Processor shall treat all personal data as confidential and shall not disclose it except as permitted under this DPA or as required by law.

5. Security

5.1 The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR, as further described in Annex 2 (Security Measures) and in the Information Security Statement.

6. Sub-processors

6.1 The Controller grants the Processor general authorisation to engage sub-processors, subject to the conditions in this clause.
6.2 The Processor shall impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, and shall remain liable for the acts and omissions of its sub-processors.
6.3 The Processor shall maintain an up-to-date list of sub-processors (see the Sub-processor Notice) and shall give the Controller prior notice of any intended change, allowing the Controller to object on reasonable data-protection grounds.

7. Data-subject requests

7.1 The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in responding to requests by data subjects to exercise their rights, and shall promptly forward to the Controller any such request it receives directly.

8. Personal data breach

8.1 The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's personal data, and shall provide the information reasonably required to enable the Controller to meet its own notification obligations.
8.2 The Processor maintains an internal breach-notification procedure aligned to Articles 33 and 34 GDPR, including severity triage, evidence preservation, controller notice, supervisory-authority assessment, data-subject communication assessment and breach-register completion.

9. International transfers

9.1 The Processor shall not transfer personal data outside the EEA except on the Controller's instructions and subject to appropriate safeguards under Chapter V GDPR, including the Standard Contractual Clauses where applicable.

10. Audit

10.1 The Processor shall make available to the Controller the information necessary to demonstrate compliance with Article 28 GDPR and shall allow for and contribute to reasonable audits, subject to appropriate confidentiality and security safeguards.

11. Liability and governing law

11.1 The liability of each party under this DPA is subject to the limitations of liability agreed in the Employer Terms of Service.
11.2 This DPA is governed by the laws of the Republic of Cyprus.

12. Annexes

12.1 Annex 1 - Details of Processing: recruitment workflow hosting, CV parsing, screening, structured voice interview, assessment, matching, candidate sharing, employer pipeline management, support and billing administration for candidates, employer users and invited representatives.
12.2 Annex 2 - Security Measures: encryption in transit and at rest, row-level security, least-privilege and audited access, signed URL expiry controls, provider kill-switches, network and application security, monitoring, backup/resilience controls, incident response and regular review of measures.
12.3 Annex 3 - Sub-processors: Google Cloud / Gemini, Supabase, Vercel, Railway, Stripe, Cal.com, Resend, Meta, Cloudflare and Sentry as published and maintained in the Sub-processor Notice.
12.4 Annex 4 - Compliance Assistance: assistance with data-subject requests, DPIAs, prior-consultation assessment, breach notifications, audit evidence and deletion/return of personal data at service termination.

This document is a draft template prepared for the XpressApply prototype and is provided for information only. It does not constitute legal advice and should be reviewed and adapted by qualified legal counsel before any production use.