Data Processing Addendum
Last updated: May 25, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between VettaHire ("Processor," "we," "us") and the entity accepting our Terms of Use ("Controller," "Customer," "you") when you process personal data subject to the GDPR, UK GDPR, Swiss FADP, or CCPA/CPRA using VettaHire (the "Service"). Capitalized terms not defined here have the meanings in our Terms of Use.
This DPA is incorporated by reference into the Terms when applicable. In case of conflict between the Terms and this DPA regarding processing of personal data, this DPA controls. Details of the processing are set out in Annex 1; security measures are set out in Annex 2.
1. Roles and scope
You are the controller (or business) for Candidate personal data processed for your hiring purposes. We process Candidate Data and Customer Data as a processor (or service provider) on your documented instructions, as set forth in the Terms, Privacy Policy, this DPA, and your use of the Service.
For Customer account, billing, authentication, and Service-operation data, we act as an independent controller for limited operational purposes described in our Privacy Policy.
2. Processor obligations
We will:
- Process personal data only on your documented instructions, including with regard to international transfers, unless required to do otherwise by applicable law (in which case we will notify you of that legal requirement before processing, unless the law prohibits notice);
- Ensure personnel with access are bound by written confidentiality obligations and receive appropriate data protection training;
- Implement and maintain the technical and organizational security measures described in Annex 2;
- Not sell or share personal data, and not use Candidate Data, interview content, or any inference inputs or outputs to train, fine-tune, or evaluate AI models;
- Assist you, taking into account the nature of processing, in responding to data subject requests under applicable law, and in fulfilling your obligations under GDPR Articles 32–36 (security, breach notification, DPIAs, prior consultation);
- Notify you without undue delay, and within 72 hours where feasible, after becoming aware of a confirmed personal data breach affecting your data, including the information required under GDPR Article 33(3) to the extent known;
- On termination of the Service or your written request, delete or return all Candidate Data within 30 days, and provide written confirmation of deletion on request, unless retention is required by applicable law;
- Forward any data subject request received directly by us to you within a reasonable period, and not respond to the requestor except to confirm the request has been forwarded.
3. Sub-processors
You authorize our use of the sub-processors listed at Sub-processors, which we maintain as an up-to-date register. We will provide at least 30 days' prior notice before adding or replacing a sub-processor that materially affects processing of Candidate or Customer personal data. You may subscribe to notifications by emailing info@vettahire.com.
You may object to a new sub-processor on reasonable grounds relating to data protection within 30 days of notice. If we cannot resolve the objection through reasonable measures, you may terminate the affected portion of the Service with a pro-rata refund of pre-paid fees.
We remain responsible for the acts and omissions of our sub-processors as if they were our own, and we impose data protection obligations on sub-processors that are no less protective than those in this DPA.
4. AI processing and automated decision-making
The Service uses third-party large language model inference (currently provided by Deep Infra, Inc. operating in the United States) to generate interview responses, transcripts, summaries, and recommendation scores. The following terms apply:
No training use. Neither we nor our inference sub-processor uses Candidate Data, prompts, or model outputs to train, fine-tune, or evaluate AI models. Our inference sub-processor operates a zero data retention policy: inputs and outputs are not stored on disk and are deleted from memory after inference completes. Our inference sub-processor is SOC 2 Type II and ISO 27001 certified.
Recommendations, not decisions. Outputs of the Service (including summaries, scores, and recommendations) are intended to support, not replace, human decision-making by you. You remain solely responsible for hiring decisions and for ensuring that meaningful human review occurs before any decision producing legal or similarly significant effects on a Candidate within the meaning of GDPR Article 22.
EU AI Act allocation. Where the Service is used as a high-risk AI system under Regulation (EU) 2024/1689 (the AI Act), you act as the deployer and we act as the provider. We will make available the technical documentation, instructions for use, and information reasonably necessary for you to meet your deployer obligations. You are responsible for human oversight, conducting fundamental rights impact assessments where required, informing Candidates of the use of the Service, and maintaining records of operation under your control.
Jurisdiction-specific support. On request and where applicable, we will provide reasonable information to support your compliance with NYC Local Law 144 (bias audits), Illinois Artificial Intelligence Video Interview Act, Colorado SB 24-205, and similar laws. You remain responsible for performing audits, providing Candidate notices, and obtaining consents required of you as the employer.
5. International transfers
Personal data is processed primarily in the United States. Where personal data is transferred from the EEA, UK, or Switzerland to a country not benefiting from an adequacy decision, we rely on:
- the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914), Module Two (controller to processor), which are incorporated by reference and deemed executed between you (data exporter) and us (data importer);
- for UK transfers, the UK International Data Transfer Addendum issued by the ICO, incorporated by reference;
- for Swiss transfers, the SCCs as adapted by the Swiss Federal Data Protection and Information Commissioner.
The optional docking clause applies; for Clause 17, the law of Ireland governs; for Clause 18, courts of Ireland have jurisdiction. Annex I, II, and III of the SCCs are populated by Annex 1 and Annex 2 of this DPA and the Sub-processors page.
Our AI inference sub-processor operates exclusively in US data centers; we do not onward-transfer Candidate Data to any other jurisdiction without notice.
6. CCPA/CPRA service provider terms
For California personal information, we act as your service provider. We will not (a) sell or share personal information; (b) retain, use, or disclose personal information for any purpose other than providing the Service specified in the contract, except as permitted by CPRA; (c) retain, use, or disclose personal information outside of the direct business relationship between you and us; or (d) combine personal information received from or on behalf of you with personal information received from other sources, except as permitted by CPRA. We certify that we understand and will comply with these restrictions.
7. Security and audits
We maintain the technical and organizational measures set forth in Annex 2. On reasonable written request no more than once per twelve months (except following a confirmed material breach affecting your data), we will provide information necessary to demonstrate compliance with this DPA, including responses to a reasonable security questionnaire and copies of relevant third-party certifications or audit reports under NDA.
Where required by law and where information and audit reports we provide are insufficient, on-site audits may be conducted by you or by a mutually agreed independent third-party auditor, on at least 30 days' written notice, during normal business hours, in a manner that does not disrupt operations, and subject to confidentiality.
8. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Terms. Nothing in this DPA limits any liability that cannot be limited under applicable data protection law.
9. Term
This DPA applies for the duration of your use of the Service and survives until all Candidate Data and Customer Data has been deleted or returned in accordance with this DPA.
10. Governing law
This DPA is governed by the laws of the State of Delaware, United States, except that where the SCCs, UK Addendum, or Swiss SCCs apply, those instruments are governed by the law specified in them.
11. Order of precedence
In the event of conflict, the following order of precedence applies: (1) the SCCs, UK Addendum, or Swiss SCCs (where applicable); (2) this DPA; (3) the Terms of Use; (4) any other agreement between the parties.
12. Contact
Data protection inquiries and legal notices: info@vettahire.com.
Enterprise Customers requiring a counter-signed DPA, additional security documentation, or customized terms may contact us.
Annex 1 — Details of processing
Subject matter: Provision of the VettaHire AI hiring screener Service.
Duration: For the term of the Customer's subscription and the retention periods set out in our Privacy Policy.
Nature and purpose of processing: Hosting candidate data, sending interview invitations, conducting AI-driven text-based interviews, generating transcripts and summaries, producing recommendation scores, detecting integrity signals during interviews, providing the Customer dashboard and reporting.
Categories of data subjects:
- Customer's job candidates (Candidates)
- Customer's authorized users (recruiters, hiring managers, admins)
Categories of personal data:
- Candidates: name, email address, IP address, device and browser information, interview responses (text), AI-generated transcripts and summaries, recommendation scores, integrity flags, timestamps, optional information voluntarily provided by the Candidate during the interview.
- Customer users: name, email address, hashed password or OAuth identifier, role, IP address, audit logs, billing contact information.
Special categories of data (GDPR Art. 9): None are required by the Service. Customers must not configure questions designed to elicit special category data. Candidates may voluntarily disclose such data in free-text responses; we treat any such content as Candidate Data under this DPA but do not target processing of it.
Frequency of processing: Continuous during the subscription term.
Retention: Candidate Data is retained until the Customer deletes the relevant job or otherwise instructs deletion, subject to the stale-invitation cleanup schedule in our Privacy Policy. Audit logs are retained for 12 months. Billing records are retained as required by applicable tax and financial law.
Recipients (sub-processors): As listed at Sub-processors.
Annex 2 — Technical and organizational measures
We maintain the following measures, which may evolve over time provided the overall level of security is not reduced.
- Access control. Role-based access control on the Customer dashboard. Multi-factor authentication required for administrative access to production systems. Principle of least privilege applied to employee access.
- Encryption. TLS 1.2 or higher for all data in transit. Encryption at rest for the production database and object storage using provider-managed keys.
- Network security. Production systems operated on Cloudflare's edge network with DDoS protection, WAF, and bot management. No public-facing database endpoints.
- Application security. Secure software development lifecycle including code review, dependency scanning, and secret scanning. Periodic security review.
- AI inference security. Inference performed by a sub-processor operating SOC 2 Type II and ISO 27001 certified infrastructure with zero data retention. No training use of customer prompts or outputs.
- Logging and monitoring. Application and access logs retained for security and debugging. Anomaly detection on authentication events.
- Backup and recovery. Regular automated backups of production data with documented recovery procedures.
- Personnel. Background checks where permitted by law. Confidentiality agreements. Annual security awareness training.
- Incident response. Documented incident response procedure with defined severity levels and notification timelines.
- Vendor management. Sub-processors evaluated for security and data protection posture before engagement and listed publicly with notification of changes.
- Data minimization. Candidate data collected is limited to what is necessary for the Service. Self-serve deletion available to Customers.