Data Processing Agreement (DPA)

Effective date: [date]. Version 1.0

This Data Processing Agreement ("DPA") forms part of and is incorporated into the agreement between [Employmee legal entity name] ("Employmee", "Processor", "we") and the customer identified in the order or main services agreement ("Customer", "Controller", "you") under which Employmee provides the Employmee candidate pre-screening platform (the "Service"). The Service lets your hiring team collect job applications, store and parse candidate CVs, run an AI-assisted text interview, and generate evidence-cited assessment reports that your human recruiters review before making any hiring decision. The AI never makes the final hiring decision.

This DPA governs Employmee's processing of personal data relating to your candidates ("Candidate Personal Data") that Employmee processes on your behalf in connection with the Service. It is designed to meet the requirements of the Brazilian General Data Protection Law (Lei nº 13.709/2018, "LGPD") and, where applicable, the EU/UK General Data Protection Regulation ("GDPR").

In this relationship, you (the hiring company) are the Controller of Candidate Personal Data (you decide why and how candidate data is collected and used), and Employmee acts as your Processor (operator/operador under the LGPD), processing that data only to provide the Service. Where this DPA conflicts with the main services agreement on the subject of personal data protection, this DPA prevails. Capitalized terms not defined here have the meaning given in the main services agreement.

1. Definitions

Unless otherwise stated, the following terms have these meanings:

  • "Applicable Data Protection Law" means the LGPD and, to the extent it applies to a given processing activity, the GDPR and any other privacy or data protection law that applies to the Service.
  • "Controller" (controlador under the LGPD) means the party that determines the purposes and means of processing, here the Customer.
  • "Processor" (operador under the LGPD) means the party that processes personal data on behalf of the Controller, here Employmee.
  • "Sub-processor" means any third party engaged by Employmee to process Candidate Personal Data on Employmee's behalf in order to provide the Service.
  • "Candidate Personal Data" means personal data relating to your job candidates that Employmee processes on your behalf, as further described in Section 3.
  • "Data Subject" means the individual to whom personal data relates, here primarily a job candidate.
  • "Processing" means any operation performed on personal data, such as collection, storage, parsing, use, transmission, or deletion.
  • "Data Subject Request" means a request from a Data Subject to exercise rights under Applicable Data Protection Law (such as access, correction, deletion/erasure, portability, or objection).
  • "Personal Data Breach" means a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Candidate Personal Data.
  • "ANPD" means the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados).

2. Subject matter, duration, nature and purpose of processing

  • Subject matter. Employmee processes Candidate Personal Data so that you can pre-screen job candidates using the Service.
  • Nature of processing. Processing includes: receiving applications submitted through a tokenized public application link; collecting candidate consent; receiving and storing CV files; parsing CV content; conducting an AI-assisted text interview (including, where the candidate uses voice, speech-to-text and text-to-speech); generating an evidence-cited, per-criterion assessment report using AI; making reports available to your recruiters; maintaining an append-only audit trail of decisions; and deleting or returning data as described in this DPA.
  • Purpose. The sole purpose is to provide, secure, support, and maintain the Service for you. Employmee does not process Candidate Personal Data for its own purposes, does not sell it, and does not use it to train its own or any third party's general-purpose AI models.
  • Duration. Processing lasts for the term of the main services agreement and for any wind-down period needed to return or delete data under Section 9, subject to the retention behavior described there.

3. Categories of data subjects and personal data

Categories of Data Subjects:

  • Job candidates who apply to your roles through the Service.

Categories of Candidate Personal Data processed on your behalf:

  • Identity and contact data: candidate full name and email address.
  • CV / resume content: the uploaded CV file (PDF or DOCX, up to 10MB) and the structured information parsed from it, which may include work history, education, skills, and any other personal data the candidate chooses to include in their CV.
  • Interview responses: the candidate's written answers during the AI text interview and, where voice is used, audio and its transcription.
  • Assessment and process data: the AI-generated assessment report (with citations back to the candidate's own submissions), application status, and the recruiter's decision and written rationale.
  • Consent records: a versioned record of the data and AI-processing policy the candidate agreed to, including policy version and timestamp.
  • Technical/operational data: identifiers, timestamps, and audit-trail entries generated while using the Service.

Sensitive personal data. The Service is not intended to collect special-category or sensitive personal data (dados pessoais sensíveis). You instruct candidates not to submit such data, and you remain responsible for the content candidates upload. To the extent a candidate voluntarily includes such data in a CV or free-text answer, Employmee processes it only as part of the relevant CV or response and under the same protections as other Candidate Personal Data.

4. Roles of the parties and Controller responsibilities

  • You are the Controller and Employmee is the Processor for Candidate Personal Data. As the data controller for your candidates under the LGPD, you decide which roles to open, which assessment criteria to use, and how to act on assessment reports.
  • You are responsible for establishing a valid legal basis for the processing, for the lawfulness of your instructions, for providing candidates with required privacy notices, and for obtaining and managing any consent required from candidates. The Service collects a versioned consent from each candidate at the point of application covering automated/AI processing of their CV and responses; you remain responsible for ensuring this consent and your own notices meet your legal obligations.
  • Employmee processes Candidate Personal Data only as a Processor on your behalf and on your documented instructions, except where Applicable Data Protection Law requires otherwise (in which case Employmee will inform you of that legal requirement before processing, unless the law prohibits such notice).

5. Processor obligations

Employmee will:

  • Process on documented instructions only. Process Candidate Personal Data solely to provide the Service and only on your documented instructions (which include this DPA, the main services agreement, and your configuration and use of the Service). If Employmee believes an instruction violates Applicable Data Protection Law, it will inform you.
  • Confidentiality. Ensure that personnel authorized to process Candidate Personal Data are bound by appropriate confidentiality obligations and access the data only on a need-to-know basis.
  • Security measures. Implement and maintain appropriate technical and organizational measures to protect Candidate Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and risk of the processing. These measures include, at minimum:
      • Encryption of Candidate Personal Data in transit (TLS) and at rest, including CV files stored in Cloudflare R2;
      • Role-based access control for recruiters authenticated via Clerk, with workspace isolation so each customer's data is logically separated and a customer's staff can only access that customer's candidates;
      • An append-only audit trail of recruiter decisions and key data events;
      • Authenticated, secret-protected internal interfaces, with the production environment configured to refuse to start if required security secrets or storage are absent (fail-closed rather than degrade silently);
      • Captcha protection (Cloudflare Turnstile) on the public application form to reduce abuse;
      • A documented data-erasure capability that redacts personal data from records and deletes CV bytes from storage (see Section 9).
  • No further processing. Not use Candidate Personal Data for any purpose other than providing the Service, and not sell it or use it to train general-purpose AI models.

The security measures may be updated over time provided the level of protection is not materially reduced.

6. Sub-processors

You authorize Employmee to engage the Sub-processors listed in Section 7 to process Candidate Personal Data in order to provide the Service. For each Sub-processor, Employmee will: (a) carry out reasonable due diligence; (b) impose data protection obligations no less protective than those in this DPA by written contract; and (c) remain liable to you for the Sub-processor's performance of those obligations.

Changes and right to object. Employmee will give you prior notice (by email and/or in-product, at least [30] days before the change takes effect) of any intended addition or replacement of a Sub-processor. If you have a reasonable, data-protection-related objection, you may notify Employmee within [15] days of the notice. The parties will work in good faith to address the objection; if it cannot be resolved, you may, as your sole remedy, terminate the portion of the Service that cannot be provided without the objected-to Sub-processor, in accordance with the termination terms of the main services agreement.

7. Sub-processor list

The following Sub-processors are engaged to provide the Service. Each processes only the Candidate Personal Data needed for its function. (Place of processing and certifications must be confirmed and kept current by Employmee; see Review Notes.)

Sub-processor | Function in the Service | Candidate Personal Data accessed
Vercel | Hosting of the web application (candidate apply flow and recruiter dashboard front-end) | Data in transit through the web layer (e.g., form submissions, page data); no candidate data store of record
Railway | Cloud platform hosting the API, background worker, PostgreSQL database, and Redis | All Candidate Personal Data stored in the primary database and processing queues
Clerk | Authentication and identity for recruiter/staff accounts | Recruiter (staff) account data; not the store of record for candidate data
Cloudflare R2 | Object storage for uploaded CV files | CV files (PDF/DOCX)
Cloudflare Turnstile | Bot/abuse protection (captcha) on the public application form | Captcha challenge/technical signals at submission; not CV or interview content
Anthropic (Claude) | AI generation of the evidence-cited candidate assessment and AI interview reasoning | CV content and interview responses submitted for assessment
OpenAI | Voice features for the AI interview (text-to-speech and, where applicable, speech-to-text) | Interview prompt/response text and audio used for voice
Resend | Transactional email (e.g., workspace member invitations and process emails) | Email address and message content needed to send the email

Employmee will maintain an up-to-date version of this list and make it available to you on request or via a designated location. For the AI Sub-processors (Anthropic and OpenAI), Employmee will configure the Service, where such options are offered, so that Candidate Personal Data submitted through the API is not used to train those providers' models; you acknowledge that the precise terms are governed by those providers' applicable data-processing terms, which Employmee will confirm and keep current.

8. Assistance with data subject requests and Controller obligations

  • Data Subject Requests. Taking into account the nature of the processing, Employmee will provide reasonable assistance, through appropriate technical and organizational measures, to help you respond to Data Subject Requests (including access, correction, deletion/erasure, portability, and objection). If Employmee receives a request directly from a candidate, it will not respond directly (except to confirm the request relates to you as Controller) and will, where legally permitted, promptly forward it to you.
  • Erasure support. The Service includes a built-in erasure capability: on your instruction (or automatically when a candidate's retention window expires), Employmee redacts personal data from candidate records (including derived data in otherwise immutable assessment reports, CV snapshots, and interview transcripts) while preserving non-personal provenance needed for the audit trail, and deletes the CV file bytes from object storage. This action is recorded in the audit trail.
  • Retention. By default the Service retains Candidate Personal Data for a configurable retention period (default [180] days) after which it is automatically erased, unless you and Employmee agree otherwise in writing or you instruct earlier deletion. You are responsible for configuring a retention period appropriate to your legal basis and obligations.
  • Broader assistance. Taking into account the nature of processing and the information available to it, Employmee will provide reasonable assistance with your obligations regarding security of processing, Personal Data Breach notification, data protection impact assessments, and prior consultation with the ANPD or other supervisory authority.

9. Deletion and return of data at end of service

  • On expiry or termination of the main services agreement, and in any case on your written request, Employmee will, at your choice, delete or return all Candidate Personal Data processed on your behalf, and delete existing copies, unless Applicable Data Protection Law requires continued storage.
  • Return, where requested, will be made in a commonly used, machine-readable format within a reasonable period.
  • Deletion uses the erasure capability described in Section 8: personal data is redacted from records and CV bytes are deleted from storage. Limited records may be retained in backups for a short rotation period and in the append-only audit/log trail, in each case only as required for security, dispute resolution, or legal compliance, and they remain protected by this DPA until deleted.
  • On request, Employmee will provide written confirmation that data has been deleted or returned in accordance with this Section.

10. Audits

  • Employmee will make available to you information reasonably necessary to demonstrate compliance with this DPA, including, on request, summaries of its security measures and any third-party audit reports or certifications it holds.
  • Where such information is insufficient to demonstrate compliance, you (or an independent auditor mandated by you and bound by confidentiality, who is not a competitor of Employmee) may conduct an audit no more than once per year (and additionally if required by a supervisory authority or following a Personal Data Breach affecting your data), on reasonable prior written notice of at least [30] days, during business hours, and in a manner that does not unreasonably disrupt Employmee's operations or compromise the confidentiality of other customers' data. Each party bears its own costs unless the audit reveals a material breach by Employmee.

11. International transfers

  • Employmee and its Sub-processors may process Candidate Personal Data in locations outside Brazil (and, where relevant, outside the country of origin of the data). Several Sub-processors operate global infrastructure.
  • Where Candidate Personal Data is transferred across borders, Employmee will ensure the transfer relies on a lawful transfer mechanism recognized under Applicable Data Protection Law (for the LGPD, an adequate level of protection, ANPD standard contractual clauses, or another valid basis under Articles 33 to 36 of the LGPD; for the GDPR, EU Standard Contractual Clauses or another valid mechanism) and will implement supplementary safeguards where required.
  • The specific processing locations and transfer mechanisms for each Sub-processor must be confirmed and documented by Employmee (see Review Notes).

12. Personal Data Breach notification

  • Employmee will notify you without undue delay, and in any event within [72] hours, after becoming aware of a Personal Data Breach affecting Candidate Personal Data processed on your behalf.
  • The notification will describe, to the extent known: the nature of the breach and the categories and approximate number of Data Subjects and records affected; the likely consequences; and the measures taken or proposed to address it and mitigate its effects. Where all information is not available at once, it may be provided in phases without undue further delay.
  • Employmee will provide reasonable cooperation and assistance to help you meet your own breach-notification obligations to the ANPD, other supervisory authorities, and affected Data Subjects. As Controller, you are responsible for determining whether and how to notify authorities and Data Subjects.

13. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the main services agreement. [Confirm how liability caps and any carve-outs apply to data protection claims and to claims by Data Subjects or supervisory authorities. Placeholder for legal review.]

14. Governing law and jurisdiction

This DPA is governed by the laws of [governing jurisdiction], without regard to its conflict-of-laws rules, and the parties submit to the courts/venue specified in the main services agreement, except where Applicable Data Protection Law requires a different forum. [Confirm governing law and venue. Placeholder for legal review.]

15. Order of precedence and changes

  • This DPA forms part of and supplements the main services agreement. In the event of a conflict between this DPA and the main services agreement on the protection of personal data, this DPA prevails. The Sub-processor list in Section 7 prevails over any general list elsewhere.
  • Employmee may update this DPA to reflect changes in Applicable Data Protection Law, Sub-processors, or the Service, provided no such change materially reduces the protection of Candidate Personal Data. Material changes will be communicated in advance in accordance with the main services agreement.

Privacy and data protection inquiries, Data Subject Request assistance, and breach notifications under this DPA: [DPO / privacy contact email]. [Employmee legal entity name], [registered address].