This DPA forms part of the Terms of Service and reflects the parties' agreement under GDPR Article 28 with respect to the processing of personal data of Candidates.
1. Roles
The Customer (recruiter) is the Controller. AiHR is the Processor.
2. Subject matter and duration
Processing candidate personal data to deliver structured interviews and evidence-cited advisory reports for human review.
3. Nature and purpose
Collection and sanitization of resume text, interview transcript and optional consented audio; AI inference; advisory report generation; secure delivery to Controller.
4. Categories of data subjects and data
Candidates: identification, contact, professional experience, transcript, optional interview audio, and session metadata.
5. Processor obligations
- Process personal data only on documented instructions from the Controller.
- Ensure persons authorised to process are bound by confidentiality.
- Implement appropriate technical and organisational measures (Annex A).
- Assist the Controller in fulfilling data-subject rights and DPIAs.
- Notify the Controller of personal-data breaches without undue delay (and in any event within 72 hours of becoming aware of the breach).
- Make available all information necessary to demonstrate compliance and allow audits.
6. Sub-processors
The Customer authorises the sub-processors listed in our Privacy Policy. We will notify the Customer of any intended change to the sub-processor list 30 days in advance; the Customer may object on reasonable grounds.
7. International transfers
Where data is transferred outside the EEA, Standard Contractual Clauses (Commission Decision 2021/914) apply.
8. Return or deletion
Upon termination, we delete or return all personal data within 30 days, unless retention is required by law.
9. Liability
Each party's liability is governed by the Terms of Service.
Annex A — Security measures
- TLS 1.2+ in transit; AES-256 at rest.
- Row-Level Security policies on all tenant tables.
- Least-privilege service keys; audit logging.
- No appearance, emotion, personality, voice-characteristic, or protected-trait inference.
- Quarterly access reviews; SOC2-aligned operational controls.