Data Processing Agreement
01. How this DPA applies
This DPA is incorporated by reference into our Terms of Service and applies automatically whenever you use the Service in a business capacity to process personal data of individuals other than yourself (for example, a recruiter uploading a candidate's CV to the Service). No separate signature is required; your use of the Service for such processing constitutes acceptance.
If your organization requires a counter-signed copy or a customized DPA (for example, a specific Annex II describing additional security measures), email hello@erpcv.com.
02. Definitions
- Applicable Data Protection Law means any law applicable to the processing of personal data under this DPA, including the EU GDPR, UK GDPR, India DPDP Act 2023, UAE Federal Decree-Law No. 45 of 2021, and US state privacy laws.
- Controller, Processor, Sub-processor, Personal Data, Personal Data Breach, Processing, Data Subject have the meanings given in the EU GDPR (or equivalent in other Applicable Data Protection Law).
- Customer Data means Personal Data the Controller submits or causes to be submitted to the Service.
- Standard Contractual Clauses or SCCs means the European Commission's Standard Contractual Clauses for international transfers approved by Commission Implementing Decision (EU) 2021/914, Module Two (Controller to Processor).
03. Roles and scope
- The Controller determines the purposes and means of processing the Customer Data.
- ERPCV acts as the Processor and processes Customer Data only on the Controller's documented instructions, which, by default, are the instructions implicit in the Controller's use of the Service to generate career documents.
- ERPCV will inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law.
The duration of processing is co-extensive with the Controller's use of the Service plus the retention periods set out in Annex II.
04. Subject matter, nature and purpose of processing
| Item | Value |
|---|---|
| Subject matter | Generation of career documents from CV data, ATS analysis, application tracking, and related professional services. |
| Duration | For the term of the Service plus the retention periods in Annex II below. |
| Nature and purpose | Hosting, storage, analysis, AI-assisted text generation, transmission, and deletion of Personal Data, for the sole purpose of providing the Service. |
| Categories of Data Subjects | Job candidates, professionals, account holders, and any individual whose data is contained within a submitted CV, profile, or message. |
| Categories of Personal Data | Identification data (name, contact info), professional information (employment history, education, certifications, skills, project history), self-supplied details (location, nationality, availability). The Controller agrees not to submit special-category data (GDPR Art. 9) or government identifiers. |
05. ERPCV obligations as Processor
ERPCV will:
- Process Customer Data only on the Controller's documented instructions, including with regard to international transfers, unless required to do so by applicable law.
- Ensure that personnel authorized to process Customer Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures as described in Annex I.
- Engage sub-processors only as permitted by Section “Sub-processors” below.
- Assist the Controller, taking into account the nature of processing, in fulfilling obligations to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection).
- Assist the Controller in complying with GDPR Art. 32 (security), 33 (breach notification to authorities), 34 (notification to Data Subjects), 35 (DPIA), and 36 (prior consultation).
- At the Controller's choice, delete or return all Customer Data after the end of the provision of services, and delete existing copies unless retention is required by law.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as described in Section “Audits” below.
06. Sub-processors
The Controller provides a general written authorization for ERPCV to engage the sub-processors listed in our Privacy Policy, which currently include:
- Supabase, Inc.: database, storage, authentication
- Stripe Payments: payment processing
- Anthropic, PBC: AI text generation
- Resend: transactional email delivery
- Vercel, Inc.: hosting and CDN
- Cal.com: consultation booking
Each sub-processor is bound by data protection obligations no less protective than this DPA. ERPCV remains fully liable to the Controller for the performance of any sub-processor.
ERPCV will give the Controller at least 30 days' notice of any intended changes to the list (addition or replacement), by updating the Privacy Policy page and, where the Controller has provided a contact email, by email. The Controller may object to a new sub-processor on reasonable data protection grounds within that notice period; if the parties cannot reach resolution, the Controller may terminate the Service for convenience and receive a pro-rata refund.
07. International data transfers
Where ERPCV transfers Customer Data outside the EEA, the United Kingdom, or another jurisdiction that restricts such transfers, the parties incorporate by reference the Standard Contractual Clauses, Module Two (Controller to Processor), with the following selections:
- Clause 7 (Docking clause): optional — not applied unless separately agreed.
- Clause 9(a) (Sub-processors): Option 2 (general written authorization), with 30 days' notice as described above.
- Clause 11(a) (Redress): the optional language is not adopted.
- Clause 17 (Governing law): the law of Ireland.
- Clause 18(b) (Choice of forum): the courts of Ireland.
- Annex I.A (List of parties): as set out in the Service order; data exporter is the Controller, data importer is ERPCV FZE.
- Annex I.B (Description of transfer): as set out in this DPA, Section “Subject matter”.
- Annex II (Technical and organizational measures): as set out in Annex I to this DPA.
For UK transfers, the parties incorporate the UK International Data Transfer Addendum (IDTA) issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018.
For transfers from other jurisdictions (India, UAE), ERPCV relies on equivalent contractual safeguards under Applicable Data Protection Law.
08. Personal Data Breach notification
ERPCV will notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach affecting Customer Data. The notification will include, to the extent then known:
- The nature of the breach, categories and approximate number of Data Subjects affected, categories and approximate number of records concerned
- The likely consequences of the breach
- The measures taken or proposed to address the breach and to mitigate its possible adverse effects
- Contact details of the person from whom further information can be obtained
The Controller is responsible for notifying the relevant supervisory authority and affected Data Subjects where required. ERPCV will provide reasonable assistance.
09. Audits
ERPCV will make available to the Controller, on reasonable request and no more than once per year (unless legally required more frequently), the most recent SOC 2 reports of its sub-processors and a summary of ERPCV's own security posture, sufficient to demonstrate compliance with this DPA.
Where an audit is required by Applicable Data Protection Law and cannot reasonably be satisfied by the above documents, the Controller may conduct an audit at its own cost, on reasonable advance notice (at least 30 days), during ERPCV's normal business hours, and subject to appropriate confidentiality undertakings.
10. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except where prohibited by Applicable Data Protection Law.
11. Term and termination
This DPA commences when the Controller first uses the Service to process Customer Data and continues until the Service is terminated. Upon termination, ERPCV will, at the Controller's choice, delete or return all Customer Data, unless retention is required by law (in which case ERPCV will continue to protect such data in accordance with this DPA).
Default retention periods after Service termination are set out in Annex II.
12. Annex I: Technical and organizational measures
ERPCV implements and maintains the following measures:
Access controls
- Role-based access control to production systems
- Multi-factor authentication required for all administrative access
- Principle of least privilege applied to personnel and service accounts
- Production credentials rotated regularly and stored only in a secrets manager
Encryption
- All data in transit encrypted using TLS 1.2 or higher
- Data at rest encrypted using AES-256 (provided by Supabase)
- Passwords stored only as cryptographic hashes
Application security
- Server-side authentication on all data-modifying endpoints
- Authorization checks on all per-user resources
- Stripe webhook signature verification
- Input validation on all uploaded files (type and size)
Operational security
- Dependency scanning and timely patching
- Source-code review of changes affecting personal data handling
- Secure development environment (no production data on developer workstations)
Sub-processor diligence
- Each sub-processor is contractually bound to confidentiality and security obligations
- ERPCV reviews sub-processor SOC 2 reports annually where available
13. Annex II: Retention
| Data category | Retention during service | After service termination |
|---|---|---|
| Uploaded CV files | Deleted immediately after extraction | n/a |
| Extracted CV text and profile JSON | While account is active | Deleted within 30 days unless the Controller requests return |
| Generated documents | 12 months from delivery | Deleted within 30 days |
| Account and contact data | While account is active | Deleted within 30 days |
| Payment/order records | 7 years for tax and accounting compliance | Retained for the legal period; thereafter deleted |
14. Contact
For DPA-related queries (sub-processor changes, audit requests, breach notifications, custom terms), email hello@erpcv.com.
ERPCV FZE · United Arab Emirates · v1.0