Data Processing Addendum
Effective: May 8, 2026
Note: This is a starter DPA template. Have counsel align it with the Standard Contractual Clauses (2021/914) and your target jurisdictions before signing.
This Data Processing Addendum (“DPA”) supplements the Hireflow Terms of Service and applies whenever Hireflow processes personal data on the Account Holder’s behalf.
1. Definitions
Capitalized terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679) or the Indian Digital Personal Data Protection Act, 2023 (DPDPA), as applicable. “Customer Data” means personal data the Account Holder uploads or instructs Hireflow to process. “Sub-processor” means any third party engaged by Hireflow to process Customer Data.
2. Roles
The Account Holder is the controller. Hireflow is the processor. Hireflow processes Customer Data only on the controller’s documented instructions, which include the Terms and the controller’s use of the service.
3. Categories of data & data subjects
- Categories: name, contact details, employment history, resume contents, application form responses, AI-extracted structured fields, pipeline status, internal comments and ratings.
- Data subjects: job candidates and prospective candidates submitted by the Account Holder.
- Special categories: Hireflow does not solicit special-category data; Account Holders should not upload it.
4. Hireflow’s obligations
- Process Customer Data only on the controller’s documented instructions.
- Ensure persons authorized to process are bound by confidentiality.
- Implement the security measures in §6.
- Engage Sub-processors only as listed in §7 with a comparable contract.
- Assist the controller with data-subject requests (export, deletion, restriction) within 30 days.
- Notify the controller of any personal-data breach without undue delay (within 72 hours).
- Make available all information necessary to demonstrate compliance and submit to audits per §8.
- At the controller’s choice, return or delete Customer Data within 30 days of contract end.
5. Controller’s obligations
- Establish and maintain a lawful basis for processing each candidate’s data.
- Provide candidates the privacy notice required by Article 13/14 GDPR or the DPDPA equivalent.
- Promptly handle data-subject rights requests concerning Customer Data.
6. Security measures
- TLS 1.2+ in transit, AES-256 at rest.
- Postgres row-level security on every tenant table; per-schema isolation for Enterprise customers.
- Audit log of every control-plane mutation, retained 13 months.
- Quarterly access reviews; least-privilege internal RBAC.
- Daily encrypted backups, 35-day retention, restore drills documented.
- Annual penetration test; SOC 2 Type II in progress.
7. Sub-processors
The following sub-processors process Customer Data:
| Sub-processor | Purpose | Region |
|---|---|---|
| Neon (Postgres) | Primary database | EU (Frankfurt) |
| Stripe | Billing & payments (no candidate PII) | EU / US |
| Resend | Transactional email | EU |
| OpenRouter | Resume / form text extraction (data not used for training) | EU / US (per OpenRouter’s upstream provider routing) |
| S3-compatible storage | Resume file storage | EU |
We’ll notify the controller 30 days before adding or replacing a sub-processor; the controller may object on reasonable grounds.
8. Audits
On 30 days’ notice, the controller may audit Hireflow’s compliance once per 12 months at its own expense, subject to a confidentiality agreement and limited to documents necessary to verify compliance. Hireflow’s SOC 2 report (when available) satisfies this obligation.
9. International transfers
Where transfers leave the EEA / UK / India, the parties rely on the applicable Standard Contractual Clauses (2021/914 for the EU) and any supplementary measures we determine are necessary. Hireflow infrastructure is hosted in the EU by default.
10. Contact & representatives
DPO / privacy contact: dpo@hireflow.app. EU representative (Article 27 GDPR): [to be appointed].
Questions? Email legal@hireflow.app.