Data Processing Addendum (DPA)

Effective date: May 4, 2026

This Data Processing Addendum ("DPA") forms part of the Automated Recruiter Terms of Service between Automated Recruiter LLC ("Automated Recruiter," "Processor") and the customer ("Customer," "Controller") and governs Automated Recruiter's processing of personal data on behalf of the Customer in connection with the platform. By using the platform, Customer agrees to the terms of this DPA. Capitalized terms not defined here have the meanings given in the Terms of Service.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person that Automated Recruiter processes on behalf of the Customer as Processor, including candidate names, resumes, contact information, and evaluation data uploaded or generated through the platform.

"Processing" has the meaning given under applicable data protection law and includes collection, storage, use, analysis, transmission, deletion, and any other operation performed on Personal Data.

"Applicable Data Protection Law" means all privacy and data protection laws applicable to the parties' respective processing activities, including the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the EU General Data Protection Regulation (GDPR) where applicable, and other applicable state and federal privacy statutes.

"Subprocessor" means any third party engaged by Automated Recruiter to process Personal Data on behalf of the Customer.

2. Roles and Scope

For recruiting and candidate data that Customer uploads or processes through the platform, Automated Recruiter acts as a Processor or service provider on behalf of the Customer, who is the Controller or business. For account, billing, support, website, and relationship data, Automated Recruiter acts as Controller or business in its own right.

This DPA applies to Automated Recruiter's processing of Personal Data on behalf of the Customer as Processor. It does not apply to data Automated Recruiter processes as Controller, which is governed by the Privacy Policy.

3. Customer Instructions

Automated Recruiter will process Personal Data only: (a) as necessary to provide the platform and related services described in the Terms of Service; (b) as documented in the Privacy Policy and this DPA; (c) as required by applicable law; or (d) as otherwise agreed in writing by the parties.

Customer is the Controller and is solely responsible for: (i) ensuring that Personal Data is lawfully collected and that Customer has the authority to upload or process it through the platform; (ii) providing required notices to candidates and obtaining required consents before uploading Personal Data; (iii) determining whether any applicable law requires a human review, adverse-action notice, or other compliance step in connection with the platform's outputs; and (iv) directing the processing of Personal Data through the platform's features and configuration.

If Automated Recruiter believes a Customer instruction violates Applicable Data Protection Law, Automated Recruiter will notify the Customer promptly.

4. Confidentiality

Automated Recruiter will ensure that personnel authorized to process Personal Data are subject to confidentiality obligations and are trained on applicable data protection requirements.

5. Security Measures

Automated Recruiter implements and maintains technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Current measures are described at Security Overview and include:

Automated Recruiter may update security measures over time provided that updates do not materially reduce the overall protection afforded to Personal Data.

6. Subprocessors

Customer authorizes Automated Recruiter to engage the Subprocessors listed at Subprocessors. Automated Recruiter will ensure that each Subprocessor is bound by data protection obligations at least as protective as those in this DPA with respect to Personal Data they process.

Automated Recruiter will provide reasonable advance notice (at least 30 days where practicable) before adding new Subprocessors that process Personal Data. Enterprise customers may object to new Subprocessors by contacting us within 15 days of notice. If Automated Recruiter proceeds with an objected Subprocessor, Customer's sole remedy is to terminate the applicable service without penalty upon 30 days' written notice.

7. Candidate and Data Subject Rights

Where Automated Recruiter receives a data rights request from an individual regarding Personal Data processed on behalf of Customer, Automated Recruiter will promptly forward the request to Customer and provide reasonable assistance. Customer is responsible for responding to individuals whose data Customer controls as part of the recruiting relationship. Automated Recruiter will assist Customer in responding to such requests using available platform features and reasonable operational support, to the extent required by Applicable Data Protection Law.

8. Security Incidents

Automated Recruiter will notify Customer without undue delay (and in any event within 72 hours where required by applicable law) after becoming aware of a security incident involving Personal Data processed on Customer's behalf. Notification will include: a description of the nature of the incident, the categories and approximate number of data subjects and records affected (to the extent known), the likely consequences, and the measures taken or proposed to address the incident. Automated Recruiter will cooperate with Customer and take reasonable steps to mitigate the effects of the incident.

9. Deletion and Return

Upon termination or expiration of the Terms of Service, or upon Customer's written request, Automated Recruiter will delete or anonymize Personal Data processed on Customer's behalf within 60 days, except as required for legal compliance, billing record-keeping, fraud prevention, dispute resolution, or enforcement of agreements. Automated Recruiter will confirm completion of deletion upon Customer request.

10. International Transfers

Personal Data is processed and stored primarily in the United States. Where Automated Recruiter transfers Personal Data from the European Economic Area, the United Kingdom, or another jurisdiction with cross-border transfer restrictions, it will do so only using appropriate transfer mechanisms as required by Applicable Data Protection Law, which may include Standard Contractual Clauses or other applicable safeguards. Customers with specific transfer requirements may contact us to discuss additional arrangements.

11. Audits

Upon Customer's reasonable written request (no more than once per year, except where required by applicable regulatory authority), Automated Recruiter will provide information reasonably necessary to demonstrate compliance with this DPA. Information may be provided in the form of documentation, certifications, or audit reports rather than direct facility access, at Automated Recruiter's reasonable discretion. Customer bears its own costs associated with any audit exercise.

12. Liability and Conflict

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. In the event of any conflict between this DPA and the Terms of Service, this DPA controls with respect to data processing obligations. Enterprise customers with specific regulatory or contractual requirements may request a separately executed DPA by contacting us through Contact.
