Data Processing Agreement

1. Definitions

• "Data Protection Laws" means the GDPR (EU 2016/679), UK GDPR, CCPA, and any other applicable data protection legislation
• "Personal Data" means any information relating to an identified or identifiable natural person processed by VScout on behalf of the Controller
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion
• "Sub-Processor" means any third party engaged by VScout to process Personal Data on behalf of the Controller
• "Data Subject" means the individual to whom the Personal Data relates (e.g., job candidates, users)
• "Security Incident" means any accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Personal Data

2. Scope & Roles

This DPA applies to all Personal Data processed by VScout on behalf of the Customer in connection with the Service.

3. Processor Obligations

As a data processor, VScout shall:

• Process Personal Data only on the documented instructions of the Controller, unless required by law
• Ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations
• Implement and maintain appropriate technical and organizational security measures (see Section 5)
• Assist the Controller in fulfilling Data Subject rights requests
• Assist the Controller with data protection impact assessments (DPIAs) where required
• Not engage any Sub-Processor without prior notice to the Controller (see Section 4)
• Delete or return all Personal Data upon termination, at the Controller's choice (see Section 10)
• Make available all information necessary to demonstrate compliance with this DPA

4. Sub-Processors

The Controller grants general authorization for VScout to engage the following Sub-Processors. We will notify the Controller at least 30 days before adding or replacing any Sub-Processor.

If the Controller objects to a new Sub-Processor, the Controller may terminate the Agreement by providing written notice within 30 days of our notification. VScout imposes data protection obligations on all Sub-Processors that are no less protective than those in this DPA.

5. Security Measures

VScout implements and maintains the following technical and organizational measures to protect Personal Data:

Technical Measures

• AES-256 encryption for data at rest
• TLS 1.3 encryption for data in transit
• Row-Level Security (RLS) policies ensuring organizational data isolation
• Automated encrypted backups with geographically separate storage
• Regular key rotation and secure key management
• Rate limiting on all API and authentication endpoints
• Vector embeddings stored with organizational isolation

Organizational Measures

• Role-based access control (Admin, Recruiter, Hiring Manager, Viewer)
• Employee confidentiality agreements and security training
• Principle of least privilege for all system access
• Regular security audits and penetration testing
• Documented incident response procedures
• AI audit trail logging all automated processing actions with reasoning

6. Breach Notification

In the event of a Security Incident involving Personal Data:

• VScout will notify the Controller without undue delay and within 72 hours of becoming aware of the incident
• Notification will include: the nature of the incident, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address it
• VScout will cooperate with the Controller and take reasonable steps to mitigate the effects of the incident
• VScout will document all Security Incidents, including facts, effects, and remedial actions taken
• The Controller is responsible for notifying the relevant supervisory authority and affected Data Subjects where required by law

7. Data Subject Requests

VScout will assist the Controller in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection):

• If VScout receives a request directly from a Data Subject, we will promptly redirect the request to the Controller
• VScout provides self-service tools for Controllers to process requests: data export (CSV/Excel), data deletion, and profile correction through the platform
• Where self-service is insufficient, VScout will provide reasonable assistance to the Controller within 10 business days
• VScout will not independently respond to Data Subject requests unless legally required

8. International Data Transfers

Where Personal Data is transferred outside the EEA/UK, VScout ensures adequate protection through:

• Standard Contractual Clauses (SCCs): This DPA incorporates by reference the European Commission's SCCs (Module 2: Controller to Processor) as set out in Commission Implementing Decision (EU) 2021/914
• UK International Data Transfer Addendum: For transfers from the UK, the UK IDTA is incorporated as applicable
• Supplementary measures: Encryption, pseudonymization, and access controls as described in Section 5
• Transfer impact assessment: Available upon request from the Controller

9. Audits & Compliance

• VScout will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA
• The Controller (or an appointed independent auditor) may conduct audits of VScout's processing activities, with 30 days written notice and subject to reasonable confidentiality obligations
• Audits shall be conducted during normal business hours and shall not unreasonably disrupt VScout's operations
• VScout may satisfy audit requests by providing relevant certifications, audit reports, or summaries of security practices

10. Data Deletion & Return

Upon termination of the Agreement:

• The Controller may request return of all Personal Data in a structured, machine-readable format (CSV, Excel) within the 30-day post-termination retention window
• After the 30-day window (or immediately upon written request), VScout will securely delete all Personal Data, including copies in active systems
• Personal Data in encrypted backups will be deleted according to the backup rotation schedule, not exceeding 90 days after deletion from active systems
• VScout will provide written confirmation of deletion upon the Controller's request
• Exceptions: data required for legal compliance (e.g., billing records) will be retained as required by law and processed only for that purpose

11. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. VScout's total aggregate liability for all claims arising under this DPA shall not exceed the total fees paid by the Controller in the twelve (12) months preceding the event giving rise to the claim.

12. Term & Termination

This DPA takes effect when the Controller accepts the Terms of Service and remains in force for the duration of the Agreement. Obligations relating to data deletion, confidentiality, and ongoing security measures survive termination.