Data Processing Addendum (DPA)

Last updated: 2025-10-15

This DPA forms part of the agreement between ResumeSync AB ("Processor") and the customer ("Controller") when the Controller provides personal data for processing in ResumeSync.

1. Subject-matter and duration

Processor will process personal data to provide the ResumeSync service, for the term of the main agreement.

2. Nature and purpose

Importing, parsing, generating, hosting, and delivering application materials at the Controller's instruction.

3. Categories of data & subjects

Candidate profile data, resumes/CVs, job descriptions; data subjects are Controller's users and candidates.

4. Processor obligations

Process only on documented instructions.

Ensure confidentiality, security, and staff training.

Assist with data subject requests and DPIAs as reasonable.

Delete or return personal data at termination (unless law requires retention).

Maintain records of processing.

5. Security

Processor implements appropriate technical and organizational measures (see [Security Overview](/legal/security)).

6. Sub-processors

Controller authorizes Processor to use sub-processors: Vercel (hosting), Supabase (database/auth/storage), Stripe (payments), Anthropic/OpenAI (model inference). Processor will flow down equivalent obligations and notify material changes.

7. International transfers

Where transfers occur outside the EEA/UK, Processor uses applicable transfer mechanisms (e.g., SCCs) and safeguards.

8. Audits

Upon reasonable request, Processor provides information to demonstrate compliance. Onsite audits may be conducted no more than annually with reasonable notice.

9. Liability

Liability is as set out in the main agreement's limitation of liability.

10. Termination

Upon termination, Processor deletes or returns personal data within 30 days, unless retention is required by law.