Skip to main content
resumeground

Data Processing Agreement

Required for GDPR-regulated customers processing personal data through Resume Ground.

DPA v1.0
Effective May 19, 2026

1. Subject Matter

This Data Processing Agreement ("DPA") forms part of the agreement between Resume Ground ("Processor") and the Customer ("Controller") for the processing of personal data under the General Data Protection Regulation (EU) 2016/679 ("GDPR").

2. Scope and Duration

The Processor will process personal data only on documented instructions from the Controller, for the duration of the underlying service agreement.

3. Categories of Data Subjects

End users of the Controller's recruiting workflows: candidates, applicants, hiring team members, and authorized recruiters.

4. Categories of Personal Data

Identification data (name, email), professional history (resume content, employment, education), application status, communications, and authentication metadata.

5. Sub-processors

The Processor uses vetted sub-processors for hosting (Supabase / cloud infrastructure), email delivery, and AI inference. A current list is available upon request.

6. Security Measures

Encryption in transit (TLS 1.2+) and at rest, role-based access control, audit logging, regular vulnerability scanning, and security incident response procedures.

7. Data Subject Rights

The Processor will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) within statutory timelines.

8. Breach Notification

The Processor will notify the Controller without undue delay (and within 72 hours where feasible) of any personal data breach affecting the Controller's data.

9. International Transfers

Where personal data is transferred outside the EEA, the parties rely on Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Audit

The Processor will make available all information necessary to demonstrate compliance and allow audits, conducted by the Controller or a mandated auditor, on reasonable notice.

11. Return or Deletion

On termination, the Processor will, at the Controller's choice, delete or return all personal data, unless retention is required by law.

Sign this DPA
Your signature is recorded with a content hash for audit purposes. Use Print to save a PDF copy.