Trust Center

Last updated · May 30, 2026

Data Processing Addendum

This DPA applies to business users (companies, organizations) processing personal data through ResumeAI. Most individual users don't need this.

01Who is this for?

This Data Processing Addendum ("DPA") is for business users (companies, organizations, employers) who need a formal Article 28 GDPR contract because they process personal data of their employees, candidates, or other data subjects through ResumeAI.

If you're using ResumeAI for your own personal job search, our Privacy Policy covers you — no DPA needed.

This DPA becomes part of our Terms of Service when business users accept it. To countersign, email legal@resumeai.blog.

02Scope

This DPA applies when ResumeAI processes personal data on behalf of a Customer (you) who is subject to GDPR, UK GDPR, or similar laws.

Definitions follow GDPR Article 4: "personal data," "processing," "data subject," "controller," "processor," and "sub-processor" have their GDPR meanings.

03Roles

  • Customer = Controller (decides why and how data is processed)
  • ResumeAI = Processor (processes data on Customer's instructions)
  • Our service providers = Sub-processors

Customer is responsible for the lawful basis of processing and obtaining any required consents from data subjects (e.g., candidates whose resumes you're analyzing).

04Subject matter of processing

Nature and purpose: AI-powered resume analysis, ATS scanning, bullet rewriting, cover letter generation, interview preparation.

Categories of data: Names, contact details, professional history, education, skills, and any other personal data Customer submits via resumes or job descriptions.

Categories of data subjects: Customer's employees, candidates, or other individuals whose data Customer submits.

Duration: For the term of Customer's account, plus retention as specified in our Privacy Policy.

05Security measures

We implement appropriate technical and organizational measures (TOMs) per GDPR Article 32:

  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • Access controls: Role-based access, least privilege, audit logging
  • Authentication: Multi-factor available, OAuth-based
  • Network security: CSP, HSTS, rate limiting, CORS lockdown
  • Monitoring: Error tracking (Sentry), audit logs, abuse detection
  • Backup: Encrypted backups, 7-day retention, tested restoration
  • Vulnerability management: Regular dependency updates, security patches
  • Personnel: Confidentiality obligations, security training

Detailed TOMs are available upon request to security@resumeai.blog.

06Sub-processors

Customer authorizes ResumeAI to engage the sub-processors listed in our Privacy Policy § 5.

We will:

  • Notify Customer of new sub-processors with 30 days notice (via email or website)
  • Bind sub-processors to data protection terms no less protective than this DPA
  • Remain liable for sub-processors' acts and omissions

Customer may object to a new sub-processor in writing. If we can't accommodate the objection, Customer may terminate the affected service for a prorated refund.

07International data transfers

For transfers of EU/UK personal data to countries without an adequacy decision (including the United States), we rely on:

  • European Commission Standard Contractual Clauses (SCCs), Module 2 (Controller-to-Processor)
  • UK International Data Transfer Addendum where applicable
  • Supplementary measures as recommended by EDPB guidance

The SCCs are incorporated by reference into this DPA. In case of conflict, the SCCs prevail.

08Data subject rights assistance

We will assist Customer in responding to data subject requests (access, rectification, erasure, portability, objection) by:

  • Providing data export functionality (JSON via Account settings)
  • Honoring deletion requests via Account settings or email
  • Providing access to processing records for data subjects when requested
  • Forwarding requests we receive directly to Customer when Customer is the controller

Reasonable assistance is included in your subscription. Excessive or repeated requests may incur additional fees.

09Personal data breach notification

If we become aware of a personal data breach affecting Customer data, we will:

  • Notify Customer without undue delay (within 72 hours of becoming aware)
  • Provide information necessary for Customer to comply with GDPR Article 33 obligations
  • Cooperate with investigations and remediation
  • Document the breach in our audit logs

Notification will include: nature of breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.

10Return or deletion of data

Upon termination of Customer's account:

  • Customer can export data via the Account settings page
  • We delete all personal data within 24 hours of account deletion
  • Anonymized audit logs may be retained for 90 days for fraud prevention
  • Payment records retained for 7 years for tax compliance (no personal data beyond email + transaction details)

We will certify deletion upon Customer request.

11Contact

DPA execution & questions

legal@resumeai.blog

Counter-signed DPAs available on request.