Last updated: April 6, 2026
Version 1.0
This Data Processing Agreement ("DPA") supplements the HireVia AI Terms of Service ("Agreement"). You are the Controller; HireVia AI is the Processor. Terms not defined here have the meanings in the Agreement.
1. What We Process
| Element | Details |
| --- | --- |
| Data Subjects | Job candidates, hiring managers, interviewers, Authorised Users |
| Personal Data | Names, contact details, employment history, education, skills, CV content, assessment responses, interview records |
| Purpose | Providing the HireVia AI recruitment platform: CV parsing, candidate matching, pipeline management, scheduling |
| Duration | Term of the Agreement + 90-day post-termination deletion period |
2. Our Obligations
Process Personal Data only on your documented instructions
Ensure staff with access are bound by confidentiality
Maintain appropriate technical and organisational security measures (Section 5)
Assist with Data Subject rights requests within 10 business days
Assist with DPIAs where required
Delete or return all Personal Data on termination (Section 7)
Not use Personal Data for any purpose beyond providing the Services
3. Your Obligations
Ensure a lawful basis exists for all processing
Provide candidates with appropriate privacy notices
Obtain necessary consents before uploading candidate data
Do not upload special category data (health, biometric, political) unless agreed in writing
4. Subprocessors
| Subprocessor | Purpose | Location | Safeguard |
| --- | --- | --- | --- |
| AWS | Infrastructure & storage | Singapore | SCCs / AWS DPA |
| OpenAI | AI CV text processing | United States | SCCs / OpenAI DPA |
| Resend | Email delivery | United States | SCCs |
| Microsoft | Calendar integration | United States | SCCs / MS DPA |
Current list at hirevia.ai/legal/subprocessors. Change notification and objection rights per Section 7 of the Agreement (14 days’ notice, right to object, terminate if unresolved).
5. Security
Encryption: TLS 1.2+ in transit, AES-256 at rest
Access: role-based controls, MFA for admin, least privilege
Network: AWS WAF, private subnets, security group isolation
Monitoring: CloudWatch, application logging (no PII in logs)
Vulnerability management: Dependabot, dependency updates, container scanning
Incident response: documented procedure with triage, containment, recovery, and post-incident review
6. Breach Notification
We will notify you of a confirmed Personal Data breach without undue delay, including:
Nature of the breach and approximate records affected
Likely consequences and measures taken to mitigate
We will cooperate to help you meet your 72-hour GDPR notification obligation to Supervisory Authorities.
7. Retention & Deletion
| Data | Retention | Deletion |
| --- | --- | --- |
| Active candidate data | Recruitment period + 12 months | Automated |
| AI processing logs | 90 days from creation | Automated purge |
| Post-termination | 30-day export window | Deleted within 90 days after |
Written deletion confirmation provided on request. Longer retention only where required by law.
8. International Transfers
Primary storage: AWS Singapore (ap-southeast-1). CV text processed via OpenAI (US). Emails via Resend (US). Calendar via Microsoft (US).
Safeguards for cross-border transfers:
EU/EEA transfers: Standard Contractual Clauses (Module 2: Controller to Processor)
UK transfers: UK IDTA or UK Addendum to EU SCCs
Supplementary measures: encryption in transit and at rest, access controls
9. Audit
You may audit our compliance with this DPA once per year with 30 days’ written notice. We may satisfy audit requests by providing an ISO 27001 certificate (certification in progress), security questionnaire, or equivalent evidence. On-site audits available if alternative evidence is insufficient.
10. Liability & Governing Law
Data protection liability cap per the Agreement: the greater of 24 months’ fees or USD 10,000. Governing law follows the Agreement (Section 15, tiered by Customer jurisdiction). Mandatory local data protection law applies regardless.
11. Term
This DPA is effective from the Agreement date until all Personal Data is deleted. Breach notification, deletion, and audit obligations survive termination.
By executing the Agreement, both parties agree to be bound by this Data Processing Agreement.