Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between CVault AI ("Processor") and the organisation accessing the CVault API or platform ("Controller"). It applies whenever the Controller sends personal data to CVault for processing and is incorporated by reference into the CVault Terms of Service.
To request a countersigned copy, email [email protected] with subject line DPA Request.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person contained in resume or CV files submitted to the CVault API, including but not limited to name, contact details, employment history, and education.
- Processing: Any operation performed on Personal Data, including collection, storage, parsing, structuring, retrieval, and deletion.
- Sub-processor: Any third party engaged by CVault AI to assist in Processing on behalf of the Controller. See Section 7.
- Data Subject: The individual whose personal data is contained in a submitted resume or CV file.
2. Scope and nature of processing
CVault AI processes Personal Data solely to provide the resume parsing, candidate scoring, and candidate intelligence services described in the CVault documentation. Processing is carried out:
- On documented instructions from the Controller (API requests and configuration).
- For no purpose other than providing the contracted services.
- For no longer than necessary — parsed structured data is automatically and permanently deleted 30 days after creation; uploaded source files are deleted immediately after text extraction.
CVault AI will not sell, share, or use Personal Data to train models on behalf of third parties.
3. Controller obligations
The Controller warrants that it:
- Has a lawful basis for submitting candidate Personal Data to CVault AI (e.g. legitimate interest in recruitment, or candidate consent).
- Has informed Data Subjects that their resume may be processed by a third-party parsing service.
- Will not submit special-category data (health, biometric, racial/ethnic origin, etc.) beyond what candidates have voluntarily included in their resume.
- Will submit deletion requests to CVault AI promptly upon receiving a Data Subject erasure request (Article 17 GDPR).
4. Data subject rights
CVault AI will assist the Controller in meeting its obligations to respond to Data Subject requests under Chapter III of the GDPR, including:
- Access (Art. 15): CVault AI can provide the Controller with a copy of all structured data held for a specific candidate upon written request.
- Erasure (Art. 17): CVault AI will permanently delete all Personal Data for a specified candidate within 5 business days of receiving a verified deletion request from the Controller.
- Rectification (Art. 16): The Controller may delete and re-submit corrected data at any time.
- Portability (Art. 20): Structured candidate data is available in machine-readable JSON format via the API at any time.
Requests should be sent to [email protected].
5. Security measures
CVault AI implements and maintains the following technical and organisational security measures:
- Encryption at rest: All Personal Data is encrypted using AES-256.
- Encryption in transit: All data in transit is protected via TLS 1.2 or higher.
- Access control: Production database access is restricted to authorised personnel only, protected by row-level security policies scoped to individual accounts.
- API authentication: All API endpoints require authentication via signed API keys or JWT tokens. Keys are stored as SHA-256 hashes and never in plaintext.
- Automatic deletion: Automated deletion jobs run daily to purge Personal Data beyond the 30-day retention window.
- Incident response: CVault AI will notify the Controller within 72 hours of becoming aware of a personal data breach, as required by Art. 33 GDPR.
6. International transfers
CVault AI's primary infrastructure is hosted within the European Economic Area (EEA). Where data is transferred outside the EEA (e.g. to sub-processors listed in Section 7), CVault AI ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) adopted by the European Commission under Art. 46(2)(c) GDPR.
7. Sub-processors
CVault AI engages the following sub-processors. The Controller provides general authorisation for sub-processor engagement. CVault AI will inform the Controller of any intended changes at least 14 days in advance, giving the Controller the opportunity to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Structured data storage and authentication | EEA |
| DigitalOcean | API server infrastructure and file processing | EEA |
| Paddle | Payment processing (billing data only, not resume data) | UK / EEA |
8. Audits and compliance
CVault AI will provide the Controller with all information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR. This includes responding to written questionnaires and, where required, permitting and contributing to audits conducted by the Controller or a mandated third-party auditor, subject to reasonable notice and confidentiality obligations.
9. Term and termination
This DPA remains in effect for the duration of the service agreement between the Controller and CVault AI. Upon termination, CVault AI will delete all remaining Personal Data within 30 days, unless a longer retention period is required by applicable law.
10. Governing law
This DPA is governed by the laws of the jurisdiction in which CVault AI is established and shall be interpreted consistently with the EU General Data Protection Regulation (2016/679).
Request a signed copy
To receive a countersigned DPA for your records, email [email protected] with subject line DPA Request and your company name. We respond within 2 business days.