Data Processing Agreement (DPA)
Agreement governing the processing of personal data on behalf of your organizationLast updated: February 2026
1. Definitions
- "Controller": the recruiting organization (customer) that determines the purposes and means of processing personal data through the Services.
- "Processor": AI Interview Analyzer Sp. z o.o., which processes personal data on behalf of the Controller.
- "Sub-processor": a third party engaged by the Processor to process personal data on behalf of the Controller.
- "Personal Data": any information relating to an identified or identifiable natural person as defined in Art. 4(1) GDPR.
- "Processing": any operation performed on personal data, including collection, recording, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
- "Data Subject": the natural person whose personal data is processed (primarily job candidates).
- "Services": the AI Interview Analyzer platform and all related services provided by the Processor to the Controller.
- "GDPR": Regulation (EU) 2016/679 of the European Parliament and of the Council.
2. Subject Matter, Duration, Nature & Purpose
Subject matter: Processing of candidate personal data for AI-assisted interview analysis.
Duration: This DPA is effective from the date of acceptance and continues for the duration of the Controller's subscription to the Services, plus any applicable data retention period.
Nature of processing: Automated processing including transcription, AI analysis, scoring, and storage, as well as manual access by authorized personnel for support purposes.
Purpose: To provide interview transcription, question-and-answer extraction, requirement scoring, feedback generation, and related interview analysis services as described in the Service documentation.
3. Types of Personal Data
The following categories of personal data are processed:
- Candidate data: name, email address, voice recordings, interview transcripts, CV/resume data, AI evaluation results (scores, justifications), feedback text.
- Recruiter data (as platform users): name, email address, IP address (in audit logs).
4. Categories of Data Subjects
- Job candidates (primary data subjects).
- Recruiters, hiring managers, and interviewers (as platform users).
5. Processor Obligations
The Processor shall:
(a) Process personal data only on documented instructions from the Controller, including transfers to third countries, unless required by EU or Member State law.
(b) Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) Implement appropriate technical and organizational security measures as described in Annex B.
(d) Not engage another processor (sub-processor) without prior written authorization from the Controller, subject to Section 6.
(e) Assist the Controller in responding to requests from data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection).
(f) Assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR (security, data protection impact assessments, breach notification, prior consultation).
(g) At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of Services, and delete existing copies unless EU or Member State law requires storage.
(h) Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, as described in Section 11.
6. Sub-Processors
The Controller grants general written authorization for the Processor to engage the sub-processors listed in Annex A. The Processor shall:
(a) Inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller 30 days written notice.
(b) Allow the Controller to object to such changes within 14 days of notification. If the Controller objects and the parties cannot reach agreement, the Controller may terminate the subscription.
(c) Ensure that sub-processors are bound by data protection obligations no less protective than those in this DPA.
(d) Remain fully liable to the Controller for the performance of sub-processor obligations.
Sub-processors marked as "conditional" in Annex A are engaged only when the Controller activates the corresponding feature in the platform.
7. Security Measures
The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Annex B. These measures include, but are not limited to:
- Encryption of personal data at rest (AES-256) and in transit (TLS 1.3).
- Role-based access control (RBAC).
- Audit logging of all data access and processing operations.
- Automated data deletion per the Controller's configured retention policy.
- Regular security assessments and vulnerability management.
8. Data Subject Rights Assistance
The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests within 72 hours of receiving the Controller's request. The platform provides self-service tools for:
- Right of Access (Art. 15): Export of all candidate data.
- Right to Rectification (Art. 16): Editing of candidate information.
- Right to Erasure (Art. 17): Deletion of all candidate data and associated interview records.
- Right to Restriction (Art. 18): Limiting processing of specific candidate data.
- Right to Portability (Art. 20): Export in machine-readable format (JSON).
- Right to Object (Art. 21): Withdrawal of consent and cessation of processing.
9. Breach Notification
The Processor shall notify the Controller of a personal data breach without undue delay, and no later than 72 hours after becoming aware of it, in accordance with Article 33 of the GDPR. The notification shall include:
- The nature of the personal data breach, including the categories and approximate number of data subjects and records concerned.
- The name and contact details of the Processor's data protection contact (security@aiinterviewanalyzer.com).
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach and mitigate its effects.
10. Data Return & Deletion
Upon termination of the Services:
(a) The Processor shall, at the Controller's choice, delete or return all personal data within 30 days.
(b) Data return shall be provided in machine-readable format (JSON).
(c) Deletion shall be confirmed in writing (email) to the Controller.
(d) The Processor may retain personal data to the extent required by EU or Member State law, in which case the Processor shall inform the Controller of such requirement.
11. Audit Rights
(a) The Controller may audit the Processor's compliance with this DPA once per calendar year, with 30 days prior written notice.
(b) Remote audit: The Processor shall provide an annual compliance report and responses to the Controller's audit questionnaire. When available, a SOC 2 Type II report shall be provided.
(c) On-site audits: When remote audit is insufficient, on-site audits may be conducted at the Controller's expense, during business hours, subject to a non-disclosure agreement.
(d) The Processor shall cooperate with audits conducted by the Controller or an independent auditor mandated by the Controller.
12. Liability
(a) Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service.
(b) The Processor's aggregate liability under this DPA shall not exceed the total fees paid by the Controller in the 12 months preceding the claim.
13. International Transfers
(a) All processing under this DPA occurs within the European Economic Area (EEA). No personal data is transferred outside the EEA.
(b) Sub-processor data center locations: West Europe (Netherlands), Sweden Central, Ireland, Poland, Germany.
(c) If future business needs require transfers outside the EEA, the Processor shall implement Standard Contractual Clauses (EU Commission Decision 2021/914) and inform the Controller prior to any transfer.
14. Term, Termination & Updates
(a) This DPA is effective from the date of acceptance and remains in force for the duration of the Controller's subscription to the Services.
(b) This DPA terminates automatically when all personal data has been deleted or returned in accordance with Section 10.
(c) The Processor may update this DPA with 30 days written notice to the Controller's organization administrator email. The notice shall include a summary of changes and a link to the updated DPA.
(d) Continued use of the Services after the 30-day notice period constitutes acceptance of the updated DPA.
(e) If the Controller objects to an update, the Controller may terminate the subscription before the update takes effect. Upon termination, Section 10 (Data Return & Deletion) applies.
Questions about this document? Contact us at contact@aiinterviewanalyzer.com