Data Processing Agreement (DPA)

1. Subject Matter

This Agreement governs resumAI's processing of personal data on behalf of the Customer in connection with the provision of resume parsing and AI-based data extraction services (the "Services").

2. Roles of the Parties

• Controller: The Customer determines the purposes and means of personal data processing.
• Processor: resumAI processes personal data only on the Customer's documented instructions and does not determine the purposes of processing.

3. Categories of Data

Data Subjects:

• Individuals whose resumes or CVs are uploaded by the Customer (e.g., job applicants)

Categories of Personal Data:

• Name, contact information, education, employment history, skills, and any additional data contained within uploaded CVs or resumes

4. Nature and Purpose of Processing

resumAI processes personal data solely for the following purposes:

• Parsing resumes/CVs and extracting structured information
• Temporarily storing resume content for quality assurance
• Returning results through dashboards or export features

resumAI will not use the data for advertising, profiling, or any other secondary purpose.

5. Duration of Processing

Personal data will be processed:

• As long as needed to deliver the Services
• Retained for up to 12 months unless purged earlier by the Customer
• Subject to a 30-day soft delete period after user-initiated purge or account deactivation
• Data during soft deletion can be recovered by request (see Section 10)

6. Subprocessors

The Customer authorizes resumAI to use the following subprocessors:

resumAI will notify the Customer of intended changes to subprocessors and allow objections if justified.

7. Data Subject Rights

resumAI will assist the Controller in fulfilling requests from data subjects to exercise their rights, including:

• Right of access
• Rectification
• Erasure
• Restriction of processing
• Objection to processing
• Data portability

Support requests must be sent to gdpr@resumai.eu.

8. Security Measures

resumAI shall implement appropriate technical and organizational measures to ensure data security, including:

• Encryption of data in transit and at rest
• Access controls and authentication
• Internal access logging and system monitoring
• Data minimization and lifecycle enforcement

9. Data Breach Notification

In the event of a personal data breach, resumAI shall notify the Customer without undue delay, including:

• Description of the breach
• Contact point for further information
• Likely consequences
• Mitigation and corrective measures taken

10. Deletion or Return of Data

Upon termination of the agreement or at Customer's written request:

• resumAI will permanently delete all personal data after the 30-day soft-deletion window
• During soft deletion, data may be recovered by contacting gdpr@resumai.eu and providing relevant identification
• Credit balances are not recoverable once soft deletion is initiated
• resumAI may, if requested, return the data in a structured format (JSON or CSV) prior to deletion

11. Audits

The Customer may audit resumAI's compliance with this DPA under the following conditions:

• At most once per year
• With reasonable advance notice
• During business hours and without disrupting platform services
• Limited in scope to data protection obligations only

12. Governing Law

This Agreement is governed by the laws of Portugal, unless the Controller is located in another EU jurisdiction with applicable overriding national law.

13. Liability

Any liability related to this Agreement shall be governed by the limitations set forth in the resumAI Terms of Service, unless otherwise required under applicable law.

14. Contact

15. Acceptance

By accepting the resumAI Terms of Service, the Customer also agrees to the terms of this Data Processing Agreement.