Data Processing Addendum (DPA)
Last updated: April 2026 | Version 1.0
This Data Processing Addendum ("DPA") forms part of the agreement between JobsApply (sole proprietorship) ("Processor") and the customer identified in the relevant order form or account registration ("Controller") for the provision of the JobsApply service ("Service"). It sets out the terms on which the Processor processes Personal Data on behalf of the Controller in accordance with applicable Data Protection Laws — including the GDPR, UK GDPR, Swiss FADP, Canadian PIPEDA and Law 25, LGPD, and CCPA/CPRA to the extent applicable.
1. Definitions
Capitalized terms used but not defined have the meanings given in the applicable Data Protection Law. "Personal Data", "Processing", "Data Subject", "Controller", "Processor", "Sub-processor", and "Supervisory Authority" have the meanings in the GDPR (or their local equivalents).
2. Scope and roles
- The Controller is the controller of Personal Data it provides or that is generated through its use of the Service.
- The Processor processes Personal Data only on the Controller's documented instructions, including the instructions set out in the Service description, this DPA, and the main agreement.
- The Processor will not process Personal Data for any other purpose unless required by law applicable to it, in which case the Processor will notify the Controller before processing (unless the law prohibits notification).
3. Subject-matter and details of processing
| Item | Description |
|---|---|
| Subject-matter | AI-assisted job search and application automation as described in the Service. |
| Duration | The term of the main agreement plus the retention period in Section 9. |
| Nature and purpose | Storing, transmitting, analyzing, generating text from, and submitting Personal Data to third-party job sites at the Controller's or data subject's direction. |
| Categories of data | Contact details, identification, profile and CV content, employment history, education, skills, optional equal-opportunity / special-category data, credentials for third-party sites, application records. |
| Categories of data subjects | Job candidates represented by the Controller; the Controller's own personnel; references and contacts named by the data subject. |
4. Processor obligations
- Process Personal Data only on documented instructions from the Controller.
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures set out in Annex A to ensure a level of security appropriate to the risk.
- Assist the Controller, to the extent reasonable, with (a) responding to requests from data subjects and (b) meeting the Controller's obligations under Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation).
- At the Controller's choice, delete or return all Personal Data after the end of the Services, unless the Processor is required by law to retain it.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as set out in Section 8.
5. Sub-processors
The Controller authorizes the Processor to engage sub-processors selected by the Processor to provide hosting, AI, payments, email, observability, and analytics services. A current list of sub-processors (provider identity, purpose, and processing location) is available to the Controller on request to privacy@jobsapply.app. The Processor will (a) impose written obligations on sub-processors substantially equivalent to those in this DPA, (b) remain liable for their acts and omissions, and (c) notify the Controller at least 30 days before adding or replacing a sub-processor. The Controller may object on reasonable data-protection grounds, in which case the parties will work in good faith to resolve the objection; failing resolution, the Controller may terminate the affected portion of the Services.
6. Personal-data breaches
The Processor will notify the Controller without undue delay and in any event within 72 hours of becoming aware of a Personal-Data Breach affecting the Controller's Personal Data, and will provide the information the Controller needs to meet its own notification obligations.
7. International transfers
Where the Processor transfers Personal Data outside the EEA / UK / Switzerland to a country without an adequacy decision, the parties agree that the relevant Standard Contractual Clauses (EU Commission Decision 2021/914), UK IDTA / Addendum, or Swiss FDPIC clauses are incorporated by reference, with the Processor acting as data importer and the Controller as data exporter. Module 2 (Controller to Processor) applies by default; Module 3 (Processor to Processor) applies where the Controller is itself a processor.
8. Audits
The Processor makes available on request (a) current independent attestations (SOC 2, ISO 27001) of its own or its Sub-processors' controls where available, and (b) responses to a reasonable written questionnaire once per 12-month period. On-site audits are limited to cases where there is a good-faith belief of a material breach of this DPA and are subject to reasonable notice, confidentiality, and reimbursement of the Processor's costs.
9. Return or deletion
On termination of the Services, and at the Controller's choice, the Processor will delete or return all Personal Data within ninety (90) days, except for copies required to be retained by law.
10. Liability
The liability cap in the main agreement applies in the aggregate to this DPA and the main agreement; nothing in this DPA increases or decreases it.
11. Governing law
This DPA is governed by the same law as the main agreement, except that the SCCs incorporated under Section 7 are governed as specified in the SCCs.
12. Contact
Data-protection questions: privacy@jobsapply.app. Breach reports: security@jobsapply.app.
Annex A — Technical and organizational measures
- TLS 1.2+ for all data in transit.
- Symmetric encryption (Fernet / AES-128-CBC + HMAC) for sensitive credentials at rest.
- Password hashing with PBKDF2 (salted).
- Network isolation of production databases; admin access via SSH keys.
- Rate limiting on authentication endpoints.
- Role-based access to production data limited to the operator.
- Security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy).
- Documented incident-response process.
- Sub-processor list with transfer-mechanism disclosure.
This DPA is a template. To execute, email a signed copy to legal@jobsapply.app with the identifying Controller name and account email.