Data Processing Agreement - JobRoute.ai

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between JobRoute.ai ("Processor" or "we") and the customer ("Controller" or "you") and governs the processing of personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and other applicable privacy laws.

2. Definitions

In this DPA, the following terms have the meanings set forth below:

Personal Data: Any information relating to an identified or identifiable natural person processed through the Service
Processing: Any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion
Data Subject: An identified or identifiable natural person whose Personal Data is processed
Controller: The entity that determines the purposes and means of processing Personal Data
Processor: The entity that processes Personal Data on behalf of the Controller
Sub-processor: Any third party engaged by the Processor to process Personal Data

3. Scope and Roles

Under this DPA:

You act as the Controller of Personal Data of your employees, candidates, and other individuals whose data you process through the Service
We act as the Processor, processing Personal Data on your behalf solely to provide the Service
The subject matter, duration, nature, and purpose of processing are defined by your use of the Service
Personal Data relates to individuals whose workforce data you input into our platform

4. Processor Obligations

As a Processor, we agree to:

Process Personal Data only on your documented instructions, unless required by law
Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
Implement appropriate technical and organizational measures to ensure security of Personal Data
Use Sub-processors only with your prior authorization and under appropriate written contracts
Assist you in responding to Data Subject requests to exercise their rights
Assist you in ensuring compliance with data protection obligations
Delete or return Personal Data upon termination of services, unless retention is required by law
Make available all information necessary to demonstrate compliance with this DPA

5. Security Measures

We implement and maintain appropriate technical and organizational security measures, including:

Encryption of data in transit and at rest
Access controls and authentication mechanisms
Regular security assessments and penetration testing
Incident response and breach notification procedures
SOC 2 Type II compliance
Employee security training and background checks
Physical security of data centers
Regular backup and disaster recovery procedures

6. Sub-processors

We may engage Sub-processors to assist in providing the Service. By accepting this DPA, you provide general authorization for us to engage Sub-processors, subject to the following conditions:

We maintain a list of current Sub-processors available upon request
We will notify you of any changes to Sub-processors at least 30 days in advance
You may object to a new Sub-processor on reasonable data protection grounds
All Sub-processors are bound by written agreements imposing substantially the same obligations as this DPA
We remain fully liable for Sub-processor performance

7. Data Subject Rights

We will assist you in fulfilling your obligations to respond to Data Subject requests, including requests to:

Access their Personal Data
Rectify inaccurate Personal Data
Erase Personal Data
Restrict processing of Personal Data
Port their Personal Data
Object to processing of Personal Data

We will respond to your requests for assistance within a reasonable timeframe. You are responsible for responding to Data Subjects within applicable legal timeframes.

8. Data Breach Notification

We will notify you without undue delay upon becoming aware of a Personal Data breach affecting your data. Our notification will include:

Description of the nature of the breach
Categories and approximate number of Data Subjects affected
Likely consequences of the breach
Measures taken or proposed to address the breach
Contact information for further information

9. Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). For such transfers, we implement appropriate safeguards, including:

Standard Contractual Clauses approved by the European Commission
Adequacy decisions by the European Commission
Other legally recognized transfer mechanisms

10. Audits and Compliance

We will make available to you information necessary to demonstrate compliance with this DPA and allow for audits. We maintain SOC 2 Type II compliance and will provide audit reports upon request under appropriate confidentiality obligations.

11. Data Retention and Deletion

Upon termination or expiration of the Service:

We will delete or return all Personal Data within 90 days, as you instruct
We may retain Personal Data as required by applicable law
Deleted data cannot be recovered
Certification of deletion will be provided upon request

12. Controller Responsibilities

As Controller, you are responsible for:

Ensuring you have a legal basis for processing Personal Data
Complying with your data protection obligations
Providing clear processing instructions to us
Ensuring the accuracy and lawfulness of Personal Data provided
Obtaining necessary consents and providing required notices to Data Subjects

13. Limitation of Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service.

14. Term and Termination

This DPA will remain in effect as long as we process Personal Data on your behalf. The obligations under this DPA will survive termination of the Terms of Service for as long as we retain any Personal Data.

15. Contact Information

For questions about this DPA or to exercise your rights under it, please contact:

Data Protection Officer
Email: privacy@jobroute.ai
General Inquiries: hello@jobroute.ai