Data Processing Agreement
Roles of the Parties
This Data Processing Agreement (the “DPA”) describes how [LEGAL_ENTITY](the “Company,” “we,” or “us”) handles personal data on your behalf when you use ContextualIntel(the “Service”). It forms part of, and is governed by, our Terms of Service and Privacy Policy.
For the personal data you add to the Service — in particular the contact details and information you store about other people (for example, recruiters, colleagues, or other contacts) — you act as the controller and the Company acts as your processor. That means you decide what personal data is entered and why, and we process it only on your behalf to provide the Service to you.
This matches the warranty in our Terms: when you add information about other people, you are the controller of that data, and you confirm you have a lawful basis and the right to provide it. This DPA is most relevant if you use the Service for business or professional purposes; it is made available to all users and referenced from the Terms.
The Company may also act as an independent controller for some data it collects to run and secure the Service (for example, your account and billing data). That processing is described in the Privacy Policy and is not the subject of this DPA, which covers only the personal data we process on your behalf as your processor.
Scope and Your Instructions
We process the personal data covered by this DPA only on your documented instructions, including as to international transfers, unless we are required to do otherwise by a law that applies to us (in which case we will tell you, unless that law forbids it).
Your instructions are made up of: (a) this DPA, the Terms, and the Privacy Policy; and (b) your use of the features and settings of the Service. Using the Service to store, organize, score, or generate content from your contact data and other entries is your instruction to process that personal data for those purposes.
The subject matter is the provision of the Service. The duration is the term of your account. The nature and purpose are hosting, storing, organizing, and processing the data (including AI-assisted features) to operate, secure, and provide the Service to you. The types of personal data and categories of data subjects are determined by you and typically include the identifiers and contact details of the people you add and the content you enter about them.
Confidentiality
We ensure that the people we authorize to process the personal data covered by this DPA are bound by an appropriate duty of confidentiality (whether contractual or statutory) and are only given access to the extent needed to provide, support, secure, and maintain the Service.
Security Measures
We maintain technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, appropriate to the risk. These measures include, as applicable:
- encryption of data in transit, and at rest where supported by our infrastructure providers;
- access controls, authentication, and least-privilege access to systems and data;
- logical separation of customer data and environment hardening;
- regular patching and use of reputable infrastructure providers with their own security programs; and
- logging and monitoring to help detect and respond to security events.
Security is a shared responsibility: you are responsible for keeping your account credentials secure and for the lawfulness of the data you choose to enter. The specific measures may evolve as the Service and the threat landscape change, provided the overall level of protection is not reduced.
Subprocessors
You give the Company general authorization to engage subprocessors to help provide the Service. We impose data-protection obligations on each subprocessor that are no less protective than those in this DPA, and we remain responsible for their performance of those obligations.
The subprocessors we currently use are listed below. This table is generated directly from our internal subprocessor register, so it stays in step with the processors we actually use:
| Name | Purpose | Region | Processes personal data |
|---|---|---|---|
| Supabase | Authentication and primary application database (Postgres). | United States | Yes |
| Stripe | Payment processing and subscription billing for the Pro tier. | United States | Yes |
| Resend | Transactional and notification email delivery. | United States | Yes |
| Vercel | Application hosting, serverless compute, and edge delivery. | United States | Yes |
| OpenAI | AI features (match scoring, resume tailoring, interview prep, and related generation). Zero-retention / no-training terms to be secured before launch. | United States | Yes |
| [JV_PROCESSOR_NAME] | Joint-venture operations performed on the Company's behalf (product operations, support, and development). | Canada (Quebec) | Yes |
| USAJOBS | Public job-data source for federal job listings. | United States | No |
We will give notice (for example, by updating this list or by reasonable means) before adding or replacing a subprocessor that processes personal data covered by this DPA. You have the right to object to a new subprocessor on reasonable, data-protection grounds. If you do, we will work with you in good faith to address your concern; if we cannot, your remedy is to stop using the relevant feature or to terminate as described in the Terms.
International Data Transfers
The Service is operated from, and personal data is primarily stored in, the United States. If you access the Service from outside the United States, you understand that your data — and the contact data you enter — will be transferred to and processed in the United States and other countries where we or our subprocessors operate.
Where a transfer is subject to data-protection law that restricts cross-border transfers, we rely on an appropriate transfer mechanism:
- EU / EEA: the European Commission’s Standard Contractual Clauses (SCCs), together with any supplementary measures that may be required;
- United Kingdom: the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs;
- Canada: for our Montreal-based subprocessor (a joint-venture partner that processes data on our behalf), the transfer to Canada is made under the protections that apply to it, including Quebec’s Law 25 and contractual safeguards equivalent to those above.
You can ask us for more information about the safeguards that apply to a particular transfer by contacting us at the address below.
Assistance with Data-Subject Requests
Because you are the controller of the contact data you enter, you are primarily responsible for responding to requests from the people whose data you store (for example, requests to access, correct, or delete their data).
Taking into account the nature of the processing, we will provide reasonable assistance — through the self-service export and deletion tools in the Service and, where those are not sufficient, by reasonable additional means — to help you meet your obligation to respond to such requests. If we receive a request directly from one of your data subjects, we will, where lawful, direct them to you. How individual rights are handled is described further in our Privacy Policy.
Personal-Data Breach Notification
If we become aware of a personal-data breach affecting personal data we process on your behalf, we will notify you without undue delay after becoming aware of it. The notification will include the information reasonably available to us to help you meet any obligation you have to notify a supervisory authority or affected individuals, and we will take reasonable steps to mitigate the breach and prevent recurrence. Our notification is not an acknowledgment of fault or liability.
Deletion or Return on Termination
On termination of your account or expiry of this DPA, we will, at your choice, delete or return the personal data we process on your behalf, and delete existing copies, except to the extent we are required by law to retain it. You can export your data using the tools in the Service before you close your account. Residual copies may persist in routine backups for a limited time before being overwritten, during which they remain protected by this DPA.
Audit and Information Rights
We will make available to you the information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate. To respect the confidentiality, security, and continuity of the Service and of other customers, audits are limited to once per year (unless required by a supervisory authority or following a personal-data breach), require reasonable advance written notice, are conducted during business hours, and may be satisfied first by our providing relevant documentation, certifications, or third-party reports that we or our subprocessors maintain.
Liability and Order of Precedence
Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, and any reference in the Terms to a party’s liability means the aggregate liability of that party under the Terms and this DPA together.
This DPA forms part of the Terms. If there is a conflict between this DPA and the Terms or the Privacy Policy on the subject of the processing of personal data on your behalf, this DPA controls to the extent of that conflict. On all other matters, the Terms control. Where mandatory data-protection law requires a specific term that this DPA does not adequately address, that law prevails to the extent required.
Contact
Questions about this DPA or our processing of personal data on your behalf? Contact us at privacy@[DOMAIN].