Data Processing Addendum

This Data Processing Addendum ("DPA") supplements the Hiribly Terms of Service and applies to the extent that Hiribly processes Personal Data on behalf of Customer in scope of GDPR, UK GDPR, the Swiss FADP, the California Consumer Privacy Act (as amended by the CPRA), or other applicable data protection laws.

1. Roles

Customer is the Controller / Business; Hiribly is the Processor / Service Provider. Each party will comply with its obligations under applicable Data Protection Laws.

2. Scope & instructions

Hiribly will process Personal Data only on Customer's documented instructions, including those provided through the Service configuration, except where otherwise required by law.

3. Subject matter, duration, nature, purpose

Subject matter: provision of the AI-assisted recruiting Service. Duration: term of the Agreement plus retention periods. Nature & purpose: hosting, screening, ranking, and reporting on job applicants. Categories of data subjects: candidates, recruiter users. Categories of data: identifiers, contact, professional history (CV), screening outputs.

4. Confidentiality

Hiribly ensures personnel authorised to process Personal Data are bound by confidentiality obligations.

5. Security

Hiribly implements appropriate technical and organisational measures, including encryption in transit and at rest, access controls, vulnerability management, secure SDLC, regular backups, and incident response.

6. Sub-processors

Customer authorises Hiribly to engage the sub-processors listed in our Privacy Policy. We will give at least 30 days' prior notice of new sub-processors; Customer may object on reasonable data-protection grounds.

7. International transfers

Where Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the EU Standard Contractual Clauses (Module Two: Controller-to-Processor), the UK International Data Transfer Addendum, and the Swiss addendum are incorporated by reference.

8. Data subject requests

Hiribly will, taking into account the nature of the processing, provide reasonable assistance to Customer in responding to data subject requests (access, rectification, erasure, portability, objection, restriction).

9. Breach notification

Hiribly will notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data, with information reasonably required to satisfy Customer's regulatory obligations.

10. Audits

Hiribly will make available information necessary to demonstrate compliance and, on reasonable notice and subject to confidentiality, allow audits by Customer or a mutually agreed third-party auditor no more than once per year (or more frequently if required by a supervisory authority).

11. Deletion / return

On termination Hiribly will, at Customer's choice, delete or return Customer Personal Data within 30 days, except where retention is required by law.

12. CCPA / CPRA

Hiribly is a "Service Provider" and will not (a) sell or share Personal Information; (b) retain, use, or disclose it outside the direct business relationship; or (c) combine it with Personal Information from other sources, except as permitted by law.

13. Contact

DPA-related correspondence: dpo@hiribly.com.