Data Processing Agreement
This agreement defines how CVReady processes personal data on behalf of our customers
1. Parties and Introduction
This Data Processing Agreement ("DPA") forms part of the Service Agreement between:
- Nocodo LTD (the "Data Processor" or "Processor"), a company registered in Cyprus, providing CV processing services; and
- The customer identified in the Service Agreement (the "Data Controller" or "Controller").
This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in connection with the CVReady services, in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
2. Definitions
Terms not otherwise defined herein shall have the meaning given to them in the GDPR. In this DPA:
- "Personal Data" means any information relating to an identified or identifiable natural person contained in CVs and resumes processed through the CVReady platform;
- "Processing" means any operation performed on Personal Data, including collection, storage, formatting, analysis, and deletion;
- "Sub-processor" means any third party engaged by the Processor to process Personal Data;
- "Data Subject" means the individual job candidates whose Personal Data is contained in the CVs;
- "Services" means the CV processing and formatting services provided by CVReady.
3. Details of Processing
3.1 Subject Matter and Duration
The Processor shall process Personal Data on behalf of the Controller for the duration of the Service Agreement, for the purpose of providing CV processing and formatting services.
3.2 Nature and Purpose
The processing involves automated formatting, text extraction, AI-powered analysis, and standardization of CV content to create professionally formatted documents and extract structured data.
3.3 Types of Personal Data
- Names and contact information
- Employment history and job titles
- Educational background and qualifications
- Professional skills and competencies
- Languages and certifications
- Other information typically contained in CVs
3.4 Categories of Data Subjects
Job candidates and applicants whose CVs are submitted to the Controller and processed through the CVReady platform.
4. Obligations of the Processor
The Processor shall:
- Process only on instructions: Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law;
- Confidentiality: Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Security: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 6;
- Sub-processors: Not engage another processor without prior specific or general written authorization of the Controller, as detailed in Section 5;
- Data Subject rights: Assist the Controller by appropriate technical and organizational measures in fulfilling obligations to respond to Data Subject requests;
- Compliance assistance: Assist the Controller in ensuring compliance with obligations pursuant to Articles 32-36 GDPR;
- Deletion or return: Delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage;
- Audit: Make available to the Controller all information necessary to demonstrate compliance with this Article and allow for and contribute to audits.
5. Sub-processors
5.1 Authorized Sub-processors
The Controller hereby provides general authorization for the Processor to engage the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic | AI text processing (Claude API) | United States |
| Cloudflare R2 | File storage | EU |
| Hetzner | Server hosting | EU (Germany) |
5.2 Changes to Sub-processors
The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, thereby giving the Controller the opportunity to object to such changes. If the Controller objects and the parties cannot resolve the objection, the Controller may terminate the affected Services.
6. Technical and Organizational Security Measures
The Processor has implemented and will maintain the following security measures:
Technical Measures
- Encryption of data in transit (TLS 1.2 or higher)
- Encryption of data at rest
- Regular security patches and updates
- Firewall and intrusion detection systems
- Access logging and monitoring
- Regular automated backups
Organizational Measures
- Access control and authentication procedures
- Confidentiality agreements with personnel
- Regular security training
- Incident response procedures
- Data minimization practices
- Regular security assessments
7. International Data Transfers
Personal Data is primarily processed and stored within the European Union. Any transfers to third countries shall only occur:
- To countries with an adequacy decision by the European Commission; or
- Subject to appropriate safeguards as described in Article 46 GDPR, including Standard Contractual Clauses.
Note: Processing by Anthropic (United States) is covered by their GDPR-compliant data processing agreement and appropriate safeguards.
8. Data Subject Rights
The Processor shall assist the Controller in responding to Data Subject requests exercising their rights under GDPR, including:
- Right of Access: Providing copies of Personal Data
- Right to Rectification: Correcting inaccurate data
- Right to Erasure: Deleting Personal Data
- Right to Restriction: Limiting processing activities
- Right to Portability: Exporting data in machine-readable format
- Right to Object: Objecting to processing
9. Personal Data Breach Notification
Breach Response Procedure
- The Processor shall notify the Controller without undue delay and in any event within 72 hours after becoming aware of a Personal Data breach;
- The notification shall include: description of the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken to address the breach;
- The Processor shall document all breaches and make this documentation available to the Controller;
- The Processor shall cooperate with the Controller in addressing the breach and mitigating its effects.
10. Audit and Inspection Rights
The Processor shall:
- Make available to the Controller all information necessary to demonstrate compliance with this DPA;
- Allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller;
- Provide audit reports or certifications from independent third parties where available;
- Ensure that any audit is conducted with minimal disruption to the Processor's business operations.
Note: Audits shall be conducted with reasonable notice and during regular business hours, subject to the Processor's security and confidentiality requirements.
11. Liability and Indemnification
The liability of each party under this DPA shall be subject to the limitations set out in the Service Agreement. Each party shall indemnify the other against all damages, losses, and expenses arising out of any breach by that party of the terms of this DPA.
12. Duration and Termination
This DPA shall come into effect when the Controller starts using the Services and shall continue for the duration of the Service Agreement.
Upon termination of the Service Agreement, the Processor shall, at the choice of the Controller:
- Return all Personal Data to the Controller in a commonly used format; and/or
- Delete all Personal Data and certify such deletion in writing.
The Processor may retain Personal Data to the extent required by applicable law and only to the extent and for such period as required by applicable law.
13. General Provisions
13.1 Amendments
This DPA may only be amended with the written consent of both parties. The Processor reserves the right to update this DPA to reflect changes in law or services, with reasonable notice to the Controller.
13.2 Governing Law
This DPA shall be governed by the laws of Cyprus and the courts of Cyprus shall have exclusive jurisdiction for any disputes arising under this DPA.
13.3 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
13.4 Order of Precedence
In the event of any conflict between this DPA and the Service Agreement, this DPA shall prevail with respect to the processing of Personal Data.
14. Contact Information
Data Protection Contact
CVReady Data Protection Officer
Email: privacy@cvready.co
For any questions regarding this DPA or data processing activities, please contact our Data Protection Officer at the above email address.
Need a signed copy?
Enterprise customers can request a signed DPA by contacting our sales team.