GDPR Compliant

Data Processing Agreement

This agreement defines how CVReady processes personal data on behalf of our customers

Version 1.0 • Last updated: July 26, 2025

1. Parties and Introduction

This Data Processing Agreement ("DPA") forms part of the Service Agreement between:

  • Nocodo LTD (the "Data Processor" or "Processor"), a company registered in Cyprus, providing CV processing services; and
  • The customer identified in the Service Agreement (the "Data Controller" or "Controller")

This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in connection with the CVReady services, in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

2. Definitions

Terms not otherwise defined herein shall have the meaning given to them in the GDPR. In this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person contained in CVs and resumes processed through the CVReady platform;
  • "Processing" means any operation performed on Personal Data, including collection, storage, formatting, analysis, and deletion;
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data;
  • "Data Subject" means the individual job candidates whose Personal Data is contained in the CVs;
  • "Services" means the CV processing and formatting services provided by CVReady.

3. Details of Processing

3.1 Subject Matter and Duration

The Processor shall process Personal Data on behalf of the Controller for the duration of the Service Agreement, for the purpose of providing CV processing and formatting services.

3.2 Nature and Purpose

The processing involves automated formatting, text extraction, AI-powered analysis, and standardization of CV content to create professionally formatted documents and extract structured data.

3.3 Types of Personal Data

  • Names and contact information
  • Employment history and job titles
  • Educational background and qualifications
  • Professional skills and competencies
  • Languages and certifications
  • Other information typically contained in CVs

3.4 Categories of Data Subjects

Job candidates and applicants whose CVs are submitted to the Controller and processed through the CVReady platform.

4. Obligations of the Processor

The Processor shall:

  1. Process only on instructions: Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law;
  2. Confidentiality: Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  3. Security: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 6;
  4. Sub-processors: Not engage another processor without prior specific or general written authorization of the Controller, as detailed in Section 5;
  5. Data Subject rights: Assist the Controller by appropriate technical and organizational measures in fulfilling obligations to respond to Data Subject requests;
  6. Compliance assistance: Assist the Controller in ensuring compliance with obligations pursuant to Articles 32-36 GDPR;
  7. Deletion or return: Delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage;
  8. Audit: Make available to the Controller all information necessary to demonstrate compliance with this Article and allow for and contribute to audits.

5. Sub-processors

5.1 Authorized Sub-processors

The Controller hereby provides general authorization for the Processor to engage the following Sub-processors:

Sub-processor Purpose Location
Anthropic AI text processing (Claude API) United States
Cloudflare R2 File storage EU
Hetzner Server hosting EU

5.2 Changes to Sub-processors

The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, thereby giving the Controller the opportunity to object to such changes. If the Controller objects and the parties cannot resolve the objection, the Controller may terminate the affected Services.

6. Technical and Organizational Security Measures

The Processor has implemented and will maintain the following security measures:

Technical Measures

  • Encryption of data in transit (TLS 1.2 or higher)
  • Encryption of data at rest
  • Regular security patches and updates
  • Firewall and intrusion detection systems
  • Access logging and monitoring
  • Regular automated backups

Organizational Measures

  • Access control and authentication procedures
  • Confidentiality agreements with personnel
  • Regular security training
  • Incident response procedures
  • Data minimization practices
  • Regular security assessments

7. International Data Transfers

Personal Data is primarily processed and stored within the European Union. Any transfers to third countries shall only occur:

  • To countries with an adequacy decision by the European Commission; or
  • Subject to appropriate safeguards as described in Article 46 GDPR, including Standard Contractual Clauses

Note: Processing by Anthropic (United States) is covered by their GDPR-compliant data processing agreement and appropriate safeguards.

8. Data Subject Rights

The Processor shall assist the Controller in responding to Data Subject requests exercising their rights under GDPR, including:

Right of Access

Providing copies of Personal Data

Right to Rectification

Correcting inaccurate data

Right to Erasure

Deleting Personal Data

Right to Restriction

Limiting processing activities

Right to Portability

Exporting data in machine-readable format

Right to Object

Objecting to processing

9. Personal Data Breach Notification

Breach Response Procedure

  1. The Processor shall notify the Controller without undue delay and in any event within 72 hours after becoming aware of a Personal Data breach;
  2. The notification shall include:
    • Description of the nature of the breach
    • Categories and approximate number of Data Subjects affected
    • Categories and approximate number of Personal Data records concerned
    • Likely consequences of the breach
    • Measures taken or proposed to address the breach
  3. The Processor shall document all breaches and make this documentation available to the Controller;
  4. The Processor shall cooperate with the Controller in addressing the breach and mitigating its effects.

10. Audit and Inspection Rights

The Processor shall:

  • Make available to the Controller all information necessary to demonstrate compliance with this DPA;
  • Allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller;
  • Provide audit reports or certifications from independent third parties where available;
  • Ensure that any audit is conducted with minimal disruption to the Processor's business operations.

Note: Audits shall be conducted with reasonable notice and during regular business hours, subject to the Processor's security and confidentiality requirements.

11. Liability and Indemnification

The liability of each party under this DPA shall be subject to the limitations set out in the Service Agreement. Each party shall indemnify the other against all damages, losses, and expenses arising out of any breach by that party of the terms of this DPA.

12. Duration and Termination

This DPA shall come into effect when the Controller starts using the Services and shall continue for the duration of the Service Agreement.

Upon termination of the Service Agreement, the Processor shall, at the choice of the Controller:

  • Return all Personal Data to the Controller in a commonly used format; and/or
  • Delete all Personal Data and certify such deletion in writing

The Processor may retain Personal Data to the extent required by applicable law and only to the extent and for such period as required by applicable law.

13. General Provisions

13.1 Amendments

This DPA may only be amended with the written consent of both parties. The Processor reserves the right to update this DPA to reflect changes in law or services, with reasonable notice to the Controller.

13.2 Governing Law

This DPA shall be governed by the laws of Cyprus and the courts of Cyprus shall have exclusive jurisdiction for any disputes arising under this DPA.

13.3 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

13.4 Order of Precedence

In the event of any conflict between this DPA and the Service Agreement, this DPA shall prevail with respect to the processing of Personal Data.

14. Contact Information

Data Protection Contact

CVReady Data Protection Officer

Email: privacy@cvready.co

For any questions regarding this DPA or data processing activities, please contact our Data Protection Officer at the above email address.

Need a signed copy?

Enterprise customers can request a signed DPA by contacting our sales team.

Request Signed DPA

We use cookies to enhance your experience and analyze site usage. Learn more