Data Processing Agreement (DPA)
Reviewed by counsel pre-launch — final review pending. This document was drafted from a Termly template and customised by the CAREER iNTEL team. Formal counsel review is scheduled post-first-revenue (D-16). Material questions can be directed to [email protected].
Effective: 2026-05-20 · Last updated: 2026-05-20
This DPA forms part of our Terms of Service and governs the processing of personal data on behalf of customers ("Controller") by CAREER iNTEL ("Processor").
1. Definitions
- Controller — the customer (you).
- Processor — CAREER iNTEL.
- Sub-processor — a third party listed in our Sub-processors page.
- Personal Data — data relating to an identified or identifiable natural person, as defined in GDPR Article 4.
- Processing — any operation performed on Personal Data.
2. Scope + roles
This is a B2B Data Processing Addendum covering our CCPA/CPRA service-provider obligations (as applicable to US customers) and the GDPR Article 28 controller-processor relationship (for our EU/UK customers). It applies as follows:
- US (CCPA/CPRA): CAREER iNTEL acts as a service provider. We process Personal Information only to perform the service for the customer (the "business"), do not sell or share it, do not retain/use/disclose it outside the direct business relationship or for any purpose other than the services, and do not combine it with personal information from other sources except as the CCPA permits.
- EU/UK (GDPR Art. 28): The Controller determines the purposes and means of processing; the Processor processes Personal Data only on documented instructions from the Controller.
For B2C usage where the natural person is the Controller (most cases), this DPA documents how we process your data on your behalf.
3. Documented instructions
Our standing instruction is the Privacy Policy plus the consent flags you maintain in Settings → Data & Privacy. You may issue additional instructions by emailing [email protected].
4. Sub-processors
We use the sub-processors listed at /legal/sub-processors. You authorise our engagement of these sub-processors by accepting this DPA.
We will provide you 30 days' notice of new sub-processors (via email + in-app banner). You may terminate the service for cause if you object to a new sub-processor we will not remove.
Every sub-processor is bound by a written agreement that imposes data-protection obligations no less protective than this DPA.
5. Security measures (Annex II to GDPR Art. 28(3)(c))
| Control | Implementation |
|---|---|
| Encryption at rest | PostgreSQL TDE + OpenBao envelope encryption per ADR-003 |
| Encryption in transit | TLS 1.3 (Let's Encrypt + Cloudflare) |
| Access control | Better Auth + WebAuthn 2FA for staff; Cloudflare Access on /admin |
| Tenant isolation | PostgreSQL Row-Level Security with withUserContext() wrapper |
| Backup | pgBackRest with 30-day retention; restore drill within last 14 days |
| Audit logging | staff_access_audit + AIUsageLog tables; 6-year retention |
| Vulnerability management | SBOM + Trivy + Grype + OSV-Scanner on every CI build |
| Incident response | 72-hour breach SLA per GDPR Art. 33; runbook at ops/runbooks/breach-notification.md |
| Pen test | Annual lite scope (HackerOne / Cobalt); reports available under NDA |
| Bias eval | 200-profile quarterly cadence (SAFE-06) |
6. Personnel + confidentiality
Personnel with access to Personal Data are:
- Subject to confidentiality obligations
- Granted least-privilege access (Casbin RBAC)
- Trained on data-protection requirements
Staff access to user-scoped Personal Data is logged in staff_access_audit with the reason, timestamp and record-id of each access. This log is available to you on SAR request.
7. Sub-processor list incorporated by reference
See /legal/sub-processors. The table includes purpose, data categories, region, and transfer mechanism for each sub-processor.
8. International transfers (SCC 2021)
Where Personal Data is transferred outside the EEA, we apply the 2021 Standard Contractual Clauses (Module 2 — Controller to Processor). Specifically:
- US sub-processors: Stripe, OpenRouter (downstream Anthropic + Meta + Mistral), Sentry, Cloudflare → SCCs in place
- UK sub-processors: covered by UK GDPR + UK IDTA
- All other regions: SCCs or adequacy decision
9. Audit rights
You may audit our compliance with this DPA once per calendar year, on 30 days' written notice, during business hours, at your cost. Audit findings are confidential.
We will provide audit-substitute artifacts at lower cost:
- SOC 2 Type I report (month 9 post-launch)
- SOC 2 Type II report (month 18 post-launch)
- Sub-processor audit reports as available
10. Breach notification (GDPR Art. 33)
In the event of a Personal Data breach, we will notify you without undue delay and in any event within 72 hours of becoming aware. The notification will include:
- Nature of the breach (categories + approximate number of records)
- Likely consequences
- Measures taken or proposed to address the breach
- Contact: [email protected]
Internal procedure: ops/runbooks/breach-notification.md. Monthly tabletop drill calendared.
11. Data subject requests
You shall promptly notify us of any data subject request you receive that pertains to Personal Data we process on your behalf. We will assist you in responding via our SAR + delete tooling in Settings → Data & Privacy.
12. Return + deletion at termination
Upon termination of your account:
- Soft delete: your data is retained for 30 days, during which you may cancel the deletion.
- Hard delete: cryptographic shredding via OpenBao Transit DEK deletion per ADR-003 + ADR-004.
- Backups: tombstoned with +90-day expiry; encrypted records become permanently unreadable when the DEK is shredded.
- Proof artifact: SHA-256 hash of (table counts + deletion timestamp) returned to you.
13. Duration
This DPA is effective for the duration of your account + the survival period of obligations relating to data deletion (90 days post-account-deletion).
14. NDPR Nigeria addendum
For Nigerian data subjects, see our NDPR Addendum (anchor #ndpr). NDPR-specific clauses do not override the GDPR clauses above where the user is also covered by GDPR; the stricter standard prevails.
<a id="ndpr"></a>
NDPR-specific clauses
Local DPO: Currently deferred. Updates published at /trust/dpo when appointed.
NDPC complaints: Nigerian data subjects may lodge complaints with the Nigeria Data Protection Commission (https://ndpc.gov.ng).
Cross-border transfer: Personal data is stored in the United States (Hetzner, Ashburn, VA) and processed by US (and, for Brevo/Mistral, EU) sub-processors. NDPR Section 41 permits cross-border transfer with adequate safeguards; we maintain the EU-US Data Privacy Framework, the 2021 Standard Contractual Clauses, and sub-processor agreements as the safeguard mechanisms.
15. Contact + signatures
For DPA execution (B2B customers requiring counter-signed DPA): email [email protected]. We will provide a counter-signed PDF.
For B2C users, accepting our Terms of Service constitutes acceptance of this DPA.