Data Processing Addendum
Last updated 28 May 2026 ยท v2026-05-28
This Data Processing Addendum ("DPA") forms part of the JobFoundry Terms of Service and applies where JobFoundry processes personal data on behalf of a Customer acting as controller (for example, employers or coaches managing seats for their users).
1. Roles
The Customer is the controller; JobFoundry is the processor for Customer Personal Data.
2. Subject matter & duration
Processing lasts for the duration of the subscription and any wind-down period (max 30 days).
3. Nature & purpose
Hosting, AI analysis, storage and retrieval of CV and career data as instructed via the service.
4. Categories of data subjects
- End users of the Customer (jobseekers / employees).
5. Categories of personal data
- Identity and contact data, employment history, skills, professional photos.
- No special-category data is required. Customers must not upload such data without a lawful basis.
6. Sub-processors
The current sub-processor list is published in the Privacy Notice. Customers will be notified at least 30 days before any addition or replacement and may object.
7. International transfers
EU Standard Contractual Clauses (Module 2 / 3) and the UK IDTA are incorporated by reference where applicable.
8. Security measures (ISO/IEC 27001 aligned)
- Encryption: TLS 1.2+ in transit, AES-256 at rest.
- Access control: SSO, MFA for staff, least privilege, role-based access.
- Network: managed cloud, private database, automated dependency scans.
- Application: row-level security on all user tables, signed-in serverFn boundary, input validation.
- Operations: audit logs for data subject requests, incident response runbook, 24h breach notification commitment.
- Backups: encrypted, 30-day rolling, restore-tested quarterly.
9. Data subject requests
We provide self-service export and erasure in-product, and assist Customer with any DSAR within 14 days.
10. Audit
Customer may request a copy of our latest security questionnaire (SIG-Lite) and penetration test summary once per year under NDA.
11. Deletion
On termination we delete or return Customer Personal Data within 30 days, excluding backups which expire on rolling 30-day cycles.