Data Processing Agreement — Ceevee Recruitment Platform
Last updated: April 27, 2026
This Data Processing Agreement ("DPA") is entered into by and between the organization that registers for and uses the Ceevee platform ("Data Controller", "Employer", "you") and Correct Context sp. z o.o. ("Data Processor", "Ceevee", "we", "us"), in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
By creating an account on Ceevee and using the Service, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement. This DPA is legally binding from the moment of account registration.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed through the Service.
- "Candidate Data" means personal data of job applicants uploaded to or collected through the Platform, including CVs, assessment results, and application data.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, erasure, or destruction.
- "Sub-processor" means any third party engaged by the Data Processor to process Candidate Data.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Service" means the Ceevee platform and all related tools and features.
2. Scope and Purpose
This DPA applies to the processing of Candidate Data by the Data Processor on behalf of the Data Controller through the Service. The processing covers:
- Subject matter: Recruitment management and candidate evaluation services
- Duration: For the term of the Data Controller's use of the Service, plus the data deletion period specified in Section 10
- Nature of processing: Storage, retrieval, organization, AI-powered analysis, assessment generation, and communication facilitation
- Types of data: Candidate names, contact information, CVs, work history, education, skills, assessment results, personality profiles, and application data
- Categories of data subjects: Job applicants and candidates whose data is uploaded or collected by the Data Controller
3. Data Controller's Obligations
The Data Controller warrants and agrees that:
- It has a valid legal basis under GDPR (e.g., Art. 6(1)(b) or Art. 6(1)(f)) for all Candidate Data processed through the Service
- It has provided adequate privacy notices to candidates, including disclosure of AI-based processing and the identity of Ceevee as a data processor
- It will respond to data subject requests (access, rectification, erasure, restriction, portability, objection) within the timeframes mandated by GDPR
- It will not upload special category data (Art. 9 GDPR) without explicit candidate consent and a valid legal basis
- It will conduct a Data Protection Impact Assessment (DPIA) where required, particularly for large-scale processing or AI-based profiling
- It will comply with all applicable data protection, employment, and anti-discrimination laws when using the Service
- It will apply human review and oversight to all AI-generated outputs before making hiring decisions
- Its instructions to the Data Processor will not cause the Data Processor to violate GDPR or any other applicable data protection law
4. Data Processor's Obligations
The Data Processor agrees to:
- Process Candidate Data only on the Data Controller's documented instructions, unless required by EU or Polish law (in which case, the Data Processor will inform the Data Controller before processing, unless prohibited by law)
- Ensure that all personnel authorized to process Candidate Data are bound by statutory or contractual confidentiality obligations
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Art. 32 GDPR), including:
  - Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  - Row-level security (RLS) policies isolating data between organizations
  - bcrypt password hashing
  - Multi-factor authentication for production system access
  - Audit logging of security-relevant events
  - Regular security patching and dependency updates
- Engage sub-processors only with prior notification and appropriate data processing agreements (see Section 6)
- Not share Candidate Data between different Data Controller organizations on the Platform
- Not use Candidate Data for any purpose other than providing the Service, including marketing, analytics, or AI model training
- Assist the Data Controller in fulfilling obligations regarding data subject requests, DPIA, breach notification, and security measures (Art. 28(3)(e)-(f))
5. Data Breach Notification
In accordance with Art. 33(2) GDPR:
- The Data Processor will notify the Data Controller without undue delay and in any event within 48 hours of becoming aware of a Data Breach affecting Candidate Data
- The notification will include:
  - The nature of the breach, including categories and approximate number of data subjects affected
  - The name and contact details of the Data Processor's contact point
  - A description of the likely consequences of the breach
  - A description of measures taken or proposed to address the breach and mitigate its effects
- The Data Controller is responsible for notifying the supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects (Art. 33(1)), and for notifying affected data subjects where required (Art. 34)
6. Sub-processors
The Data Controller provides general authorization for the Data Processor to engage the following sub-processors:
- Supabase, Inc. (US/EU) — Database hosting, authentication, and file storage
- Vercel, Inc. (US/EU) — Application hosting and content delivery network
- Anthropic, PBC (US) — AI processing for CV scanning and assessment generation
- Resend, Inc. (US) — Transactional email delivery
The Data Processor will:
- Ensure each sub-processor is bound by data processing obligations no less protective than those in this DPA
- Notify the Data Controller of any intended additions or replacements of sub-processors, giving reasonable opportunity to object
- Remain fully liable to the Data Controller for the acts and omissions of its sub-processors
7. International Data Transfers
Where Candidate Data is transferred outside the European Economic Area (EEA), the Data Processor ensures adequate protection through:
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914)
- The EU-US Data Privacy Framework, for US sub-processors certified under it
- Data processing agreements with all sub-processors that include GDPR-compliant transfer provisions
The Data Controller may request copies of the relevant transfer mechanisms.
8. Audits and Inspections
The Data Processor will:
- Make available to the Data Controller all information necessary to demonstrate compliance with Art. 28 GDPR obligations
- Allow for and contribute to audits and inspections conducted by the Data Controller or an authorized auditor, subject to reasonable advance notice (at least 30 days) and confidentiality obligations
- Immediately inform the Data Controller if, in its opinion, an instruction from the Data Controller infringes GDPR or other data protection provisions
9. Assistance to the Data Controller
The Data Processor will assist the Data Controller with:
- Data subject requests: Forwarding requests received directly from candidates and providing tools to fulfill access, rectification, erasure, and portability requests
- Data protection impact assessments and prior consultations with supervisory authorities (Art. 35-36 GDPR)
- Security measures: Providing information about the technical and organizational measures implemented
- Breach notification: Providing all information needed by the Data Controller to comply with Articles 33 and 34 GDPR
10. Data Deletion and Return
Upon termination of the Service agreement:
- The Data Processor will delete all Candidate Data within 30 days of account termination, unless retention is required by EU or Polish law
- Upon request before termination, the Data Processor will provide a data export in a structured, commonly used, machine-readable format
- Backup copies will be purged within 90 days of deletion from primary storage
- The Data Processor will provide written confirmation of deletion upon the Data Controller's request
11. Liability and Indemnification
- Each party is liable for damages caused by processing that infringes GDPR, in accordance with Art. 82 GDPR
- The Data Controller will indemnify and hold harmless the Data Processor from claims arising from the Data Controller's violation of GDPR, failure to obtain lawful basis, inadequate privacy notices, or unlawful instructions
- The Data Processor will indemnify and hold harmless the Data Controller from claims arising from the Data Processor's failure to comply with its obligations under this DPA or GDPR
12. Term and Termination
- This DPA enters into force upon the Data Controller's registration for the Service and remains in effect for the duration of data processing
- This DPA terminates automatically upon deletion of all Candidate Data following account termination
- Obligations under Sections 5, 10, and 11 survive termination of this DPA
13. Governing Law
This DPA is governed by the laws of the Republic of Poland. Any disputes shall be subject to the exclusive jurisdiction of the courts in Bydgoszcz, Poland. For consumers in the EU, mandatory consumer protection provisions of their country of residence may also apply.
14. Contact
For questions about this DPA or to request a custom agreement:
- Email: duke.vu@correctcontext.com
- Address: Correct Context sp. z o.o., ul. Joachima Lelewela 27, 85-652 Bydgoszcz, Poland