Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of, and is incorporated into, the agreement between VUMY Technologies ("Processor") and the customer ("Controller") for the use of vumyo and its constituent products. Capitalized terms not defined here have the meanings given in the GDPR or the underlying services agreement.

1. Subject matter and purpose

Processor processes Personal Data on behalf of Controller solely to provide the vumyo services — applicant tracking, scheduling, e-signature, identity verification, CRM, supplier coordination, and the AI workspace assistant — and for no other purpose.

2. Categories of data subjects and personal data

• Data subjects: Controller's employees, candidates who apply through the platform, contacts in Controller's CRM, suppliers, and authorized end-users.
• Categories of personal data: identifiers (name, email, phone), application history, resume contents, interview schedules, signed documents and audit trails, identity verification artifacts, communication metadata.

3. Sub-processors

Processor maintains a public list of sub-processors at /subprocessors with a machine-readable feed (/subprocessors.json, /subprocessors.xml). Controller is notified of additions or material changes via the RSS feed; Controller may object to a new sub-processor within 30 days.

4. Confidentiality

Processor ensures personnel authorized to process Personal Data are bound by confidentiality obligations no less protective than those in this DPA.

5. Security measures

Technical and organizational measures are documented at /security. Highlights: TLS 1.3 in transit, encryption at rest, PostgreSQL Row-Level Security for tenant isolation, OCSP-checked certificates on signatures, audit logging on every workspace mutation, field-level encryption for PII.

6. International transfers

Where Personal Data is transferred outside the EEA, Processor relies on the Standard Contractual Clauses (Module Two — Controller to Processor) approved by Commission Implementing Decision (EU) 2021/914. The current data residency is documented per-region; the default region is us-east-1.

7. Data subject rights

Processor assists Controller in fulfilling data subject access, rectification, erasure, restriction, and portability requests. End-users can also exercise these rights directly via /self/privacy on the product site.

8. Personal data breach notification

Processor notifies Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Controller's data, providing the information specified in GDPR Article 33(3).

9. Audits

Controller may audit Processor's compliance with this DPA on reasonable notice once per year, via written request and through the Processor's documented audit channel. Pre-existing certifications (SOC2 Type II, when issued) satisfy the audit obligation.

10. Deletion or return of data

On termination, Processor deletes or returns Personal Data within 90 days, except where retention is required by law. Identity verification artifacts are purged per the workspace's configured retention window.

11. Negotiated DPA

Customers requiring a negotiated DPA may contact VUMY Technologies. The public template above is the default; the negotiated template incorporates customer-specific addenda and counter-signatures.