Data Processing Addendum (DPA)

1. Roles and Scope

(a) Customer is the controller (or equivalent term), HyreSure is the processor (or equivalent). This DPA governs HyreSure’s processing of Personal Data on behalf of Customer while providing the Services.

(b) If HyreSure processes Personal Data as a controller (e.g., website analytics, billing), such processing is outside this DPA and governed by HyreSure’s Privacy Policy.

2. Processing Instructions

HyreSure shall process Personal Data only on documented instructions from Customer as set out in the Agreement, this DPA, and Customer’s in-product configurations. HyreSure shall immediately inform Customer if, in its opinion, an instruction infringes applicable law.

3. Nature, Purpose, and Categories of Data

Nature/Purpose: Provide and support the Services (e.g., JD creation, resume parsing/matching, “Kundli” digital-footprint analytics, assessments, AI interviews), security, availability, and support.

Data Subjects: Customer’s representatives, users, candidates, job applicants.

Categories: Identification and contact data; employment/education data; resume/CV content; interview media/transcripts; assessment responses; product telemetry; limited billing metadata. Sensitive data is not required but may be processed if Customer provides it (Customer remains responsible for lawful collection and instructions).

4. Confidentiality

HyreSure ensures persons authorized to process Personal Data are under confidentiality obligations and receive appropriate data protection training.

5. Security

HyreSure implements appropriate technical and organizational measures, including encryption in transit/at rest, access controls, least privilege, logging/monitoring, vulnerability management, and incident response. Upon request, HyreSure will provide summaries of independent assessments (e.g., SOC 2) and relevant policies.

6. Subprocessors

Customer authorizes HyreSure to engage subprocessors for hosting, storage, analytics, communications, AI inference, transcription, TTS, and video/voice, subject to written agreements imposing data protection obligations no less protective than this DPA.

HyreSure maintains a current list at: /subprocessors and will notify Customer of material changes, allowing reasonable objection where legally required.

7. Assistance

Taking into account the nature of processing, HyreSure will assist Customer with data subject requests, security of processing, breach notifications, DPIAs, and consultations with regulators as required by applicable law.

8. Personal Data Breach

HyreSure will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data, and will provide information reasonably available to assist Customer’s obligations.

9. Return and Deletion

Upon termination or expiry of the Agreement, HyreSure will, at Customer’s choice, delete or return Personal Data and delete existing copies within 90 days, unless retention is required by law or backup constraints necessitate delayed overwriting (in which case data will be isolated from further processing).

10. International Transfers

Transfers will be made under valid mechanisms, including the EU Standard Contractual Clauses (SCCs) and the UK IDTA/Addendum, with supplementary measures as needed. For India, transfers comply with DPDP and any notified restrictions.

11. Audits

Upon reasonable written request, HyreSure will make available information necessary to demonstrate compliance and allow Customer (or an independent auditor) to conduct audits no more than annually, subject to reasonable notice, confidentiality, and minimization to avoid disruption and protect other customers’ data.

12. Liability and Priority

Liability and limitations follow the Agreement. If there is a conflict, this DPA prevails over the Agreement to the extent of the conflict regarding data protection.