This Data Processing Addendum (“DPA”) forms part of the CreamyHire Terms of Service between CreamyHire (“Processor”) and the customer entity (“Controller”) that has accepted these Terms or signed an order form. Where this DPA conflicts with the Terms, this DPA prevails for matters of personal-data processing.
1. Scope
Processor processes Personal Data on behalf of Controller solely to provide the CreamyHire service: AI scoring of candidate resumes against Controller-supplied job descriptions, candidate pipeline management, AI-drafted communications, analytics, and any Controller-enabled integrations (ATS sync, browser-extension capture, webhooks, exports).
2. Definitions
Defined terms have the meanings given in EU GDPR Article 4 and India's Digital Personal Data Protection Act 2023. “Personal Data” includes candidate names, contact details, resume content, AI-generated assessments, and recruiter notes.
3. Customer instructions
Processor processes Personal Data only on documented instructions from Controller. Acceptance of these Terms, the in-product Settings (notification preferences, integration toggles, retention controls), and the API constitute documented instructions. Processor will inform Controller if it believes an instruction infringes applicable law.
4. Sub-processors
Controller authorises Processor to engage the sub-processors listed at /sub-processors. Processor gives Controller at least 30 days' notice of any new core sub-processor and provides a documented right to object during the notice window. Processor remains liable for sub-processor compliance with this DPA.
5. Security measures
Processor implements the technical and organisational measures described at /security. These include TLS 1.2+ in transit, AES-256 at rest, role-based access control, least-privilege production access with hardware MFA, immutable audit logs, structured Sentry error capture with PII scrubbing, and a documented incident-response runbook.
6. Personal-data breach notification
Processor will notify Controller without undue delay and no later than 72 hours after becoming aware of a Personal Data breach affecting Controller's data. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and the measures taken or proposed.
7. Data subject rights
Processor will assist Controller in responding to data subject requests for access, rectification, erasure, restriction, portability, and objection. Self-service tooling is exposed in Settings → Privacy and via GET /me/data/export, POST /me/data/erasure, and the related endpoints documented in our security page. Where Controller cannot fulfil a request itself, Processor will provide reasonable assistance within five business days.
8. International transfers
Where Personal Data is transferred outside the EEA, the United Kingdom, or India, Processor relies on the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) and the UK International Data Transfer Addendum, both of which are incorporated into this DPA by reference. For Indian transfers, Processor implements equivalent contractual safeguards aligned with DPDP s.16.
9. Term and deletion
This DPA is in effect for the duration of the Terms. On termination, Processor will delete or return all Personal Data within 30 days unless retention is required by law. Backups are purged on rolling rotation per the schedule documented at /security.
10. Audit rights
Processor will, upon written request and no more than once per calendar year, make available the information necessary to demonstrate compliance with this DPA, including current SOC 2 / ISO 27001 attestations once available, the latest penetration-test summary, and Processor's security questionnaire response. On-site audits may be arranged by mutual agreement subject to confidentiality and reasonable scheduling.
11. How to execute
Email legal@creamyhire.com with your company name, the contracting entity, and (if known) any bespoke clauses you require. We'll counter-sign the standard form within two business days; for negotiated changes, plan on a one-week turnaround.