Data Processing Agreement

1.1 Definitions

In this Agreement:

• •"Controller": The entity that determines the purposes and means of processing personal data (you, the user)
• •"Processor": New Indigo Solutions, which processes personal data on behalf of the Controller through the CandidateHub platform
• •"Personal Data": Any information relating to an identified or identifiable natural person
• •"Processing": Any operation performed on personal data, including collection, storage, use, and deletion
• •"Data Subject": The individual whose personal data is being processed
• •"Sub-processor": Any third party engaged by New Indigo Solutions to process personal data

1.2 Data Protection Laws

This Agreement ensures compliance with applicable data protection regulations including:

• •General Data Protection Regulation (GDPR) - European Union
• •California Consumer Privacy Act (CCPA) - United States
• •Personal Information Protection and Electronic Documents Act (PIPEDA) - Canada
• •Other applicable national and regional data protection laws

2.1 Controller Responsibilities

As the data controller, you are responsible for:

• •Determining the purposes and legal basis for processing personal data
• •Ensuring you have lawful authority to share data with New Indigo Solutions
• •Providing clear privacy notices to data subjects
• •Obtaining necessary consents for data processing
• •Ensuring data accuracy and keeping information up to date
• •Responding to data subject requests within legal timeframes

2.2 Processor Obligations

As your data processor, New Indigo Solutions commits to:

• •Process personal data only according to your documented instructions
• •Implement appropriate technical and organizational security measures
• •Ensure processing personnel are bound by confidentiality obligations
• •Assist with data subject rights requests and compliance obligations
• •Delete or return personal data upon termination of services
• •Provide necessary information for compliance audits

3.1 Categories of Data Subjects

We process personal data of the following categories of data subjects:

• •Individual users of the CandidateHub platform
• •Job seekers and career professionals
• •Contacts and references provided by users
• •Website visitors and prospective users

3.2 Categories of Personal Data

The types of personal data we process include:

• •Identity Information: Name, title, photograph
• •Contact Details: Email address, phone number, postal address
• •Professional Information: Work experience, education, skills, achievements
• •Career Data: Job preferences, salary expectations, career objectives
• •Technical Data: IP address, browser type, device information
• •Usage Data: Platform interactions, feature usage, preferences
• •Communication Data: Messages, support requests, feedback

3.3 Processing Purposes

Personal data is processed for the following purposes:

• •Provision of AI-powered profile generation and optimization services
• •Job description analysis and career matching
• •CV/resume and cover letter creation
• •Professional profile hosting and sharing
• •Platform security and fraud prevention
• •Customer support and communication
• •Service improvement and development
• •Compliance with legal obligations

4.1 Individual Rights

Data subjects have the following rights regarding their personal data:

• •Right of Access: Obtain confirmation of processing and copies of personal data
• •Right to Rectification: Correct inaccurate or incomplete personal data
• •Right to Erasure: Request deletion of personal data in certain circumstances
• •Right to Restrict Processing: Limit how personal data is processed
• •Right to Data Portability: Receive personal data in a machine-readable format
• •Right to Object: Object to processing based on legitimate interests
• •Rights Related to Automated Processing: Rights regarding automated decision-making

4.2 Facilitating Rights Requests

New Indigo Solutions will assist in facilitating data subject rights by:

• •Providing technical capabilities for data access and portability
• •Implementing data deletion and restriction functionalities
• •Notifying you promptly of any direct data subject requests
• •Providing information necessary to respond to requests
• •Cooperating in investigations and compliance activities

5.1 Technical Safeguards

We implement comprehensive technical security measures:

• •Encryption: Data encryption in transit and at rest using industry standards
• •Access Controls: Multi-factor authentication and role-based access
• •Network Security: Firewalls, intrusion detection, and secure protocols
• •Data Backup: Secure, encrypted backup systems with regular testing
• •Monitoring: Continuous security monitoring and threat detection

5.2 Organizational Measures

Our organizational security practices include:

• •Staff Training: Regular data protection and security awareness training
• •Access Management: Principle of least privilege and regular access reviews
• •Incident Response: Documented procedures for security incident handling
• •Vendor Management: Due diligence and contractual protections for sub-processors
• •Policy Framework: Comprehensive data protection and security policies

6.1 Transfer Mechanisms

When personal data is transferred internationally, we ensure adequate protection through:

• •Adequacy Decisions: Transfers to countries with adequate protection levels
• •Standard Contractual Clauses: EU Commission approved transfer mechanisms
• •Binding Corporate Rules: Internal data transfer frameworks where applicable
• •Certification Schemes: Recognized privacy certification programs

6.2 Transfer Locations

Personal data may be processed in the following locations:

• •European Union (primary data processing)
• •United States (cloud infrastructure and AI processing)
• •Other jurisdictions as necessary for service provision with appropriate safeguards

7.1 Authorized Sub-processors

We engage the following sub-processors:

• •Google (Gemini AI): AI content generation and analysis - United States
• •Supabase: Database hosting and user authentication - United States
• •Vercel: Frontend application hosting - United States
• •Render: Backend API hosting - United States
• •Polar: Subscription billing and payment processing - United States

7.2 Sub-processor Management

All sub-processors are required to:

• •Provide equivalent data protection guarantees
• •Enter into written agreements with appropriate data protection clauses
• •Undergo due diligence assessment before engagement
• •Submit to regular compliance monitoring
• •Notify us of any changes to their processing activities

8.1 Retention Periods

Personal data is retained according to the following schedule:

• •Active Account Data: Retained while account remains active
• •Profile Information: Until account deletion or withdrawal of consent
• •Usage Analytics: Aggregated and anonymized after 2 years
• •Support Communications: Retained for 3 years for service improvement
• •Legal Compliance: Retained as required by applicable laws

8.2 Secure Deletion

Upon expiration of retention periods or termination of services, we ensure:

• •Secure deletion of personal data from active systems
• •Removal from backup systems according to standard cycles
• •Destruction of physical media containing personal data
• •Certification of deletion upon request where feasible

9.1 Incident Detection

We maintain systems to promptly detect potential data breaches through:

• •Automated monitoring and alerting systems
• •Regular security assessments and penetration testing
• •Staff training on incident identification
• •Third-party security monitoring services

9.2 Breach Notification

In the event of a personal data breach, we commit to:

• •Notify you within 24 hours of becoming aware of the breach
• •Provide detailed information about the nature and scope of the breach
• •Describe measures taken to address the breach and prevent recurrence
• •Assist with any required notifications to supervisory authorities
• •Support communications to affected data subjects where required

10.1 Compliance Monitoring

We maintain ongoing compliance through:

• •Regular internal audits of data processing activities
• •Data protection impact assessments for new processing
• •Compliance training and awareness programs
• •Monitoring of regulatory developments and requirements

10.2 Audit Rights

You have the right to:

• •Request information about our data processing activities
• •Conduct audits of our data protection compliance (with reasonable notice)
• •Request evidence of security measures and certifications
• •Review sub-processor agreements and compliance records

11.1 Termination Events

This Agreement terminates upon:

• •Expiration or termination of our Terms of Service
• •Account deletion by the user
• •Cessation of services by New Indigo Solutions
• •Mutual agreement between parties

11.2 Data Handling Upon Termination

Upon termination, we will:

• •Cease all processing of personal data except as required by law
• •Return or securely delete personal data as instructed
• •Provide confirmation of data deletion upon request
• •Maintain confidentiality obligations beyond termination

12.1 Liability Allocation

Each party is liable for damages caused by their breach of data protection laws, with liability determined according to:

• •The nature of the processing and breach
• •The extent of damage caused
• •Whether the breach was due to controller or processor actions
• •Applicable legal frameworks and limitations

12.2 Mutual Cooperation

Both parties agree to cooperate in:

• •Defending against data protection claims
• •Responding to regulatory investigations
• •Minimizing potential damages and regulatory penalties
• •Sharing relevant information for compliance purposes

This Data Processing Agreement may be updated to reflect:

• •Changes in applicable data protection laws
• •Updates to our data processing activities
• •Improvements to security measures
• •Changes in sub-processor arrangements

Material changes will be communicated with appropriate notice period.