Effective 2026-06-01 · Applies to: EU · Moldova · Ukraine · USA
Data Processing Agreement
Controller: [CLIENT NAME] × Processor: HRGuru SRL
STANDALONE CONTRACT — Execute before any candidate CVs are uploaded
MUST BE EXECUTED BEFORE: any B2B client uploads candidate CVs or receives applications through HRGuru. GDPR Art. 28 requires a DPA before any processing.
Last updated: 2026-06-01 · Version 2.0 · For questions: privacy@hrguru.io
Ensure authorised personnel are under confidentiality obligations
Implement technical and organisational security measures (Section 3)
Respect conditions for engaging sub-processors (Section 4)
Assist Controller in fulfilling data subject rights requests
Delete or return all personal data upon termination per Controller's choice
Provide information necessary to demonstrate compliance; allow audits
Notify Controller without undue delay (within 72 hours) of a personal data breach
Notify Controller before implementing instructions that would violate data protection law
If HRGuru determines that a Controller instruction infringes applicable data protection law, HRGuru will promptly notify Controller in writing and may suspend processing of the relevant instruction until it is amended, withdrawn, or confirmed with appropriate justification. HRGuru shall not be liable for compliance failures that result from following Controller's documented instructions where HRGuru has notified Controller of the concern.
1a. Liability Allocation and Sub-processor Incidents
The Parties agree on the following liability allocation in connection with data processing under this Agreement:
Controller liability: Controller is solely responsible for ensuring it has a valid lawful basis to transfer candidate personal data to HRGuru for processing. HRGuru shall not be liable for Controller’s failure to establish lawful basis, obtain required consents, or comply with applicable data protection law as Controller;
Sub-processor incidents: HRGuru’s liability for personal data breaches or incidents caused by sub-processors (including OpenAI, Vercel, Resend, Upstash) is limited to: (i) reasonable efforts to enforce contractual protections with sub-processors; (ii) assisting Controller in required notifications to data subjects and supervisory authorities; and (iii) taking reasonable remediation steps. HRGuru is not liable for damages arising from sub-processor security incidents that occur despite HRGuru maintaining contractual protections with such sub-processors;
Aggregate cap: HRGuru’s total liability to Controller under this DPA, whether in contract, tort (including negligence), or otherwise, shall not exceed the total fees paid by Controller to HRGuru in the 12 months preceding the event giving rise to the claim. This cap applies separately to each distinct incident;
Nothing in this section limits liability for: wilful misconduct, gross negligence, fraud, or any liability that cannot be excluded by applicable law including under GDPR Article 82.
Special categories: HRGuru does NOT intentionally process Art. 9 special category data. CV text may incidentally reveal such data. Controller is responsible for ensuring appropriate basis exists if special category data is submitted.
3. Security Measures (Art. 32 GDPR)
Measure: Implementation
Encryption in transit: TLS 1.3 for all data transmission
Encryption at rest: AES-256 (Supabase — EU Frankfurt infrastructure)
Access control: Role-based access; Row-Level Security; all access logged
Data minimisation: AI processes minimum necessary text; metadata separate
Pseudonymisation: Candidate IDs used in AI processing logs; names not stored in AI audit logs
Deletion completed within 30 days; written confirmation provided
CV files deleted from storage; AI scores anonymised (aggregate data retained)
Backup data purged within 30 days of primary deletion
6. Bias Audit Cooperation (US / NYC LL 144)
If Controller uses HRGuru to evaluate candidates in New York City or other US jurisdictions requiring automated decision tool audits:
HRGuru will cooperate with Controller's independent third-party bias auditor
HRGuru will provide anonymised, aggregated scoring data to the auditor upon written request
HRGuru will not obstruct or delay legitimate bias audit activities
Cooperation is subject to confidentiality obligations on the auditor's part (NDA required)
NYC LL 144: Controller (the employer) bears primary compliance obligations. HRGuru's cooperation obligation makes it possible for Controller to satisfy audit requirements.
7. Jurisdiction-Specific Provisions
7.1 California — CCPA Data Processing Addendum
HRGuru is a 'service provider' under CCPA, not a third party
HRGuru will not: sell or share personal information; use it for any purpose other than providing services; combine Controller's data with other data sources for cross-context advertising
HRGuru will assist Controller in responding to CCPA consumer rights requests
Retain data only as long as necessary to provide services or as required by law
7.2 Moldova (Law 195/2024, effective August 2026)
Processing is permitted as EU Frankfurt provides adequate protection under Moldovan law
Data subject rights (access, erasure, portability) supported via platform tools
Controller confirms CNPDCP notification obligations met for high-risk processing if applicable
7.3 Ukraine (Law 2297-VI)
Candidate consent basis: Controller confirms valid consent obtained at point of CV submission
Cross-border transfer to EU Frankfurt: permitted — EU regarded as adequate jurisdiction
Data subject rights requests to be addressed within 30 days per Ukrainian law
8. Standard Contractual Clauses
EU Commission SCCs (Module 2: Controller to Processor, Decision 2021/914) are incorporated by reference for EEA-originating data. In case of conflict, SCCs take precedence over this DPA.
9. Audit Rights
Controller may audit compliance once per 12-month period (except post-breach)
30 days written notice required
During business hours; reasonable access only
HRGuru may satisfy audit requirements by providing current third-party security certifications
Audit costs borne by Controller, unless material non-compliance is found
10. Termination and Deletion
Upon termination of the Service Agreement:
HRGuru will delete or return all personal data within 30 days of termination
Controller may choose return (CSV export) or deletion
Deletion certified in writing by HRGuru upon completion
Aggregate anonymised analytics data may be retained by HRGuru post-deletion