Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of, and is incorporated into, the agreement between VUMY Technologies ("Processor") and the customer ("Controller") for the use of vumyo and its constituent products. Capitalized terms not defined here have the meanings given in the GDPR or the underlying services agreement.
1. Subject matter and purpose
Processor processes Personal Data on behalf of Controller solely to provide the vumyo services — applicant tracking, scheduling, e-signature, identity verification, CRM, supplier coordination, and the AI workspace assistant — and for no other purpose.
2. Categories of data subjects and personal data
- Data subjects: Controller's employees, candidates who apply through the platform, contacts in Controller's CRM, suppliers, and authorized end-users.
- Categories of personal data: identifiers (name, email, phone), application history, resume contents, interview schedules, signed documents and audit trails, identity verification artifacts, communication metadata.
3. Sub-processors
Processor maintains a current list of sub-processors. The list is provided to Controller on request and is updated when material changes occur. Controller is notified in advance of new sub-processors and may object within thirty days of notice.
4. Confidentiality
Processor ensures personnel authorized to process Personal Data are bound by confidentiality obligations no less protective than those in this DPA.
5. Security measures
Technical and organizational measures are documented in the security overview. Summary: industry-standard transport encryption, managed encryption at rest, tenant isolation enforced at the data layer, real-time certificate validation on electronic signatures, comprehensive audit logging on workspace activity, and additional field-level encryption applied to personally identifiable information.
6. International transfers
Where Personal Data is transferred outside the EEA, Processor relies on the Standard Contractual Clauses (Module Two — Controller to Processor) approved by Commission Implementing Decision (EU) 2021/914. The current data residency is documented per-region; the default region is us-east-1.
7. Data subject rights
Processor assists Controller in fulfilling data subject access, rectification, erasure, restriction, and portability requests. End-users can also exercise these rights directly via /self/privacy on the product site.
8. Personal data breach notification
Processor notifies Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Controller's data, providing the information specified in GDPR Article 33(3).
9. Audits
Controller may audit Processor's compliance with this DPA on reasonable notice once per year, via written request and through the Processor's documented audit channel. Pre-existing certifications (SOC2 Type II, when issued) satisfy the audit obligation.
10. Deletion or return of data
On termination, Processor deletes or returns Personal Data within 90 days, except where retention is required by law. Identity verification artifacts are purged per the workspace's configured retention window.
11. Negotiated DPA
Customers requiring a negotiated DPA may contact VUMY Technologies. The public template above is the default; the negotiated template incorporates customer-specific addenda and counter-signatures.