Data Processing Addendum

Effective Date: 1/1/1970

1. Introduction and Definitions

This Data Processing Addendum ("DPA") forms part of the agreement between Curriculo ("Processor," "we") and our customer ("Controller," "you") and governs the processing of Personal Data submitted to our Services.

Key terms such as "Personal Data," "Data Subject," "Processing," "Controller," and "Processor" shall have the meanings ascribed to them in the EU General Data Protection Regulation (GDPR) and Brazil's Lei Geral de Proteção de Dados (LGPD).

2. Roles and Responsibilities

The parties acknowledge that in the context of the Services, the Customer is the Data Controller, and Curriculo is the Data Processor. We will only process Personal Data on behalf of and in accordance with your documented instructions.

As the Controller, you are responsible for ensuring that you have a lawful basis for the processing of Personal Data and for the accuracy, quality, and legality of the data provided to us.

3. Scope of Data Processing

Nature and Purpose: We process Personal Data solely to provide, maintain, and improve the Services as described in our Terms and Conditions, primarily for matching candidates with employment opportunities.

Types of Personal Data and Categories of Data Subjects:

For Candidates (Data Subjects):

  • Identity & Contact Data: Includes name, email address, phone number, and location.
  • Professional Data: Includes employment history, educational background, skills, resume/CV content, and professional certifications.
  • Technical Data: Includes IP address and device identifiers as part of service interaction logs.

For Employer Representatives (Data Subjects):

  • Identity & Contact Data: Includes name, business email address, job title, and phone number.
  • Account & Billing Data: Includes user ID, account settings, and billing information.

Duration: Processing will continue for the duration of the service agreement, subject to the data retention policies outlined in our Privacy Policy.

4. Automated Decision-Making

Our Services utilize automated systems and AI algorithms to analyze data and suggest potential matches between candidates and job opportunities. This processing is a core feature designed to enhance efficiency for both parties.

We confirm that these automated processes serve as recommendations and do not result in decisions based *solely* on automated processing that produce legal or similarly significant effects on individuals. Final hiring decisions and other significant employment actions remain the responsibility of the human user (Controller).

Under GDPR and LGPD, where automated processing is involved, Data Subjects have the right to obtain human intervention, express their point of view, and contest a decision. We will provide reasonable assistance to you in fulfilling these requests.

5. Security Measures

We implement and maintain appropriate technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are detailed further in our Privacy Policy and internal security documentation.

6. Sub-processors

You acknowledge and agree that we may engage third-party sub-processors to support the delivery of our Services. We will notify you of any intended changes to our list of sub-processors via the email address associated with your account, giving you an opportunity to object.

We remain fully liable for the performance of our sub-processors and will ensure they are bound by data protection obligations no less protective than those in this DPA.

7. Data Subject Rights

We will provide you with reasonable assistance to help you respond to requests from Data Subjects seeking to exercise their rights under GDPR and LGPD (e.g., access, rectification, erasure). You are responsible for validating and responding to such requests.

8. International Data Transfers

Where the processing of Personal Data involves a transfer outside the European Economic Area (EEA) or Brazil, we will ensure such transfers are conducted in compliance with applicable data protection laws, primarily by relying on mechanisms like the Standard Contractual Clauses (SCCs).

9. Data Breach Notification

In the event of a Personal Data Breach, we will notify you without undue delay after becoming aware of it. We will provide you with sufficient information to allow you to meet your notification obligations to supervisory authorities and Data Subjects.

10. Audits and Inspections

Upon reasonable request, we shall make available to you the information necessary to demonstrate compliance with our obligations under this DPA. We will allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you, upon reasonable notice and during regular business hours, to ensure the processing of Personal Data is in accordance with this DPA.

11. Deletion or Return of Data

Upon termination of the service agreement, we shall, at your choice, delete or return all Personal Data to you. We will delete existing copies unless applicable law requires storage of the Personal Data. This is subject to our standard data retention and backup cycles as outlined in our Privacy Policy.

12. Contact

For any questions related to this DPA, please contact our legal team:

  • By email: legal@curriculo.link

© 2026 Curriculo