Applicability
This Data Processing Addendum (“DPA”) supplements the Terms of Service between you (“Customer”) and getremotejobs (“we,” “us,” or “Processor”). It applies when Customer's use of the Service involves Processor processing personal data on Customer's behalf that is subject to the EU General Data Protection Regulation (“GDPR”), the UK GDPR, or the Swiss FADP.
In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of personal data.
Roles of the parties
Customer is the “controller” of the personal data it uploads or otherwise provides through the Service. getremotejobs is the “processor,” processing personal data on Customer's documented instructions.
For candidates and job seekers who create their own accounts, we act as a controller in our direct relationship with them. That relationship is governed by our Privacy Policy, not this DPA.
Scope of processing
The scope of processing under this DPA is as follows:
- Subject matter: provision of the Service.
- Duration: the term of the Terms of Service, plus any post-termination retention period required to return or delete Customer data.
- Nature and purpose: candidate relationship management, pipeline management, outreach facilitation, and analytics necessary to operate the Service.
- Categories of personal data: names, contact information, employment history, skills, resume content, notes and status updates entered by Customer, and usage metadata.
- Categories of data subjects: Customer's candidates, prospects, employees, and other individuals with whom Customer has a recruiting relationship.
Subprocessors
Customer authorizes getremotejobs to engage subprocessors for the provision of the Service. We maintain a current list of our subprocessors at /trust and will notify Customer of material changes at least 30 days in advance by updating that page. Customer may object to a new subprocessor in writing within 30 days of notice, in which case the parties will work in good faith to resolve the objection or terminate the affected service.
We remain responsible for each subprocessor's compliance with obligations equivalent to those in this DPA, and we impose those obligations by written contract.
International transfers
To the extent that personal data is transferred from the EEA, United Kingdom, or Switzerland to a country that the European Commission (or the corresponding authority) has not determined to provide an adequate level of protection, the transfer will be made under the Standard Contractual Clauses (Module 2, Controller-to-Processor) as approved by Commission Implementing Decision (EU) 2021/914, incorporated here by reference. Module Three applies to onward transfers to our subprocessors. The UK International Data Transfer Addendum issued by the ICO applies to transfers from the UK.
Security measures
We implement appropriate technical and organizational measures:
- Encryption of personal data in transit (TLS 1.2+) and at rest.
- Least-privilege access controls, with row-level security at the database layer and multi-factor authentication required for administrative access.
- Regular backups, tested restore procedures, and documented incident response playbooks.
- Secure software development practices, including code review, dependency auditing, and static analysis.
- Ongoing security training for employees with access to production systems.
Full details are available under NDA at /trust.
Data subject requests
Where Customer is the controller, Customer is responsible for responding to requests from data subjects to exercise their rights. We will assist Customer, to the extent practicable, by appropriate technical and organizational measures, in fulfilling its obligations to respond to such requests. Our self-service export and deletion features are the first-line tools for fulfilling these requests.
Breach notification
We will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer's personal data. Notifications will include, to the extent known at the time, the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed.
Audits
Upon reasonable written request and with reasonable advance notice, we will make available to Customer the information necessary to demonstrate compliance with this DPA. For enterprise-tier customers, we support independent audits no more than once per year, conducted in a manner that does not disproportionately disrupt our operations. We also make our most recent SOC 2 Type II report available under NDA.
Return or deletion
Upon termination of the Service, we will, at Customer's choice, delete or return all personal data processed on Customer's behalf, unless retention is required by applicable law. Deletion from live systems occurs within 30 days; deletion from backup media follows the applicable backup cycle and is completed no later than 90 days after termination.
How to execute this DPA
Enterprise customers can request a signed counterpart of this DPA, incorporating the Standard Contractual Clauses, by emailing [email protected]. For all other customers, acceptance of the Terms of Service constitutes acceptance of this DPA where applicable.