Data Processing Agreement

Last updated: June 16, 2026

This Data Processing Agreement ("DPA") is incorporated by reference into the Resume Bestie Terms of Service between Resume Bestie ("Processor") and the customer entity ("Controller") and applies whenever Resume Bestie processes Personal Data on behalf of the Controller in connection with the Service.

1. Definitions

Terms not defined here have the meanings given in the EU GDPR / UK GDPR. "Personal Data" means any information relating to an identified or identifiable natural person processed by Resume Bestie on behalf of the Controller.

2. Subject Matter, Duration, Nature & Purpose

The subject matter is the provision of AI-assisted resume, cover letter, ATS scoring and interview-prep features. Duration matches the Controller's subscription term plus any agreed deletion period. Nature: hosting, storing, transforming, transmitting, and applying machine-learning models to Personal Data. Purpose: enabling the Controller and its authorized end users to use the Service.

3. Types of Personal Data & Categories of Data Subjects

  • Types: identification (name, email), professional history (work, education, skills, certifications), contact details, authored Content, AI prompts and outputs, payment metadata (handled by Stripe), usage logs, IP and device data.
  • Data subjects: the Controller's end users, employees, candidates, or other individuals whose data the Controller submits to the Service.

4. Processor Obligations

Resume Bestie will: (a) process Personal Data only on the Controller's documented instructions (the Terms and this DPA constitute such instructions); (b) ensure personnel authorized to process Personal Data are bound by confidentiality; (c) implement the technical and organizational measures described in Section 8; (d) assist the Controller in responding to data-subject requests; (e) assist with security, breach-notification, DPIA, and prior-consultation obligations under Articles 32–36 GDPR; and (f) delete or return Personal Data at the end of the engagement (Section 10).

5. Sub-Processors

The Controller authorizes Resume Bestie to use the sub-processors listed below. Resume Bestie remains liable for sub-processors' acts and omissions and will impose data-protection terms no less protective than this DPA.

  • Supabase Inc. — authentication, Postgres database, file storage (US/EU).
  • Stripe, Inc. — payment processing and tax (global).
  • Cloudflare, Inc. — hosting, CDN, WAF, DDoS protection.
  • Lovable AI Gateway — large language model inference; no third-party training on Controller data.
  • Transactional email provider — delivery of account, security, and billing emails.

Resume Bestie will give the Controller at least 30 days' notice of any new or replacement sub-processor by email or in-app notice; the Controller may object on reasonable data-protection grounds.

6. International Transfers

Where Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Module Two: Controller-to-Processor) and the UK International Data Transfer Addendum. The Controller is the "data exporter" and Resume Bestie is the "data importer."

7. Data Subject Rights

Resume Bestie will provide reasonable assistance, by appropriate technical and organizational measures, to enable the Controller to respond to requests from data subjects to exercise their rights under applicable law.

8. Security (Technical & Organizational Measures)

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 on managed storage).
  • Row-Level Security on user-owned tables; least-privilege role separation; audited service-role keys.
  • OAuth and password-based authentication with industry-standard hashing.
  • Centralized logging, error monitoring, and access auditing.
  • Automated daily database backups with point-in-time recovery on the database tier.
  • Vendor risk reviews and annual policy updates.
  • Personnel security: confidentiality undertakings and access on a need-to-know basis.

9. Personal Data Breach Notification

Resume Bestie will notify the Controller without undue delay and in any event within 72 hours of becoming aware of a Personal Data breach affecting the Controller's data, providing the information required by Article 33(3) GDPR to the extent then known and updates as the investigation progresses.

10. Return or Deletion of Personal Data

On termination of the Service or at the Controller's written request, Resume Bestie will, at the Controller's choice, return or delete Personal Data (and all copies) within 30 days, except where retention is required by law.

11. Audits

The Controller may, no more than once per 12-month period and on at least 30 days' written notice, audit Resume Bestie's compliance with this DPA. Audits will be conducted during business hours, subject to confidentiality, and may be satisfied by Resume Bestie's then-current third-party reports or certifications where available.

12. Liability & Order of Precedence

Liability under this DPA is subject to the limitations in the Terms. In the event of a conflict between this DPA and the Terms with respect to processing of Personal Data, this DPA controls.

13. Contact

support@resumebestie.com

This document is a first-draft template. Have it reviewed by qualified legal counsel before relying on it.