Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Atlas Capital SpA, a company incorporated under the laws of Chile ("CVParserPro," "Processor," "we," "us," or "our"), and the entity agreeing to these terms ("Customer," "Controller," "you," or "your").

This DPA sets forth the terms and conditions under which CVParserPro will process Personal Data on behalf of Customer in connection with the CVParserPro resume parsing services ("Service").

This DPA applies to the extent that CVParserPro processes Personal Data that is subject to Data Protection Laws on behalf of Customer.

2. Definitions

"Data Protection Laws" means all applicable laws relating to data protection and privacy, including but not limited to: (a) the EU General Data Protection Regulation 2016/679 ("GDPR"); (b) the UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"); (c) the California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA"); (d) the Chilean Law 19.628 on Protection of Private Life and Law 21.719 (when effective); and (e) any other applicable data protection or privacy laws.

"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by CVParserPro on behalf of Customer in connection with the Service.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.

"Subprocessor" means any third party engaged by CVParserPro to process Personal Data on behalf of Customer.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914.

"Supervisory Authority" means an independent public authority established pursuant to Data Protection Laws.

3. Scope and Roles

3.1 Processor Role

The parties acknowledge and agree that:

Customer is the Controller of Personal Data processed through the Service
CVParserPro is the Processor acting on behalf of Customer
CVParserPro processes Personal Data solely to provide the Service in accordance with Customer's documented instructions

3.2 Customer Responsibilities

Customer is responsible for:

Ensuring that the processing of Personal Data through the Service has a valid legal basis
Providing all required notices to Data Subjects
Obtaining all necessary consents from Data Subjects
Responding to Data Subject requests
Ensuring the accuracy and lawfulness of Personal Data
Complying with applicable Data Protection Laws

3.3 Processing Details

The details of the processing are set forth in Annex 1 to this DPA.

4. Processing Instructions

4.1 Documented Instructions

CVParserPro shall process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such case, CVParserPro shall inform Customer of that legal requirement before processing, unless prohibited by law.

4.2 Scope of Instructions

Customer's instructions for the processing of Personal Data shall comply with applicable Data Protection Laws. Customer instructs CVParserPro to process Personal Data for the following purposes:

Providing the Service as described in the Agreement
Processing initiated by Customer through use of the Service
Processing to comply with Customer's other reasonable instructions consistent with the Agreement

4.3 Additional Instructions

If Customer requires processing beyond the scope of this DPA, the parties shall negotiate in good faith an amendment to this DPA and any associated fees.

5. Confidentiality

5.1 Personnel Obligations

CVParserPro shall ensure that persons authorized to process Personal Data:

Have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
Process Personal Data only as necessary to perform their duties

5.2 Access Limitations

CVParserPro shall limit access to Personal Data to those personnel who require such access to perform the Service.

6. Security Measures

6.1 Technical and Organizational Measures

CVParserPro shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

(a) Encryption: Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256);

(b) Access Controls: Role-based access controls, multi-factor authentication, and principle of least privilege;

(c) Confidentiality: Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems;

(d) Recovery: Ability to restore availability and access to Personal Data in a timely manner following an incident;

(e) Testing: Regular testing, assessing, and evaluating the effectiveness of security measures;

(f) Monitoring: Continuous security monitoring, logging, and intrusion detection;

(g) Physical Security: Physical security measures at data center facilities through SOC 2 certified providers.

6.2 Security Measures Documentation

A description of CVParserPro's security measures is set forth in Annex 2 to this DPA.

7. Subprocessors

7.1 General Authorization

Customer provides general authorization for CVParserPro to engage Subprocessors to process Personal Data, subject to the requirements of this Section 7.

7.2 Current Subprocessors

Customer approves the Subprocessors listed in Annex 3 to this DPA as of the Effective Date. The current list of Subprocessors is also available at: https://cvparserpro.com/legal/subprocessors

7.3 Subprocessor Requirements

CVParserPro shall:

Enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than this DPA
Ensure each Subprocessor complies with applicable Data Protection Laws
Remain fully liable to Customer for the performance of each Subprocessor's obligations

7.4 New Subprocessors

Before engaging a new Subprocessor, CVParserPro shall:

Notify Customer at least thirty (30) days in advance by email or through the subprocessor notification mechanism
Provide details of the Subprocessor and the processing to be performed

7.5 Objection to Subprocessors

Customer may object to a new Subprocessor by notifying CVParserPro in writing within fourteen (14) days of receiving notice. If Customer objects on reasonable data protection grounds, the parties shall discuss the concerns in good faith. If the parties cannot resolve the objection within thirty (30) days, either party may terminate the affected Service without penalty.

8. Data Subject Rights

8.1 Assistance with Requests

CVParserPro shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures to fulfill Customer's obligation to respond to Data Subject requests.

8.2 Notification of Requests

If CVParserPro receives a request from a Data Subject regarding Personal Data, CVParserPro shall:

Promptly notify Customer of the request
Not respond to the request except on Customer's documented instructions or as required by law
Provide Customer with reasonable cooperation and assistance

8.3 Response Timeframe

CVParserPro shall respond to Customer's reasonable requests for assistance within ten (10) business days.

9. Personal Data Breach

9.1 Notification

CVParserPro shall notify Customer without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a Personal Data Breach affecting Customer's Personal Data.

9.2 Notification Contents

The notification shall include, to the extent known:

A description of the nature of the Personal Data Breach
Categories and approximate number of Data Subjects affected
Categories and approximate number of Personal Data records affected
Name and contact details of CVParserPro's point of contact
Likely consequences of the Personal Data Breach
Measures taken or proposed to address the breach and mitigate its effects

9.3 Cooperation

CVParserPro shall cooperate with Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the Personal Data Breach.

9.4 No Admission

Notification of a Personal Data Breach shall not be construed as an acknowledgment of fault or liability.

10. Data Protection Impact Assessments

CVParserPro shall provide reasonable assistance to Customer with data protection impact assessments and prior consultations with Supervisory Authorities, to the extent required under Data Protection Laws and taking into account the nature of the processing and information available to CVParserPro.

11. Audit Rights

11.1 Audit Information

CVParserPro shall make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Customer or Customer's auditor.

11.2 Audit Process

Audits shall be conducted:

Upon thirty (30) days' prior written notice
During normal business hours
No more than once per year (unless required by a Supervisory Authority or following a Personal Data Breach)
Subject to reasonable confidentiality obligations
At Customer's expense

11.3 Third-Party Certifications

Customer may satisfy its audit rights by reviewing CVParserPro's then-current third-party certifications, audit reports (e.g., SOC 2 Type II), and other documentation provided by CVParserPro.

12. International Data Transfers

12.1 Transfer Mechanisms

To the extent that the processing of Personal Data involves a transfer of Personal Data from the European Economic Area, United Kingdom, or Switzerland to a country not recognized as providing an adequate level of data protection, such transfer shall be subject to appropriate safeguards, including:

(a) Standard Contractual Clauses: The SCCs attached as Annex 4 to this DPA, which are incorporated by reference;

(b) Supplementary Measures: The technical, contractual, and organizational measures described in Annex 2.

12.2 SCC Module Selection

For transfers governed by the SCCs:

Module 2 (Controller to Processor) applies where Customer transfers Personal Data to CVParserPro
Module 3 (Processor to Processor) applies where CVParserPro transfers Personal Data to Subprocessors

12.3 Transfer Impact Assessment

Customer is responsible for conducting their own Transfer Impact Assessment as required by GDPR and EDPB guidance. Upon request, CVParserPro will provide reasonable information about its technical and organizational measures to assist Customer in completing such assessment.

12.4 Alternative Transfer Mechanisms

If an alternative valid transfer mechanism becomes available (such as adequacy decisions), the parties may agree to rely on such mechanism.

12.5 Customer Responsibility for International Transfers

Customer acknowledges that CVParserPro is incorporated in Chile and operates from Chile and the United States, neither of which has an adequacy decision from the European Commission.

Customer is solely responsible for:

Determining whether their use of the Service involves international data transfers subject to GDPR
Ensuring any such transfers have a valid legal basis
Conducting their own Transfer Impact Assessments as required
Implementing any supplementary measures required for their specific processing activities

CVParserPro provides the SCCs as a transfer mechanism that Customers may rely upon for their compliance purposes. The execution and implementation of appropriate transfer safeguards remains Customer's responsibility as data controller.

13. Data Retention and Deletion

13.1 Retention During Service

CVParserPro shall retain Personal Data only for as long as necessary to provide the Service and comply with Customer's instructions.

13.2 Processing Retention

Resume data processed through the Service is retained only temporarily during processing (typically less than 60 seconds) and is not stored after the parsed results are returned to Customer, except:

Error logs may be retained for up to seven (7) days for debugging purposes
Anonymized data may be retained indefinitely for service improvement

13.3 Deletion Upon Termination

Upon termination of the Agreement, CVParserPro shall, at Customer's choice:

Return Personal Data to Customer in a standard format; or
Delete Personal Data and certify such deletion in writing

This shall be completed within ninety (90) days of termination, except where retention is required by applicable law.

14. Liability

14.1 Liability Allocation

Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement.

14.2 Customer Indemnification for Data Protection Claims

Customer shall indemnify, defend, and hold harmless CVParserPro against any and all claims, damages, losses, liabilities, fines, penalties, costs, and expenses (including reasonable attorneys' fees) arising from or related to:

(a) Any claim or enforcement action by a data protection supervisory authority, including but not limited to EU Data Protection Authorities, arising from Customer's use of the Service or Customer's failure to comply with applicable Data Protection Laws;

(b) Customer's violation of GDPR, CCPA, or other Data Protection Laws;

(d) Customer's failure to provide required notices to Data Subjects;

(e) Customer's instructions to CVParserPro that violate applicable law;

(f) Any Data Subject claims arising from Customer's processing of their Personal Data through the Service.

14.3 Limitation on CVParserPro Liability

CVParserPro's liability for any claims arising under this DPA shall not exceed the amounts paid by Customer under the Agreement in the twelve (12) months preceding the claim. CVParserPro shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising from this DPA.

15. General Provisions

15.1 Governing Law

This DPA shall be governed by the same law that governs the Agreement, except that the SCCs shall be governed by the law specified therein.

15.2 Order of Precedence

In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters. In the event of a conflict between this DPA and the SCCs, the SCCs shall prevail.

15.3 Amendments

This DPA may be amended only by a written instrument signed by both parties.

15.4 Severability

If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.

Annex 1: Processing Details

A. Subject Matter of Processing

Processing of Personal Data contained in resumes and CVs uploaded by Customer to the CVParserPro resume parsing service.

B. Duration of Processing

For the term of the Agreement, plus any period required for data deletion.

C. Nature of Processing

Automated processing of resume documents to extract and structure data, including:

Document ingestion and format conversion
Natural language processing and entity extraction
Data structuring and formatting
Return of structured data via API

D. Purpose of Processing

To provide resume parsing services enabling Customer to extract structured data from unstructured resume documents.

E. Categories of Personal Data

Identifiers: Name, email address, phone number, mailing address, social media profiles
Professional Information: Work history, job titles, employers, employment dates, responsibilities, skills, certifications
Educational Information: Schools, degrees, graduation dates, academic achievements
Other Information: Languages, volunteer experience, publications, references

F. Categories of Data Subjects

Job applicants and candidates whose resumes are processed through the Service

G. Special Categories of Data

Resumes may contain or reveal special category data (GDPR Article 9) or sensitive personal information (CCPA), including racial/ethnic origin, religious beliefs, health information, or trade union membership. CVParserPro does not intentionally extract or categorize such data.

Annex 2: Technical and Organizational Security Measures

A. Encryption

Measure	Implementation
Data in Transit	TLS 1.3 for all API communications
Data at Rest	AES-256 encryption for stored data
Key Management	Encryption keys managed through secure key management service

B. Access Controls

Measure	Implementation
Authentication	Multi-factor authentication for all administrative access
Authorization	Role-based access controls with principle of least privilege
Password Policy	Strong password requirements, regular rotation
Session Management	Automatic session timeout, secure session handling

C. Infrastructure Security

Measure	Implementation
Network Security	Firewalls, network segmentation, DDoS protection
Intrusion Detection	Continuous monitoring and alerting
Vulnerability Management	Regular security assessments and patching
Physical Security	SOC 2 certified data center facilities

D. Operational Security

Measure	Implementation
Logging	Comprehensive audit logging of all access and changes
Monitoring	24/7 security monitoring and alerting
Incident Response	Documented incident response procedures
Business Continuity	Regular backups, disaster recovery planning

E. Personnel Security

Measure	Implementation
Background Checks	Conducted for personnel with access to Personal Data
Training	Regular security awareness training
Confidentiality	Confidentiality agreements for all personnel

Annex 3: Subprocessors

The following categories of Subprocessors are authorized to process Personal Data as of the Effective Date:

Category	Processing Activities	Location
Cloud Infrastructure Provider	Server hosting, compute resources, network infrastructure	United States
AI/ML Processing Provider	Machine learning model inference for document parsing	United States
Database Provider	Secure data storage and management	United States

Detailed Subprocessor Information

Enterprise customers requiring specific subprocessor names for their own compliance purposes may request this information under NDA by contacting [email protected].

Subprocessor Change Notification

Subscribe to subprocessor change notifications at: https://cvparserpro.com/legal/subprocessors

Or contact: [email protected]

Annex 4: Standard Contractual Clauses

The Standard Contractual Clauses adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 are incorporated by reference.

For the purposes of the SCCs:

Module 2 (Controller to Processor)

Data exporter: Customer (Controller)
Data importer: Atlas Capital SpA / CVParserPro (Processor)

Clause 7 (Docking clause): Not applicable

Clause 9 (Use of sub-processors): Option 2 (General written authorization)

Clause 11 (Redress): Optional clause does not apply

Clause 13 (Supervision):

For Customers in the EU: The supervisory authority of the EU Member State in which Customer is established, or where the Data Subjects are located.

Clause 17 (Governing law): The laws of Chile

Clause 18 (Choice of forum and jurisdiction): Courts of Santiago, Chile

Table 1: Parties – As set forth in Annex I.A above
Table 2: Selected SCCs – Module 2, as described above
Table 3: Appendix Information – As set forth in Annexes I-III above
Table 4: Ending the Addendum – Neither party

By using the Service, Customer agrees to this Data Processing Agreement.