Data Processing Agreement
Last updated: March 2026. This Data Processing Agreement ("DPA") supplements the Terms of Service and Privacy Policy and applies when JobConfident processes personal data on behalf of a customer acting as a data controller under the General Data Protection Regulation ("GDPR").
1. Definitions
- "Controller" means the entity that determines the purposes and means of processing personal data (you, the customer).
- "Processor" means JobConfident, which processes personal data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on personal data, including collection, storage, use, and deletion.
- "Sub-processor" means any third party engaged by JobConfident to process personal data.
2. Scope & Purpose of Processing
JobConfident processes personal data solely to provide the interview simulation service as described in the Terms of Service. The categories of personal data and data subjects are described in our Privacy Policy.
3. Obligations of JobConfident (Processor)
We shall:
- Process personal data only on documented instructions from the Controller, unless required by law
- Ensure that persons authorized to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures as described in our Privacy Policy
- Not engage a sub-processor without prior written authorization from the Controller (see Section 5)
- Assist the Controller with data subject access requests and other GDPR obligations
- Delete or return all personal data upon termination of the service, at the Controller's choice
- Make available all information necessary to demonstrate compliance and allow for audits
4. Obligations of the Controller
The Controller shall:
- Ensure a lawful basis for processing personal data through JobConfident
- Provide clear instructions regarding the processing of personal data
- Fulfill all data subject notification and consent obligations as required by applicable law
5. Sub-processors
JobConfident uses the following sub-processors. By agreeing to this DPA, you authorize the use of these sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | United States |
| OpenAI, Inc. | AI language models | United States |
| Anthropic, PBC | AI language models | United States |
| PostHog, Inc. | Product analytics | United States |
| Functional Software (Sentry) | Error monitoring | United States |
| Resend, Inc. | Transactional email | United States |
We will notify you at least 30 days before adding or replacing a sub-processor. If you object, you may terminate the affected service within 30 days of notification.
6. International Data Transfers
Where personal data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms. Copies of relevant SCCs are available upon request.
7. Security Measures
JobConfident implements the following categories of security measures:
- Encryption of data at rest and in transit
- Access controls and principle of least privilege
- Regular security assessments
- Incident response procedures
- Employee confidentiality obligations
- Log monitoring and anomaly detection
8. Data Breach Notification
In the event of a personal data breach, JobConfident will notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach. The notification will include: the nature of the breach, categories of data affected, approximate number of data subjects affected, likely consequences, and measures taken to address the breach.
9. Data Subject Requests
JobConfident will promptly assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) by providing the necessary technical capabilities. Self-service tools are available in Settings → Privacy.
10. Duration & Termination
This DPA remains in effect for the duration of the service agreement. Upon termination, JobConfident will delete all personal data within 30 days unless retention is required by law. The Controller may request a data export before termination.
11. Contact
For DPA-related inquiries or to request a countersigned copy, email privacy@jobconfident.com.