
Data Processing Agreement (DPA)

Last updated: 10/3/2025

1. Definitions

  • "Controller" means the entity that determines the purposes and means of processing personal data
  • "Processor" means the entity that processes personal data on behalf of the Controller
  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on personal data
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679
  • "Data Subject" means the natural person whose personal data is being processed

2. Scope and Purpose

This Data Processing Agreement (DPA) governs the processing of personal data by TailorCV as a data processor on behalf of you (the data controller) when you use our AI-powered resume optimization services.

Processing Activities: Resume analysis, optimization, formatting, and related AI-powered services to help users tailor their resumes to specific job descriptions.

3. Categories of Personal Data

We process the following categories of personal data:

3.1 Identity Data

  • Name and contact information
  • Email address
  • Account credentials

3.2 Professional Data

  • Resume content and career history
  • Work experience and qualifications
  • Skills and competencies
  • Educational background

3.3 Technical Data

  • IP addresses and device information
  • Usage patterns and service interactions
  • Cookies and tracking data

4. Processing Purposes

Personal data is processed for the following purposes:

  • Providing AI-powered resume optimization services
  • Analyzing and matching resumes to job descriptions
  • Improving our algorithms and service quality
  • Account management and customer support
  • Security and fraud prevention
  • Legal compliance and regulatory requirements

5. Legal Basis for Processing

The legal basis for processing personal data under GDPR Article 6 includes:

  • Consent (Art. 6(1)(a)): When users explicitly consent to data processing
  • Contract (Art. 6(1)(b)): Processing necessary for service provision
  • Legitimate Interest (Art. 6(1)(f)): Improving services and security
  • Legal Obligation (Art. 6(1)(c)): Compliance with applicable laws

6. Processor Obligations

6.1 Processing Instructions

We will process personal data only on documented instructions from you, including with regard to transfers of personal data to third countries.

6.2 Confidentiality

All persons authorized to process personal data are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

6.3 Security Measures

We implement appropriate technical and organizational measures to ensure:

  • Pseudonymization and encryption of personal data
  • Ongoing confidentiality, integrity, availability, and resilience
  • Ability to restore availability and access in case of incidents
  • Regular testing and evaluation of security measures

6.4 Sub-Processing

We may engage sub-processors with your general written authorization. We maintain a list of sub-processors and will inform you of any intended changes.

7. Data Subject Rights

We assist you in fulfilling data subject rights under GDPR Articles 15-22:

  • Right of Access (Art. 15): Provide access to personal data
  • Right to Rectification (Art. 16): Correct inaccurate data
  • Right to Erasure (Art. 17): Delete personal data
  • Right to Restriction (Art. 18): Limit processing activities
  • Right to Portability (Art. 20): Provide data in structured format
  • Right to Object (Art. 21): Object to processing

8. Data Breach Notification

In case of a personal data breach, we will:

  • Notify you without undue delay after becoming aware of the breach
  • Provide detailed information about the nature of the breach
  • Describe the likely consequences and measures taken
  • Assist you in fulfilling your notification obligations to supervisory authorities

9. Data Retention

Personal data will be retained only for as long as necessary to fulfill the purposes outlined in this DPA:

  • Account Data: Until account deletion or 3 years of inactivity
  • Resume Content: Until user deletion or account closure
  • Usage Data: Up to 2 years for service improvement
  • Legal Compliance: As required by applicable laws

10. International Transfers

When transferring personal data outside the EEA, we ensure adequate protection through:

  • Adequacy decisions by the European Commission
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (BCRs)
  • Certification schemes and codes of conduct

11. Audits and Compliance

We will:

  • Make available all information necessary to demonstrate compliance
  • Allow for and contribute to audits and inspections
  • Maintain appropriate records of processing activities
  • Cooperate with supervisory authorities

12. Data Protection Impact Assessments

We will assist you in carrying out Data Protection Impact Assessments (DPIAs) where required under GDPR Article 35, including providing information about our processing activities and security measures.

13. Termination and Data Return

Upon termination of services, we will:

  • Return or delete all personal data at your option
  • Delete existing copies unless storage is required by law
  • Provide certification of deletion upon request
  • Maintain confidentiality obligations after termination

14. Liability and Indemnification

Each party will be liable for its own violations of data protection laws. We will indemnify you against claims arising from our breach of this DPA or applicable data protection laws.

15. Governing Law and Jurisdiction

This DPA is governed by the laws of the jurisdiction where the data controller is established, with disputes resolved in the competent courts of that jurisdiction.

16. Contact Information

For questions about this DPA or data processing activities, please contact:

Data Protection Officer: tailorcv.ai@gmail.com
Legal Department: tailorcv.ai@gmail.com
Response Time: We aim to respond within 5 business days