Data Processing Agreement
Effective Date: April 18, 2026 · Version 1.0
This Data Processing Agreement ("DPA") forms part of the CVPRO Terms of Service between Talpro India Pvt Ltd ("CVPRO", "Processor") and the customer ("Controller", "you") identified in the applicable Order Form. It governs the processing of Personal Data by CVPRO under the Digital Personal Data Protection Act, 2023 (India) ("DPDP") and, where applicable, the EU General Data Protection Regulation ("GDPR") and the UK GDPR.
1. Definitions
- "Applicable Data Protection Laws" means the DPDP, the GDPR, the UK GDPR, and any other privacy or data protection law applicable to the Processing of Personal Data under the Agreement.
- "Customer Data" means any Personal Data the Controller or its authorised users upload to, or generate through the use of, the CVPRO Services, including candidate resumes, interview responses, recruiter notes, and related identifiers.
- "Data Principal" / "Data Subject" means the individual to whom Personal Data relates (e.g., a candidate or recruiter end-user).
- "Sub-processor" means any third party engaged by CVPRO to Process Customer Data.
- Capitalised terms not defined here have the meaning given in the CVPRO Terms of Service or in the Applicable Data Protection Laws.
2. Scope and Roles
The Controller determines the purposes and means of Processing Customer Data. CVPRO acts as a Data Processor (DPDP §2(k)) / Processor (GDPR Art. 4(8)) and Processes Customer Data only on documented instructions from the Controller, as set out in the Agreement and this DPA and as reasonably inferable from the Controller's configuration of the CVPRO platform.
3. Subject Matter, Duration, Nature and Purpose of Processing
- Subject matter: provision of the CVPRO AI-powered hiring intelligence Services.
- Duration: the term of the Agreement, plus any post-termination period required for data export and deletion (see §11).
- Nature of Processing: collection, storage, retrieval, analysis (including AI-assisted candidate evaluation), transmission, and deletion.
- Purpose: enabling the Controller to screen, evaluate, shortlist, and communicate with candidates for its own hiring processes.
- Categories of Data Subjects: job candidates; Controller's employees, recruiters and administrators.
- Categories of Personal Data: name, contact details, CV content, employment history, education, skills, AI-generated evaluation scores, interview responses, and usage metadata.
- Special / Sensitive Personal Data: CVPRO does not solicit special-category data. Controllers are instructed not to upload such data except where strictly required and lawful.
4. Obligations of the Processor
- Process Customer Data only on documented instructions from the Controller, except where required by law (in which case CVPRO will notify the Controller unless the law prohibits it).
- Ensure that persons authorised to Process Customer Data are bound by written confidentiality obligations.
- Implement the technical and organisational measures listed in Annex B.
- Not engage a Sub-processor without prior general authorisation (§6).
- Assist the Controller by appropriate measures to respond to requests from Data Principals / Data Subjects exercising their rights (DPDP §11–15, GDPR Arts. 15–22).
- Assist the Controller with Data Protection Impact Assessments and prior consultations (GDPR Arts. 35–36) where applicable.
- Delete or return all Customer Data after the end of Services provision (§11).
- Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits (§8).
5. Security Measures
CVPRO implements and maintains the technical and organisational measures described in Annex B, including TLS 1.2+ in transit, AES-256 at rest for database storage, least-privilege access, MFA for administrative access, quarterly access reviews, encrypted off-site backups, vulnerability scanning, and incident response tooling. These measures are commensurate with the risk presented by the Processing.
6. Sub-processors
The Controller grants CVPRO general written authorisation to engage the Sub-processors listed in Annex A and to add or replace Sub-processors, provided CVPRO:
- gives the Controller at least 15 days' prior notice (via the CVPRO trust page / email) of any intended addition or replacement;
- imposes on each Sub-processor, by written contract, data-protection obligations no less protective than those of this DPA; and
- remains fully liable to the Controller for the performance of each Sub-processor's obligations.
The Controller may object to a new Sub-processor on reasonable data-protection grounds within the 15-day notice period. If the parties cannot agree on a resolution, the Controller may terminate the affected Services without penalty.
7. Cross-Border Transfers
CVPRO primarily hosts Customer Data in India. Where transfers outside India or outside the EEA/UK occur (e.g., to a Sub-processor), CVPRO will rely on a lawful transfer mechanism, which, for EU/EEA and UK Personal Data, means the Standard Contractual Clauses adopted by the European Commission (Module 2: Controller-to-Processor) and the UK International Data Transfer Addendum, both of which are hereby incorporated by reference and executed by the parties on acceptance of this DPA. For Indian Personal Data, CVPRO complies with DPDP §16 transfer restrictions as notified by the Central Government from time to time.
8. Audits
CVPRO will, on reasonable prior written notice and not more than once per twelve-month period (except following a confirmed Security Incident affecting the Controller), make available to the Controller summaries of its most recent independent audit reports (e.g., ISO 27001, SOC 2 Type II) and reasonable written responses to the Controller's security questionnaires. On-site audits require reasonable advance notice and execution of a mutual NDA; costs are borne by the requesting Controller unless the audit reveals material non-compliance.
9. Security Incidents
CVPRO will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Security Incident involving Customer Data, providing: (i) nature of the incident; (ii) categories and approximate numbers of Data Subjects and records concerned; (iii) likely consequences; and (iv) measures taken or proposed. CVPRO will cooperate with the Controller's statutory notification obligations under DPDP §8(6) and GDPR Arts. 33–34.
10. Data Principal / Data Subject Requests
If CVPRO receives a request from a Data Principal or Data Subject to exercise any right under Applicable Data Protection Laws, CVPRO will, unless legally prohibited, promptly forward the request to the Controller and will not respond directly. CVPRO will provide the Controller with reasonable technical assistance (self-service export and deletion tools, plus ticketed support) to respond to such requests within statutory deadlines.
11. Return and Deletion of Data
On termination or expiry of the Agreement, CVPRO will, at the Controller's written election, delete or return all Customer Data within 30 days, and delete all existing copies unless storage is required by law. Backups containing Customer Data will be overwritten in the ordinary backup rotation (maximum 35 days). CVPRO will issue a written certification of deletion on request.
12. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits either party's liability where such limitation is prohibited by Applicable Data Protection Laws.
13. Order of Precedence; Governing Law
In the event of any conflict between this DPA and the Agreement, this DPA prevails in respect of the Processing of Personal Data. This DPA is governed by the laws of India and, where GDPR applies, the mandatory provisions of the GDPR. Courts at Hyderabad, India have exclusive jurisdiction, without prejudice to any mandatory statutory jurisdiction.
Annex A — Authorised Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic PBC | AI evaluation (Claude API) | USA |
| Hostinger International Ltd | Hosting / VPS | India / EU |
| Cloudflare, Inc. | CDN, DDoS protection, DNS | Global |
| Resend | Transactional email | USA |
| Razorpay Software Pvt Ltd | Payment processing (billing only) | India |
| Google LLC (GA4) | Aggregated website analytics | USA |
The authoritative list is maintained at cvpro.in/security#subprocessors and is updated with at least 15 days' prior notice before any addition or change.
Annex B — Technical and Organisational Measures
- Encryption: TLS 1.2+ in transit; AES-256 at rest for database and backups.
- Access Control: role-based access, least privilege, MFA for administrators, quarterly access reviews.
- Network Security: WAF, rate limiting, HSTS, CSP, strict CORS, security headers sentinel.
- Backups: daily encrypted backups with off-site (R2) replication; documented restore drills.
- Monitoring: centralised logging, application error tracking (Sentry), uptime monitoring.
- Vulnerability Management: dependency scanning on every build; critical patches within 7 days.
- Incident Response: documented runbook, 72-hour Controller notification SLA, blameless post-mortems.
- Personnel: background checks, confidentiality agreements, security-awareness training, least-privilege onboarding/offboarding.
- Physical Security: data-centre controls delegated to hosting Sub-processors (ISO 27001 / SOC 2-aligned).
- Data Minimisation: customer-configurable retention; AI training opt-out (default OFF; no model training on Customer Data).
Contact
For DPA-related matters, including DSR escalation or incident notifications, contact the CVPRO Data Protection Officer at dpo@cvpro.in. For execution of a counter-signed DPA on enterprise letterhead, contact legal@talpro.in.
Talpro India Pvt Ltd · Registered Office: Hyderabad, Telangana, India