This Data Processing Agreement ("DPA") forms part of, and is subject to, our Terms of Service. It governs CeeVeeMatch's processing of personal data on behalf of customers and is designed to satisfy the requirements of GDPR Art. 28, UK GDPR, PDPA Section 40, and equivalent processor-controller laws.
1. Roles
You (the "Customer") are the data controller with respect to personal data contained in the CVs and job descriptions you submit ("Customer Personal Data"). CeeVeeMatch is the data processor and processes Customer Personal Data only on your documented instructions.
2. Subject matter, nature, and purpose
- Subject matter: processing of candidate CV data to generate match scores against a job description.
- Nature of processing: storage, AI-based extraction, scoring, ranking, retrieval, and deletion.
- Purpose: to provide the CeeVeeMatch Service to the Customer.
- Categories of data subjects: candidates whose CVs the Customer uploads, and the Customer's own staff who use the Service.
- Categories of personal data: identity (name, email, phone), employment history, education, skills, and the unstructured contents of CVs.
- Duration: the term of the Customer's subscription plus the retention period set out in the Privacy Policy.
3. Customer instructions
We process Customer Personal Data only on the Customer's documented instructions, including the instructions embodied in these Terms and the operation of the Service. We will inform the Customer promptly if we believe an instruction violates applicable data protection law.
4. Sub-processors
The Customer authorizes CeeVeeMatch to engage the sub-processors listed in our Privacy Policy Section 5. We will notify the Customer of any intended addition or replacement of a sub-processor at least 30 days in advance, allowing the Customer to object on reasonable grounds related to data protection.
Each sub-processor is bound by data protection terms no less protective than those in this DPA.
5. Security
We implement and maintain the following technical and organizational measures:
- Encryption: AES-256 at rest (Postgres, Cloudflare R2); TLS 1.3 in transit.
- Access control: role-based access; all production access is org-scoped and audit-logged. Employees access Customer Personal Data only on a need-to-know basis.
- Authentication: SSO/MFA for internal admin tools; passwords stored hashed.
- PII redaction: emails, phones, and URLs are redacted from logs and from CV embeddings before they reach the vector store.
- Network: WAF, rate limiting, DDoS protection via Cloudflare.
- Monitoring: error monitoring (Sentry), uptime monitoring, and append-only audit log of CV-data access events.
- Backups: daily encrypted backups, 30-day retention.
- Vulnerability management: dependency scanning on every release; critical security patches deployed within 7 days.
6. Personnel
Our personnel are bound by confidentiality and receive privacy and security training appropriate to their role.
7. Data subject requests
We will assist the Customer in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) by providing tools in the Service and, where those tools are insufficient, by providing reasonable support on request.
If we receive a data subject request directly, we will redirect the data subject to the Customer (as controller) and notify the Customer without undue delay.
8. Personal data breaches
We will notify the Customer of a confirmed personal data breach affecting Customer Personal Data without undue delay and in any event within 72 hours of becoming aware. The notice will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
9. Data protection impact assessments
We will provide the Customer with reasonable assistance, taking into account the nature of processing and the information available to us, in carrying out data protection impact assessments and prior consultations with supervisory authorities.
10. Audits
The Customer may, no more than once per 12 months and with at least 30 days' notice, request reasonable information from us to verify compliance with this DPA. For routine assurance we will provide copies of our most recent third-party security reports (e.g. SOC 2, ISO 27001) when available. Customers who require an on-site audit must conduct it at their own cost and at a mutually agreed time.
11. International transfers
Where the Customer is in the EEA, UK, or Thailand and we transfer Customer Personal Data to a country not benefiting from an adequacy decision, the transfer is governed by:
- European Commission Standard Contractual Clauses (Module 2),
- UK International Data Transfer Addendum, and
- for PDPA, the cross-border transfer mechanism under Section 28 PDPA.
These instruments are incorporated by reference and apply automatically on signature of the underlying Terms.
12. Deletion or return of data
On termination of the Customer's subscription, we will delete or return Customer Personal Data within the retention period set out in the Privacy Policy (Section 7), unless retention is required by law.
13. Liability and conflict
Liability under this DPA is subject to the limitations in the Terms of Service. In the event of conflict between this DPA and the Terms, this DPA prevails with respect to the processing of Customer Personal Data.
14. Term
This DPA enters into force on the date the Customer accepts the Terms and continues until all Customer Personal Data has been deleted or returned in accordance with Section 12.
15. Contact
Data protection inquiries: privacy@ceeveematch.com