Data Processing Agreement

1. Parties and Scope

This Data Processing Agreement (“DPA”) is entered into between Resume Builder (Richard Leclezio, richard.leclezio@gmail.com)(“Data Controller” or “Resume Builder”) and the entity accepting the Terms of Service (“Customer”, “Data Processor”, or “you”) in connection with the use of the Resume Builderplatform and API (“Services”).

This DPA applies where Resume Builder processes personal data on behalf of the Customer in the course of providing the Services, including through B2B products such as Outplacement Packages, University/Career Center licenses, Organization accounts, and the Developer API.

2. Definitions

• Personal Data:Any information relating to an identified or identifiable natural person, as defined under applicable data protection law (including GDPR Article 4(1) and CCPA §1798.140).
• Processing:Any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
• Sub-processor:Any third party engaged by Resume Builder to process Personal Data on behalf of the Customer.
• Data Subject:The individual whose Personal Data is being processed.

3. Nature and Purpose of Processing

Resume Builder processes Personal Data for the following purposes:

• Resume parsing, tailoring, and AI-assisted content generation
• Cover letter and application document generation
• Career coaching and job search analytics
• Organizational license management (enrollment, access control, usage tracking)
• Placement outcome tracking for institutional reporting and accreditation
• API access management and metered billing
• Email notifications related to the Services

Categories of personal data processed include: name, email address, phone number, employment history, education history, professional skills, job preferences, application outcomes, and usage activity data.

Resume Builder does not process special categories of personal data (e.g., health data, biometric data, political opinions) and instructs Customers not to submit such data.

4. Customer Obligations

Customer represents and warrants that:

• Customer has a lawful basis to submit Personal Data to Resume Builder for processing
• Customer has provided appropriate notices to Data Subjects regarding the processing
• Customer will promptly notify Resume Builder of any data subject rights requests related to data processed via the Services
• Customer will not submit special category data, children's data (under 16), or data of individuals not in the Customer's jurisdiction

5. Resume Builder Obligations

Resume Builder agrees to:

• Process Personal Data only on documented instructions from the Customer (i.e., use of the Services)
• Ensure personnel with access to Personal Data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures (see Section 7)
• Assist the Customer in responding to Data Subject rights requests within applicable timeframes
• Notify the Customer without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach
• Delete or return Personal Data upon termination of the Services, at Customer's written request
• Provide information reasonably necessary to demonstrate compliance with this DPA

6. Sub-processors

Customer authorizes Resume Builder to engage the following sub-processors. Resume Builder will notify Customer of any changes to this list with at least 14 days' notice, giving Customer the opportunity to object.

7. Security Measures

Resume Builder implements the following technical and organizational security measures:

• Encryption in transit: TLS 1.3 enforced on all external connections via Vercel Edge
• Encryption at rest: AES-256 encryption via Upstash Redis at-rest encryption
• Access control: Role-based access control; admin access restricted to verified email; API keys stored as SHA-256 hashes
• Audit logging: 90-day privileged access audit trail covering all data access events
• Security headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options enforced on all responses
• Vulnerability management: Dependencies monitored via automated tooling; annual penetration test (scheduled)
• Incident response: Documented process with 72-hour notification commitment

8. Data Transfers

All Personal Data is stored and processed in the United States. Where Customer is located in the European Economic Area (EEA) or United Kingdom, transfers to the USA are made under the EU-US Data Privacy Framework (for applicable sub-processors) or Standard Contractual Clauses (SCCs) where required. Customers requiring SCCs should contact enterprise@resume2builder.com.

9. Data Subject Rights

Resume Builder will assist Customers in fulfilling Data Subject requests (access, rectification, erasure, portability, restriction, objection) within the timeframes required by applicable law. Customers should submit such requests to privacy@resume2builder.com. Resume Builder will respond within 5 business days and complete fulfillment within 30 days.

10. Term and Termination

This DPA is effective for the duration of the Customer's use of the Services and survives termination for the period during which Resume Builder retains any Customer Personal Data. Upon termination, Resume Builder will delete all Customer Personal Data within 30 days of receiving a written deletion request, except where retention is required by applicable law.

11. Governing Law

This DPA is governed by the laws of the State of California, USA, without regard to conflict of law provisions. For customers in the EEA or UK, mandatory local data protection law requirements apply.

12. Contact

For DPA-related inquiries, data subject requests, or to request custom DPA terms for your organization:

• Email: enterprise@resume2builder.com
• Privacy: privacy@resume2builder.com
• Security disclosures: security@resume2builder.com