Legal Document
Data Processing Agreement
Effective date: May 1, 2026 · This DPA is incorporated by reference into the Terms of Service.
1. Parties and Scope
This Data Processing Agreement (“DPA”) is entered into between Resume Tailor (Richard Leclezio, richard.leclezio@gmail.com) (“Data Controller” or “Resume Tailor”) and the entity accepting the Terms of Service (“Customer”, “Data Processor”, or “you”) in connection with the use of the Resume Tailor platform and API (“Services”).
This DPA applies where Resume Tailor processes personal data on behalf of the Customer in the course of providing the Services, including through B2B products such as Outplacement Packages, University/Career Center licenses, Organization accounts, and the Developer API.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, as defined under applicable data protection law (including GDPR Article 4(1) and CCPA §1798.140).
- Processing: Any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- Sub-processor: Any third party engaged by Resume Tailor to process Personal Data on behalf of the Customer.
- Data Subject: The individual whose Personal Data is being processed.
3. Nature and Purpose of Processing
Resume Tailor processes Personal Data for the following purposes:
- Resume parsing, tailoring, and AI-assisted content generation
- Cover letter and application document generation
- Career coaching and job search analytics
- Organizational license management (enrollment, access control, usage tracking)
- Placement outcome tracking for institutional reporting and accreditation
- API access management and metered billing
- Email notifications related to the Services
Categories of personal data processed include: name, email address, phone number, employment history, education history, professional skills, job preferences, application outcomes, and usage activity data.
Resume Tailor does not process special categories of personal data (e.g., health data, biometric data, political opinions) and instructs Customers not to submit such data.
4. Customer Obligations
Customer represents and warrants that:
- Customer has a lawful basis to submit Personal Data to Resume Tailor for processing
- Customer has provided appropriate notices to Data Subjects regarding the processing
- Customer will promptly notify Resume Tailor of any data subject rights requests related to data processed via the Services
- Customer will not submit special category data, children's data (under 16), or data of individuals not in the Customer's jurisdiction
5. Resume Tailor Obligations
Resume Tailor agrees to:
- Process Personal Data only on documented instructions from the Customer (i.e., use of the Services)
- Ensure personnel with access to Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (see Section 7)
- Assist the Customer in responding to Data Subject rights requests within applicable timeframes
- Notify the Customer without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach
- Delete or return Personal Data upon termination of the Services, at Customer's written request
- Provide information reasonably necessary to demonstrate compliance with this DPA
6. Sub-processors
Customer authorizes Resume Tailor to engage the following sub-processors. Resume Tailor will notify Customer of any changes to this list with at least 14 days' notice, giving Customer the opportunity to object.
7. Security Measures
Resume Tailor implements the following technical and organizational security measures:
- Encryption in transit: TLS 1.3 enforced on all external connections via Vercel Edge
- Encryption at rest: AES-256 via Upstash Redis at-rest encryption
- Access control: Role-based access control; admin access restricted to verified email; API keys stored as SHA-256 hashes
- Audit logging: 90-day privileged access audit trail covering all data access events
- Security headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options enforced on all responses
- Vulnerability management: Dependencies monitored via automated tooling; annual penetration test (scheduled)
- Incident response: Documented process with 72-hour notification commitment
8. Data Transfers
All Personal Data is stored and processed in the United States. Where Customer is located in the European Economic Area (EEA) or United Kingdom, transfers to the USA are made under the EU-US Data Privacy Framework (for applicable sub-processors) or Standard Contractual Clauses (SCCs) where required. Customers requiring SCCs should contact enterprise@resumetailor.ai.
9. Data Subject Rights
Resume Tailor will assist Customers in fulfilling Data Subject requests (access, rectification, erasure, portability, restriction, objection) within the timeframes required by applicable law. Customers should submit such requests to privacy@resumetailor.ai. Resume Tailor will respond within 5 business days and complete fulfillment within 30 days.
10. Term and Termination
This DPA is effective for the duration of the Customer's use of the Services and survives termination for the period during which Resume Tailor retains any Customer Personal Data. Upon termination, Resume Tailor will delete all Customer Personal Data within 30 days of receiving a written deletion request, except where retention is required by applicable law.
11. Governing Law
This DPA is governed by the laws of the State of California, USA, without regard to conflict of law provisions. For customers in the EEA or UK, mandatory local data protection law requirements apply.
12. Contact
For DPA-related inquiries, data subject requests, or to request custom DPA terms for your organization:
- Email: enterprise@resumetailor.ai
- Privacy: privacy@resumetailor.ai
- Security disclosures: security@resumetailor.ai