Data Processing Addendum

Last updated: June 11, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Hireverse, Inc. ("Hireverse," "Processor") and the customer ("Controller," "you") that has accepted Hireverse's Terms of Service, an order form, or a Master Services Agreement (the "Principal Agreement"), and reflects the parties' agreement with respect to the processing of Personal Data under EU and UK data protection law.

For a signed counterpart of this DPA, email legal@hireverse.ai.

1. Definitions

Capitalized terms not defined here have the meanings given in the GDPR. "Personal Data," "Processing," "Data Subject," "Controller," "Processor," and "Supervisory Authority" have the meanings given in the GDPR. "Customer Personal Data" means Personal Data Hireverse processes on behalf of the Controller in providing the Service.

2. Roles of the parties

The parties acknowledge that, for the purposes of processing Customer Personal Data, Hireverse is the Processor and the Controller is the Controller. Where Hireverse processes Personal Data for its own purposes (for example, to run, secure, and improve the Service), Hireverse is an independent Controller, as described in our Privacy Policy.

3. Scope, nature, and purpose

The subject matter, nature, and purpose of the Processing are the provision of the Service under the Principal Agreement. The duration of the Processing matches the duration of the Principal Agreement plus the retention periods set out in our Privacy Policy.

4. Types of Personal Data and categories of Data Subjects

The Processing covers:

  • Types of Personal Data: contact details, professional information, account credentials, content uploaded to the Service, candidate resumes, interview feedback, project briefs, messages, and any other Personal Data submitted by or on behalf of the Controller.
  • Categories of Data Subjects: the Controller's users, employees, contractors, candidates, customers, and other individuals whose Personal Data is submitted to the Service.

5. Processor obligations

Hireverse will:

  • Process Customer Personal Data only on documented instructions from the Controller, including with regard to transfers, except as required by law.
  • Ensure that personnel authorized to process Customer Personal Data are under appropriate confidentiality obligations.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Article 32 GDPR). A description of the current measures is set out in Annex 2.
  • Engage sub-processors only with the Controller's general written authorization, listed in Annex 3. We will notify the Controller of any intended changes to that list and give the Controller an opportunity to object.
  • Assist the Controller in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection, automated decision-making).
  • Assist the Controller with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the Processing and the information available to Hireverse.
  • Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data, and provide reasonable cooperation with breach investigation and notification.
  • At the choice of the Controller, delete or return all Customer Personal Data at the end of the Service, unless retention is required by applicable law.
  • Make available all information necessary to demonstrate compliance with this DPA and allow for audits as described in Section 7.

6. International transfers

Where Customer Personal Data originating in the EEA, UK, or Switzerland is transferred to a country without an adequacy decision, the parties incorporate the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor) into this DPA, together with the UK Addendum or Swiss Annex as applicable. Hireverse will implement supplementary measures (e.g., encryption in transit and at rest, strict access controls) appropriate to the transfer.

7. Audits

Hireverse will make available to the Controller, on reasonable written notice and no more than once per year (except where required by a Supervisory Authority or after a Personal Data Breach), information necessary to demonstrate compliance with this DPA, including third-party audit reports (e.g., SOC 2 if and when available). On-site audits may be conducted by the Controller or its mandated auditor under reasonable confidentiality and security protections.

8. Sub-processors

The Controller authorizes Hireverse to engage the sub-processors listed in Annex 3. Hireverse will impose obligations on each sub-processor that are no less protective than those in this DPA.

9. Liability

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability in the Principal Agreement.

10. Term and termination

This DPA takes effect when the Controller accepts the Principal Agreement and remains in force until the Principal Agreement terminates, except for obligations that by their nature should survive (including post-termination return / deletion and confidentiality).


Annex 1 — Processing description

  • Subject matter: provision of the Hireverse Service under the Principal Agreement.
  • Nature and purpose: hosting, processing, and supporting the Controller's use of the Service, including AI-assisted matching, sourcing, and workspace tooling.
  • Duration: the term of the Principal Agreement plus any retention periods required by law or set out in our Privacy Policy.
  • Categories of Data Subjects: Controller's users, employees, contractors, candidates, and customers.
  • Categories of Personal Data: identification, contact details, professional information, content submitted to the Service, candidate materials, interview feedback, project communications.

Annex 2 — Security measures

  • Encryption in transit (TLS 1.2+) and at rest.
  • Multi-factor authentication for administrative access and for any payment-mutating operations.
  • Principle of least privilege for internal access; access logged and reviewed.
  • Security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Permissions-Policy).
  • Regular dependency vulnerability scanning and remediation.
  • Rate limiting and abuse protection on API endpoints.
  • Separated environments for development, staging, and production.
  • Incident response procedure with 72-hour breach notification commitment.
  • Annual third-party penetration testing once SOC 2 readiness is reached.

Annex 3 — Authorized sub-processors

Hireverse uses the following sub-processors. Each is bound by data-protection obligations no less protective than this DPA.

  • Google LLC / Google Cloud (incl. Firebase, Vertex AI, Cloud Functions, App Hosting) — infrastructure, AI, and identity. United States.
  • Stripe, Inc. — payment processing. United States.
  • Anthropic, PBC — large-language-model inference for select AI features. United States.
  • OpenAI, OpCo, LLC — large-language-model inference for select AI features. United States.
  • Nango GmbH — third-party integration brokerage. European Union / United States.
  • GitHub, Inc. — source control and hosting (production deploys). United States.

The current list will be updated as sub-processors change. To receive notifications of changes, email legal@hireverse.ai.
