Data Processing Agreement (DPA)

Last updated: 22 October 2025

1. Parties

This Data Processing Agreement ("DPA") is entered into between ContactVault (Owner: Louis Dauphin), Thomas‑Mann Str., 85080 Gaimersheim, Germany ("Processor"), and the customer using the Service ("Controller").

2. Subject Matter

The Processor provides résumé and message forwarding services. In doing so, the Processor processes personal data on behalf of the Controller as described in this DPA and in the Privacy Policy.

3. Duration

This DPA applies for as long as the Controller uses the Service and the Processor processes personal data on behalf of the Controller.

4. Nature and Purpose of Processing

• Forwarding résumé/CV and message data from Controller to a designated Recipient.
• Operating proof‑of‑work, rate limiting, and moderation measures to secure the Service.
• Storing encrypted message data temporarily for delivery and verification.
• Handling unsubscribe requests and suppression lists.

5. Categories of Data Subjects

Applicants who submit data, Recipients designated by Applicants, and other individuals referenced in résumé/CV content.

6. Types of Personal Data

• Email addresses of Applicants and Recipients.
• Message text and résumé/CV content (education, work history, skills).
• Technical metadata (IP address, user agent, timestamps).
• Optional data such as newsletter subscription or employer ratings.

7. Obligations of the Processor

• Process personal data only on documented instructions from the Controller.
• Ensure confidentiality and train personnel handling personal data.
• Implement appropriate technical and organizational measures, including encryption, access controls, rate‑limiting, and periodic log deletion.
• Assist the Controller in fulfilling data subject rights requests, security, and breach notifications.
• Delete or return personal data upon termination of the Service, unless required by law to retain it.
• Maintain records of processing activities and provide them to supervisory authorities on request.

8. Sub‑Processors

The Controller authorizes the Processor to engage sub‑processors for infrastructure, email delivery, and content moderation as described in the Privacy Policy. The Processor ensures sub‑processors are bound by equivalent data protection obligations.

9. International Transfers

If personal data is transferred outside the EEA/UK, the Processor relies on appropriate safeguards such as Standard Contractual Clauses or other lawful transfer mechanisms. Transfers initiated by the Controller to Recipients outside the EEA/UK are considered necessary for service delivery.

10. Rights of the Controller

• The Controller may audit compliance with this DPA upon reasonable notice, limited to once per year unless required by law.
• The Processor will make available information necessary to demonstrate compliance, subject to confidentiality obligations.

11. Liability

Liability under this DPA is subject to the limitations of liability agreed in the main Terms & Conditions of the Service.

12. Miscellaneous

If any provision of this DPA is invalid or unenforceable, the remaining provisions remain in effect. This DPA is governed by German law. Disputes may be brought before the competent courts of Ingolstadt, Germany, unless mandatory law provides otherwise.

13. Contact

For DPA matters, contact ContactVault (Owner: Louis Dauphin), Thomas‑Mann Str., 85080 Gaimersheim, Germany. Email: contactvault@tuta.io.