Data Processing Agreement (DPA)
Last updated: 2 March 2026
1. Scope and parties
This page describes Data Processing Agreement terms that apply only where ContactVault and a business customer have expressly agreed a Controller/Processor relationship for a defined service scope. In standard direct consumer use of ContactVault, ContactVault acts as an independent Controller for core service operations (for example: security, abuse prevention, and retention controls).
2. Subject matter
Where this DPA applies, ContactVault provides résumé and message forwarding services and processes personal data on behalf of the Controller within the agreed service scope, as described in this DPA and the Privacy Policy.
3. Duration
This DPA applies for as long as ContactVault processes personal data on behalf of the Controller under the agreed scope.
4. Nature and Purpose of Processing
- Forwarding résumé/CV and message data from the Controller to designated Recipients.
- Operating proof‑of‑work, rate limiting, and moderation measures to secure the Service.
- Storing encrypted message data temporarily for delivery and verification.
- Handling unsubscribe requests and suppression lists.
5. Categories of Data Subjects
Applicants who submit data, Recipients designated by Applicants, and other individuals referenced in résumé/CV content.
6. Types of Personal Data
- Email addresses of Applicants and Recipients.
- Message text and résumé/CV content (education, work history, skills).
- Service metadata (for example timestamps and, at infrastructure level, network metadata such as IP/user-agent when collected in the processing context).
- Optional data such as newsletter subscription or employer ratings.
7. Obligations of the Processor (where this DPA applies)
- Process personal data within the documented scope agreed with the Controller.
- Ensure confidentiality and train personnel handling personal data.
- Implement appropriate technical and organizational measures, including encryption, access controls, rate‑limiting, and periodic log deletion.
- Assist the Controller with data subject rights requests, security, and breach notifications.
- Delete or return personal data upon termination of the Service, unless required by law to retain it.
- Provide reasonable information about relevant processing and safeguards, subject to confidentiality and security constraints.
8. Sub‑Processors
The Controller authorizes the Processor to engage sub‑processors for infrastructure, email delivery, and content moderation as described in the Privacy Policy. The Processor ensures sub‑processors are bound by equivalent data protection obligations.
9. International Transfers
If personal data is transferred outside the EEA/UK, the Processor relies on appropriate safeguards such as Standard Contractual Clauses or other lawful transfer mechanisms. Transfers initiated by the Controller to Recipients outside the EEA/UK are considered necessary for service delivery.
10. Rights of the Controller
- The Controller may audit compliance with this DPA upon reasonable notice, limited to once per year unless required by law.
- The Processor will make available information necessary to demonstrate compliance, subject to confidentiality obligations.
11. Liability
Liability under this DPA is subject to the limitations of liability agreed in the main Terms & Conditions of the Service.
12. Miscellaneous
If any provision of this DPA is invalid or unenforceable, the remaining provisions remain in effect. This DPA is governed by German law. Disputes may be brought before the competent courts of Ingolstadt, Germany, unless mandatory law provides otherwise.
13. Contact
For DPA matters, contact ContactVault (Owner: Louis Dauphin), Thomas‑Mann Str., 85080 Gaimersheim, Germany. Email: .