Last updated: 27 March 2026

1. Scope and parties

This page describes Data Processing Agreement terms that apply only where ContactVault and a business customer have expressly agreed a Controller/Processor relationship for a defined service scope. Outside such an expressly agreed Controller/Processor arrangement, ContactVault normally acts as an independent Controller for its own core service operations (for example: security, abuse prevention, retention controls, and service administration).

2. Subject matter

Where this DPA applies, ContactVault processes personal data on behalf of the Controller within the agreed service scope to provide applicant-initiated message/CV transmission, related inbox functions, and necessary support operations, as described in this DPA and the Privacy Policy.

3. Duration

This DPA applies for as long as ContactVault processes personal data on behalf of the Controller under the agreed scope.

4. Nature and Purpose of Processing

• Processing applicant-initiated message or application submissions to recipient email addresses designated by the Controller.
• Operating proof‑of‑work, rate limiting, and other security measures necessary to secure the Service.
• Storing encrypted message, thread, and routing context temporarily for verification, delivery, inbox visibility, and accountability.
• Handling unsubscribe requests, suppression lists, and agreed access/session functions where these form part of the defined service scope.

5. Categories of Data Subjects

Applicants, controller-authorized contact persons tied to designated recipient inboxes, and other individuals referenced in résumé/CV content.

6. Types of Personal Data

• Email addresses of Applicants and Recipients.
• Message text and résumé/CV content (education, work history, skills).
• Service metadata (for example timestamps and, at infrastructure level, network metadata such as IP/user-agent when collected in the processing context).
• Thread and routing context (for example job reference, application identifiers, reply mailbox aliases, and structured response markers where relevant to the agreed scope).

7. Obligations of the Processor (where this DPA applies)

• Process personal data within the documented scope agreed with the Controller.
• Ensure confidentiality and train personnel handling personal data.
• Implement appropriate technical and organizational measures, including encryption, access controls, rate‑limiting, and periodic log deletion.
• Assist the Controller in fulfilling data subject rights requests, security, and breach notifications.
• Delete or return personal data upon termination of the Service, unless required by law to retain it.
• Provide reasonable information about relevant processing and safeguards, subject to confidentiality and security constraints.

8. Sub‑Processors

The Controller authorizes the Processor to engage sub‑processors for infrastructure and email delivery as described in the Privacy Policy. The Processor ensures sub‑processors are bound by equivalent data protection obligations.

9. International Transfers

If personal data is transferred outside the EEA/UK, the Processor relies on appropriate safeguards such as Standard Contractual Clauses or other lawful transfer mechanisms. Transfers initiated by the Controller to Recipients outside the EEA/UK are considered necessary for service delivery.

10. Rights of the Controller

• The Controller may audit compliance with this DPA upon reasonable notice, limited to once per year unless required by law.
• The Processor will make available information necessary to demonstrate compliance, subject to confidentiality obligations.

11. Liability

Liability under this DPA is subject to the limitations of liability agreed in the main Terms & Conditions of the Service.

12. Miscellaneous

If any provision of this DPA is invalid or unenforceable, the remaining provisions remain in effect. This DPA is governed by German law. Disputes may be brought before the competent courts of Ingolstadt, Germany, unless mandatory law provides otherwise.

13. Contact

For DPA matters, contact ContactVault (Owner: Louis Dauphin), c/o IP-Management #9147, Ludwig-Erhard-Straße 18, 20459 Hamburg, Germany. Email: Show email .