PAIR – Data Processing Agreement

1. Parties and Scope

This Data Processing Agreement (“DPA”) forms part of the agreement between the customer (“Controller”) and RIGHT-WAY.AI e.U., operating the PAIR platform (“Processor”), regarding the processing of personal data on behalf of the Controller.

2. Subject Matter, Nature and Purpose

The Processor provides AI-based hiring automation services, including the analysis of candidate data, AI-generated summaries and, where enabled, AI screening calls. The Processor processes personal data solely for the purpose of providing the Services as described in the main agreement and this DPA.

3. Categories of Data and Data Subjects

The processing may concern in particular:

Data subjects: job applicants, candidates, customer’s HR staff or other users.
Data categories: identification data (name, contact details), CV and application data, professional background, call and interview data (including recordings and transcripts where applicable), HR evaluation notes and metadata related to the use of the PAIR platform.

4. Duration

This DPA applies for the duration of the underlying service agreement and as long as the Processor processes personal data on behalf of the Controller. Upon termination, data will be returned or deleted in accordance with section 10 and the main agreement.

5. Instructions

The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law.

The Controller’s initial instructions are set out in the main agreement and this DPA. Additional instructions must be mutually agreed and may affect fees or technical feasibility.

6. Confidentiality

The Processor shall ensure that persons authorised to process personal data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.

7. Security of Processing

The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including in particular:

Access controls and authentication mechanisms,
Encryption and pseudonymisation where appropriate,
Secure hosting and network protection,
Regular security updates and monitoring,
Backup and recovery procedures.

More detailed measures may be described in a separate security annex or documentation made available to the Controller.

8. Sub-Processors

The Controller authorises the Processor to engage sub-processors for the provision of the Services, including infrastructure providers, AI service providers and email or communication providers.

The Processor shall conclude written agreements with sub-processors imposing data protection obligations at least equivalent to those set out in this DPA. The Processor shall be responsible for the acts and omissions of its sub-processors.

9. International Data Transfers

Where personal data is transferred to countries outside the EU/EEA that do not provide an adequate level of protection, the Processor shall ensure appropriate safeguards, such as the EU Standard Contractual Clauses and, where necessary, additional technical and organisational measures.

10. Deletion or Return of Data

After the end of the provision of processing services, the Processor shall, at the choice of the Controller, delete or return all personal data and delete existing copies, unless Union or Member State law requires storage of the personal data.

Operational backups may be retained for a limited time period in accordance with the Processor’s retention schedules and will be securely overwritten in due course.

11. Data Subject Requests

Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising data subjects’ rights.

12. Assistance, Audits and Documentation

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, in accordance with the agreed audit procedures.

13. Liability

The allocation of liability between the parties for damages arising from data protection infringements shall follow the applicable provisions of the underlying service agreement and the GDPR.

Data Processing Agreement (DPA)