DATA PROCESSING ADDENDUM (DPA) + CPRA SERVICE-PROVIDER TERMS
This DPA forms part of the Agreement between THEIA JOBS, Corp ("THEIA") and [Client Legal Name] ("Client").
Effective date: [DATE] | Order Form: [REFERENCE]
1. Scope; Roles; Instructions
(a) Roles. Client is controller/business; THEIA is processor/service provider when processing Personal Data for Client’s hiring purposes.
(b) Instructions. THEIA will process Personal Data only per the Agreement, this DPA, Client’s written instructions, and applicable law.
(c) CPRA Service-Provider. THEIA certifies that it will not sell or share Personal Information and will not combine Personal Information with data from other sources except for permitted business purposes (fraud/security, debugging, service improvement using de-identified data), and that it will assist Client with CPRA obligations.
2. Confidentiality
THEIA ensures personnel who access Personal Data are bound by confidentiality obligations.
3. Security
THEIA maintains appropriate administrative, technical, and physical controls (including encryption in transit/at rest, access controls, logging, vulnerability management, and secure software development practices). Upon request, THEIA will provide a summary of controls and (if available) SOC/ISO reports under NDA.
4. Subprocessors
Client authorizes THEIA to use subprocessors listed at [theiajobs.ai/subprocessors]. THEIA will impose data-protection terms no less protective than this DPA and remains responsible for subprocessor performance. THEIA will provide 15 days’ notice for material changes; Client may object on reasonable grounds. THEIA and Client will work in good faith to resolve objections.
5. Assistance; Requests; DPIAs
THEIA will assist Client with data subject requests (access, deletion, correction, portability), security notices, and data protection impact assessments, considering the nature of processing and available information.
6. Security Incidents
THEIA will notify Client without undue delay and no later than 72 hours after confirming a Security Incident affecting Client Personal Data, providing details and cooperation.
7. Deletion and Return
At termination or upon written request, THEIA will delete or return Client Personal Data within 30 days, subject to legal holds or archival requirements.
8. Audits
No more than once per 12 months, Client may perform a reasonable audit (questionnaire or on-site review) on 30 days’ notice during business hours, without unreasonably disrupting operations. Reports or summaries (e.g., SOC/ISO, pen-test summaries) may satisfy audit requests.
9. International Transfers
Where applicable, the parties incorporate the EU SCCs (Controller-to-Processor) and UK IDTA/Addendum. THEIA will provide a transfer impact assessment summary on request.
10. Order of Precedence
If there is a conflict, this DPA prevails over the Agreement on privacy/security matters; SCCs/UK terms prevail where applicable.
Authorized signatories
[THEIA NAME, TITLE, SIGNATURE, DATE]
[CLIENT NAME, TITLE, SIGNATURE, DATE]
