Data Processing Addendum

1. Roles

For candidate and application personal data submitted through ApplyBrief, the customer is the controller and ApplyBrief is the processor. ApplyBrief processes that personal data only on the customer's documented instructions, including as configured through the product, except where law requires otherwise. For ApplyBrief's own website, account, billing, security, and product data, ApplyBrief is the controller as described in our Privacy Policy.

2. Processing Instructions And Scope

ApplyBrief processes personal data to provide the service: hosting job application pages, collecting and routing candidate applications, sending transactional communications, and the related features the customer enables. The subject matter, duration, nature, and purpose of processing, the types of personal data, and the categories of data subjects are described in the Annex below.

3. Confidentiality

ApplyBrief ensures that personnel authorized to process personal data are bound by appropriate confidentiality obligations and access the data only as needed to provide the service.

4. Security

ApplyBrief implements appropriate technical and organizational measures to protect personal data, including encryption of candidate contact details at rest, access controls, network protections, and monitoring, taking into account the state of the art and the risks of processing.

5. Sub-processors

The customer authorizes ApplyBrief to engage the sub-processors listed on our Sub-processor page, each bound by data-protection terms consistent with this DPA. ApplyBrief will give at least 30 days' notice before adding or replacing a sub-processor that processes the customer's candidate data, and the customer may object on reasonable data-protection grounds.

6. Data-Subject Requests And Assistance

ApplyBrief will, taking into account the nature of the processing, assist the customer with appropriate measures to respond to data-subject requests and to meet the customer's obligations regarding security, breach notification, data protection impact assessments, and prior consultation. If ApplyBrief receives a request directly from a candidate about data the customer controls, ApplyBrief will refer it to the customer or coordinate with the customer.

7. Personal Data Breach

ApplyBrief will notify the customer without undue delay after becoming aware of a personal data breach affecting the customer's personal data and provide information reasonably available to help the customer meet its notification obligations.

8. International Transfers

ApplyBrief is hosted in the United States and operates from Israel, which holds a European Commission adequacy decision. Where personal data is transferred from the EU, the UK, or other regions to a country without an adequacy decision, the parties rely on the applicable Standard Contractual Clauses (and the UK International Data Transfer Addendum where relevant), which are incorporated into this DPA by reference.

9. Return And Deletion

On termination of the service, and at the customer's choice, ApplyBrief will delete or return the customer's personal data, except where retention is required by law. Honoring a specific deletion request may currently involve manual steps; we will action verified requests within a reasonable time.

10. Audits

ApplyBrief will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the customer or an auditor it mandates, subject to reasonable confidentiality and security conditions.

11. Annex — Details Of Processing

• Subject matter & nature: hosting and operating job application experiences and routing candidate applications to the customer.
• Duration: for the term of the customer's use of the service, plus any legally required retention.
• Categories of data subjects: candidates and applicants; the customer's account users.
• Types of personal data: identifiers and contact data (name, email, phone), contact-channel preference, screening/application answers, communications metadata, and technical/log data. ApplyBrief uses a no-CV flow and does not collect resumes by default; sensitive data is not requested unless the customer lawfully configures it.
• Sub-processors: as listed on the Sub-processor page.

12. How To Request This DPA

To execute a countersigned DPA or ask about data processing, contact privacy@applybrief.com. This published DPA applies to customers using ApplyBrief; a signed agreement, where one exists, controls in case of conflict.