Data Processing Agreement (DPA)

Last updated: 6 June 2026 · Processor: Vladyslav Maksymenko (Atlas Recruit), Poland · Contact: [email protected]

This DPA forms part of the Terms of Service. It applies where the Customer ("Controller") submits candidate personal data to Atlas Recruit ("Processor"). A countersigned copy is available on request for customers who need one.

1. Roles

The Customer is the Controller of candidate personal data. Atlas Recruit (Vladyslav Maksymenko) is the Processor, processing such data only to provide the Service and on the Controller's documented instructions.

2. Subject matter & duration

Processing covers the screening of CVs/résumés submitted by the Controller, for the duration of the subscription and as needed to provide the Service.

3. Nature & purpose

Automated text analysis of CVs against a job description to produce a fit assessment and draft outreach. AI assists; it does not make hiring decisions.

4. Categories of data & data subjects

Data subjects: the Controller's job candidates.
Data: information contained in CVs (name, contact details, work history, skills, etc.). The Controller must avoid submitting special-category data unless lawfully permitted.

5. Processor obligations

Process only on the Controller's instructions and for the Service.
Ensure persons authorised to process are bound by confidentiality.
Apply appropriate technical and organisational security measures (HTTPS, access control, data minimisation).
By default, candidate documents are processed and not stored after analysis. Where the Controller enables "store results", only minimal fields are retained for the configured period and are deletable.
Assist the Controller with data-subject requests and with security/breach obligations.
Delete or return candidate data on termination, save where law requires retention.
Make available information needed to demonstrate compliance.

6. Sub-processors

The Controller authorises the following sub-processors. We will give notice of intended changes so the Controller may object.

Sub-processor	Purpose	Location
Anthropic, PBC	AI model performing the screening	USA (SCC)
Stripe, Inc.	Payment processing	USA / EU (SCC)
Cloudflare, Inc.	Hosting / content delivery	EU region where configured

7. International transfers

Where personal data is transferred outside the EEA (e.g. to the USA), transfers are made under the EU Standard Contractual Clauses (SCC) and the sub-processors' supplementary safeguards.

8. Security & breach

We maintain measures appropriate to the risk and will notify the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller's data.

9. Audits

On reasonable request and notice, we will provide information necessary to demonstrate compliance with this DPA.

10. Liability & law

Liability is subject to the limitations in the Terms of Service. This DPA is governed by the laws of Poland.

11. Contact

Data protection contact: [email protected].