optichire

Data Processing Agreement

Effective: 11 May 2026

This Data Processing Agreement (“DPA”) is between you, the recruiter using Optichire (“Controller” / data fiduciary), and Optichire (“Processor” / data processor). It is incorporated into our Terms of Service and governs candidate personal data you upload.

1. Roles

  • You determine the purposes and means of processing candidate data: you are the data fiduciary.
  • We process that data only on your documented instructions: we are the data processor.

2. Subject matter and duration

  • Subject matter: storage, parsing, AI-assisted screening, search, and outreach drafting for candidates you add to the Service.
  • Duration: for as long as you maintain an account, plus the deletion windows in our Privacy Policy.
  • Categories of data subjects: job candidates whose data you choose to upload.
  • Categories of personal data: contact details, employment history, skills, resume text, recruiter notes, interview decisions, communication logs.

3. Our obligations

We will:

  • Process candidate data only on your instructions, as expressed through your use of the Service or in writing to privacy@optichire.com.
  • Ensure personnel with access to candidate data are bound by confidentiality.
  • Implement technical and organisational measures appropriate to the risk (see §6).
  • Not engage a sub-processor without first listing them in the Privacy Policy.
  • Assist you in fulfilling data-subject requests within 7 working days of your request.
  • Notify you without undue delay (and in any case within 72 hours) of a personal data breach affecting your data.
  • On termination, delete or return candidate data within 30 days (encrypted backups within 30 days thereafter).

4. Your obligations

You will:

  • Have a lawful basis for uploading each candidate’s data (typically candidate consent or a legitimate hiring use).
  • Provide candidates with required notice that you use an automated screening tool, where law requires it.
  • Respond promptly to candidate access, correction, and erasure requests for candidates you uploaded.
  • Keep candidate data in the Service accurate and minimised to what is necessary.

5. Sub-processors

You authorise us to engage the sub-processors listed in section 6 of our Privacy Policy: Anthropic, Vercel, Neon, Google, PostHog. We will give 30 days’ notice (by email or in-app) before adding a new sub-processor, giving you the chance to object by terminating your account.

6. Security measures

  • TLS 1.2+ for data in transit
  • AES-256 at rest (provided by Neon and Vercel)
  • OAuth-based authentication; production access role-based and logged
  • Server-side validation of every data access by user ID
  • Resume files parsed in memory; only extracted text is persisted
  • Routine dependency updates and security patching
  • Cookie consent before any non-essential tracking is set

7. International transfers

Some sub-processors operate outside India. We rely on the contractual safeguards of each provider and on India’s DPDP Act provisions permitting transfers unless restricted by the Central Government.

8. Audits

On reasonable written notice (no more than once per 12 months, except after a breach), you may request from us evidence of compliance with this DPA, including descriptions of our security controls and recent attestations from our sub-processors where available.

9. Liability

Each party’s liability under this DPA is subject to the limits in the Terms of Service.

10. Changes

Material changes will be notified with at least 7 days’ notice. Continued use of the Service constitutes acceptance.

Questions? Write to privacy@optichire.com.