This DPA forms part of the Terms of Service between you (the controller) and Hi-Mind Ltd (the processor). It applies whenever we process personal data on your behalf.
"Personal data", "controller", "processor", "sub-processor", and "data subject" have the meanings given in GDPR Art. 4.
We process candidate CVs (and the metadata you supply) for the sole purpose of returning structured JSON. Processing ends when your account ends, plus 90 days.
Our staff are bound by enforceable confidentiality obligations. Access to customer data is RBAC-gated, logged, and reviewed quarterly.
TLS 1.3 in transit, AES-256 at rest, 60-second file retention, EU-pinned processing, RBAC, audit logs, quarterly key rotation. Full schedule in our security page.
AWS (compute & storage, eu-west-2), Stripe (billing only). 30 days' notice before any addition; right to object.
We support you in responding to data subject requests within 5 working days of receipt. No additional charge for reasonable volumes.
Default UK/EU only. Where a transfer is necessary, Standard Contractual Clauses (2021/914 module 3) apply by reference.
On termination, we return or delete all personal data within 30 days. Certified deletion logs are available on request.