
Data Processing Agreement

DPA

Last updated: May 2026

This Data Processing Agreement (“DPA”) governs how Penroll processes personal data on behalf of Customers in the course of providing the Penroll service. It forms part of the Terms of Service and supersedes any prior arrangement on the same subject.

1. Roles

For data the Customer or its candidates submit to Penroll — recruiter accounts, candidate CVs, screening answers, offer letters, and any other content created in the dashboard — the Customer acts as the data Controller and Penroll acts as the Processor. Penroll processes the data only on documented instructions from the Customer, which instructions are reflected in the configuration of the Customer’s workspace.

2. Scope and duration

Processing under this DPA continues for as long as the Customer uses Penroll. Upon termination, candidate data is retained for the period set out in the Privacy Policy (currently 90 days post-rejection / inactivity) and then deleted from production storage. Backups expire on a 30-day rolling window.

3. Categories of data

4. Sub-processors

Penroll engages the sub-processors listed at /legal/sub-processors. We give 14 days’ notice via email and a banner in the dashboard before adding a new sub-processor. Customers on the Scale or Enterprise plan may object in writing during the notice period; we will work in good faith to find an acceptable alternative.

5. Security measures

6. International transfers

Personal data is stored on EU-resident infrastructure. Where a sub-processor operates outside the EU (e.g. AI model providers located in the US), the transfer is governed by the European Commission’s Standard Contractual Clauses (SCCs) and additional technical safeguards (prompt redaction, data minimisation).

7. Breach notification

Penroll will notify affected Customers without undue delay — and in any event within 72 hours — of becoming aware of a personal data breach. The notification will include the nature of the breach, the categories and approximate number of data subjects and records concerned, likely consequences, and the measures we have taken or propose to take.

8. Data subject rights

Penroll provides tools in the dashboard for Customers to fulfil their obligations under GDPR Articles 15–22 (access, erasure, rectification, portability, objection). Where a Customer cannot self-serve a request, Penroll will assist within 30 days of a written request to privacy@penroll.app.

9. Audits

On reasonable written notice (no more than once per twelve-month period), Customers on the Scale or Enterprise plan may request a report covering Penroll’s compliance with this DPA. Penroll will respond with our current security posture and any attestations available.

10. Signing

For Customers who require a signed copy, email privacy@penroll.app and we will return a signed PDF within two business days. For Free and Starter plans, the publicly posted version of this DPA is the legally binding agreement.

This DPA is a template document. For complex deployments — healthcare, regulated industries, public-sector procurement — please get in touch to negotiate a bespoke agreement.