Last updated: April 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and CV Tally ("Processor") and governs the processing of personal data as required by Article 28 GDPR.
"Personal Data" means any information in the CVs submitted by the Controller that relates to an identifiable individual.
"Processing" means any operation performed on Personal Data as described herein.
| Subject matter | AI-assisted CV screening and analysis |
|---|---|
| Duration | For the period of the order, maximum 48 hours |
| Nature | Storage, AI analysis, PDF generation, transmission via secure link |
| Purpose | To generate candidate rankings, fit assessments, and interview questions at the Controller's request |
| Data types | CV contents: names, contact details, employment history, education, skills, and any other data contained in uploaded documents |
| Data subjects | Job candidates whose CVs are submitted by the Controller |
The Processor shall:
The Controller authorises the Processor to engage the sub-processors listed in the Privacy Policy (Cloudflare, Anthropic, Resend). The Processor shall ensure sub-processors are bound by equivalent data protection obligations. The Processor will inform the Controller of any intended changes to sub-processors.
The Controller warrants that it has a lawful basis to process and transfer the Personal Data contained in the uploaded CVs, and that it has complied with applicable obligations regarding notice to data subjects.
Processing occurs within the EU where possible. Transfers to Anthropic (USA) are covered by Anthropic's Standard Contractual Clauses. The Controller accepts these transfer mechanisms by submitting CVs for processing.
The Processor shall make available all information necessary to demonstrate compliance with this DPA and allow audits conducted by the Controller or a mandated auditor, upon reasonable notice.
DPA enquiries: privacy@cvtally.com