Effective date: April 6, 2026 · Last updated: April 6, 2026
This Data Processing Agreement ("DPA") describes how HireAudit processes personal data on your behalf when you use our compliance intelligence service. It is designed to satisfy the requirements of CCPA/CPRA, GDPR (where applicable), and applicable US state privacy laws.
For enterprise customers who require a countersigned DPA, please contact [email protected].
| Commitment | What it means |
|---|---|
| Purpose limitation | Your data is processed only to deliver your compliance report. No other purpose. |
| No AI training | Your documents and data are never used to train, fine-tune, or evaluate any AI model. |
| 30-day deletion | Uploaded documents are automatically and permanently deleted 30 days after your report is delivered. |
| Immediate deletion | You may request deletion of all your data at any time. We complete it within 48 hours. |
| Breach notification | We notify you within 72 hours of becoming aware of any security incident affecting your data. |
| No data sales | Your data is never sold, rented, or shared with third parties for commercial purposes. |
| Item | Detail |
|---|---|
| Data Processor | HireAudit ("HireAudit") |
| Data Controller | The organization or individual purchasing and using the HireAudit service ("Customer") |
| Governing Law | Commonwealth of Pennsylvania, United States |
This Data Processing Agreement supplements the HireAudit Terms of Service and governs the processing of personal data by HireAudit on behalf of the Customer in connection with the HireAudit compliance intelligence service ("Service"). The parties enter into this DPA to ensure compliance with applicable data protection laws, including but not limited to the California Consumer Privacy Act (CCPA/CPRA), the General Data Protection Regulation (GDPR) where applicable, and applicable US state privacy laws.
Personal Data — Any information relating to an identified or identifiable natural person that is included in the documents uploaded by the Customer to the Service.
Processing — Any operation performed on Personal Data, including collection, storage, use, analysis, deletion, or destruction.
Data Controller — The organization that determines the purposes and means of processing Personal Data — in this context, the Customer who uploads documents to the Service.
Data Processor — HireAudit, which processes Personal Data on behalf of and under the instructions of the Data Controller.
Sub-processor — Any third party engaged by HireAudit to process Personal Data in connection with providing the Service.
HireAudit processes the following categories of data on behalf of the Customer:
| Category | Description | Purpose |
|---|---|---|
| Job description content | Text of uploaded job descriptions | Compliance analysis |
| Interview guide content | Text of uploaded interview guides | Compliance analysis |
| AI vendor names | Names of AI tools disclosed by the customer | Vendor risk assessment |
| Contact information | Name and email of the person submitting the audit | Report delivery and communication |
| Company information | Company name, size, and hiring states | Contextualizing the compliance analysis |
HireAudit does not intentionally collect or process personal data of job applicants or employees. The Customer is responsible for ensuring that any documents uploaded do not contain unnecessary personal data of third parties.
Processing begins when the Customer submits documents to the Service and concludes when:
Compliance findings and report summaries (which do not contain personal data) may be retained for up to 12 months to support the Customer's ongoing compliance work, unless earlier deletion is requested.
5.1 Process only on documented instructions
HireAudit will process Personal Data only for the purpose of delivering the compliance analysis service and for no other purpose. HireAudit will not sell, share, or use Personal Data for marketing, advertising, or AI model training.
5.2 Ensure confidentiality
All personnel with access to Personal Data are bound by confidentiality obligations.
5.3 Implement appropriate security measures
HireAudit implements and maintains: TLS 1.3 encryption for all data in transit, AES-256 encryption for all data at rest, access controls limiting data access to personnel who require it to provide the Service, automated document deletion 30 days after report delivery, and security incident monitoring and response procedures.
5.4 Assist with data subject rights
HireAudit will assist the Customer in responding to requests from individuals exercising their rights under applicable law (access, correction, deletion, portability) within 5 business days of receiving a request.
5.5 Notify of security incidents
HireAudit will notify the Customer within 72 hours of becoming aware of a security incident affecting Personal Data, including a description of the nature of the incident, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the incident.
5.6 Delete data upon request
HireAudit will delete all Personal Data within 48 hours of receiving a written deletion request from the Customer.
5.7 No AI training
HireAudit will not use any Personal Data or document content to train, fine-tune, evaluate, or improve any AI model, including the models used to provide the Service.
HireAudit currently uses the following sub-processors in connection with the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Manus Platform (LLM API) | AI-powered compliance analysis | United States |
| Manus Platform (Object Storage) | Encrypted document storage | United States |
| Manus Platform (Database) | Structured data storage | United States |
| Stripe | Payment processing (does not process document content) | United States |
HireAudit will provide at least 14 days' notice before adding or replacing a sub-processor that processes Personal Data. The Customer may object to a new sub-processor within 14 days of notice; if the parties cannot resolve the objection, the Customer may terminate the Service with a full refund of any prepaid fees.
The Customer agrees to:
The Service is operated from the United States. If the Customer is located outside the United States and uploads documents containing personal data of individuals in the European Economic Area (EEA) or United Kingdom, the parties acknowledge that such transfers are made pursuant to the Customer's determination that an appropriate transfer mechanism exists under applicable law.
Upon reasonable written notice (minimum 30 days), the Customer may request documentation of HireAudit's compliance with this DPA, including security practices and sub-processor agreements. HireAudit will respond to such requests within 15 business days.
Each party's liability under this DPA is subject to the limitations set forth in the HireAudit Terms of Service. HireAudit's total liability for any claim arising from a breach of this DPA shall not exceed the fees paid by the Customer in the 12 months preceding the claim.
This DPA is governed by the laws of the Commonwealth of Pennsylvania, consistent with the HireAudit Terms of Service.
This DPA is incorporated by reference into the HireAudit Terms of Service and is effective upon the Customer's acceptance of the Terms of Service. Enterprise customers requiring a countersigned DPA should contact [email protected].
| Party | Name | Title | Date |
|---|---|---|---|
| HireAudit (Data Processor) | | | |
| Customer (Data Controller) | | | |
Questions about this DPA? [email protected]