1. Introduction and scope
This Data Processing Agreement (“DPA”) forms part of the agreement between Resodro AI (“Processor,” “we,” “us,” or “our”) and the organization that accepts this DPA (“Controller,” “you,” or “your”).
This DPA applies when you use the Services (defined below) on behalf of an organization and provide personal data about individuals other than yourself in that capacity (for example employees, contractors, or job candidates). Examples include creating Accounts for staff, uploading their career materials, or storing interview practice data that relates to those individuals.
This DPA does not apply when an individual uses the Services only for their own personal career purposes. In that case, Resodro AI generally acts as described in the Privacy Policy at https://resodro.ai/legal/privacy-policy.
Services means:
- https://resodro.ai and its pages (the “Website”); and
- https://app.resodro.ai (the “App”),
including related features, APIs, and support described in the Terms of Service at https://resodro.ai/legal/terms-of-service.
Incorporation. This DPA is incorporated by reference into the Terms of Service when it applies to you. You may also accept this DPA by checkbox at Account registration (where offered), by executing an order form, or by a separate written agreement. If you execute a separate written agreement with Resodro AI (including an enterprise order form), that agreement controls over this DPA to the extent of any conflict.
Priority. For data-processing matters, this DPA controls over the Terms of Service to the extent of any conflict. For non-data matters (for example billing disputes not involving personal data), the Terms of Service control unless a separate agreement says otherwise.
Contact (privacy and DPA): https://resodro.ai/contact
We have not appointed a separate Data Protection Officer or EU/UK representative. Use the contact page above for privacy and DPA inquiries.
2. Definitions
Capitalized terms not defined here have the meanings in the Terms of Service or Privacy Policy.
| Term | Meaning |
|---|---|
| Applicable Data Protection Law | Laws relating to the processing of personal data that apply to Controller or Processor, including the GDPR, UK GDPR, Digital Personal Data Protection Act, 2023 (India) (“DPDP Act”), and U.S. state privacy laws, as applicable. |
| Controller | The organization that determines the purposes and means of processing personal data submitted to the Services about its personnel or other individuals. |
| Data Subject | An identified or identifiable natural person whose personal data is processed under this DPA. |
| GDPR | Regulation (EU) 2016/679 and, where applicable, the UK GDPR and UK Data Protection Act 2018. |
| Personal Data | Any information relating to a Data Subject that Controller submits to, or that is otherwise processed through, the Services on Controller’s behalf. |
| Processing | Any operation performed on Personal Data (such as collection, storage, use, disclosure, alignment, restriction, erasure, or destruction). |
| Processor | Resodro AI, which processes Personal Data on behalf of Controller under this DPA. |
| Subprocessor | A third party engaged by Processor to process Personal Data on behalf of Controller. |
| Security Incident | A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed under this DPA. |
3. Roles and responsibilities
3.1 Controller and Processor
| Party | Role |
|---|---|
| You (organization) | Controller for Personal Data you submit about Data Subjects. |
| Resodro AI | Processor for that Personal Data, processing only on your documented instructions as described in this DPA and the Terms of Service. |
3.2 Controller obligations
You represent and warrant that:
- you have a lawful basis (and, where required, appropriate notices and consents) to submit Personal Data to the Services and to instruct us to process it;
- you will provide privacy notices to Data Subjects that accurately describe processing through Resodro AI, including AI Features and Subprocessors as described at https://resodro.ai/legal/subprocessors and in the Privacy Policy;
- you will not submit Personal Data about children under 18 (the Services are not intended for children);
- you will not instruct us to process special categories of personal data (for example health data, biometric data used to uniquely identify an individual, or government ID numbers) unless you have a lawful basis and we have agreed in writing where required;
- your instructions comply with Applicable Data Protection Law and our Acceptable Use Policy at https://resodro.ai/legal/acceptable-use-policy; and
- you have authority to bind your organization to this DPA.
3.3 Processor obligations
We will process Personal Data only:
- to provide, maintain, secure, and improve the Services;
- to comply with law and enforce our Terms and policies;
- as described in the Privacy Policy, Cookie Policy, and Subprocessors list; and
- on your documented instructions through your use of the Services and reasonable written instructions that are consistent with the Services.
If we believe an instruction violates Applicable Data Protection Law, we will inform you without undue delay.
4. Subject matter, duration, and nature of processing
4.1 Subject matter
Processing of Personal Data submitted by Controller through the Services to operate career-development and recruitment-related tooling Controller enables for designated Data Subjects.
4.2 Duration
Processing continues for the term of your use of the Services and until Personal Data is deleted or returned as described in Section 14, subject to legal retention and backup cycles.
4.3 Categories of Data Subjects
May include, as determined by Controller:
- employees and former employees;
- contractors and consultants;
- job applicants and candidates; and
- other individuals whose data Controller uploads or generates in the App.
4.4 Categories of Personal Data
Depending on features used, Personal Data may include:
| Category | Examples |
|---|---|
| Account and identity | Name, email, phone, identifiers used for authentication, sign-in-provider metadata where applicable, records of contractual/legal acceptance captured at onboarding where required |
| Professional profile | Work history, education, skills, certifications, career targets, job descriptions, references, optional profile photos |
| Career documents | Resumes, cover letters, imported files users choose to submit, drafts and exports |
| Interview data | Audio (and optional video where enabled), transcripts, coaching-style feedback, technical exercise submissions where offered, session metadata |
| Job search | Preferences, rankings or scores presentation, saved selections, statuses you assign, notification settings |
| Usage and technical | Feature usage indicators used for service operation/security/limit enforcement where applicable; logs; IP address; device/browser data; identifiers via cookies/session mechanisms described in our Cookie Policy |
| Support | Help request content submitted through supported channels |
| Billing-related | Subscription status and identifiers as between Resodro AI and merchant-of-record processors (payment card numbers are ordinarily handled solely by payment processors) |
Controller should avoid submitting unnecessary sensitive data (see Section 3.2).
4.5 Processing operations
Processing may include hosting; storage and retrieval; organization; AI-assisted drafting, evaluation, and transformation; transcription; relevance assistance for job postings; transactional communications; aggregation/display of third-party postings; backups; security monitoring; deletion; and support.
4.6 AI Features
Personal Data may be submitted to AI Subprocessors only to provide the Services you enable. The current Subprocessors list identifies relevant categories and providers. Controller is responsible for informing Data Subjects as required and reviewing AI outputs before external use, as described in the Terms of Service and Disclaimer at https://resodro.ai/legal/disclaimer.
5. Documented instructions
5.1 Instructions through the Services
Your primary instructions are:
- your configuration and use of the Services (including Account settings, features enabled, and content submitted); and
- the Terms of Service, this DPA, and applicable policies.
5.2 Additional written instructions
You may send additional written instructions to https://resodro.ai/contact if they are:
- consistent with the Services’ functionality;
- technically feasible; and
- compliant with Applicable Data Protection Law.
We may charge reasonable fees for non-standard requests that require material engineering effort.
5.3 Unlawful instructions
We will not follow instructions we reasonably believe are unlawful. We will notify you where permitted by law.
6. Confidentiality
We ensure that persons authorized to process Personal Data are bound by confidentiality obligations (contractual or statutory) and process Personal Data only as instructed.
7. Security measures
7.1 Technical and organizational measures
We implement appropriate technical and organizational measures designed to protect Personal Data against Security Incidents, taking into account the nature of processing and risks involved. Measures may include, as applicable:
- access controls and authentication (including optional multi-factor authentication where supported);
- session security mechanisms for the App as described at a high level in our Cookie Policy;
- encryption in transit (TLS) for data transmitted over public networks;
- logical separation within our systems appropriate to a multi-tenant service;
- password safety checks using industry-appropriate methods where used;
- monitoring and logging for security and abuse prevention;
- backup and recovery procedures; and
- vendor management for Subprocessors.
We do not currently publish a SOC 2 report or dedicated security certifications page. Specific measures may evolve over time.
7.2 Controller security responsibilities
You are responsible for:
- safeguarding Account credentials;
- configuring sign-in methods appropriately for your organization;
- managing who in your organization may access Data Subjects’ data in your Account; and
- promptly notifying us at https://resodro.ai/contact if you suspect unauthorized access.
7.3 No absolute guarantee
You acknowledge that no method of transmission or storage is completely secure. See the Disclaimer and Terms of Service limitation of liability.
8. Subprocessors
8.1 Authorization
You provide general written authorization for us to engage Subprocessors as listed and categorized at:
https://resodro.ai/legal/subprocessors
That page is the authoritative inventory for named providers and categories. This DPA does not replace that page for day-to-day updates.
8.2 Changes to Subprocessors
We may add or replace Subprocessors. We will update the Subprocessors page and, where required by Applicable Data Protection Law, notify Controller of material changes (for example by email to the Account email or a notice in the App) with reasonable advance notice (typically at least 30 days).
If you object to a new Subprocessor on reasonable data-protection grounds, contact https://resodro.ai/contact within the notice period. If we cannot accommodate your objection through commercially reasonable alternatives, you may terminate the affected Services as your sole remedy, subject to the Cancellation and Refund Policy for prepaid fees.
8.3 Subprocessor agreements
We impose data protection obligations on Subprocessors through contracts or standard terms that require appropriate protection of Personal Data, to the extent applicable to the service.
9. International transfers
Personal Data may be processed in India and in other countries where we or our Subprocessors operate (including the United States and other regions where cloud services are provided).
Where Applicable Data Protection Law requires safeguards for transfers (for example from the EEA, UK, or Switzerland), we will implement appropriate mechanisms, which may include:
- Standard Contractual Clauses approved by the European Commission (Module Two: Controller to Processor, and/or Module Three as applicable), incorporated by reference into this DPA upon request or as set out in Annex B (if we provide an execution copy);
- the UK International Data Transfer Addendum or UK IDTA, where required for UK transfers; and
- other lawful transfer tools or derogations where applicable.
You may request information about transfer mechanisms at https://resodro.ai/contact.
India: Cross-border transfers under the DPDP Act are subject to applicable rules and notifications. Controller is responsible for ensuring lawful transfer mechanisms for data it originates outside India, where required.
10. Assistance with Data Subject rights
10.1 Controller’s primary responsibility
Data Subjects should direct requests to exercise rights (access, correction, deletion, restriction, portability, objection, and others) to Controller, not to Resodro AI as their employer or data controller.
10.2 Processor assistance
Taking into account the nature of processing, we will assist Controller by appropriate technical and organizational measures, where possible, in responding to Data Subject requests, including:
- in-app settings where available (for example Account deletion flows); and
- requests sent to https://resodro.ai/contact that identify Controller, the Data Subject, and the right exercised.
We may require Controller to confirm authority and scope. We will respond within timeframes required by Applicable Data Protection Law, typically within 30 days unless extended where permitted.
10.3 Fees
We do not charge for reasonable assistance. Manifestly unfounded or excessive requests may be refused or charged a reasonable fee where permitted by law.
11. Security incidents
11.1 Notification
We will notify Controller without undue delay after becoming aware of a Security Incident affecting Personal Data processed under this DPA, and in any event within 72 hours where notification is required under the GDPR.
11.2 Content of notice
Notice will include, to the extent known:
- description of the nature of the incident;
- categories and approximate number of Data Subjects and records concerned;
- likely consequences; and
- measures taken or proposed to address the incident.
We may provide updates as more information becomes available.
11.3 Cooperation
We will cooperate with Controller’s reasonable requests for information needed for Controller’s regulatory notifications, subject to confidentiality and legal restrictions.
11.4 Controller notification to us
Controller will notify us without undue delay at https://resodro.ai/contact if Controller becomes aware of a Security Incident affecting the Services or credentials used to access them.
12. Data protection impact assessments and prior consultation
We will provide reasonable assistance to Controller with data protection impact assessments and prior consultations with supervisory authorities, where required by Applicable Data Protection Law, taking into account the nature of processing and information available to us. Additional fees may apply for extensive assistance beyond standard support.
13. Audits and reports
13.1 Information
Upon reasonable written request no more than once per 12 months, we will provide information reasonably necessary to demonstrate compliance with this DPA (for example a summary of security measures and the current Subprocessor list), subject to confidentiality.
13.2 Audits
If required by Applicable Data Protection Law and not satisfied by the information above, Controller may conduct an audit (or appoint an independent auditor bound by confidentiality) during normal business hours with at least 30 days’ notice. Audits must:
- not unreasonably interfere with our operations;
- protect confidential information of Resodro AI and other customers; and
- be limited to processing relevant to Controller.
Controller bears its own costs unless an audit reveals material non-compliance attributable to us.
We do not currently offer SOC 2 Type II reports.
14. Return and deletion of Personal Data
14.1 During the term
Controller may delete User Content through the Services where features allow, and may request Account deletion through in-app settings or https://resodro.ai/contact.
14.2 Account deletion grace period
Account deletion may be subject to a grace period (for example 30 days) during which deletion may be canceled by signing in again, as described in the Terms of Service.
14.3 After termination
Upon termination of the Services or this DPA, we will delete or de-identify Personal Data from active systems within a reasonable period, unless:
- Applicable Data Protection Law requires retention; or
- backup copies persist for a limited period under our backup cycle (backups are overwritten on a rolling basis).
14.4 Operational retention
Certain categories of operational data may have default retention schedules that vary by feature and deployment. Retention specifics for product areas are summarized in the Privacy Policy where we publish them.
14.5 Return on request
If Controller requires export before deletion and the Services support export for the relevant data, Controller should complete export before requesting deletion. We are not obligated to provide proprietary formats beyond standard export features.
15. California and U.S. state privacy laws
Where Controller is a business subject to the California Consumer Privacy Act / CPRA or similar U.S. state laws and provides Personal Data to us, the parties agree that Resodro AI processes Personal Data as a service provider / processor on Controller’s behalf. We will not:
- sell or share Personal Data (as those terms are defined under applicable U.S. state law) for cross-context behavioral advertising;
- retain, use, or disclose Personal Data for any purpose other than performing the Services, as permitted by law, or as instructed by Controller; or
- combine Personal Data with data we receive from other sources except as permitted by applicable law.
Controller will not provide us with sensitive personal information unless permitted and necessary for the Services.
16. Restricted transfers and sanctions
Controller will not provide Personal Data subject to export control or sanctions restrictions in a manner that would cause us to violate applicable law. Controller represents that it is not prohibited from using the Services under applicable sanctions or export rules.
17. Liability
Liability arising from processing under this DPA is subject to the limitation of liability and indemnification provisions in the Terms of Service (including the cap at the greater of fees paid in the prior 12 months or USD 100, and exclusions for indirect damages), except where liability cannot be limited under Applicable Data Protection Law (for example certain GDPR violations where fault is established).
Each party’s liability under this DPA is aggregate with liability under the Terms of Service unless a separate written agreement states otherwise.
18. Dispute resolution and governing law
For disputes relating to this DPA, the governing law, informal resolution, arbitration, and courts provisions in Section 25 of the Terms of Service apply, except where mandatory data protection law of the EEA, UK, or Controller’s establishment requires otherwise.
Nothing in this DPA prevents Data Subjects from lodging complaints with supervisory authorities where they have that right under Applicable Data Protection Law.
19. Changes to this DPA
We may update this DPA from time to time. We will post the current version at https://resodro.ai/legal/data-processing-agreement and update the “Last updated” date at the top.
For material changes, we may provide additional notice (for example, by email to your Account email, a notice in the App, or a banner on the Website).
Changes apply going forward and do not reduce data protection for Personal Data already processed where prohibited by law.
Your continued use of the Services for organizational processing after the “Last updated” date constitutes acceptance where permitted by law. If you do not agree, stop submitting Personal Data about others through the Services and contact us regarding termination.
If you do not agree and have a paid subscription, you may cancel as described in the Cancellation and Refund Policy at https://resodro.ai/legal/cancellation-and-refund-policy.
20. Related documents
| Document | URL |
|---|---|
| Terms of Service | https://resodro.ai/legal/terms-of-service |
| Privacy Policy | https://resodro.ai/legal/privacy-policy |
| Cookie Policy | https://resodro.ai/legal/cookie-policy |
| Acceptable Use Policy | https://resodro.ai/legal/acceptable-use-policy |
| Subprocessors | https://resodro.ai/legal/subprocessors |
| Cancellation and Refund Policy | https://resodro.ai/legal/cancellation-and-refund-policy |
21. Contact
Resodro AI (Processor)
Kankarbagh, Patna, Bihar-800020, India
DPA and privacy inquiries: https://resodro.ai/contact
Website: https://resodro.ai
ANNEX A: Details of processing
| Item | Description |
|---|---|
| Controller | The organization accepting this DPA |
| Processor | Resodro AI |
| Subject matter | Career-related tooling delivered through the Website and App for Controller’s designated Data Subjects |
| Duration | Term of use plus deletion/backup handling in Section 14 |
| Nature and purpose | Hosting; AI-assisted career tools; browsing third-party postings; interview practice tooling; operational security and support; subscription status referencing merchant-of-record processing |
| Categories of Data Subjects | Employees, contractors, candidates, and others designated by Controller |
| Categories of Personal Data | As in Section 4.4 |
| Special categories | Not intended unless agreed in writing with a lawful basis |
| Frequency | Continuous during use |
| Storage / processing geography | Primarily Processor’s operational base and Subprocessor regions; see Privacy Policy transfer section |
ANNEX B: International transfer mechanisms (EEA / UK / Switzerland)
Where Controller is established in the EEA, UK, or Switzerland (or Applicable Data Protection Law otherwise requires safeguards for transfers to India or other countries), the parties agree as follows:
B.1 Standard Contractual Clauses (EU)
The EU Commission 2021 Standard Contractual Clauses for the transfer of personal data to third countries (Controller to Processor), as currently published by the European Commission, are incorporated by reference into this DPA and deemed executed between the parties upon:
- Controller’s acceptance of this DPA; or
- Controller’s written request for a countersigned copy (contact https://resodro.ai/contact).
Module: Module Two (Controller to Processor), unless the nature of processing requires Module Three, in which case the parties will specify in writing.
Clause selections (summary):
| Topic | Selection |
|---|---|
| Docking clause (Clause 7) | Optional; third parties may accede only with agreement |
| Redress (Clause 11) | As in SCCs |
| Governing law for SCCs (Clause 17) | Law of Ireland (or another EU Member State agreed in writing) for EEA Controllers |
| Supervisory authority (Clause 18) | As determined by Controller’s establishment under GDPR |
| Technical and organizational measures (Annex II) | Refer to Section 7 of this DPA and supplementary materials provided by Processor where that is standard practice |
B.2 UK addendum
For transfers subject to the UK GDPR, the UK International Data Transfer Addendum to the EU SCCs (version approved by the UK Information Commissioner’s Office) applies and is incorporated by reference, with the UK Addendum tables completed to align with Annex B.1.
B.3 Supplementary measures
The parties acknowledge that transfers may require supplementary measures. Processor describes baseline measures at a high level in Section 7. Controller may request additional information at https://resodro.ai/contact, subject to confidentiality.
B.4 Conflicts
If SCCs or the UK Addendum conflict with this DPA, the SCCs or UK Addendum prevail for the restricted transfer to the extent of the conflict.
ANNEX C: Subprocessors
The authoritative list of Subprocessors is maintained at:
https://resodro.ai/legal/subprocessors
Controller should review that page periodically or rely on change notices under Section 8.2.