HiringCoachAI

Data Processing Agreement (template)

Last reviewed 2026-05-18

This template governs the Processing of Personal Data between Elite Ad Operations, LLC d/b/a JumpYield ("HiringCoachAI") and its customer ("Customer"). It supplements the Terms of Service and is incorporated by reference where a Customer requires a DPA.

A PDF rendering of this document (with signature blocks) is provided on request by emailing [email protected].


1. Definitions

Terms not defined here have the meanings given in the GDPR (EU 2016/679), UK GDPR, and the California Consumer Privacy Act as amended by the CPRA. "Processing" includes collection, use, storage, disclosure, erasure.

2. Roles

For Personal Data submitted by Customer or its end users to the HiringCoachAI service, Customer is the Controller (or "business" under CCPA) and HiringCoachAI is the Processor (or "service provider"). For Personal Data we collect directly about Customer personnel administering the service, we act as a Controller.

3. Subject-matter and scope

  • Nature and purpose: delivering the HiringCoachAI career coaching and job-search platform.
  • Categories of data subjects: Customer's end users (individuals using the service).
  • Categories of personal data: contact details, resumes, job-application content, career history, generated AI output, usage data, authentication identifiers.
  • Duration: for the term of the Agreement, plus deletion period per the data retention policy after termination.

4. Instructions

HiringCoachAI processes Personal Data only on Customer's documented instructions, which are deemed to include:

  • Provision of the service per the ToS
  • Support and incident response
  • Legal obligations

5. Confidentiality

Personnel with access to Personal Data are subject to written confidentiality obligations. See the access control policy.

6. Security

HiringCoachAI implements technical and organizational measures described in Annex 1, aligned with NIST CSF 2.0 and CIS Critical Controls v8 IG1, including:

  • HTTPS in transit with HSTS and managed certificates; Cloudflare edge minimum TLS is set to TLS 1.2 and TLS 1.3 is enabled
  • Administrator and non-administrator authorization enforced in API routes and Firestore Security Rules; default-deny database rules with user-scoped access
  • Append-only audit log with two-year retention covering sign-in, sign-out, session, account, MFA enrollment and challenge, OAuth account-linking, account-deletion, AI-feedback, cookie-consent, and administrator events
  • Static analysis and dependency scanning (SAST, SCA, SBOM); unauthenticated external DAST baseline; authenticated pre-release DAST smoke; vulnerability triage with documented SLAs per the Patch Management Policy
  • Secure SDLC with code review

7. Sub-processors

Customer authorizes HiringCoachAI to engage the sub-processors listed at https://hiringcoach.ai/sub-processors, and future sub-processors subject to:

  • 30 days' advance notice (via trust-center update plus email if Customer subscribes)
  • Customer's right to object for reasonable cause within the notice period
  • HiringCoachAI remaining liable for sub-processor performance

If HiringCoachAI engages a new sub-processor over Customer's timely reasonable objection, Customer may terminate the affected portion of the service for convenience, without penalty, by written notice within 30 days of HiringCoachAI's decision to proceed. HiringCoachAI will refund any prepaid fees on a prorated basis for the terminated portion.

Each sub-processor is bound by data-protection terms no less protective than this DPA.

8. Data-subject requests

Taking into account the nature of the Processing, HiringCoachAI assists Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligation to respond to data-subject requests under Chapter III of the GDPR (Art. 28(3)(e)). Assistance includes the self-service tools made available to Customer's end users (account deletion at /account/delete, data export at /account/export, cookie-consent management) and processor-level support for verified requests routed through Customer. Where HiringCoachAI receives a data-subject request directly, we will forward it to Customer and will not act on it except as required by law or on Customer's documented instruction.

9. Personal-data breach

HiringCoachAI notifies Customer without undue delay, and in any event within 72 hours of confirming a qualifying personal-data breach, per the breach notification policy. Where investigation-stage facts indicate Customer Personal Data may be affected before confirmation, HiringCoachAI provides preliminary notice when required by the Agreement, DPA, or applicable law. Initial notice may be preliminary; HiringCoachAI will update Customer as material facts are established. Notice includes the nature and scope of the breach, categories and approximate number of records or individuals affected to the extent known, the contact for follow-up, likely consequences, and measures taken or proposed.

10. Data-protection impact assessments

HiringCoachAI provides reasonable assistance with DPIAs and prior consultations with supervisory authorities.

11. International transfers

Personal Data may be transferred to the United States. Transfers rely on:

  • The 2021 EU Standard Contractual Clauses (Commission Decision (EU) 2021/914), Module 2 (controller to processor), which are incorporated by reference
  • The UK International Data Transfer Addendum where UK data subjects are involved
  • Adequacy decisions where applicable

For the purposes of Clauses 17 and 18 of the 2021 EU Standard Contractual Clauses, the parties select Irish law and the Irish courts, unless Clauses 17–18 specify a different governing law and forum based on Customer's place of establishment. The UK International Data Transfer Addendum is governed by the laws of England and Wales, with disputes subject to the exclusive jurisdiction of the English courts.

12. Return or deletion

On termination, HiringCoachAI deletes Personal Data per the data retention policy. Customer may request export before deletion via the standard account-export feature or, for bulk needs, via [email protected].

For planned service retirement, business wind-down, or other planned discontinuation of the HiringCoachAI service, HiringCoachAI will provide at least 90 days' advance notice where legally permitted and operationally feasible, and will maintain commercially reasonable export or migration assistance during that transition period. If a bankruptcy proceeding, court order, legal obligation, or security emergency prevents a full 90-day period, HiringCoachAI will provide as much notice and export assistance as legally and operationally possible.

13. Audit

Customer may audit HiringCoachAI's compliance by:

  • Reviewing our published trust-center documentation
  • Receiving our completed HECVAT 4.1.5 response and evidence bundle
  • If those resources are not sufficient for Customer's risk posture, requesting a reasonable third-party audit or evidence-review process, subject to mutually agreed confidentiality, scope, timing, and cost allocation, with at least 60 days' notice and conducted outside business-critical windows

14. Accessibility

HiringCoachAI will maintain the HiringCoachAI web application against a contractual accessibility baseline of WCAG 2.1 Level AA, with WCAG 2.2 Level AA as a stated forward-looking target, and will provide its current Accessibility Conformance Report / VPAT at https://hiringcoach.ai/vpat. Verified accessibility defects are triaged and remediated under the response and remediation commitments in the public accessibility statement, subject to any documented exceptions in the current ACR / VPAT.

15. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the underlying Agreement between the parties. Nothing in this DPA limits or excludes any liability that cannot be limited or excluded under applicable law, including, where applicable, GDPR Art. 82 and equivalent provisions of UK GDPR and U.S. state privacy law.

16. Term and termination

This DPA takes effect on execution and continues while HiringCoachAI processes Customer's Personal Data.

17. California (CCPA / CPRA)

HiringCoachAI acts as a "service provider" and will not:

  • Sell or share Personal Data
  • Retain, use, or disclose Personal Data outside the business purposes in this DPA
  • Combine Personal Data with other sources except as permitted by CPRA §1798.140(ag)(1)(C)

HiringCoachAI certifies its understanding of these restrictions.

18. Governing law

This DPA is governed by the law and venue specified in the main Agreement between HiringCoachAI and Customer. If no such agreement exists or is silent on governing law, this DPA is governed by the laws of the State of California, without regard to its conflict-of-law provisions, and the exclusive venue for disputes arising out of or relating to this DPA is the state and federal courts located in San Francisco, California.

This Section 18 does not displace the governing law and forum provisions of the international transfer instruments incorporated under Section 11, which remain governed by their own choice-of-law and forum clauses.

19. FERPA

HiringCoachAI does not currently solicit or receive "education records" as that term is defined under 34 CFR §99.3 from institutional Customers. The platform processes career content provided directly by individual end users (resumes, application drafts, interview practice content), which is not, by itself, an education record under §99.3.

If Customer is an educational institution subject to the Family Educational Rights and Privacy Act (FERPA) and wishes to share education records with HiringCoachAI or direct end users to share institution-controlled education records through the service, the parties will execute a FERPA addendum before any such records are submitted. That addendum will, at minimum:

  • Designate HiringCoachAI as a "school official" with a legitimate educational interest under 34 CFR §99.31(a)(1)(i)(B), under Customer's direct control with respect to the use and maintenance of the education records,
  • Prohibit redisclosure of education records except as permitted by 34 CFR §99.33(a),
  • Address directory-information handling, parental and eligible-student rights, deletion on Customer request, and retention limits,
  • Identify the categories of education records in scope and any AI processing limits Customer wishes to impose.

In the absence of an executed FERPA addendum, Customer represents that no education records as defined under §99.3 will be submitted to the service.


Annex 1: Technical and organizational measures

Summarized; full detail in HiringCoachAI's compliance policies published at https://hiringcoach.ai/trust.

  • Access control: administrator and non-administrator authorization enforced in API routes and Firestore Security Rules; default-deny database rules with least privilege; TOTP-based application-level multi-factor authentication available as an opt-in user setting; current administrative accounts required by policy to use Google Account MFA; quarterly access review.
  • Encryption: HTTPS in transit with HSTS and managed certificates; at-rest encryption provided by Google Cloud; field-level AES-256-GCM for select restricted fields. Cloudflare edge minimum TLS is set to TLS 1.2 and TLS 1.3 is enabled.
  • Segregation: multi-tenant Firestore with default-deny rules and user-scoped access.
  • Logging: tamper-resistant audit log (2-year retention); Sentry for application errors.
  • Vulnerability management: Dependabot, SAST, SBOM generation through the manual security workflow.
  • Backups: Google Cloud managed durability, Firestore PITR (7-day window), managed daily Firestore backups with 98-day retention, and a US multi-region backup/export bucket with versioning, 90-day soft delete, and a 90-day retention policy.
  • Incident response: documented runbook; 72-hour regulator notification; post-mortem publication.
  • Personnel:
      • Personnel with operational or sensitive-system responsibilities complete security and privacy training at onboarding and annually thereafter
      • Written confidentiality / acceptable-use expectations for approved collaborators
      • Security Officer approval required before sensitive-system access
      • Third-party background screening required before any worker is granted production, customer-data, source-code, or vendor-dashboard access; documented emergency-access exceptions follow the exception process in the patch-management policy
  • Change management: Security Officer review, local pre-push checks, manual security workflows, SDLC doc.

Annex 2: Signatures

Elite Ad Operations, LLC d/b/a JumpYield   Customer
Name:                                      Name:
Title:                                     Title:
Date:                                      Date:
Signature:                                 Signature:

Customers may also countersign via DocuSign on request.

