UUniformCV← Back to home
⚠️ DRAFT — pending legal review and company details finalization. This document is a template. Placeholders (e.g. company address, tax IDs) will be replaced once the final corporate identity and legal review are in place.

UniformCV · Legal

Data Processing Agreement

Article 28 GDPR processor terms between institutions (controllers) and UniformCV (processor).

Effective date: 3 June 2026 · Version 1.0.0

1. Parties and scope

This Data Processing Agreement ("DPA") forms part of the Terms of Servicebetween the Institution ("Controller") and Digifox s.r.o.("Processor", "UniformCV"). It governs Processor's handling of personal data submitted by applicants through Controller's templates and reflects the obligations set out in Article 28 GDPR.

2. Subject matter and duration

Processor processes applicant personal data on behalf of Controller for the sole purpose of providing the Service. Processing starts on account creation and continues for the lifetime of the account plus the retention periods described in the Privacy Policy.

3. Categories of data subjects and data

  • Data subjects:applicants who submit a CV through Controller's template.
  • Categories of data: identity, contact, CV content, optional photograph, consent record, abuse-prevention signals (hashed IP, timestamps). Controller must not collect special categories of data (Art. 9) unless it has a valid legal basis and has informed us in writing.

4. Processing instructions

Processor shall process applicant data only on documented instructions from Controller. The creation and publication of a template, together with acceptance of these Terms, constitute such instructions. Processor will inform Controller if, in its opinion, an instruction infringes the GDPR or other EU data-protection law.

5. Sub-processors

Controller authorises Processor to engage the sub-processors listed in the Privacy Policy. If Processor intends to engage a new sub-processor or replace an existing one, it will give Controller at least 30 days' prior notice by email. Controller may object on reasonable data-protection grounds during that window; if the objection cannot be resolved, Controller may terminate the affected part of the Service and receive a pro-rated refund.

6. Technical and organisational measures

Processor maintains at least the following safeguards:

  • Row-level security (RLS) on every database table, preventing cross-Institution access at the Postgres layer.
  • HTTPS / TLS end-to-end for all traffic; HSTS enabled.
  • Passwords hashed with bcrypt via Supabase Auth; plaintext is never stored.
  • Rate limiting on every public mutation endpoint, per-IP and per-template.
  • IP hashing with a rotating salt so raw IPs are never written to disk.
  • Private storage buckets for applicant photos and generated PDFs; access requires a short-lived signed URL.
  • Image hardening: server-side MIME sniffing, EXIF stripping and downscale before persistence.
  • Principle of least privilege: the service-role key is used only in server-side code paths that justify it, and admin routes are gated by a role check in the database.

7. Assistance to Controller

Processor will assist Controller in fulfilling its obligations to respond to data-subject requests, perform data-protection impact assessments and cooperate with supervisory authorities. Standard assistance is included in the Service; extraordinary assistance may be charged at our then-current professional rates after prior written agreement.

8. Incident response

Processor will notify Controller without undue delay and in any event within 72 hoursafter becoming aware of a personal data breach affecting Controller's data. The notice will describe the nature of the breach, categories and approximate number of data subjects concerned, likely consequences and measures taken or proposed to mitigate its effects.

9. Audits

Processor will make available all information necessary to demonstrate compliance with Article 28 GDPR and will allow for audits, including inspections, conducted by Controller or another auditor mandated by Controller. Audits may be conducted no more than once per 12-month period, with 30 days' written notice, during business hours, subject to reasonable confidentiality undertakings.

10. Return or deletion of data

On termination of the Service, Controller may, within 30 days, export all its data via the dashboard or by written request. After that window, Processor will delete all Controller data, including backups, within a further 30 days, except where retention is required by Union or Member State law (e.g. tax records).

11. Liability

Each party is liable for damages caused by its non-compliance with the GDPR as allocated under Article 82 GDPR. The limitation of liability in the Terms of Service applies to this DPA.

12. Contact

Privacy contact and DPA signatory: privacy@uniformcv.com.