Draft Document - Legal Review Required

This document is a draft and requires review by qualified legal counsel before publication. The content herein does not constitute legal advice.

Data Processing Agreement

Last Updated: February 25, 2026

v1.0

B2B Data Processing Agreement

This Data Processing Agreement ("DPA") governs how SafeReq Inc. ("SafeReq," "we," "us") processes personal information on behalf of business customers ("Customer," "you") who upload job requisition documents and other employment-related content for compliance analysis. SafeReq acts as a Service Provider (data processor) under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). This DPA supplements and is incorporated into our Terms of Service.

1. Definitions

For purposes of this Data Processing Agreement, the following terms have the meanings set forth below:

  • "Customer" (also "Data Controller" or "Business") means the business entity that has entered into a service agreement with SafeReq and on whose behalf personal information is processed.
  • "SafeReq" (also "Service Provider" or "Data Processor") means SafeReq Inc., acting as a Service Provider as defined under CCPA § 1798.140(ag).
  • "Personal Information" has the meaning set forth in CCPA § 1798.140(v) and includes any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
  • "Processing" means any operation or set of operations performed on Personal Information, including but not limited to collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, combination, restriction, erasure, and destruction.
  • "Services" means SafeReq's job requisition compliance analysis platform, including automated analysis through the JobReqIQ engine, manual review by compliance specialists (where applicable), and related reporting and account management features.
  • "Sub-processor" means any third party engaged by SafeReq to process Personal Information on behalf of Customer in connection with the Services.
  • "Security Incident" means any unauthorized access, acquisition, use, or disclosure of Personal Information that compromises the security, confidentiality, or integrity of such information.
  • "Consumer" has the meaning set forth in CCPA § 1798.140(i) and refers to any natural person who is a California resident.

2. Scope and Purpose of Processing

2.1 Service Provider Role

SafeReq processes Personal Information solely as a Service Provider on behalf of Customer and only for the specific business purposes described in this DPA and the Terms of Service. SafeReq does not sell Personal Information, does not share Personal Information for cross-context behavioral advertising, and does not retain, use, or disclose Personal Information for any purpose other than performing the Services specified herein.

2.2 Business Purposes

SafeReq processes Personal Information exclusively for the following business purposes:

  • Receiving, parsing, and analyzing job requisition documents submitted by Customer for potential areas of concern under California employment law
  • Running automated compliance analysis through the JobReqIQ detection engine
  • Facilitating manual review by compliance specialists (on applicable service tiers)
  • Storing analysis results, findings, and reports in SafeReq's PostgreSQL database for Customer retrieval
  • Maintaining Customer user accounts, authentication, and role-based access control
  • Processing billing transactions and maintaining credit ledger records
  • Providing customer support related to the Services
  • Maintaining, monitoring, and improving the security and functionality of the Services

2.3 Types of Personal Information Processed

In connection with the Services, SafeReq may process the following categories of Personal Information on behalf of Customer:

  • Contact identifiers: Names, email addresses, and phone numbers of Customer's authorized users
  • Professional information: Company name, job titles, and department of Customer's authorized users
  • Job requisition content: The text and content of job postings, job descriptions, and related documents submitted for analysis, which may incidentally contain names or other identifiers of individuals
  • Account data: Usernames, hashed passwords, authentication tokens, and role assignments
  • Usage data: Platform activity logs, analysis request history, and feature usage records
  • Billing data: Transaction records and credit ledger entries (payment card data is handled exclusively by Stripe and never touches SafeReq systems)

2.4 Data Subjects

The data subjects whose Personal Information may be processed include Customer's employees and authorized users of the SafeReq platform, as well as any individuals whose Personal Information may be incidentally included in job requisition documents submitted by Customer for analysis.

3. SafeReq's Obligations as Service Provider

3.1 CCPA/CPRA Service Provider Certifications

SafeReq certifies that it understands and will comply with the restrictions and obligations set forth in CCPA/CPRA applicable to Service Providers. Specifically, SafeReq certifies that it:

  • Will not sell or share Personal Information received from Customer
  • Will not retain, use, or disclose Personal Information for any purpose other than performing the Services specified in this DPA, including for any commercial purpose other than providing the Services
  • Will not retain, use, or disclose Personal Information outside the direct business relationship between SafeReq and Customer
  • Will not combine Personal Information received from Customer with Personal Information received from other sources or collected from SafeReq's own interactions with consumers, except as expressly permitted under CCPA/CPRA
  • Will comply with all applicable provisions of CCPA/CPRA and provide the same level of privacy protection as required thereunder
  • Will notify Customer if it determines that it can no longer meet its obligations under CCPA/CPRA
  • Grants Customer the right to take reasonable and appropriate steps to ensure SafeReq uses Personal Information in a manner consistent with Customer's obligations under CCPA/CPRA

3.2 Security Measures

SafeReq implements and maintains appropriate technical and organizational security measures to protect Personal Information against unauthorized access, alteration, disclosure, or destruction. These measures include but are not limited to:

  • Encryption at rest: All data stored in PostgreSQL databases and file storage is encrypted using AES-256
  • Encryption in transit: All data transmitted between systems is protected by TLS 1.2 or higher
  • Access control: Role-based access control (RBAC) ensuring personnel access only the data necessary for their role
  • Authentication: Secure password hashing, session management with HttpOnly cookies, and account lockout protections
  • Audit logging: Comprehensive logging of all access to and operations on Personal Information
  • Network security: Firewalls, network segmentation, and DDoS protection via cloud infrastructure
  • Data isolation: Multi-tenant architecture with strict organization-level data segregation; every database query filters on the Customer's organization identifier
  • Vulnerability management: Regular security assessments, dependency scanning, and timely patch application
  • Employee training: Mandatory data privacy and security training for all personnel with access to Personal Information

3.3 Confidentiality

SafeReq ensures that all personnel authorized to process Personal Information are bound by written confidentiality obligations. Access to Customer data is limited to personnel who require it to perform the Services, and all access is logged and subject to periodic review.

4. Sub-processors

4.1 Authorized Sub-processors

Customer acknowledges and agrees that SafeReq may engage the following categories of Sub-processors to assist in providing the Services:

  • Amazon Web Services (AWS): Cloud infrastructure hosting, database hosting, storage, and content delivery. Data is processed and stored in AWS data centers located in the United States.
  • Stripe, Inc.: Payment processing for subscription and credit purchases. Stripe processes billing data as an independent data controller under its own privacy policy. SafeReq does not transmit job requisition content or analysis data to Stripe.
  • Resend (for production email delivery): Transactional email delivery for account notifications, analysis completion alerts, and other service communications. Email content may include recipient names and email addresses.

4.2 Sub-processor Obligations

SafeReq ensures that each Sub-processor is bound by written data protection obligations that are no less protective than those in this DPA, including obligations to:

  • Process Personal Information only for the purposes specified by SafeReq
  • Implement appropriate technical and organizational security measures
  • Notify SafeReq promptly of any Security Incident
  • Delete or return Personal Information upon termination of the sub-processing agreement

4.3 Changes to Sub-processors

SafeReq will notify Customer at least 30 days in advance of engaging any new Sub-processor or making material changes to existing Sub-processor arrangements. Notifications will be sent to the email address associated with the Customer's account. If Customer objects to a new Sub-processor on reasonable data protection grounds, Customer must notify SafeReq in writing within 15 days of receiving the notification. SafeReq will make commercially reasonable efforts to address Customer's objection. If the objection cannot be resolved, either party may terminate the affected Services without penalty upon 30 days' written notice.

5. Data Transfers

All Personal Information processed by SafeReq is stored and processed within the United States. SafeReq does not transfer Personal Information outside the United States unless required to provide the Services and only with appropriate safeguards in place.

If a transfer of Personal Information outside the United States becomes necessary (for example, due to a change in Sub-processor infrastructure), SafeReq will notify Customer in advance and ensure that adequate data protection measures are in place, including any contractual, technical, or organizational safeguards required by applicable law.

6. Data Subject Rights

SafeReq will provide reasonable assistance to Customer in responding to verifiable requests from Consumers exercising their rights under CCPA/CPRA, including:

  • Right to Know: Requests to know what Personal Information has been collected, used, disclosed, or sold
  • Right to Delete: Requests to delete Personal Information held by SafeReq
  • Right to Correct: Requests to correct inaccurate Personal Information
  • Right to Opt-Out of Sale/Sharing: SafeReq does not sell or share Personal Information, so this right is not applicable; however, SafeReq will cooperate with any such requests directed to Customer
  • Right to Limit Use of Sensitive Personal Information: SafeReq will assist Customer in honoring requests to limit the use of sensitive Personal Information, if applicable

Customer is responsible for verifying the identity of data subjects and determining the appropriate response to each request. Upon receiving a verified request from Customer, SafeReq will provide the requested assistance within 10 business days. SafeReq will not independently respond to Consumer requests unless directed to do so by Customer.

7. Data Retention and Deletion

7.1 Retention During Service Term

SafeReq retains Personal Information only for as long as necessary to provide the Services and fulfill the purposes described in this DPA. Job requisition documents and analysis results are retained in SafeReq's PostgreSQL database for the duration of the Customer's active account to enable access to analysis history and reports.

7.2 Deletion Upon Termination

Upon termination of the Services or upon Customer's written request, SafeReq will:

  • Delete all Personal Information within 30 days of the termination date or the date of Customer's request
  • Direct all Sub-processors to delete Personal Information within the same timeframe
  • Provide written certification of deletion upon Customer's request

SafeReq may retain Personal Information beyond the deletion period only where required by applicable law (e.g., tax records, audit logs required by regulation). Any retained data will continue to be protected under the terms of this DPA.

7.3 Data Export

Prior to termination, Customer may request an export of their data in a commonly used, machine-readable format. SafeReq will make such export available within 15 business days of the request.

8. Security Incidents and Breach Notification

8.1 Incident Notification

SafeReq will notify Customer without undue delay, and in no event later than 72 hours, after becoming aware of any Security Incident affecting Customer's Personal Information. Notification will be sent to the primary email address on Customer's account and, where applicable, through the SafeReq platform dashboard.

8.2 Notification Content

Security Incident notifications will include, to the extent reasonably available at the time of notification:

  • A description of the nature of the Security Incident, including the categories of Personal Information affected
  • The approximate number of data subjects and records affected
  • A description of the likely consequences of the Security Incident
  • A description of the measures taken or proposed to address the incident, including measures to mitigate potential harm
  • The name and contact details of SafeReq's designated point of contact for further information

8.3 Cooperation

SafeReq will cooperate with Customer in investigating, mitigating, and remediating any Security Incident. SafeReq will provide ongoing updates as additional information becomes available, assist Customer in meeting any regulatory notification obligations, and provide a post-incident report documenting the root cause, impact, and corrective actions taken.

9. Audits and Compliance Verification

9.1 Audit Rights

Customer may, upon at least 30 days' written notice and no more than once per 12-month period, audit SafeReq's compliance with this DPA. Audits will be conducted during normal business hours and in a manner that does not unreasonably disrupt SafeReq's operations. Customer may engage a qualified, independent third-party auditor (subject to confidentiality obligations acceptable to SafeReq) to conduct the audit.

9.2 Security Documentation

Upon Customer's reasonable request, SafeReq will provide:

  • A summary of SafeReq's current security measures and controls
  • Results of recent penetration tests or security assessments (under NDA)
  • Evidence of employee security training completion
  • Current list of Sub-processors and their security certifications

9.3 Remediation

If an audit reveals material non-compliance with this DPA, SafeReq will promptly develop and implement a remediation plan to address the identified issues. SafeReq will provide Customer with a written remediation plan within 15 business days of the audit findings and will complete remediation within a commercially reasonable timeframe.

10. Liability and Indemnification

10.1 Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service, except that neither party's liability for breach of its data protection obligations, including a Security Incident caused by a party's negligence or willful misconduct, shall be limited by such caps.

10.2 Indemnification

SafeReq will indemnify, defend, and hold harmless Customer from and against any third-party claims, losses, damages, and expenses (including reasonable attorneys' fees) arising from SafeReq's breach of this DPA or its obligations under applicable data protection law, provided that Customer gives SafeReq prompt notice of any such claim, reasonable cooperation, and sole control of the defense and settlement.

11. Term and Termination

This DPA takes effect on the date Customer first uses the Services and remains in effect for as long as SafeReq processes Personal Information on behalf of Customer. The obligations imposed by this DPA regarding the processing and security of Personal Information shall survive any termination or expiration of this DPA for as long as SafeReq retains Personal Information.

Either party may terminate this DPA if the other party materially breaches this DPA and fails to cure such breach within 30 days of receiving written notice. Upon termination, SafeReq's data deletion obligations as set forth in Section 7 apply.

12. Changes to This DPA

SafeReq may update this DPA to reflect changes in legal requirements, our processing activities, or our Sub-processor arrangements. Material changes will be communicated to Customer via email at least 30 days before the changes take effect.

If Customer objects to a material change, Customer may terminate the affected Services by providing written notice within 30 days of receiving the change notification. Continued use of the Services after the effective date of a change constitutes acceptance of the updated DPA.

13. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of California, without regard to its conflict of law principles. Any disputes arising under this DPA shall be resolved in accordance with the dispute resolution provisions set forth in the Terms of Service.

14. Contact Information

For questions about this Data Processing Agreement, to request a signed copy of this DPA, or to exercise data processing rights, please contact:

Privacy Inquiries: privacy@safereq.com
Legal / DPA Requests: legal@safereq.com
Security Concerns: security@safereq.com
Mail: SafeReq Inc., California, United States

This document is provided for informational purposes only and does not constitute legal advice. Please consult a licensed California employment attorney for legal guidance.