Data Processing Agreement (DPA)

Effective Date: 1 November 2025

Version: 1.0

Between:

(1) [Customer legal name], the Controller ("Customer"); and

(2) InterviewRelay by Instantflows B.V., a company incorporated in the Netherlands (KvK: 96160861), with registered office at Willem Hioolenstraat 3, 3065 LE Rotterdam, Netherlands, the Processor ("InterviewRelay", "Processor", "we/us").

This DPA forms part of (and is incorporated into) the agreement governing Customer's use of InterviewRelay services (the "Agreement").

1. Background and scope

1.1 Roles. For interview content (audio, transcripts, interview responses, and related metadata), Customer is the Controller and InterviewRelay is the Processor. For website, account, billing, security logs, and marketing data, InterviewRelay acts as Controller under its Privacy Policy (outside the scope of this DPA).

1.2 Purpose. InterviewRelay will process Personal Data only to provide the AI‑conducted voice interview platform (real‑time interview execution, transcription, storage, delivery, and related support), and strictly in accordance with Customer's documented instructions and this DPA.

1.3 MVP note. This DPA meets GDPR Article 28 requirements while keeping operational overhead appropriate for a startup MVP; enterprise features (e.g., SOC 2 reports, extended audit exports) may be added later as referenced alternatives.

2. Definitions

"Data Protection Laws" means GDPR and applicable UK/EU/EEA Member State data protection laws.
"Personal Data", "processing", "Controller", "Processor", and "Data Subject" have the meanings in GDPR.
"Services" means InterviewRelay's AI voice interview SaaS, APIs, and related support.
"Sub‑processor" means a third party engaged by InterviewRelay to process Personal Data for the Services.

3. Details of processing (Article 28(3))

Subject matter: Processing of interview content within the Services.
Duration: Term of the Agreement and retention periods chosen by Customer (see §9).
Nature & Purpose: Real‑time voice interviews, transcription, storage, retrieval, export/webhooks, and translations/localization.
Categories of Data Subjects: Interview participants (candidates/respondents), Customer's staff who configure campaigns.
Types of Personal Data (non‑exhaustive): Participant identifiers (name/email if provided), voice audio recordings, transcripts, responses, timestamps, session/IP/locale metadata, and technical logs tied to sessions. Data model includes invites, sessions, messages, and stored audio/artifacts.

Special categories & biometric data:

Voice recordings constitute biometric data under GDPR Article 9 when used for identification or authentication purposes. Customer MUST NOT use the Services for biometric identification or authentication without:

  • Explicit Article 9(2)(a) consent from participants, AND
  • A completed Data Protection Impact Assessment (DPIA), AND
  • Appropriate safeguards for high-risk processing.

For general interview purposes (candidate assessment, research, feedback collection), voice recordings may be processed under Article 6 lawful basis (typically consent or legitimate interest), but Customer must ensure their use case does not constitute biometric identification. Customer must not intentionally elicit other special category data (health, beliefs, race, etc.) unless a lawful Article 9 basis exists and is documented.

4. Processor obligations

4.1 Instructions. InterviewRelay shall process Personal Data only on documented instructions from Customer, including regarding transfers to third countries, unless required by law. InterviewRelay will notify Customer if an instruction violates Data Protection Laws (where legally permitted).

4.2 Confidentiality. InterviewRelay ensures personnel with access to Personal Data are bound by confidentiality obligations.

4.3 Security (Article 32). InterviewRelay implements appropriate technical and organizational measures ("TOMs") described in Annex 3 (encryption at rest/in transit; Postgres Row‑Level Security; JWT‑based auth; RBAC; signed URLs; rate limiting; monitoring and audit trails).

4.4 Sub‑processors. Customer authorizes InterviewRelay to use Sub‑processors listed in Annex 2 for infrastructure, AI runtime, email, and payments. InterviewRelay imposes data protection obligations on Sub‑processors equivalent to this DPA and will notify Customer 30 days in advance of material changes to the list, allowing objection for reasonable, documented security grounds.

4.5 Assistance. Taking into account the nature of processing and the MVP stage, InterviewRelay will use commercially reasonable efforts to assist Customer with:
(a) Data Subject requests (access, deletion, portability, objection, restriction) via product features and exports;
(b) Security, breach notifications, DPIAs, and prior consultations (see Annex 4 for DPIA assistance details);
(c) Consent records (timestamp, IP, policy version) surfaced to Customer.
Reasonable costs may apply for effort beyond self‑serve features.

4.6 Personal Data breach. InterviewRelay will notify Customer without undue delay and within 72 hours of becoming aware of a Personal Data Breach affecting Customer data. Notifications will include:
(a) The nature of the breach (categories of data, approximate number of records/subjects affected);
(b) Name and contact details of InterviewRelay's data protection contact (business@instantflows.com);
(c) Likely consequences of the breach;
(d) Measures taken or proposed to mitigate and remediate the breach;
(e) Updates as further information becomes available.

InterviewRelay will cooperate with Customer's investigation and regulatory reporting obligations.

4.7 Return/Deletion. Upon termination/expiry of the Agreement or upon Customer request, InterviewRelay shall delete or return Personal Data after the applicable retention period, except where law requires storage. Deletions cascade across transcripts, messages, audio files, and related artifacts.

5. Customer responsibilities

5.1 Lawful basis & notices. Customer is responsible for establishing a lawful basis and providing all required notices to Data Subjects (including disclosure that an AI system conducts the interview). Customer configures scripts to avoid eliciting special category data unless legally permitted and documented.

5.2 Consent. Where required, Customer obtains valid consent; InterviewRelay provides consent capture tooling and stores consent records for evidencing.

5.3 Webhooks & sharing. Customer's configured webhooks/integrations are Customer's own data disclosures; Customer is responsible for securing endpoints and entering required downstream DPAs.

6. Sub‑processors (summary; full list in Annex 2)

  • Supabase (database, auth, storage; EU/US residency options).
  • OpenAI (real‑time AI voice and transcription; API data retained for 30 days for abuse monitoring then automatically deleted; zero‑retention option available for enterprise customers).
  • Stripe (payments; PCI DSS L1).
  • SendGrid (email delivery).
  • ipapi.co (transient IP geolocation; no data retention).

7. International transfers

7.1 Data residency. Customer may select EU or US project residency. Where Personal Data is transferred outside the EEA/UK to a country without adequacy, InterviewRelay ensures appropriate safeguards including:
(a) Encryption in transit (TLS 1.2+) and at rest (AES-256);
(b) Strict access controls and authentication requirements;
(c) Contractual restrictions on government access in Sub-processor agreements;
(d) Standard Contractual Clauses (and, where applicable, UK IDTA/UK Addendum).

A Transfer Impact Assessment documenting supplementary measures is available upon request.

7.2 SCCs. The EU SCCs (Commission Implementing Decision (EU) 2021/914) are incorporated by reference and completed as set out in Annex 5 (Module 2: Controller→Processor; docking clause included; NL law/courts). For onward transfers to Sub‑processors, Module 3 applies as appropriate. UK transfers attach the UK Addendum/IDTA as set out in Annex 5.

8. Audit and compliance

8.1 Evidence. On written request, InterviewRelay will make available summary security documentation, policy excerpts, and responses to a reasonable security questionnaire. If available, third‑party assessments (e.g., penetration test summaries) may be provided as an alternative to onsite audits.

8.2 Onsite audit. Customer may conduct an onsite audit of relevant processing systems:
(a) Once annually as a matter of routine;
(b) Additional audits following: (i) a Personal Data breach affecting Customer data, (ii) regulatory request or investigation, or (iii) material change to Sub-processors or security measures.

Audits require 30 days' notice (or 5 days for cause), occur during business hours without disrupting operations, and are subject to reasonable confidentiality obligations and reimbursement of InterviewRelay's reasonable costs. Scope is limited to processing of Customer's Personal Data and relevant TOMs.

9. Retention & deletion

Default retention is plan‑based and configurable. Indicative defaults:

  • PAYG/Micro: 90 days
  • Starter: 180 days (6 months)
  • Growth/Scale: 360 days (12 months)
  • Enterprise: extended retention available

The product automatically purges sessions and cascades deletions to messages/files once retention elapses. Customer may delete data earlier via the dashboard or API. Sub-processor retention: see Annex 2.

10. DPIA and consultations

InterviewRelay will reasonably assist Customer with Data Protection Impact Assessments (where Customer's use case involves high-risk processing) by providing documentation as detailed in Annex 4. InterviewRelay will cooperate with Customer consultations with supervisory authorities under Article 36 where required.

11. Liability and general terms

11.1 GDPR liability. Under GDPR Article 82, each party is liable only for damages caused by its own failure to meet GDPR obligations. InterviewRelay is not liable for damages caused by Customer's instructions or failures.

11.2 Limitation. Subject to mandatory law, total liability under this DPA is limited to the lesser of: (a) amounts paid by Customer in the 12 months preceding the claim, or (b) any limitation set forth in the Agreement. This limitation does not apply to liabilities that cannot be limited under applicable law (e.g., intentional misconduct, gross negligence).

11.3 Notices. Notices under this DPA should be sent to:
Customer: Account owner email on file
InterviewRelay: business@instantflows.com (copy to: privacy@interviewrelay.com)

11.4 Amendments. InterviewRelay may update Annex 2 (Sub‑processors) with prior notice under §4.4. Material changes to other terms require mutual written agreement.

12. Signatures

For Customer (Controller)

Name: ____________________ Title: ____________________

Signature: ____________________ Date: ____________________

For InterviewRelay (Processor)

Instantflows B.V. (d/b/a InterviewRelay)

Name: ____________________ Title: ____________________

Signature: ____________________ Date: ____________________

Annex 1 — Description of processing

A. Data subjects: Interview participants (candidates/respondents), Customer staff who design or administer interviews.

B. Categories of Personal Data:

  • Identity/Contact (if collected): name, email (invites).
  • Voice data (biometric): audio recordings (e.g., WebM format).
  • Transcripts & responses: conversation text, timestamps, structured outputs.
  • Session/technical metadata: IP address, locale, duration, tokens, logs, consent records.
  • Customer content/config: interview scripts, prompts, branding.

C. Processing purposes/operations: collection, recording, storage, retrieval, playback, transcription, translation/localization, structured analysis, secure transmission (dashboard/API/webhooks), export, deletion.

D. Retention: Per §9; automated cleanup (cron) and cascade deletion across messages/files.

E. Data location/residency: EU or US, selectable per project; see Annex 2 for vendor locations.

F. Special categories: Voice recordings constitute biometric data; discouraged for identification/authentication unless explicit Art. 9(2)(a) consent and DPIA completed; Customer must not elicit other Art. 9 data (health, beliefs, etc.) without documented legal basis.

Annex 2 — Authorized Sub‑processors

Supabase
  Purpose: Database, auth, file storage
  Data: All interview content, profile/session data, audio/artifacts
  Location: EU/US (customer‑selectable)
  Retention: Per Customer settings (§9)
  Notes: Encryption at rest/in transit; RLS

OpenAI
  Purpose: Real‑time model for voice interviews; transcription/translation
  Data: Audio streams, transcripts, prompts, responses
  Location: Primarily US
  Retention: 30 days (abuse monitoring), then automatic deletion; zero-retention available for enterprise
  Notes: API data not used for training per OpenAI DPA

Stripe
  Purpose: Billing & payments
  Data: Billing contact info, payment tokens
  Location: Global (EU presence)
  Retention: Per payment regulations
  Notes: PCI DSS L1

SendGrid
  Purpose: Email delivery
  Data: Invitee emails, invite links
  Location: US
  Retention: Email logs: 30 days
  Notes: Sender verification; branding

ipapi.co
  Purpose: IP geolocation (transient)
  Data: IP address
  Location: N/A
  Retention: No retention (lookup only)
  Notes: Used for geo‑restriction checks

Change management: InterviewRelay will provide 30 days' prior notice of material changes to this list by email to the account owner. Customer may object on reasonable, documented security grounds within 15 days.

Annex 3 — Technical & Organizational Measures (TOMs)

  • Encryption: TLS 1.2+ in transit; AES‑256 at rest (Supabase); HMAC (SHA‑256) webhook signing; hashed tokens.
  • Access control: Postgres RLS; JWT auth; org/project scoping; RBAC (owner/admin/member); short‑lived signed URLs (24h); 2FA for admin accounts.
  • Network security: HTTPS enforced; CORS; rate limiting; IP‑based geo‑restrictions (configurable).
  • Monitoring & logging: Security event logging; admin audit trails; error tracking; webhook retries/observability.
  • Data isolation: Multi‑tenant, org‑scoped segregation; invite‑token isolation for participants.
  • Personnel & org: Background checks for privileged staff; security training; least privilege; incident response with 72‑hour notice commitment; vendor due diligence and DPAs.

Annex 4 — Processing instructions & DPIA assistance

Processing Instructions

  1. Process only for Services and Customer's configurations (scripts, languages, voice selection).
  2. Consent: present consent text before recording; store timestamp, IP, and policy version in sessions.consent_given_at; do not start interviews without consent unless Customer configures another lawful basis.
  3. Webhooks: deliver via HTTPS with HMAC signature; retry with exponential backoff; Customer secures endpoints and onward processors.
  4. Exports: provide JSON/PDF/audio downloads and API access; signed URLs expire in 24 hours.
  5. Deletion: honor Customer‑initiated deletes promptly; automated cron purges on retention lapse with cascading deletes.
  6. Fair use in employment/education: no emotion recognition features; ensure human review for impactful decisions; Customer ensures fairness and DPIAs where required.
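An added example, not code from the InterviewRelay product, of the webhook pattern in instruction 3 seen from the Customer's receiving endpoint: HMAC‑SHA256 verification with a constant‑time compare, de‑duplication of retried or replayed deliveries, and the sender's exponential backoff schedule. The header layout, the `event_id` field, and the sample payload and secret are assumptions.

```python
import hashlib
import hmac
import json
from typing import Optional

# Assumed wire format (the DPA only says "HMAC signature" over HTTPS): the
# header carries the lowercase hex HMAC-SHA256 of the exact request body
# bytes under a secret shared between InterviewRelay and the Customer.

def sign_payload(secret: bytes, body: bytes) -> str:
    """Sender side: sign the raw body bytes that will actually be sent."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, body: bytes, received_sig: str) -> bool:
    """Receiver side (Customer's endpoint): recompute over the raw bytes as
    received, before any JSON parsing, and compare in constant time."""
    expected = sign_payload(secret, body)
    try:
        return hmac.compare_digest(expected, received_sig.strip().lower())
    except TypeError:  # a non-ASCII header value can never match
        return False

def accept_delivery(secret: bytes, body: bytes, received_sig: str,
                    seen_ids: set) -> Optional[dict]:
    """Verify, then de-duplicate on the event id: a body-only HMAC proves
    origin and integrity but not freshness, so a retried or replayed
    delivery still verifies and must be caught here (assumed 'event_id' key)."""
    if not verify_signature(secret, body, received_sig):
        return None
    event = json.loads(body)
    event_id = event.get("event_id")
    if not event_id or event_id in seen_ids:
        return None
    seen_ids.add(event_id)
    return event

def backoff_schedule(base=1.0, factor=2.0, attempts=5, cap=60.0) -> list:
    """Sender-side retry delays in seconds: exponential growth, capped."""
    return [min(cap, base * factor ** i) for i in range(attempts)]

# Constructed sample delivery; not real InterviewRelay traffic or secrets.
SECRET = b"constructed-shared-secret"
BODY = b'{"event_id":"evt_demo_001","type":"session.completed","session_id":"sess_demo_001"}'
SIGNATURE = sign_payload(SECRET, BODY)

if __name__ == "__main__":
    seen = set()
    print(accept_delivery(SECRET, BODY, SIGNATURE, seen))         # accepted
    print(accept_delivery(SECRET, BODY, SIGNATURE, seen))         # None: replay
    print(accept_delivery(SECRET, BODY + b" ", SIGNATURE, seen))  # None: tampered
    print(backoff_schedule())
```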

DPIA Assistance

When Customer conducts a Data Protection Impact Assessment for high-risk use cases, InterviewRelay will provide upon reasonable request:

  • Processing details: Annex 1 (categories of data, purposes, retention)
  • Security measures: Annex 3 (TOMs, encryption, access controls)
  • Sub-processor information: Annex 2 (list, locations, safeguards)
  • Risk mitigation measures: Technical documentation of security controls
  • Data flow diagrams: Visual representation of data processing flows
  • Consultation per Article 36: Cooperation with supervisory authority inquiries

Requests should be sent to business@instantflows.com with reasonable advance notice (typically 15 business days).

Annex 5 — International transfers (SCCs/UK Addendum)

EU SCCs (2021/914) — incorporated by reference.

  • Module 2 (C→P) applies to transfers from Customer (EEA) to InterviewRelay where required.
  • Module 3 (P→P) applies to onward transfers from InterviewRelay to Sub‑processors outside the EEA.
  • Clause 7 (Docking clause): included.
  • Clause 9(a) (Sub‑processor changes): general authorization; 30‑day notice under §4.4.
  • Clause 17 (Governing law): Netherlands.
  • Clause 18 (Forum): Netherlands (Rotterdam District Court).
  • Annex I(A) Parties: Exporter = Customer; Importer = InterviewRelay (and, as applicable, each Sub‑processor for Module 3).
  • Annex I(B) Description: See Annex 1.
  • Annex I(C) Supervisory Authority: Autoriteit Persoonsgegevens (Dutch Data Protection Authority) or Customer's competent authority, as applicable.
  • Annex II: TOMs in Annex 3.

UK: The UK Addendum to the EU SCCs (IDTA) is incorporated for UK transfers with the same annex mappings.

Contact Information

Instantflows B.V.
KvK — Kamer van Koophandel: 96160861
Willem Hioolenstraat 3, 3065 LE Rotterdam, Netherlands
Email: business@instantflows.com
Privacy: privacy@interviewrelay.com

Document Version: 1.0 (Production Ready)
Prepared: 23 October 2025
Status: ✅ Ready for legal review and publication