This Data Processing Addendum (“DPA”) supplements the Terms of Service between you (the “Customer”) and ApplyMate Pte Ltd, Singapore (“ApplyMate”) when ApplyMate processes Personal Data on the Customer’s behalf in connection with the Service.
Where ApplyMate processes data of an individual end user who signed up directly, ApplyMate acts as an independent controller; this DPA applies primarily to organisations whose end users (e.g. team members or candidates) use the Service through them, and to the extent ApplyMate is a processor under applicable law.
Need a signed copy? Email privacy@applymate.com with your entity name and we will return a counter-signed PDF.
1. Definitions
- Applicable Law means the data protection laws applicable to the Customer or to ApplyMate in providing the Service, including the EU GDPR, UK GDPR, Singapore PDPA, and US state privacy laws (CCPA, etc.).
- Personal Data, Processing, Controller, Processor, Data Subject have the meanings given in the GDPR, or the equivalents under other Applicable Law.
- Customer Personal Data means Personal Data that the Customer or its users submit to the Service.
- Subprocessor means a third party engaged by ApplyMate to process Customer Personal Data.
2. Subject matter and roles
- Subject matter: the Service described in the Terms of Service — parsing CVs and job postings, generating tailored resumes and cover letters, tracking applications.
- Duration: the term of the Customer’s subscription, plus the retention periods in section 7 of the Privacy Policy.
- Nature and purpose of Processing: hosting, analysing, transforming, and delivering Customer Personal Data through the Service to the Customer’s users.
- Categories of Data Subjects: the Customer’s users (typically the job-seeker themselves).
- Categories of Personal Data: identity (name, email), CV/profile contents (work history, education, skills, etc.), uploaded files, job postings the user saves, generated resumes and cover letters, technical/usage data.
3. ApplyMate’s obligations
- Process Customer Personal Data only on the Customer’s documented instructions, except where required by Applicable Law.
- Ensure persons authorised to process Customer Personal Data are bound by confidentiality.
- Implement and maintain the technical and organisational measures in Annex II.
- Assist the Customer with Data Subject requests and with security, breach notification, and DPIA obligations to the extent reasonably possible.
- Make available the information necessary to demonstrate compliance with this DPA, and contribute to audits as described in section 7.
- Notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data.
4. Customer’s obligations
- Provide Personal Data on a lawful basis and ensure it has the right to disclose it to ApplyMate.
- Inform its end users of the processing in line with Applicable Law.
- Configure the Service appropriately for its compliance needs.
5. Subprocessors
The Customer authorises ApplyMate to engage the Subprocessors listed below, each of whom is bound by written terms imposing obligations no less protective than those in this DPA.
| Subprocessor | Service | Location |
|---|---|---|
| MongoDB, Inc. | Database (Atlas) | EU / US (per cluster) |
| Vercel Inc. | Application hosting and Blob file storage | US / EU (edge) |
| Anthropic, PBC | Claude AI inference (no model training on inputs/outputs) | US |
| Resend Inc. | Transactional email delivery | US / EU |
ApplyMate will notify the Customer (by email or in-app announcement) at least 30 days before adding or replacing a Subprocessor. The Customer may object on reasonable data-protection grounds; if the parties cannot agree on a resolution, the Customer may terminate the affected portion of the Service.
6. International transfers
Where Customer Personal Data is transferred outside the country of origin (e.g. EEA → US), the parties rely on:
- EU/UK Standard Contractual Clauses (Module 2 controller-to-processor or Module 3 processor-to-processor as appropriate), incorporated by reference into this DPA, with the UK International Data Transfer Addendum where applicable.
- Equivalent transfer mechanisms recognised under PDPA Singapore (binding contractual obligations).
- The EU-US / UK-US / Swiss-US Data Privacy Framework where the recipient is certified.
7. Audits
ApplyMate will respond to reasonable written audit questionnaires once per 12-month period and provide the most recent third-party security reports of its Subprocessors where publicly available. On-site audits are limited to documented suspicions of material non-compliance, conducted by a mutually agreed independent auditor under confidentiality, at the Customer’s expense.
8. Return and deletion
On termination of the Service, ApplyMate will delete or return Customer Personal Data in accordance with section 6 (“How long we keep your data”) of the Privacy Policy, unless retention is required by Applicable Law.
9. Liability
Each party’s liability under this DPA is subject to the limitation-of-liability provisions of the Terms of Service. Nothing in this DPA limits a Data Subject’s rights under Applicable Law.
10. Order of precedence
In case of conflict, this DPA prevails over the Terms of Service for matters of personal data processing. The EU/UK Standard Contractual Clauses prevail over this DPA in case of conflict between them.
Annex I — Description of processing
See section 2 above.
Annex II — Technical and organisational measures
- TLS 1.2+ for all data in transit.
- Encryption at rest for the database and file storage.
- Passwords stored with bcrypt (cost factor ≥ 10); plaintext passwords are never stored.
- Server-side authorization on every read and write — users can only access their own data.
- Principle of least privilege for production access; multi-factor authentication for administrative access.
- Network isolation for the database; access only from authorised application servers.
- Separation of staging and production environments.
- Centralised logging with retention limits and access controls.
- Vulnerability monitoring on dependencies; security patches applied promptly.
- Incident-response plan with breach-notification procedures.
- Background checks and confidentiality agreements for personnel with production access.
Contact
ApplyMate Pte Ltd, Singapore
privacy@applymate.com