← Back to pick.me

Data Processing Agreement

Parties

This Data Processing Agreement ("DPA") is entered into between:

• Controller: the agency or partner company subscribing to the Service ("you", "Customer").
• Processor: Archie Recruitment, sole proprietor Artur Seredziuk, Poland, operating the pick.me and Outsor services ("we", "Processor").

This DPA is concluded under Art. 28(3) of Regulation (EU) 2016/679 (GDPR) and forms part of the Terms of Service.

1. Subject matter and duration

The Processor processes personal data on behalf of the Controller solely to deliver the pick.me / Outsor service. This DPA is effective for as long as the Customer subscription is active, plus any post-termination period necessary for data return or deletion (up to 30 days).

2. Nature and purpose of processing

Processing consists of storage, retrieval, organisation, transmission, AI-assisted analysis and translation, and deletion of candidate-related personal data, performed to provide an applicant tracking system, partner submission portal, public job board and supporting features.

3. Categories of data subjects

• Candidates (job seekers added by Customer or registered themselves);
• Customer's employees who use the Service (recruiters, partners);
• Client contacts the Customer interacts with via the Service.

4. Types of personal data

• Identification: name, email, phone, city.
• Professional: job title, employment history, skills, CV file, certificates, work photos, references.
• Application data: status, notes, recruiter feedback, AI analysis output.
• Account / sign-in: email, password hash, IP, audit events.
• Optional: voice and video self-presentations (only with candidate opt-in).

The Customer agrees not to upload special categories of personal data (Art. 9 GDPR) unless strictly necessary for a documented purpose for which the Customer holds a separate legal basis.

5. Processor obligations

The Processor will:

1. Process personal data only on documented instructions from the Controller, which are deemed given when the Controller uses the standard features of the Service. Any instruction outside the standard features must be in writing.
2. Ensure persons authorised to process the data are bound by confidentiality.
3. Implement appropriate technical and organisational measures (Art. 32) as described in Schedule A below.
4. Assist the Controller in responding to data-subject requests (access, rectification, erasure, portability, restriction, objection).
5. Assist the Controller in complying with Articles 32 to 36 (security, breach notification, impact assessments, prior consultation).
6. Notify the Controller without undue delay (and within 72 hours) of becoming aware of a personal-data breach affecting the Controller's data, with the information required by Art. 33(3).
7. At the Controller's choice, delete or return all personal data after the end of the provision of the services, and delete existing copies unless storage is required by Union or Member State law.
8. Make available all information necessary to demonstrate compliance with this DPA and allow for audits (Section 11).

6. Sub-processors

The Controller authorises the engagement of the following sub-processors:

Sub-processor	Role	Location	Transfer mechanism
Google LLC / Firebase	Hosting, storage, authentication, scheduled jobs	EU (multi-region)	EU — no transfer needed
Anthropic PBC	AI parsing, analysis and translation of CV content	United States	EU Standard Contractual Clauses (Module 3, processor-to-processor)
Postmark or SendGrid (planned)	Transactional email delivery	EU	EU — no transfer needed

The Processor will notify the Controller in writing at least 30 days before adding or replacing a sub-processor. The Controller may object on reasonable data-protection grounds; in that case the Parties will discuss in good faith. If no resolution is reached, the Controller may terminate the affected services.

7. International transfers

Where personal data is transferred outside the EU/EEA, the Processor ensures appropriate safeguards under Chapter V GDPR, currently Standard Contractual Clauses with Anthropic PBC. The Processor will assist with transfer impact assessments on reasonable request.

8. Data subject rights

The Processor implements technical features that enable the Controller to fulfil data-subject requests, in particular:

• Retrieval of personal data via the in-app candidate detail view and CSV export;
• Rectification through the standard edit flows;
• Erasure through the delete operations in the app (subject to retention obligations of Section 14);
• Portability via the export feature (planned: structured JSON export of all data tied to a candidate);
• Restriction by marking a record with the "blacklisted" or "archived" status that the Customer can choose.

If the Processor receives a request directly from a data subject, the Processor will forward the request to the Controller without responding to the substance.

9. Security measures (Art. 32)

Detailed in Schedule A below. By signing this DPA, the Controller acknowledges receipt of and accepts these measures.

10. Personal data breach

The Processor will notify the Controller without undue delay and at the latest within 72 hours of becoming aware of a personal-data breach. The notification will include, to the extent known: nature of the breach, categories and approximate number of data subjects, categories and approximate number of records, likely consequences, measures taken or proposed.

11. Audits

The Processor will allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, no more than once per twelve-month period, on at least 30 days notice, during business hours, without unreasonably disrupting the operation of the Service. The Controller bears its own costs of the audit. The Processor may satisfy this obligation by providing a recent independent third-party security report (e.g., SOC 2 Type II) once such reports become available.

12. Confidentiality

Personnel authorised by the Processor to process personal data are subject to a duty of confidentiality, either by employment contract or by separate undertaking.

13. Liability

The liability of each Party under this DPA is governed by the Terms of Service. Statutory liability of each Party as controller or processor under GDPR is unaffected.

14. Term, return and deletion

This DPA terminates automatically when the Terms of Service terminate. Within 30 days after termination the Processor will, at the Controller's choice:

• delete all personal data held on behalf of the Controller; or
• return the data to the Controller in a structured, commonly-used, machine-readable format.

Audit log entries and records required by Union or Member State law are retained for the period required and remain subject to the security measures in Schedule A.

15. Governing law

This DPA is governed by the law of the Republic of Poland. Disputes are subject to the jurisdiction agreed in the Terms of Service.

Schedule A — Technical and organisational measures (Art. 32)

A.1 Confidentiality

• Access to production data limited to authorised personnel under confidentiality undertakings.
• Role-based access control inside the application (recruiter / partner / candidate, each with explicit permissions).
• Strict tenant isolation enforced in Firestore Security Rules and Storage rules — verified by automated regression each deploy.
• Default-deny security posture: any access not explicitly allowed is blocked.
• Optional time-based one-time password (TOTP) two-factor authentication for recruiter accounts.

A.2 Integrity

• HTTPS / TLS for all client-server traffic.
• Audit log of destructive actions (immutable append-only collection with userId + timestamp).
• Storage upload validator deletes files that do not match the uploader's tenant within seconds.

A.3 Availability and resilience

• Hosting on Google Cloud / Firebase EU multi-region with managed scaling.
• Firestore Point-in-Time Recovery (7-day window).
• Daily database snapshot exported to a separate EU-region Google Cloud Storage bucket.

A.4 Resilience to attacks

• Per-user and per-company rate limits on AI endpoints.
• Per-file size limits in Storage rules.
• File listing disabled; download URLs include random unguessable tokens.

A.5 Restoration of access

• Restore from daily exports possible within 24 hours of a request.
• Point-in-Time Recovery allows rollback to any second within the prior 7 days.

A.6 Procedure for testing

• Manual testing of critical flows (signup, upload, AI parse, presentation consent) before each production deploy.
• Automated security-rule and syntax checks in the deploy pipeline.
• Planned: scheduled penetration test once we exit the early-customer phase.

A.7 Pseudonymisation and encryption

• Encryption at rest (AES-256, Google-managed keys).
• Passwords stored as bcrypt hashes by Firebase Authentication.
• TOTP secrets stored encrypted by Firebase MFA infrastructure.