Data Processing Addendum
Our commitments as a data processor — roles, security controls, subprocessors, and international transfer mechanisms.
Effective date: April 9, 2026
About this document
This Data Processing Addendum ("DPA") supplements the agreement between you ("Customer," "Controller") and Bodhitva AI Inc. ("Bodhitva," "Processor") and describes how we process personal data on your behalf. For product-specific processing details related to HyreSure, please also refer to the HyreSure DPA.
1. Roles and scope
This DPA applies when Bodhitva processes personal data on behalf of the Customer in connection with the services provided under the applicable agreement.
- Customer acts as the data controller and determines the purposes and means of processing.
- Bodhitva acts as the data processor and processes personal data only on behalf of and under documented instructions from the Customer.
2. Processing instructions
Bodhitva will process personal data only in accordance with the Customer's documented instructions, unless required to do so by applicable law. In such cases, Bodhitva will inform the Customer of that legal requirement before processing, unless prohibited by law.
3. Nature and purpose of processing
Personal data may be processed for the following purposes in connection with our services:
- Job description creation and management (RecruitFlow)
- Resume and application processing and screening
- Skill assessment and competency scoring (SkillBoard)
- Structured interviewing and conversation analysis (InterviewHub)
- Analytics, reporting, and audit trail generation
Categories of data subjects: Job applicants, candidates, hiring managers, recruiters, and other individuals whose data is submitted through the platform.
Categories of personal data: Name, email, phone number, resume/CV data, employment history, assessment responses, interview recordings and transcripts, and related professional information.
4. Confidentiality
Bodhitva ensures that all personnel authorized to process personal data are bound by appropriate confidentiality obligations, whether by contract or statutory duty.
5. Security controls
Bodhitva implements and maintains appropriate technical and organizational measures to protect personal data, including:
- Encryption: TLS 1.2+ for data in transit; AES-256 encryption for data at rest
- Access controls: Role-based access control (RBAC), multi-factor authentication (MFA), and SSO for platform access
- Least privilege: Access to personal data is restricted to authorized personnel on a need-to-know basis
- Audit logging: Comprehensive logging of data access and processing activities
- Infrastructure: Cloud hosting with SOC 2 certified providers, with redundancy and disaster recovery controls
- Development: Secure SDLC practices including code review, vulnerability scanning, and penetration testing
6. Subprocessors
Bodhitva uses authorized subprocessors to assist in providing services. Subprocessor categories include:
- Cloud hosting and infrastructure providers
- AI inference and model serving providers
- Transcription and text-to-speech services
- Video and voice processing services
- Email and communication services
Bodhitva will notify Customer of any new subprocessors with reasonable advance notice. Customer may object to a new subprocessor on reasonable data protection grounds. All subprocessors are bound by data processing agreements with protections no less stringent than those in this DPA.
7. Data subject rights
Bodhitva will assist the Customer in responding to data subject requests (access, correction, deletion, portability, objection) to the extent technically feasible and commercially reasonable. Bodhitva will promptly forward any data subject requests it receives directly to the Customer.
8. Personal data breach notification
Bodhitva will notify the Customer without undue delay upon becoming aware of a personal data breach affecting Customer data. The notification will include:
- A description of the nature of the breach, including categories and approximate number of data subjects affected
- Contact details of Bodhitva's privacy contact
- A description of the likely consequences of the breach
- A description of measures taken or proposed to address the breach
9. Data retention and deletion
Upon termination of the agreement or upon Customer request, Bodhitva will delete or return all personal data within 90 days, unless retention is required by applicable law. Bodhitva will provide written confirmation of deletion upon request.
10. International transfers
Personal data may be processed in the United States and India. Where required by applicable data protection law, Bodhitva relies on the following transfer mechanisms:
- EEA: EU Standard Contractual Clauses (SCCs) as approved by the European Commission
- UK: UK International Data Transfer Addendum (IDTA) to the EU SCCs
- India: Compliance with the Digital Personal Data Protection (DPDP) Act
Bodhitva will implement supplementary measures where necessary based on transfer impact assessments.
11. Audit rights
Customer may audit Bodhitva's compliance with this DPA once per year, with reasonable advance notice (at least 30 days). Audits shall be conducted during regular business hours and shall not unreasonably interfere with Bodhitva's operations. Bodhitva may satisfy audit requirements by providing relevant certifications, audit reports (e.g., SOC 2), or responses to reasonable information requests.
12. Liability and priority
This DPA is subject to the limitations of liability set forth in the underlying agreement between Customer and Bodhitva. In the event of a conflict between the terms of the agreement and this DPA, the terms of this DPA shall prevail with respect to data protection matters.
13. Contact
For questions about this DPA or data processing practices, please contact:
Bodhitva AI Inc.
1903 Nimblewill Dr, Celina, TX 75009, USA
Email: legal@bodhitva.ai
For product-specific data processing inquiries:
Email: legal@hyresure.ai