Data Processing Agreement

Last Updated: March 19, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between Curriculo Inc. (“Processor,” “we,” or “Curriculo”) and the entity subscribing to Curriculo ATS (“Controller,” “Customer,” or “you”) for the processing of personal data in connection with the Curriculo ATS platform and related services.

1. Scope and Applicability

This DPA applies to the processing of personal data by Curriculo on behalf of Customers who use the Curriculo ATS platform. It supplements our Terms of Service and Privacy Policy. In the event of any conflict between this DPA and other agreements, this DPA shall prevail with respect to data processing matters.

This DPA does not apply to data processed through the Curriculo AI Resume Builder, where individual users are the data controllers of their own resume data.

2. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person processed through the Curriculo ATS platform.
  • “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, analysis, modification, transmission, and deletion.
  • “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates, primarily job applicants and candidates.
  • “Sub-processor” means any third party engaged by Curriculo to process Personal Data on behalf of the Customer.

3. Types of Personal Data Processed

In the course of providing Curriculo ATS services, we process the following categories of personal data on your behalf:

  • Candidate identity data: Names, email addresses, phone numbers, physical addresses
  • Professional data: Resumes, cover letters, work history, education credentials, skills, certifications
  • Application data: Job applications, interview notes, assessment results, hiring stage progression
  • AI-generated data: Match scores, skill gap analyses, candidate summaries, and Constructive Closure feedback reports
  • Communication data: Emails and messages exchanged between recruiters and candidates through the platform
  • Employer account data: Recruiter names, roles, login credentials, and platform activity logs

4. Purpose and Lawful Basis

Curriculo processes Personal Data solely for the purposes of providing the Curriculo ATS services as instructed by the Customer, including:

  • Candidate management and pipeline tracking
  • AI-powered candidate screening and scoring
  • Skill gap analysis and Constructive Closure feedback generation
  • Interview scheduling and coordination
  • Hiring analytics and reporting
  • Platform functionality, maintenance, and improvement

5. Data Subject Rights

Curriculo will assist the Customer in fulfilling its obligations to respond to Data Subject requests under applicable data protection laws, including requests for:

  • Access: Providing copies of personal data held about the Data Subject
  • Rectification: Correcting inaccurate or incomplete personal data
  • Erasure: Deleting personal data (“right to be forgotten”)
  • Portability: Exporting personal data in a structured, machine-readable format
  • Restriction: Limiting the processing of personal data
  • Objection: Ceasing processing based on legitimate interests

6. Security Measures

Curriculo implements appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption: All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access Controls: Role-based access control with multi-factor authentication for administrative access
  • Infrastructure: Hosted on AWS with SOC 2 Type II certified data centers
  • Monitoring: Continuous security monitoring, vulnerability scanning, and intrusion detection
  • Employee Training: Regular security awareness training for all personnel with access to Customer data
  • Audits: Annual third-party security assessments and penetration testing

7. Sub-processors

Curriculo engages the following sub-processors to provide the Curriculo ATS services:

  • Amazon Web Services (AWS): Cloud infrastructure and data storage (US regions)
  • PostHog: Product analytics (anonymized usage data only)
  • OpenAI: AI processing for candidate scoring, skill gap analysis, and feedback generation (data processed per OpenAI’s enterprise data processing terms with no training on customer data)

We will notify Customers of any intended changes to sub-processors, providing a reasonable period to raise objections.

8. Data Retention and Deletion

  • Candidate data is retained according to the Customer’s configured retention settings within the platform.
  • Upon termination of the Customer’s Curriculo ATS subscription, all Customer data will be deleted within 90 days, unless retention is required by applicable law.
  • Customers may export their data at any time through the platform’s data export functionality.
  • Backup copies are purged within 30 days of primary data deletion.

9. International Data Transfers

Curriculo Inc. is based in the United States. For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, Curriculo relies on:

  • The EU-US Data Privacy Framework (DPF)
  • Standard Contractual Clauses (SCCs) as approved by the European Commission

10. Data Breach Notification

In the event of a personal data breach affecting Customer data, Curriculo will:

  • Notify the affected Customer without undue delay and within 72 hours of becoming aware of the breach
  • Provide sufficient information to enable the Customer to meet its own breach reporting obligations
  • Take reasonable steps to contain and remediate the breach
  • Cooperate with the Customer and any supervisory authority as required

11. Compliance

This DPA is designed to ensure compliance with applicable data protection regulations, including:

  • GDPR (General Data Protection Regulation) for EEA data subjects
  • UK GDPR for United Kingdom data subjects
  • CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act) for California residents
  • Other applicable state and federal privacy laws

12. Contact

For questions about this DPA or to request a signed copy for your records, please contact:

Email: legal@curriculo.me
Curriculo Inc.
Brooklyn, NY, United States