Data Processing Addendum
Effective date: [Effective date]
This Data Processing Addendum ("DPA") forms part of the Terms of Service, Order, master services agreement, or other agreement between the customer identified in the applicable agreement ("Customer") and Attia AS ("Attia") for Attia ATS and related services (the "Agreement").
Attia AS is located at Solheimgata 1a, 0267 Oslo, Norway. Organization number: [organization number pending]. Contact: hello@attia.app. Data protection contact: Njål Wiik.
This DPA is written for Attia's B2B applicant tracking and recruiting workflow software. It governs Attia's processing of customer-controlled personal data as processor or subprocessor. Attia's Privacy Policy governs Attia's own controller processing, such as account administration, billing, support, security, legal compliance, analytics where used, and business communications.
Items marked "Needs confirmation" should be confirmed before publication or replaced with Attia's approved operational facts.
1. Parties and Scope
Parties
This DPA is between Customer and Attia AS. Customer may enter into this DPA for itself and, where permitted by the Agreement and Data Protection Laws, for its affiliates that are authorized to use the Service.
Scope
This DPA applies when Attia processes Customer Personal Data on behalf of Customer in connection with Attia ATS, including recruiting workflows, candidate records, workspace content, files, prompts, integrations, support, security, and related service operations.
No controller processing under this DPA
This DPA does not govern Attia's processing of personal data as an independent controller. Attia controller processing is described in Attia's Privacy Policy and may include account administration, customer relationship management, billing, product security, legal compliance, vendor management, analytics or diagnostics where used, and marketing communications.
2. Definitions
"Customer Personal Data" means personal data contained in Customer Data that Attia processes on behalf of Customer.
"Customer Data" has the meaning given in the Agreement and includes data, content, files, records, prompts, outputs, and information submitted to or processed through the Service by or on behalf of Customer, including Candidate Data.
"Candidate Data" means personal data and recruiting records relating to candidates, applicants, prospective applicants, referrals, employees, or other individuals whose information is submitted to the Service in connection with recruiting or hiring.
"Data Protection Laws" means the GDPR, the Norwegian Personal Data Act, the UK GDPR, the Swiss Federal Act on Data Protection, and other privacy or data protection laws applicable to the relevant processing.
"GDPR" means Regulation (EU) 2016/679. "SCCs" means the European Commission standard contractual clauses for international transfers of personal data adopted under Commission Implementing Decision (EU) 2021/914, as updated or replaced.
The terms "controller", "processor", "data subject", "personal data", "processing", "personal data breach", and "supervisory authority" have the meanings given in the GDPR.
3. Roles of the Parties
Customer is the controller of Customer Personal Data, or a processor acting on behalf of another controller. Attia is Customer's processor, or subprocessor where Customer is a processor.
Customer is responsible for the lawfulness of Customer Personal Data and Customer's recruiting and hiring activities. This includes providing notices, identifying lawful bases, obtaining consents or authorizations where required, responding to data subject requests, setting retention rules, and complying with employment, anti-discrimination, accessibility, background-check, immigration, recordkeeping, and other laws that apply to Customer.
Attia will process Customer Personal Data only as described in this DPA, the Agreement, Customer's configuration and use of the Service, and Customer's documented instructions.
4. Customer Instructions
Customer instructs Attia to process Customer Personal Data to provide, secure, support, maintain, and improve the Service as permitted by this DPA, the Agreement, Customer's settings and use of the Service, and any other documented instructions.
Attia will not process Customer Personal Data for purposes outside Customer's instructions unless required by applicable law. If Attia is legally required to process Customer Personal Data outside Customer's instructions, Attia will inform Customer before the processing unless the law prohibits notice on important grounds of public interest.
Attia will notify Customer if, in Attia's opinion, an instruction infringes Data Protection Laws, unless legally prohibited from doing so.
5. Processing Details
The subject matter, duration, nature, purpose, data subjects, data categories, and processing operations are described in Annex 1.
Attia may process Customer Personal Data by hosting, storing, organizing, retrieving, displaying, transmitting, securing, supporting, deleting, exporting, backing up, and otherwise processing Customer Personal Data as necessary to provide the Service and follow Customer's documented instructions.
6. Sensitive or Regulated Data
The Service is not intended for processing special-category personal data under GDPR Article 9, criminal-offense data under GDPR Article 10, children's data, biometric data, government identifiers, health or disability data, immigration data, background-check data, or other regulated data unless Customer has confirmed that such processing is lawful, necessary, supported by appropriate safeguards, and expressly permitted by Attia in writing where required.
Because recruiting workflows may include free-form notes, resumes, attachments, messages, prompts, files, and integrations, Customer may technically submit sensitive or regulated data to the Service. Customer is responsible for ensuring that any such submission is lawful, necessary, proportionate, and covered by appropriate notices, lawful bases, safeguards, and retention rules.
Customer should not submit sensitive or regulated data to AI features unless Customer has confirmed that the feature, provider configuration, DPA terms, transfer safeguards, and Customer's own lawful basis are appropriate for that data.
7. Confidentiality
Attia will ensure that persons authorized to process Customer Personal Data are bound by confidentiality obligations or are subject to appropriate statutory confidentiality duties.
Attia will restrict access to Customer Personal Data to personnel, contractors, and subprocessors who need access to provide, secure, support, or maintain the Service, or to comply with law.
8. Security Measures
Taking into account the state of the art, costs of implementation, nature, scope, context, and purposes of processing, and the risk to individuals, Attia will maintain appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and accidental loss, destruction, damage, alteration, or disclosure.
Current technical and organizational measures are described in Annex 2. Several operational details are marked Needs confirmation because they could not be verified from the repository materials.
9. Subprocessors
Customer gives Attia general written authorization to engage subprocessors to provide the Service.
Attia will impose written data protection obligations on subprocessors that are materially equivalent to those in this DPA. Attia remains responsible to Customer for subprocessors' performance of those obligations.
Attia will maintain a public subprocessor list and provide advance notice of new subprocessors before they process Customer Personal Data. Notice period: 30 days - Needs confirmation. Customer may object to a new subprocessor on reasonable data-protection grounds by contacting hello@attia.app during the notice period.
If Customer reasonably objects and Attia cannot provide a commercially reasonable alternative, Customer may stop using the affected part of the Service. Any refund or termination rights are governed by the Agreement unless mandatory Data Protection Laws require otherwise.
Current subprocessors and open vendor confirmations are listed in Annex 3.
10. International Transfers
Attia is established in Norway and, based on currently known facts, its production servers are located in the EU/EEA. Attia does not represent that all Customer Personal Data remains in the EU/EEA until every vendor, support, logging, AI, backup, monitoring, integration, and access path has been verified.
Some vendors, support personnel, optional integrations, AI providers, payment providers, email providers, analytics providers, or support systems may process or access limited Customer Personal Data outside the EU/EEA.
Where Customer Personal Data is transferred outside the EU/EEA, United Kingdom, or Switzerland, Attia will use appropriate safeguards required by applicable Data Protection Laws. These may include adequacy decisions, SCCs, the UK International Data Transfer Addendum or International Data Transfer Agreement, Swiss transfer requirements, transfer impact assessments where required, and supplementary technical and organizational measures.
For EU transfers where the SCCs are required, Module Two applies where Customer is a controller and Attia is a processor, and Module Three applies where Customer is a processor and Attia is a subprocessor. The SCC annexes are completed by the processing details, subprocessors, and technical and organizational measures in this DPA.
11. AI Providers and AI Features
AI features are optional or customer/user-triggered where applicable. When Customer or its Users enable or use AI features, Attia may process Customer Personal Data through AI providers or AI gateway providers to provide the requested functionality.
AI processing may include prompts, selected text, workspace content, candidate or job information, files if included, instructions, metadata, model configuration, and AI-generated outputs. AI-specific terms are described in Annex 4.
Attia makes no commitment of no training, zero data retention, or EU-only AI processing unless the relevant provider contracts, account settings, gateway settings, and data residency controls have been confirmed and the commitment is recorded in Annex 4.
12. Data Subject Requests
If Attia receives a request from a data subject relating to Customer Personal Data, Attia will, where legally permitted, direct the requester to Customer or notify Customer.
Taking into account the nature of the processing, Attia will reasonably assist Customer in responding to data subject requests, including requests for access, correction, deletion, restriction, portability, objection, withdrawal of consent, or information about automated processing, where Customer cannot reasonably respond without Attia's assistance.
13. DPIA and Regulator Assistance
Taking into account the nature of processing and information available to Attia, Attia will reasonably assist Customer with data protection impact assessments, prior consultations, and supervisory-authority inquiries relating to Customer Personal Data.
Customer remains responsible for determining whether a DPIA, bias assessment, automated-employment-decision assessment, or similar review is required for Customer's use of the Service, including any AI or automated features.
14. Security Incidents
Attia will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. Where full details are not yet available, Attia may notify in phases as information becomes available so that Customer can meet its own notification deadlines.
Attia's notice will include information reasonably available to Attia, which may include the nature of the breach, affected categories of data subjects and personal data, likely consequences, mitigation steps, and a contact point for follow-up.
Attia will reasonably cooperate with Customer's breach assessment, regulator notification, and data subject notification obligations. Attia's notice or cooperation is not an admission of fault or liability.
15. Deletion and Return
Upon termination, expiry, or Customer's written request, Attia will return, export, delete, or de-identify Customer Personal Data in accordance with the Agreement and Customer's instructions, unless applicable law requires retention.
Export window after termination or workspace deletion: Needs confirmation.
Deletion or de-identification period after termination or workspace deletion: Needs confirmation.
Backup deletion cycle and isolation process: Needs confirmation.
Deletion from backups may take longer than deletion from active systems, but backup data should be isolated from ordinary processing and overwritten according to the applicable backup cycle.
16. Audits and Compliance Information
Attia will make available information reasonably necessary to demonstrate compliance with this DPA.
Customer may request audits or inspections where required by Data Protection Laws, subject to reasonable notice, confidentiality, security restrictions, scope limits, and measures to avoid disruption to Attia's business or other customers.
Attia may satisfy audit requests by providing current security documentation, third-party certifications, summaries, completed questionnaires, or other appropriate compliance information where such materials are reasonably sufficient under Data Protection Laws. Formal certification status: Needs confirmation.
17. Government and Law-Enforcement Requests
Attia will not voluntarily disclose Customer Personal Data to law enforcement or government authorities unless legally required.
Where legally permitted, Attia will notify Customer of a government or law-enforcement request for Customer Personal Data and reasonably cooperate with Customer's efforts to limit or challenge the request.
If legally compelled to disclose Customer Personal Data, Attia will seek to disclose only the minimum amount required by law.
18. Order of Precedence
For data-processing matters, the order of precedence is: mandatory transfer terms such as SCCs or the UK Addendum, this DPA, the Agreement, and then other referenced documents.
The Agreement governs commercial terms unless they conflict with mandatory data-processing obligations. This DPA does not add broad liability waivers, payment terms, or product disclaimers beyond what is necessary for data-processing matters.
19. Contact Details
Privacy and DPA questions can be sent to:
Attia AS
Organization number: [organization number pending]
Solheimgata 1a
0267 Oslo
Norway
Email: hello@attia.app
Data protection contact: Njål Wiik
Annex 1: Processing Details
| Field | Details |
|---|---|
| Subject matter | Attia's provision of B2B applicant tracking and recruiting workflow software. |
| Duration | Subscription term plus any export, deletion, backup, legal-retention, or dispute period. Exact periods: Needs confirmation. |
| Nature and purpose | Hosting, storing, organizing, retrieving, displaying, transmitting, securing, supporting, deleting, exporting, and otherwise processing Customer Personal Data to provide recruiting workflows and related service operations. |
| Data subjects | Candidates, applicants, prospective applicants, referrals, employees, recruiters, hiring-team members, workspace users, customer admins, and support contacts. |
| Personal data categories | Names, contact details, resumes, applications, profiles, employment and education history, skills, communications, interview notes, evaluations, attachments, job preferences, pipeline status, user and account metadata, prompts, AI outputs, logs, and integration data. |
| Sensitive data | Not intended unless expressly agreed and lawful. May be technically submitted by Customer in resumes, notes, files, prompts, messages, or integrations. |
| Processing operations | Collection on Customer's behalf, storage, structuring, retrieval, consultation, use, disclosure to subprocessors, transmission, restriction, erasure, export, backup, support, security monitoring, and optional AI processing. |
| Customer obligations | Lawful basis, candidate notices, consents, retention, access controls, human review, anti-discrimination compliance, AI-use assessment, special-data safeguards, and data subject request handling. |
Annex 2: Technical and Organizational Measures
| Measure | Details |
|---|---|
| Security governance | Attia maintains safeguards appropriate to risk. Formal policies and review cadence: Needs confirmation. |
| Access control | Access should be limited by role, least privilege, unique accounts, and timely removal. MFA or SSO enforcement: Needs confirmation. |
| Confidentiality | Personnel with access to Customer Personal Data must be bound by confidentiality obligations. Training cadence: Needs confirmation. |
| Encryption in transit | HTTPS/TLS should protect data in transit. Exact coverage and TLS versions: Needs confirmation. |
| Encryption at rest | Data should be encrypted at rest where supported by infrastructure providers. Exact stores and key management: Needs confirmation. |
| Tenant separation | Customer workspaces should be logically separated. Implementation details: Needs confirmation. |
| Availability and backups | Backups, restore procedures, and resilience measures should be maintained. Backup region, cadence, and restore testing: Needs confirmation. |
| Logging and monitoring | Security, access, and operational logs should support investigation and reliability. Coverage and retention: Needs confirmation. |
| Secure development | Code review, dependency management, secret handling, and vulnerability remediation should be used. Cadence: Needs confirmation. |
| Incident response | Attia should maintain incident triage, containment, investigation, and notification procedures. Runbook status: Needs confirmation. |
| Vendor management | Subprocessors should be reviewed and bound by DPAs or SCCs where needed. Vendor register status: Needs confirmation. |
| Deletion and export | Customer export and deletion procedures should exist. Exact periods and backup deletion behavior: Needs confirmation. |
| AI controls | AI features should be optional or customer-triggered, avoid unnecessary prompt and content logging, and use provider controls where available. Production configuration: Needs confirmation. |
Annex 3: Subprocessors
| Vendor | Service | Data processed | Region/location | Transfer mechanism | Retention if known | DPA/SCC status | Status |
|---|---|---|---|---|---|---|---|
| Production hosting or infrastructure provider | Hosting application and production servers | Customer Data, Candidate Data, logs, metadata | EU/EEA production servers known; exact provider and region need confirmation | EEA processing or SCCs/adequacy if non-EEA access | Needs confirmation | Needs confirmation | Needs confirmation |
| Vercel, if used | Hosting/deployment, Speed Insights, AI Gateway | Request metadata, performance data, logs, AI routing data | Needs confirmation | DPA/SCCs/UK terms to confirm | Needs confirmation | Needs confirmation | Verified in repo context, production role needs confirmation |
| OpenAI, if enabled | Optional AI model provider | Prompts, context, files if included, outputs, metadata | Needs confirmation | DPA/SCCs or gateway terms to confirm | Needs confirmation | Needs confirmation | Known possible provider |
| Google, if enabled | Optional AI model provider | Prompts, context, files if included, outputs, metadata | Needs confirmation | DPA/SCCs or gateway terms to confirm | Needs confirmation | Needs confirmation | Known possible provider |
| Anthropic, if enabled | Optional AI model provider | Prompts, context, files if included, outputs, metadata | Needs confirmation | DPA/SCCs or gateway terms to confirm | Needs confirmation | Needs confirmation | Known possible provider |
| Authentication provider | Login, sessions, SSO/MFA | Account, authentication, session metadata | Needs confirmation | Needs confirmation | Needs confirmation | Needs confirmation | Needs confirmation |
| Database provider | Production database | Customer Data, Candidate Data, account data, logs depending on schema | Needs confirmation | Needs confirmation | Needs confirmation | Needs confirmation | Needs confirmation |
| Object/file storage provider | File uploads, attachments, exports, backups | Resumes, files, attachments, exports, metadata | Needs confirmation | Needs confirmation | Needs confirmation | Needs confirmation | Needs confirmation |
| Email/notification provider | Service and transactional email | Email addresses, names, message metadata and content | Needs confirmation | Needs confirmation | Needs confirmation | Needs confirmation | Needs confirmation |
| Payment/billing provider | Payments, invoices, tax | Billing contacts, payment metadata, invoice and tax data | Needs confirmation | Needs confirmation | Needs confirmation | Needs confirmation | Needs confirmation |
| Support/customer-success provider | Support tickets and customer communications | Support messages, attachments, customer details, workspace context if provided | Needs confirmation | Needs confirmation | Needs confirmation | Needs confirmation | Needs confirmation |
| Product analytics, error monitoring, or logging provider | Analytics, diagnostics, errors, security logs | Usage events, logs, IP/device metadata, errors, request metadata | Needs confirmation | Needs confirmation | Needs confirmation | Needs confirmation | Needs confirmation |
| Customer-enabled integrations | Job boards, HRIS, email/calendar, assessments, background checks, video interviews, APIs | Integration data and Candidate Data | Depends on integration | Customer/provider-specific | Provider-defined | Needs classification | Needs confirmation |
Annex 4: AI Processing
AI features are optional or customer/user-triggered where applicable. Customer controls whether to use AI features and is responsible for determining whether the use is lawful for its recruiting and employment workflows.
Data sent to AI providers may include prompts, selected text, workspace content, files, instructions, document context, job or candidate information, metadata, and AI outputs.
Providers may include OpenAI, Google, Anthropic, Vercel AI Gateway, or other gateway/model providers confirmed in Attia's subprocessor list.
Attia should not promise no training, zero retention, or EU-only AI processing unless the relevant provider contracts, account settings, gateway settings, and data residency controls are confirmed.
Customer should not submit sensitive, special-category, children's, health, biometric, government ID, background-check, immigration, criminal-offense, or other regulated data to AI features unless Customer has confirmed lawful basis, safeguards, provider configuration, and DPA coverage.
AI outputs are decision-support only. Customer must not use AI outputs as the sole basis for hiring, rejection, promotion, compensation, or other employment decisions where human review or other safeguards are required by law.
| Topic | DPA position |
|---|---|
| Trigger | Optional or customer/user-triggered where applicable. |
| Inputs | Prompts, instructions, selected text, workspace content, files if included, metadata, and context. |
| Outputs | AI-generated summaries, drafts, classifications, edits, recommendations, or other outputs depending on the feature. |
| Providers | OpenAI, Google, Anthropic, Vercel AI Gateway, or other confirmed AI providers. |
| Training and retention | Needs confirmation. Do not claim no training, zero retention, or EU-only processing unless verified. |
| Sensitive data | Do not submit unless lawful basis, safeguards, provider controls, and DPA coverage are confirmed. |
| Employment decisions | Outputs are decision-support only and must not be the sole basis for employment or hiring decisions where prohibited or where human review is required. |
Open Questions
- Confirm Attia AS organization number, effective date, governing law and venue, and legal notice address.
- Confirm production hosting, database, object storage, backup, logging, monitoring, auth, email, support, payment, and analytics vendors and regions.
- Confirm all vendor DPAs, SCCs, transfer mechanisms, and subprocessor notice process.
- Confirm export window, deletion period, backup cycle, log retention, audit-log retention, and support-ticket retention.
- Confirm live AI features, providers, gateway, retention, no-training or zero-data-retention settings, EU residency settings, prompt logging, and customer disable controls.
- Confirm whether special-category, background-check, immigration, government ID, demographic, disability, or accommodation data is allowed or prohibited.
- Confirm security controls actually in place, including MFA, encryption at rest, backups, restore tests, vulnerability management, incident response, vendor review, and access logging.
- Confirm customer-enabled integrations and whether each is Attia's subprocessor, Customer's independent vendor, or both.