Data Processing Agreement

For personal data processed within recruitment workflows, the recruiting organization acts as the Controllerand Kobenski BV (Orvensa) acts as the Processor.

The Controller determines the purposes and means of processing applicant data. The Processor processes personal data solely on documented instructions from the Controller.

The Processor provides the Orvensa platform, which allows recruiting organizations to manage candidate evaluation and recruitment workflows.

Processing activities may include:

• storing candidate CV files and application data,
• extracting structured information from documents,
• generating AI-assisted candidate evaluation outputs,
• storing recruiter notes and evaluation results,
• processing DSAR requests including deletion, restriction, and rectification.

The Processor processes personal data only on documented instructions from the Controller, including instructions provided through use of the Orvensa platform.

If the Processor believes an instruction violates applicable data protection law, the Processor will inform the Controller.

The Processor implements appropriate technical and organizational measures to protect personal data.

• role-based access control within organization workspaces,
• organization-scoped data separation,
• audit logging of sensitive actions,
• secure authentication flows,
• automatic deletion of CV files when applicant records are deleted,
• infrastructure and hosting security controls.

The Processor may engage subprocessors to operate the service. Current subprocessors include:

• Stripe (billing and subscription management)
• SendGrid (transactional email delivery)
• OpenAI (AI inference services)
• Cloud infrastructure providers used for hosting and storage

The Processor will ensure subprocessors are bound by data protection obligations consistent with this agreement.

Where personal data is transferred outside the European Economic Area, the Processor will ensure that appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

The Processor will assist the Controller in responding to requests from data subjects exercising their rights under applicable data protection laws.

This includes support for:

• access requests,
• rectification of incorrect data,
• erasure of applicant records,
• restriction of processing,
• objection to automated processing.

The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting personal data processed on behalf of the Controller.

The Controller may request reasonable information necessary to demonstrate compliance with this agreement.

Audit requests must be reasonable, proportionate, and not disrupt normal service operations.

Upon termination of the service, the Controller may request deletion or return of personal data stored in the platform, subject to legal retention requirements.

Categories of data subjects:

• job applicants
• recruiters and hiring managers
• platform users

Categories of personal data:

• names and contact details
• CVs and application documents
• recruitment evaluation data
• user account information

Purpose of processing: recruitment workflow management and candidate evaluation.