Legal

Data Processing Addendum

Last updated: 2026-05-26

Summary

This Data Processing Addendum ("DPA") supplements the Terms of Service and Privacy Policy and governs how Persistent Recruiter ("Processor") processes personal data on behalf of customers ("Controller"). It identifies the categories of personal data processed, the sub-processors we rely on, the security measures we maintain, and the rights that customers and the individuals whose data they upload can exercise.

1. Roles

Controller. The customer determines the purposes and means of processing candidate data uploaded to the Service. The customer is the controller of that data.

Processor. Persistent Recruiter processes candidate data only on the customer's documented instructions, which are reflected in the features exposed by the Service (pipeline tracking, content generation, email sending, workflows, analytics).

2. Categories of personal data we process

On the customer's behalf, we process the following data about candidates the customer tracks: names, email addresses, phone numbers, resumes, LinkedIn URLs, postal addresses, recruiter notes, stage history, and related pipeline information.

On the customer's behalf, we also process data about recipients of customer-sent emails (welcome, follow-up, drip, lead notifications): email addresses, names, and delivery metadata (open / click / bounce status returned by our email provider).

3. Sub-processors

The Service relies on the following sub-processors, each bound by its own data processing terms. By using the Service you authorize their engagement.

  • Supabase (US) — database, authentication, file storage. Hosts all customer data at rest.
  • Vercel (US) — application hosting and edge runtime. Processes request data in transit.
  • Stripe (US) — billing and subscription management. Processes account email and billing metadata; does not access candidate data.
  • Resend (US) — transactional email delivery. Processes recipient email + message body for messages the customer sends through the Service.
  • PostHog (US) — product analytics. Processes product usage data with IP addresses redacted; does not receive candidate PII.

We notify customers of new sub-processors by updating this page; the "Last updated" date above reflects sub-processor changes.

4. Cross-border transfers

All sub-processors above are based in the United States. EU/UK customers acknowledge that personal data is transferred to the US and processed there. We rely on the standard contractual clauses incorporated into our sub-processors' terms; on request we will furnish copies for the chain relevant to your data.

5. Security measures

We maintain the following technical and organizational measures:

  • Encryption in transit (TLS 1.2 or higher) and at rest (AES-256, provided by Supabase for the database and file storage).
  • Row-Level Security (RLS) on every customer-data table — candidate records are scoped to the owning account and cannot be read by other customers.
  • HTTPS-only with HSTS preload; CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers on every response.
  • Webhook signature verification on all inbound integrations (Stripe events).
  • Access controls: production access limited to the founding operator; service-role credentials rotated whenever that operator changes.
  • Logging and audit trail: server logs retained ≤ 30 days for security and debugging.

6. Data subject rights

Candidates whose data the customer has uploaded can exercise GDPR / CCPA rights (access, correction, deletion, portability) by contacting the customer that uploaded their data. We will support the customer in fulfilling such requests on receipt of a written direction sent to legal@persistentmomentum.com.

7. Personal data breaches

If we confirm a personal data breach affecting customer data, we will notify the customer without undue delay, and no later than 72 hours after becoming aware of it, with the information then available, and will update the customer as the investigation progresses.

8. Deletion / return

On termination of the customer's account, customer-owned data (candidates, pipeline, content, brand) is retained for 30 days for accidental-deletion recovery, then deleted from active systems. Backups age out within a further 30 days. Customers can request earlier deletion via legal@persistentmomentum.com.

9. Audits

Customers may, upon reasonable written notice, audit our compliance with this DPA no more than once per twelve-month period and at the customer's expense. Audits will be conducted during business hours, will be subject to mutual NDA, and will not unreasonably interfere with operations.

10. Sign a DPA

This published DPA satisfies most customer requirements. Customers whose procurement process requires a signed contract may request one at legal@persistentmomentum.com — include your company name and the email address of the signatory.

11. Contact

Privacy, security, or DPA questions: legal@persistentmomentum.com.

Security disclosures: see /.well-known/security.txt.