Data Processing Agreement.

The Customer (you, or the company you represent) is the Data Controller of the personal data you submit to SprintJobs.

SprintJobs, Inc. is the Data Processor and processes personal data on the Customer's documented instructions.

Subject matter: the personal data the Customer submits to SprintJobs in the course of using the Service — primarily resume content, contact details, and job-application activity.

Duration: for the length of the Customer's account, plus the retention window described in the Privacy Policy.

The processing supports the concierge job-application service: writing the Customer's resume, drafting cover letters, identifying relevant roles, submitting applications, and reporting outcomes back to the Customer.

No automated decision-making with legal effects is performed without human review.

Categories of data: identification (name, email, phone), professional history, education, skills, geographic and salary preferences, application activity, and any free-form notes the Customer provides.

Categories of data subjects: the Customer themselves (the job seeker). SprintJobs does not knowingly process the personal data of third parties through this Service except for references the Customer chooses to include.

SprintJobs will: (a) process personal data only on the Customer's documented instructions; (b) ensure persons authorized to process the data are under appropriate confidentiality; (c) take all measures required under Article 32 GDPR; (d) assist the Customer with data-subject requests; (e) notify the Customer without undue delay of any personal data breach.

SprintJobs will not engage another subprocessor without giving the Customer 30 days' prior notice and a chance to object.

Transport encryption (TLS 1.2+) for all client and inter-service traffic. Encryption at rest for all database storage. Secrets stored in Supabase Vault. Role-based access controls inside the company. Audit logs for production access. Multi-factor authentication required for all staff accounts.

The current list of subprocessors and their roles is published at sprintjobs.us/subprocessors and is incorporated by reference into this DPA. Customer's continued use of the Service after a published change constitutes acceptance, subject to the objection right above.

Where personal data is transferred outside the EEA / UK to SprintJobs or a subprocessor in the United States, the transfer is governed by the European Commission's Standard Contractual Clauses (2021/914), incorporated here by reference. The UK Addendum applies for UK transfers.

SprintJobs will assist the Customer, taking into account the nature of processing, in responding to data-subject requests for access, rectification, erasure, restriction, portability, and objection.

Requests directed to SprintJobs are forwarded to the Customer within 5 business days unless the Customer has authorized direct response.

Customer may, on reasonable notice and no more than once per year (or after a personal-data breach), request an audit report demonstrating SprintJobs' compliance with this DPA. SprintJobs will respond with our then-current security documentation.

On termination of the Customer's account, SprintJobs will delete or return all personal data within 30 days, except where retention is required by law or for legitimate audit purposes (limited backups expire within 24 months).

This DPA is automatically incorporated into the Terms of Service for any Customer based in the EU, UK, or Switzerland. A countersigned copy is available on request: email team@sprintjobs.us with the subject "DPA request" and the legal entity name.