Data Processing Agreement (DPA)
Effective: May 2026 — incorporates LGPD, GDPR, CCPA/CPRA and PIPEDA standards
This Data Processing Agreement ("DPA") forms part of the agreement between you ("Controller") and Candidatoo ("Processor") and governs the processing of personal data carried out by Candidatoo on behalf of the Controller. It is offered as a pre-signed addendum to our Terms of Use. By using the Service you accept this DPA.
1. Definitions
Terms not defined here have the meaning given by Brazil's LGPD (Lei nº 13.709/2018), the EU/UK GDPR, the California CCPA/CPRA, and Canada's PIPEDA. "Personal Data" means any information relating to an identified or identifiable natural person.
2. Roles
- The Controller determines the purposes and means of processing.
- Candidatoo acts as Processor (LGPD: "operador"; CCPA: "service provider"; PIPEDA: "service provider"; GDPR: "processor"), processing data only on documented instructions from the Controller.
3. Subject matter, duration and nature
Subject matter: providing the Candidatoo career platform. Duration: the term of the underlying contract, plus any retention period required by law (see Sections 5 and 12). Nature: storage, organization, structuring, retrieval, AI-assisted generation, and deletion of resume and career data.
4. Categories of data subjects and data
- Data subjects: the Controller's end users (job candidates).
- Personal data: identification (name, email, phone), professional history, resumes, cover letters, application records, AI prompts/outputs, and technical data (IP, device).
- No special categories (health, biometrics, criminal data) are required to use the Service.
5. Processor obligations
- Process Personal Data only on the Controller's documented instructions.
- Ensure persons authorized to process data are bound by confidentiality.
- Implement appropriate technical and organizational measures (Section 8).
- Assist the Controller in responding to data subject rights requests within statutory deadlines (LGPD: 15 days for a complete response; GDPR: 1 month; CCPA: 45 days; PIPEDA: 30 days).
- Notify the Controller without undue delay (and within 48 hours) of any confirmed Personal Data Breach.
- Make available all information necessary to demonstrate compliance and allow for audits.
- Delete or return Personal Data after the end of the service, unless retention is legally required.
6. Sub-processors
The Controller grants general authorization for the use of the sub-processors listed below. Candidatoo will inform the Controller of any intended changes with at least 30 days' notice and provide an objection mechanism.
- Supabase Inc. — managed database, authentication, storage (US/EU regions)
- Cloudflare, Inc. — CDN, WAF, DDoS protection (global)
- Stripe, Inc. — payment processing (US, billing only)
- OpenAI / Google / Anthropic via Lovable AI Gateway — AI inference (US/EU). Prompts and outputs are not used to train third-party models.
7. International transfers
Where Personal Data is transferred outside Brazil, the EEA, the UK, or Canada, Candidatoo relies on (a) adequacy decisions where available, (b) Standard Contractual Clauses (the European Commission's SCCs, the UK IDTA or Addendum, and the ANPD's standard clauses) with supplementary measures where a transfer assessment shows them to be necessary, and (c) other mechanisms approved by the ANPD, the European Commission or EDPB, the ICO, or the OPC.
8. Security measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access control with least-privilege and MFA for administrative access.
- Row-Level Security on multi-tenant data; data segregation by user.
- Continuous logging, monitoring and alerting on anomalous access.
- Daily encrypted backups with 30-day retention and tested restore procedures.
- Annual penetration tests and dependency vulnerability scanning.
- Documented incident response and disaster recovery plans, with defined RTO/RPO targets for recovery.
- Background checks and annual security training for personnel.
9. Data subject rights
Candidatoo provides Controllers and end users with self-service tools to access, correct, port, restrict, object to, and delete their Personal Data, in line with Arts. 17–22 of the LGPD, Arts. 15–22 of the GDPR, §1798.100 et seq. of the CCPA/CPRA, and Principles 4.9 and 4.10 of PIPEDA.
10. Personal data breaches
Candidatoo will notify the Controller within 48 hours of becoming aware of any confirmed breach, providing the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed; information not yet available at that time is provided in phases as it becomes known. The Controller is responsible for notifying its competent authority and affected individuals where required (LGPD art. 48; GDPR arts. 33–34; PIPEDA s. 10.1; Cal. Civ. Code §1798.82).
11. Audits
Candidatoo will make available, on reasonable request and subject to confidentiality, the most recent SOC 2 / ISO 27001 reports of its sub-processors and the results of its own annual penetration test. On-site audits may be arranged once per year with 30 days' notice.
12. Liability and termination
Liability under this DPA is governed by the limitation-of-liability clause of the underlying Terms of Use. Termination follows the Service Agreement; on termination Candidatoo will delete or, at the Controller's option, return all Personal Data within 30 days, unless retention is legally required.
13. Governing law and jurisdiction
This DPA is governed by the laws of the Federative Republic of Brazil, without prejudice to mandatory provisions of the data subject's country of residence. The forum of São Paulo - SP is elected, except where applicable consumer law assigns a different forum.
14. Contact
Data Protection Officer / Encarregado: info@candidatoo.com.br.