This Data Processing Addendum (“DPA”) forms part of the Terms of Service (the “Agreement”) between Fast Hiring LLC, doing business as FastHiring (“FastHiring,” “Processor,” “Service Provider,” “we,” “our,” or “us”) and the Customer (“Controller,” “Business,” “you,” or “your”). The terms “Controller/Business” and “Processor/Service Provider” reflect the applicable terminology under relevant state privacy laws, including CCPA/CPRA (Business/Service Provider) and Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, and Oregon OCPA (Controller/Processor).
GDPR Notice. This DPA is designed for compliance with U.S. state privacy laws. It does not constitute a GDPR-compliant data processing agreement under Article 28 of the EU General Data Protection Regulation. Customers who require GDPR compliance for processing of EU, EEA, or UK data subjects’ personal data should contact FastHiring at support@fasthiring.ai to discuss supplementary terms.
This DPA applies to the extent that FastHiring processes Personal Data on behalf of Customer in connection with the Services.
1. DEFINITIONS
"Personal Data" means any information that identifies or relates to an identifiable individual, including “personal information” as defined under applicable U.S. state privacy laws.
"Processing" means any operation performed on Personal Data, including collection, storage, use, transmission, disclosure, and deletion.
"Controller / Business" means Customer, the entity that determines the purposes and means of processing Personal Data.
"Processor / Service Provider" means FastHiring, the entity that processes Personal Data on behalf of Customer.
"Subprocessor" means any third party engaged by FastHiring to process Personal Data in connection with the Services.
"Security Incident" means any confirmed or reasonably suspected unauthorized access to, acquisition, disclosure, loss, alteration, or destruction of Personal Data, or any event that compromises the security, confidentiality, or integrity of Personal Data processed under this DPA.
"Applicable Privacy Law" means all applicable U.S. federal and state privacy and data protection laws, including without limitation the CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, Oregon OCPA, and any successor or equivalent state laws.
2. ROLES OF THE PARTIES
Customer acts as the Controller / Business. FastHiring acts as the Processor / Service Provider and processes Personal Data only on documented instructions from Customer, except as otherwise required by applicable law. If FastHiring reasonably determines that a Customer instruction would violate Applicable Privacy Law, FastHiring will notify Customer and may suspend processing of the affected Personal Data until the instruction is corrected or withdrawn.
3. SCOPE OF PROCESSING
Subject Matter
Processing of Personal Data in connection with providing the FastHiring platform and Services.
Duration
For the duration of the Agreement and any applicable retention period as set forth in Section 9.
Nature and Purpose
Processing includes storing candidate and user data; facilitating hiring workflows; enabling communication between employers and candidates; sending email and SMS communications on Customer’s behalf; maintaining and supporting the platform; and processing payments.
Categories of Data Subjects
Job candidates; employer account users; platform administrators and billing contacts.
Categories of Personal Data
Names, email addresses, phone numbers, and other contact information; employment history and qualifications; application and screening question responses; interview scheduling data; IP addresses and approximate geolocation; browser type and cookie identifiers; audio/video session metadata including connection and performance data (audio/video content is not stored); platform usage and device data; inferences drawn from usage data for platform performance and security; billing and transaction records; consent and legal acknowledgement records, including consent timestamps and agreement versions.
4. PROCESSOR / SERVICE PROVIDER OBLIGATIONS
4.1 Processing Instructions
FastHiring will process Personal Data only as necessary to provide the Services and in accordance with Customer’s documented instructions.
4.2 CCPA / Multi-State Service Provider Certification
FastHiring agrees that with respect to Personal Data received from Customer:
(a) FastHiring will not retain, use, or disclose Personal Data for any purpose other than the business purposes in this DPA and the Agreement;
(b) FastHiring will not retain, use, or disclose Personal Data outside of the direct business relationship between FastHiring and Customer;
(c) FastHiring will not combine Personal Data received from Customer with Personal Data from other sources, except as necessary to: (i) detect data security incidents; (ii) protect against malicious, deceptive, fraudulent, or illegal activity; (iii) prosecute those responsible; or (iv) as specifically required by applicable law;
(d) FastHiring will not sell or share Personal Data as defined under the CCPA/CPRA;
(e) FastHiring will notify Customer if it determines it can no longer meet its obligations as a service provider under Applicable Privacy Law;
(f) Customer has the right to take reasonable steps to ensure FastHiring uses Personal Data consistently with Customer’s obligations under Applicable Privacy Law;
(g) Customer has the right to stop and remediate any unauthorized use of Personal Data by FastHiring upon written notice;
(h) FastHiring certifies that it understands and will comply with the restrictions in this Section 4.2.
4.3 Confidentiality
FastHiring will ensure that personnel authorized to process Personal Data are bound by confidentiality obligations and receive appropriate data protection training.
4.4 No Sale or Advertising Use
FastHiring does not sell Personal Data, share Personal Data for cross-context behavioral advertising, or use Personal Data for its own advertising or marketing purposes.
4.5 AI and Automated Processing
FastHiring does not use Personal Data to train, fine-tune, or develop machine learning or artificial intelligence models without Customer’s prior written consent. FastHiring does not perform automated scoring, ranking, or evaluation of candidates.
4.6 Sensitive Personal Information
FastHiring acknowledges that Personal Data processed under this DPA may incidentally include sensitive personal information — including racial or ethnic origin, religious beliefs, or other protected characteristics — contained in resumes, cover letters, or interview content. FastHiring processes such information solely to facilitate the hiring workflow on behalf of Customer and does not use sensitive personal information for any purpose beyond providing the Services. Customer is responsible for providing any required notices to data subjects regarding sensitive personal information.
5. SECURITY MEASURES
FastHiring implements and maintains the following safeguards to protect Personal Data:
(a) Encryption in transit using TLS 1.2 or higher and at rest using AES-256 or equivalent;
(b) Role-based access controls limiting Personal Data access to personnel with a legitimate need;
(c) Secure cloud infrastructure on Google Cloud Platform with industry-standard security controls;
(d) Access controls reviewed at least annually and updated as needed;
(e) Audit logs of access to systems containing Personal Data maintained for a minimum of twelve (12) months;
(f) A documented incident response plan reviewed at least annually;
(g) Periodic security assessments including vulnerability scanning, conducted at minimum upon any material infrastructure change;
(h) Employee and contractor confidentiality obligations and data protection training.
FastHiring will respond to reasonable written security questionnaires upon request, subject to confidentiality obligations.
6. SUBPROCESSORS
FastHiring engages the following subprocessors to support the Services:
Google Cloud Platform (including Firebase) — Cloud infrastructure, authentication, real-time database, and hosting — United States
Stripe — Payment processing and billing — United States
Postmark — Transactional email delivery — United States
Mailivery — Email deliverability and domain warming — United States
Twilio — SMS communications — United States
Zoho Desk — Customer support ticketing — United States
FastHiring will notify Customer of any subprocessor change — including adding a new subprocessor, changing a subprocessor’s location, or changing the categories of Personal Data a subprocessor accesses — at least thirty (30) days in advance by updating the Privacy Policy and providing direct email notice. Customer may object within fourteen (14) days. If the parties cannot resolve the objection, Customer may terminate the Agreement without penalty upon written notice within thirty (30) days of the original notification.
7. DATA SUBJECT RIGHTS
If FastHiring receives a request directly from an individual regarding their Personal Data processed under this DPA, FastHiring will notify Customer within two (2) business days of receipt and will not respond substantively without Customer’s authorization, except as required by law. FastHiring will provide reasonable assistance to enable Customer to respond to verified data subject rights requests within Customer’s applicable legal deadline.
8. SECURITY INCIDENTS
In the event of a Security Incident, FastHiring will:
(a) Notify Customer at the primary account email address without undue delay and in any event within seventy-two (72) hours of becoming aware of the Security Incident;
(b) Provide Customer with available information about the nature of the incident, categories of Personal Data affected, approximate volume affected, likely consequences, and measures taken or proposed;
(c) Provide all information reasonably necessary for Customer to fulfill its breach notification obligations under Applicable Privacy Law;
(d) Take reasonable steps to contain, investigate, and mitigate the incident;
(e) Cooperate with Customer in fulfilling breach notification obligations.
Customer is responsible for notifying affected individuals and relevant regulatory authorities. FastHiring’s notification does not constitute an acknowledgment of fault or liability.
9. DATA RETENTION AND DELETION
FastHiring retains Personal Data only as necessary to provide the Services. Upon termination, FastHiring will retain Customer’s Personal Data for one hundred eighty (180) days, during which Customer may request an export. Data exports will be provided in a structured, machine-readable format such as JSON within ten (10) business days of a written request. Following the 180-day period, FastHiring will delete or anonymize Personal Data in accordance with its data lifecycle procedures. Notwithstanding the foregoing, FastHiring retains certain records indefinitely as required by law, including email bounce records, unsubscribe records, consent logs, and legal acknowledgement records. These records contain limited Personal Data (primarily email addresses and timestamps) and are retained for CAN-SPAM compliance and legal proof of consent. FastHiring will confirm deletion upon written request.
10. AUDITS AND COMPLIANCE
FastHiring will, upon reasonable written request, provide information necessary to demonstrate compliance with this DPA, including responses to security questionnaires.
Formal audits may be requested no more than once per year with at least thirty (30) days’ advance written notice, during normal business hours, and subject to a reasonable scope that does not disrupt FastHiring’s operations or compromise other customers’ data. Audit costs are borne by Customer.
11. CUSTOMER OBLIGATIONS
Customer agrees to: (a) comply with all Applicable Privacy Law; (b) ensure a lawful basis for collecting and uploading Personal Data; (c) provide appropriate privacy notices to candidates and data subjects; (d) obtain any required consents, including TCPA consent for SMS; (e) be solely responsible for hiring decisions, candidate communications, and the legality of candidate data uploaded; (f) ensure the accuracy of Personal Data uploaded and promptly process correction requests from data subjects.
12. LIMITATION OF LIABILITY
Liability under this DPA is subject to the limitations and exclusions in the Agreement. Nothing in this DPA expands either party’s liability beyond the limits in the Agreement.
13. GOVERNING LAW AND CONFLICT
This DPA is governed by the laws specified in the Agreement. To the extent Applicable Privacy Law requires specific data processing obligations that conflict with any provision of this DPA or the Agreement, Applicable Privacy Law governs that specific obligation. In the event of a conflict between this DPA and the Agreement on data processing matters, this DPA governs.
14. TERM
This DPA remains in effect for the duration of the Agreement. Confidentiality, security incident notification, deletion, and audit cooperation obligations survive termination.
15. UPDATES
FastHiring may update this DPA to reflect changes in Applicable Privacy Law or its data processing practices. For material changes, FastHiring will provide at least thirty (30) days’ advance notice. Customer may object to material changes within thirty (30) days; if unresolved, Customer may terminate the Agreement without penalty. Non-material updates take effect upon posting with appropriate notice.