RoleApt Data Processing Addendum (DPA)
Last updated: 2 July 2026. Version: 1.2.
0. Status and applicability (read first)
This DPA is not the default agreement for individual users. RoleApt is, at launch, a service for individual job seekers who process their own personal data. In that ordinary case RoleApt is a data controller, the relationship is governed by the Privacy Policy, and no DPA applies or is needed. You do not need to sign this document to use RoleApt.
When this DPA becomes operative. This DPA takes effect only where, and from the moment that, RoleApt and a customer enter into a genuine business arrangement under which the customer uses RoleApt to process the personal data of third parties on that customer's behalf (for example a career coach, recruiter, outplacement provider, or agency processing other individuals' CVs and job-application materials). In that scenario the customer is a controller and RoleApt is its processor for that third-party data, and Article 28 GDPR requires these terms.
RoleApt does not currently market or offer a team, agency, recruiter, or organisation tier. Processing third parties' personal data on someone else's behalf is outside the Service's intended use at launch. This DPA is published in advance so that, where such an arrangement is individually agreed and countersigned by both parties (see Section 16), the data-protection terms are ready. Until it is countersigned for a specific customer, the controller-to-data-subject relationship under the Privacy Policy is the only relationship in force, and Sections 1 to 15 below describe how this DPA would operate if and when it is brought into effect.
This DPA is published in advance and is gated to take effect only on countersignature (Section 16); it does not represent any live product tier and does not apply to individual consumers.
1. Introduction and scope
This Data Processing Addendum ("DPA") forms part of, and is incorporated by reference into, the RoleApt Terms of Service (the "Agreement") between:
- Bebox EOOD, a company registered in Bulgaria, with its registered office at Prof. Aleksandar Fol 2, en. K, ap. 23, 1700 Sofia, Bulgaria, VAT No. BG205313951, operating the service under the trading name "RoleApt" ("RoleApt", "we", "us", "Processor"); and
- You, the business customer that has entered into the Agreement and into this DPA (by countersignature under Section 16) and that uses RoleApt to process personal data about identifiable individuals other than yourself ("Customer", "you", "Controller").
This DPA governs the processing of Personal Data carried out by RoleApt on behalf of the Customer in connection with the RoleApt service (the "Service") described in the Agreement, subject to the applicability gate in Section 0 and the effectiveness condition in Section 16.
Who this DPA is for. This DPA is directed at business / B2B customers who, by uploading or entering personal data that relates to third parties (for example, where a career coach, recruiter, outplacement provider, agency, or employer uses RoleApt to process the CVs, profiles, or job-application materials of individuals other than the account holder), act as a data controller and engage RoleApt as a data processor for that data.
Individual consumers do not need this DPA. Where you use RoleApt solely to process your own personal data as an individual job seeker, RoleApt acts as a controller of that data and the Privacy Policy governs that relationship, not this DPA.
Order of precedence. If there is any conflict between this DPA and the rest of the Agreement on the subject of the processing of Personal Data, this DPA prevails. If there is any conflict between this DPA and the Standard Contractual Clauses referenced in Section 11, the Standard Contractual Clauses prevail.
2. Definitions
Terms used in this DPA have the meaning given to them in Regulation (EU) 2016/679 ("GDPR") and the Bulgarian Personal Data Protection Act (Закон за защита на личните данни, "ЗЗЛД"). In particular:
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by RoleApt on behalf of the Customer under the Agreement (the "Customer Personal Data").
- "Processing", "Controller", "Processor", "Data Subject", "Personal Data Breach", "Supervisory Authority", and "Special Categories of Personal Data" have the meanings given in Article 4 and Article 9 GDPR.
- "Data Protection Law" means the GDPR, the ЗЗЛД, the ePrivacy regime as implemented in Bulgaria, and any other applicable data protection or privacy law, in each case as amended or replaced from time to time.
- "Sub-processor" means any third party engaged by RoleApt to process Customer Personal Data on RoleApt's behalf.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under Implementing Decision (EU) 2021/914.
- "Customer Personal Data" means Personal Data that RoleApt processes on the Customer's behalf and on the Customer's documented instructions, as described in Annex 1.
3. Roles of the parties
3.1 Customer as Controller; RoleApt as Processor. For the Customer Personal Data that the Customer uploads, pastes, generates, or otherwise submits to the Service about Data Subjects other than the account holder (for example, profile sources, profile photos, synthesized profiles, job-application data, and generated CVs and cover letters relating to those individuals), the Customer is the Controller and RoleApt is the Processor. RoleApt processes that data only on the Customer's documented instructions, as set out in this DPA and the Agreement.
3.2 RoleApt as Controller for its own account, billing, security, and operational data. RoleApt acts as an independent Controller for the limited categories of data it determines the purposes and means of, namely: (a) the Customer's own account identity and authentication data (the business account holder's email, password hashes, OAuth identifier, MFA records); (b) billing and tax data (Stripe customer identifier, transaction ledger, billing name, address, and VAT identifier); (c) security, anti-abuse, and fraud-prevention signals (for example, Cloudflare Turnstile verification and canonicalized-email idempotency keys); (d) product analytics, error, and operational telemetry generated about the use of the Service; and (e) the transactional email RoleApt sends to the account holder (for example purchase confirmations, the durable-medium digital-content-waiver confirmation, and authentication emails). RoleApt's processing of that data is governed by the Privacy Policy, not by this DPA. Where that data also constitutes personal data of the Customer's own personnel, RoleApt processes it as a Controller for the purposes stated in the Privacy Policy.
3.3 No joint controllership. Nothing in this DPA is intended to create joint controllership between the parties within the meaning of Article 26 GDPR.
3.4 Customer's controller obligations. The Customer warrants that, in relation to the Customer Personal Data, it has and will maintain a valid lawful basis under Article 6 GDPR and, where Special Categories of Personal Data are involved, a valid condition under Article 9 GDPR (in particular the explicit consent of the Data Subject under Article 9(2)(a) where required). The Customer is responsible for providing all notices to, and obtaining all consents from, Data Subjects that are required for RoleApt to process the Customer Personal Data lawfully under this DPA, including any consent required for the transfer of Special Categories of Personal Data to RoleApt's Sub-processors outside the EEA (see Section 11.4).
4. Customer instructions
4.1 Documented instructions. RoleApt will process Customer Personal Data only on the documented instructions of the Customer, including with regard to international transfers, unless required to do otherwise by Union or Member State law to which RoleApt is subject. In the latter case, RoleApt will inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
4.2 Scope of instructions. The Customer's complete and final instructions are constituted by: (a) the Agreement; (b) this DPA, including Annex 1; (c) the configuration options and features the Customer selects within the Service; and (d) any further written instructions the Customer gives that the parties agree in writing.
4.3 Unlawful instructions. RoleApt will inform the Customer without undue delay if, in RoleApt's opinion, an instruction infringes Data Protection Law. RoleApt is not obliged to carry out a legal review of the lawfulness of the Customer's instructions.
4.4 Special category data. The Customer acknowledges that uploaded profile sources, pasted text, and profile photos routinely contain Special Categories of Personal Data (for example health, racial or ethnic origin, religion, trade-union membership, political opinions, or sexual orientation). RoleApt does not detect, classify, or strip such data; it processes whatever the Customer submits as part of providing the Service. The Customer instructs RoleApt to process such Special Category data solely to provide the Service, and the Customer warrants that it relies on a valid Article 9 condition (in particular the explicit consent of the relevant Data Subjects) for that processing and for any transfer of that data to a third country (see Section 11.4).
5. Subject matter, nature, purpose, duration, and categories
The details required by Article 28(3) GDPR are set out in Annex 1 to this DPA. In summary:
- Subject matter: RoleApt's provision of the Service to the Customer.
- Duration: for the term of the Agreement, plus the limited post-termination period described in Section 12.
- Nature and purpose: processing the Customer's uploaded and entered materials to synthesize a canonical professional profile, run a job fit-check, and generate tailored draft CVs and cover letters, together with storage, hosting, transmission to the AI model, analytics where applicable, and supporting operations.
- Categories of Data Subjects: the individuals whose CVs, profiles, and job-application materials the Customer processes through the Service (for example the Customer's clients, candidates, or end users), and any third parties named within those materials.
- Categories of Personal Data: as set out in Annex 1, including potentially Special Categories of Personal Data.
6. RoleApt's general obligations as Processor
RoleApt will:
6.1 process Customer Personal Data only on the Customer's documented instructions (Section 4);
6.2 ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
6.3 implement and maintain the technical and organisational measures described in Section 7 and Annex 2 (Article 32 GDPR);
6.4 respect the conditions in Section 8 for engaging Sub-processors;
6.5 taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests from Data Subjects exercising their rights under Chapter III GDPR (Section 9);
6.6 assist the Customer in ensuring compliance with the obligations in Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to RoleApt (Sections 7, 9, and 10);
6.7 at the Customer's choice, delete or return all Customer Personal Data after the end of the provision of the Service, and delete existing copies unless Union or Member State law requires storage (Section 12);
6.8 make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, as described in Section 13.
7. Security measures (Article 32)
7.1 Risk-appropriate measures. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of Data Subjects, RoleApt implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. A description of these measures is set out in Annex 2.
7.2 Summary of current measures. Without limiting Annex 2, RoleApt's current measures include:
- Encryption in transit and at rest. All data is transmitted over TLS. Customer Personal Data at rest (database rows and storage objects) is encrypted at rest by the underlying infrastructure providers (Supabase, Vercel).
- Tenant isolation and access control. The application enforces per-tenant data isolation through row-level security (RLS) policies in the primary database, scoped to the authenticated account. Uploaded files (profile sources, profile photos, generated artifacts) are stored in private storage buckets, partitioned by user identifier, and are not publicly accessible.
- Authentication. Account authentication is managed by Supabase Auth. Passwords are stored only as salted hashes and are never accessible to RoleApt in plaintext. Optional two-factor authentication and bcrypt-hashed recovery codes are supported.
- Card data isolation. Card numbers are never received, processed, or stored by RoleApt. All card data is handled by Stripe within a PCI-DSS-compliant environment. RoleApt uses Stripe-hosted payment pages, so card data never transits RoleApt systems (consistent with PCI-DSS SAQ-A scope).
- Least-privilege backend access. Privileged, RLS-bypassing database access (the service-role credential) is restricted to trusted server-side contexts (webhooks, cron jobs, administrative routines) and is never exposed to the browser.
- Image-source rejection. Image files submitted as profile sources are rejected at intake to reduce the attack surface (a profile photo may separately be uploaded only for the Portrait CV template, into a private bucket).
- Abuse prevention. Signup is protected by Cloudflare Turnstile and a throwaway-domain blocklist; credit operations use idempotency keys to prevent abuse.
- Monitoring and logging. Application and error telemetry is captured to support reliability and security investigations; access to logs is restricted to authorised personnel.
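The tenant-isolation and storage measures listed above (RLS policies scoped to the authenticated account; private buckets partitioned by user identifier) can be expressed in Postgres as used by Supabase. The following is an added illustrative example, not RoleApt's own schema or policies: the table name `profile_sources`, its columns, the bucket name `profile-sources`, and the policy names are assumptions; `auth.uid()` and `storage.foldername()` are Supabase-provided functions.

```sql
-- Added example (not RoleApt's code). Table, column, bucket and policy
-- names are assumptions chosen for illustration.

-- A per-tenant table: every row carries the owning account's id.
create table if not exists profile_sources (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null references auth.users (id) on delete cascade,
  filename   text not null,
  created_at timestamptz not null default now()
);

-- Deny by default: once RLS is enabled, a role that matches no policy
-- sees and changes nothing. FORCE also applies the policies to the
-- table owner, so only roles with the BYPASSRLS attribute (the Supabase
-- service role) can read across tenants, which is why that credential
-- must stay server-side.
alter table profile_sources enable row level security;
alter table profile_sources force row level security;

-- Each policy is scoped to the authenticated account via auth.uid(),
-- which Supabase derives from the verified JWT of the current request.
create policy "owner selects own sources"
  on profile_sources for select
  to authenticated
  using (owner_id = auth.uid());

create policy "owner inserts own sources"
  on profile_sources for insert
  to authenticated
  with check (owner_id = auth.uid());   -- cannot insert rows for another tenant

create policy "owner deletes own sources"
  on profile_sources for delete
  to authenticated
  using (owner_id = auth.uid());

-- Private bucket (public = false): objects are never served anonymously.
insert into storage.buckets (id, name, public)
values ('profile-sources', 'profile-sources', false)
on conflict (id) do nothing;

-- Objects are stored under "<user id>/<file>"; the policy checks that the
-- first path segment equals the caller's account id.
create policy "owner reads own objects"
  on storage.objects for select
  to authenticated
  using (
    bucket_id = 'profile-sources'
    and (storage.foldername(name))[1] = auth.uid()::text
  );

create policy "owner writes own objects"
  on storage.objects for insert
  to authenticated
  with check (
    bucket_id = 'profile-sources'
    and (storage.foldername(name))[1] = auth.uid()::text
  );

-- Check: confirm RLS is enabled and forced, and list the active policies.
select relname, relrowsecurity, relforcerowsecurity
from pg_class where relname = 'profile_sources';
select policyname, cmd, roles from pg_policies where tablename = 'profile_sources';
```

A useful verification during an audit under Section 13 is to run the two `select` statements at the end and confirm that `relrowsecurity` and `relforcerowsecurity` are both true and that no policy uses `using (true)` for the `authenticated` role.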
7.3 Changes. RoleApt may update its security measures from time to time, provided that the updated measures do not materially reduce the overall level of protection of Customer Personal Data.
7.4 Customer responsibilities. The Customer is responsible for securing its own access credentials, for configuring its account appropriately, for controlling which of its personnel may access the account, and for the content it chooses to submit to the Service.
8. Sub-processors
8.1 General authorisation. The Customer grants RoleApt a general authorisation to engage Sub-processors to process Customer Personal Data, subject to this Section 8. The Sub-processors engaged as at the date of this DPA are listed in Annex 3.
8.2 Flow-down. Where RoleApt engages a Sub-processor, it does so under a written contract that imposes on the Sub-processor data protection obligations that are, in substance, the same as those imposed on RoleApt under this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures (Article 28(4) GDPR). RoleApt remains fully liable to the Customer for the performance of each Sub-processor's obligations.
8.3 Change notice. RoleApt will give the Customer prior notice of any intended addition or replacement of a Sub-processor by updating Annex 3 (which is maintained at https://roleapt.com/dpa) and notifying the Customer by email at least thirty (30) days before the new Sub-processor begins processing Customer Personal Data, except where a shorter period is reasonably required to address a security or service-continuity risk, in which case RoleApt will give as much notice as is practicable. To receive these notices the Customer must keep a current email address on file and may subscribe to sub-processor change notifications via the contact in Section 15.
8.4 Right to object. The Customer may object, on reasonable data-protection grounds, to a new Sub-processor by notifying RoleApt in writing within the notice period in Section 8.3. The parties will work together in good faith to resolve the objection. If the objection cannot be resolved and RoleApt nonetheless chooses to proceed with the Sub-processor, the Customer may, as its sole and exclusive remedy, stop using the Service and request a refund of its unused purchased credits in accordance with the refund policy in the Agreement (the "Terms"). Any such refund is the unused proportion of the price paid, with no deduction of payment-processing fees. Free or promotional credits are not cash-refundable. Because credits are fungible across actions, no attribution of credits to a particular processing activity is made or required.
9. Assistance with data-subject requests
9.1 Forwarding requests. If RoleApt receives a request from a Data Subject to exercise rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, or objection) in respect of Customer Personal Data, RoleApt will, unless legally prohibited, promptly inform the Customer and will not respond to the request directly other than to confirm that the request has been forwarded to the responsible Controller, unless instructed to do so by the Customer.
9.2 Assistance. Taking into account the nature of the processing, RoleApt will assist the Customer by appropriate technical and organisational measures, insofar as possible, in responding to such requests. The Service provides self-service tooling that allows the account holder to access, edit, export, and delete the data held in the account, which the Customer may use to satisfy many Data Subject requests directly.
9.3 Data-subject request limitations and storage gaps. The Customer acknowledges the following operational facts about deletion and export, which are relevant to fulfilling erasure and access requests:
- Database erasure. Self-service account deletion hard-deletes the account record and cascades the deletion of linked database rows (profiles, profile sources, snapshots, job applications, generated-artifact records, the credit ledger and credit balances, the Stripe billing-customer link, MFA recovery codes, and raw AI-call transcript tables). Before the credit ledger is removed, RoleApt archives a pseudonymous, content-free accounting record (the financial facts and a per-action usage record, keyed to a one-way hash of the account email) that survives the cascade for the statutory period (see Section 12.3).
- Storage objects. Account deletion removes the files stored in the private storage buckets (uploaded profile sources, profile photos, and generated CV/cover-letter files): the buckets are purged first, so a storage failure aborts the deletion rather than leaving objects behind. Where the Customer needs confirmation of storage-object erasure to satisfy a Data Subject's erasure request, the Customer may request RoleApt's assistance via the contact in Section 15.
- Billing and tax records. The statutory billing and VAT records held independently by Stripe are retained by Stripe for its own statutory accounting period (see Sections 12.3 and 12.4) and are therefore not erased on account deletion to the extent retention is required by law.
9.4 Reasonable assistance. RoleApt may charge a reasonable fee for assistance under this Section 9 only where the requested assistance is excessive or goes materially beyond the standard self-service tooling and the support RoleApt would ordinarily provide; RoleApt will inform the Customer of any such fee before incurring it.
10. Personal data breach
10.1 Notification to Customer. RoleApt will notify the Customer without undue delay, and in any event within forty-eight (48) hours (or sooner where feasible), after becoming aware of a Personal Data Breach affecting Customer Personal Data. This period is set deliberately shorter than the controller's own 72-hour deadline under Article 33(1) GDPR so that the Customer retains time to assess the breach and report onward to its Supervisory Authority where required.
10.2 Content of notification. The notification will, to the extent known and available at the time, describe: (a) the nature of the breach, including, where possible, the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach and mitigate its effects; and (d) a point of contact for further information. Where the information cannot be provided all at once, RoleApt may provide it in phases without further undue delay.
10.3 Cooperation. RoleApt will reasonably cooperate with the Customer and take the reasonable steps the Customer directs to assist in the investigation, mitigation, and remediation of the breach, including assisting the Customer with any notifications the Customer is required to make to a Supervisory Authority (including the Bulgarian Commission for Personal Data Protection, Комисия за защита на личните данни) or to affected Data Subjects under Articles 33 and 34 GDPR.
10.4 No admission. RoleApt's notification of, or response to, a Personal Data Breach is not an acknowledgement by RoleApt of any fault or liability.
10.5 Customer's reporting obligation. As Controller, the Customer is responsible for determining whether the breach is notifiable to a Supervisory Authority or to Data Subjects, and for making any such notification.
11. International transfers
11.1 Transfers outside the EEA. Some Sub-processors process Customer Personal Data outside the European Economic Area, in particular in the United States. The transfer destinations and mechanisms are set out in Annex 3.
11.2 Transfer mechanism. Where RoleApt or a Sub-processor transfers Customer Personal Data to a country outside the EEA that is not the subject of an adequacy decision, the transfer is made subject to the Standard Contractual Clauses (Implementing Decision (EU) 2021/914), supplemented by appropriate technical and organisational measures, or under another valid Article 46 GDPR transfer mechanism. RoleApt relies on each Sub-processor's data processing agreement and SCCs for the relevant transfers.
11.3 SCCs between the parties. To the extent that RoleApt's processing of Customer Personal Data on behalf of the Customer itself involves a restricted transfer requiring the SCCs between the Customer (as data exporter) and RoleApt (as data importer), the SCCs (Module Two: controller to processor, or Module Three: processor to processor, as applicable) are incorporated into this DPA by reference and completed as follows: (a) Clause 7 (docking clause) applies; (b) for Clause 9, Option 2 (general written authorisation) applies, with the notice period in Section 8.3; (c) for Clause 11, the optional independent-dispute-resolution body is not selected; (d) for Clause 17, the SCCs are governed by the law of Bulgaria; (e) for Clause 18, disputes are resolved before the courts of Sofia, Bulgaria; and (f) Annexes 1, 2, and 3 to this DPA populate the corresponding annexes of the SCCs.
11.4 Key US transfers. The principal transfers of Customer Personal Data to the United States are: (a) Anthropic (profile, CV, and job-description text, which may include Special Category data, is transmitted in generation prompts); (b) Stripe (billing identity and tax data; card data held by Stripe); (c) Cloudflare Turnstile (signup token and client IP); (d) Vercel (in-transit data and server logs); and, where activated, (e) Jina AI and (f) Firecrawl (the job-description URL the user pastes - see the characterization note in Annex 3). Transactional email to the account holder (Resend) is RoleApt's own controller-side processing under the Privacy Policy, not processing of third-party Customer Personal Data on the Customer's instruction (see Section 3.2). Several Sub-processors are EU-resident (Supabase eu-central-1, PostHog EU Cloud, Sentry EU region), as set out in Annex 3.
11.5 AI model retention and special-category transfers. RoleApt relies on Anthropic's commercial terms (including its commitment not to train its models on customer inputs or outputs under those terms) and Anthropic's data processing agreement and SCCs. Where the prompt content transferred to Anthropic in the United States contains Special Categories of Personal Data, the Standard Contractual Clauses are the Article 46 transfer mechanism, and the Customer's Article 9(2)(a) explicit consent obtained from the relevant Data Subjects (Sections 3.4 and 4.4) is the separate Article 9 condition permitting the special-category content to be processed. No separate Article 49 derogation is required; Article 49 would in any event be unavailable for these routine, systematic transfers, which must rely on an Article 46 safeguard. RoleApt has carried out and documented a transfer impact assessment for the Anthropic transfer, held on file and available to a Supervisory Authority on request. Zero data retention is not required: under the commercial API, Anthropic does not train on inputs or outputs and retains no prompt or response content at rest by default.
11.6 Region verification. Where Annex 3 states that a Sub-processor is EU-resident, that region has been verified against the provider's live dashboard and signed DPA before being relied upon for the purposes of Section 11.2. RoleApt will not rely on EU residency to dispense with SCCs for any Sub-processor whose region has not been confirmed.
12. Return and deletion on termination
12.1 Choice on termination. Following the end of the provision of the Service, RoleApt will, at the Customer's choice (expressed in writing within thirty (30) days of termination), delete or return all Customer Personal Data, and delete existing copies, unless Union or Member State law requires continued storage.
12.2 Default deletion. If the Customer does not express a choice within that period, RoleApt will delete the Customer Personal Data within a reasonable period thereafter, subject to Section 12.3. Deletion of database records and storage-bucket objects is effected by the account-deletion cascade described in Section 9.3 (storage is purged as part of that cascade).
12.3 Billing and tax records. Account deletion cascades to and removes the live server-side billing and credit ledger (the credit-transaction ledger, credit balances, and the Stripe billing-customer link). Before that cascade runs, RoleApt archives a pseudonymous, content-free accounting record (the financial facts - credit amount, reason, Stripe identifiers, date - and a per-action usage record, keyed to a one-way hash of the account email) that survives deletion for the statutory period. The full statutory billing, invoicing, and VAT records required by Bulgarian accounting and tax law are additionally retained by Stripe, independently of RoleApt, for Stripe's own statutory accounting period - 10 years under the Bulgarian Accountancy Act and the VAT Act (see Section 12.4). Together the pseudonymous server-side record and the Stripe-held records meet the underlying record-keeping obligation without retaining the Customer's content.
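Section 9.3 and Section 12.3 both describe the same sequence: storage buckets are purged first, a pseudonymous accounting record keyed to a one-way hash of the account email is archived, and the account row is then deleted so that the database cascade removes the linked rows. The following is an added example of how that database step can be implemented in Postgres, not RoleApt's own deletion routine: the tables `credit_ledger` and `accounting_archive`, their columns, the function name, and the use of a server-held pepper passed as a parameter are assumptions. The one-way hash is built with pgcrypto's `hmac()` rather than a bare `digest()` so that the pseudonymous key cannot be recovered by hashing a list of candidate email addresses.

```sql
-- Added example (not RoleApt's code). Table and column names and the
-- pepper-as-parameter design are assumptions for illustration.
create extension if not exists pgcrypto;

-- Content-free accounting record: financial facts only, no plaintext identity.
create table if not exists accounting_archive (
  email_hash      text not null,        -- pseudonymous key (HMAC-SHA256 of email)
  credit_amount   integer not null,
  reason          text not null,
  stripe_event_id text,
  occurred_at     timestamptz not null,
  archived_at     timestamptz not null default now()
);

-- Assumed live ledger; the FK cascade is what removes it on account deletion.
create table if not exists credit_ledger (
  id              bigint generated always as identity primary key,
  user_id         uuid not null references auth.users (id) on delete cascade,
  amount          integer not null,
  reason          text not null,
  stripe_event_id text,
  created_at      timestamptz not null default now()
);

-- Called by trusted server code ONLY after the storage purge has succeeded;
-- a storage failure therefore aborts the whole deletion before this runs.
create or replace function archive_then_delete_account(p_user_id uuid, p_pepper text)
returns integer
language plpgsql
security definer
set search_path = public, extensions
as $$
declare
  v_email text;
  v_hash  text;
  v_rows  integer;
begin
  select email into v_email from auth.users where id = p_user_id;
  if v_email is null then
    raise exception 'no such account: %', p_user_id;
  end if;

  -- Canonicalise before hashing so one mailbox always maps to one key.
  v_hash := encode(hmac(lower(trim(v_email)), p_pepper, 'sha256'), 'hex');

  -- Step 1: archive the financial facts under the pseudonymous key.
  insert into accounting_archive (email_hash, credit_amount, reason, stripe_event_id, occurred_at)
  select v_hash, l.amount, l.reason, l.stripe_event_id, l.created_at
  from credit_ledger l
  where l.user_id = p_user_id;
  get diagnostics v_rows = row_count;

  -- Step 2: delete the account row; every table whose FK to auth.users is
  -- declared ON DELETE CASCADE (ledger, profiles, sources, MFA codes,
  -- transcripts) is removed in the same transaction. If this statement
  -- fails, the archive insert above rolls back with it, so the database
  -- never ends up with an archive but no deletion or vice versa.
  delete from auth.users where id = p_user_id;

  return v_rows;   -- number of ledger entries archived
end;
$$;

-- Keep the function callable only from server-side contexts.
revoke execute on function archive_then_delete_account(uuid, text) from public, anon, authenticated;
```

The function returns the number of ledger entries archived, which server code can log (without the email or hash) as evidence for the written confirmation in Section 12.5. Because the pepper is required to recompute the key, the archived record remains usable for statutory accounting only by the party holding the pepper and cannot be linked back to an individual from the table contents alone.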
12.4 Stripe retention. The Customer acknowledges that Stripe, as RoleApt's payment-processing Sub-processor and as an independent controller for the limited purposes of payment processing and statutory record-keeping, retains the relevant customer, charge, and invoice records for its own statutory accounting period, independently of RoleApt's deletion. These Stripe-held records are the statutory billing/VAT records on which RoleApt currently relies (Section 12.3).
12.5 Certification. On the Customer's written request, RoleApt will confirm in writing that it has complied with this Section 12.
13. Audit rights
13.1 Information. RoleApt will make available to the Customer all information reasonably necessary to demonstrate compliance with Article 28 GDPR and this DPA, including this DPA, the Privacy Policy, the current Sub-processor list, and a description of its technical and organisational measures (Annex 2).
13.2 Audits. RoleApt will allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer (Article 28(3)(h) GDPR). To keep audits orderly while not fettering the Customer's mandatory statutory right, the parties will, acting reasonably, observe the following: (a) the Customer gives reasonable prior written notice, ordinarily at least thirty (30) days, except where a Supervisory Authority requires a shorter period or where an audit follows a confirmed Personal Data Breach affecting the Customer's data, in which case the audit may proceed on shorter notice; (b) audits ordinarily take place no more than once in any twelve-month period, save that additional audits may be conducted where a Supervisory Authority requires it, following a confirmed Personal Data Breach, or where a prior audit revealed material non-compliance; (c) audits are conducted during business hours, in a manner that does not unreasonably disrupt RoleApt's operations, and subject to confidentiality undertakings; (d) where the Customer mandates a third-party auditor, RoleApt may require that auditor to sign RoleApt's reasonable confidentiality undertaking before the audit begins; and (e) each party ordinarily bears its own costs, save that the Customer bears RoleApt's reasonable costs of an audit it requests that goes materially beyond the provision of standard documentation. Nothing in this Section 13.2 limits, and the qualifiers in (a) to (e) yield to, the Customer's non-waivable right under Article 28(3)(h) GDPR to mandate audits and inspections.
13.3 Third-party reports. To the extent available, RoleApt may satisfy an audit request by providing relevant up-to-date third-party certifications, audit reports, or attestations held by RoleApt or its Sub-processors, where these reasonably address the scope of the Customer's audit.
13.4 Supervisory authority cooperation. RoleApt will cooperate with, and submit to, audits or inquiries by a competent Supervisory Authority to the extent required by Data Protection Law. Nothing in this Section 13 limits the inspection or investigatory powers of any competent Supervisory Authority.
14. Liability and miscellaneous
14.1 Liability. Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
14.2 Consumer protections unaffected. Nothing in this DPA limits any mandatory data-protection or consumer-protection rights that an individual Data Subject has under the GDPR, the ЗЗЛД, or other applicable law.
14.3 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions continue in full force.
14.4 Governing law and jurisdiction. This DPA is governed by the law of Bulgaria, and the courts of Sofia, Bulgaria have exclusive jurisdiction, subject to any mandatory rules of the SCCs (Section 11.3) and any non-waivable rights of Data Subjects.
14.5 Changes to this DPA. RoleApt may update this DPA to reflect changes in Data Protection Law, the Service, or its Sub-processors, provided that no such change materially reduces the protection of Customer Personal Data. Material changes will be notified in accordance with the Agreement.
15. Contact
- Data protection / privacy matters: privacy@roleapt.com
- Legal / contractual matters (including DPA signature and audit requests): legal@roleapt.com
Representative and Data Protection Officer. RoleApt (Bebox EOOD) is established in Bulgaria (the EU), so the Article 27 requirement to appoint an EU representative does not apply. On the Article 37 GDPR question, RoleApt's assessment is that it is not required to designate a Data Protection Officer, because processing of Special Categories of Personal Data is not carried out as a "core activity" on a "large scale" within the meaning of Article 37(1)(c): such data appears incidentally inside user-submitted documents rather than being the object RoleApt sets out to process, and launch-stage volumes are limited. RoleApt keeps this determination under review and will appoint and publish a DPO if the scale or nature of processing changes.
16. Effectiveness and countersignature
16.1 Condition to effectiveness. Consistent with Section 0, this DPA takes legal effect for a given Customer only when it is countersigned by both RoleApt and that Customer (or accepted by that Customer through an equivalent, auditable acceptance mechanism RoleApt designates for B2B customers) in connection with a genuine arrangement under which the Customer processes third parties' personal data through the Service on its own behalf. Absent such countersignature, no controller-to-processor relationship arises, and the Privacy Policy governs the use of the Service.
16.2 Signature blocks.
For Bebox EOOD (t/a RoleApt): Name: ____________________ Title: ____________________ Date: ____________ Signature: ____________________
For the Customer: Name: ____________________ Title: ____________________ Date: ____________ Signature: ____________________
Annex 1 - Details of processing (Article 28(3))
Data exporter: the Customer (Controller). Data importer: Bebox EOOD t/a RoleApt (Processor).
Subject matter of the processing: Provision of the RoleApt Service: synthesizing a canonical professional profile from Customer-supplied materials, running a job fit-check, and generating tailored draft CVs and cover letters, together with the storage, hosting, transmission, and supporting operations required to deliver those features.
Duration of the processing: For the term of the Agreement, plus the post-termination period in Section 12 and any statutory legal-hold period (held by Stripe) in Sections 12.3 and 12.4.
Nature of the processing: Collection, recording, organisation, structuring, storage, transmission to an AI model for inference, retrieval, generation of derived documents, analytics (where applicable), error monitoring, and deletion.
Purpose of the processing: To provide the Service the Customer has instructed: profile synthesis, fit-check, and CV/cover-letter generation, plus the operational, security, and billing functions required to deliver and support it.
Categories of Data Subjects:
- The individuals (for example clients, candidates, or end users) whose professional materials the Customer processes through the Service.
- Any third parties named or referenced within those materials (for example referees, named contacts, or employers).
Categories of Personal Data:
| Category | Examples |
|---|---|
| Identity and contact data | Name, email, phone, postal address, date of birth contained in CVs/profiles |
| Uploaded source materials | CVs and documents (PDF, DOCX, TXT, MD), pasted source text, server-extracted text, file metadata |
| Profile photo / headshot | Headshot image (PNG/JPEG) for the Portrait template |
| Synthesized profile data | Structured profile JSON and markdown, contact data, experiences, education, skills, achievements, version snapshots |
| Job-application data | Job-description URL/text/parsed data, company, role, location, notes, tags, deadlines, named contacts |
| Generated artifacts | Draft CVs and cover letters (DOCX) and the associated generation metadata |
| Raw AI-call transcripts | Full prompt and response content sent to and returned from the AI model (system prompt, user message, raw response) |
Special Categories of Personal Data: The Customer Personal Data routinely contains Special Categories of Personal Data within the meaning of Article 9 GDPR, because CVs, profiles, pasted text, and headshots commonly reveal health, racial or ethnic origin, religion or philosophical beliefs, trade-union membership, political opinions, and sexual orientation. RoleApt does not detect, classify, or strip such data; it processes whatever the Customer submits, strictly to provide the Service. The Customer is responsible for ensuring a valid Article 9(2)(a) explicit-consent (or other Article 9) basis from the relevant Data Subjects, including for any transfer of that data to a third country (Section 11.5).
Frequency of the processing: continuous, for the duration of the Agreement.
Annex 2 - Technical and organisational measures (Article 32)
RoleApt maintains the following technical and organisational measures, which it may update so long as the level of protection is not materially reduced:
1. Encryption.
- TLS for all data in transit.
- Encryption at rest for database storage and file storage, provided by the underlying infrastructure (Supabase, Vercel).
- Passwords stored only as salted hashes; MFA recovery codes stored bcrypt-hashed.
- Card data is never received or stored by RoleApt: payment is handled entirely by Stripe (PCI-DSS) through Stripe-hosted payment pages, so card data never transits RoleApt systems (PCI-DSS SAQ-A scope).
2. Confidentiality and access control.
- Per-tenant data isolation via row-level security policies scoped to the authenticated account.
- Private, user-partitioned storage buckets for profile sources, profile photos, and generated artifacts; no public access.
- Privileged, RLS-bypassing database access restricted to trusted server-side contexts (webhooks, cron, admin routines) and never exposed to the client.
- Authorised personnel bound by confidentiality obligations; access on a least-privilege, need-to-know basis.
3. Integrity.
- Idempotency keys on credit and billing operations to prevent duplicate or abusive processing.
- Input validation and rejection of image-type source uploads at intake to reduce the attack surface.
4. Availability and resilience.
- Managed, redundant infrastructure provided by Supabase and Vercel.
- Managed daily backups provided by the database platform (Supabase Pro), plus encrypted (age) nightly off-site backups of the database and all storage objects to EU object storage (Cloudflare R2), retained 35 days (daily) / 400 days (monthly). Because off-site backups are taken nightly, the recovery point objective is approximately 24 hours. Disaster recovery is periodically drill-tested by restoring the database and storage objects into a fresh project.
5. Abuse and fraud prevention.
- Cloudflare Turnstile bot protection and a throwaway-domain blocklist on signup.
- Canonicalized-email idempotency keys to prevent signup-bonus abuse.
6. Logging and monitoring.
- Application and error telemetry (Sentry, where activated) and structured operational logs (hosting log drain) to support reliability and security investigations; log access restricted to authorised personnel.
7. Organisational measures.
- Documented sub-processor engagement with contractual flow-down of data-protection obligations.
- Data-subject self-service tooling for access, export, edit, and deletion.
- Personal-data-breach process aligned with Section 10.
8. Customer-side measures.
- The Customer is responsible for credential security, account configuration, control of its authorised users, and the lawfulness of the content it submits.
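As an added illustration of the isolation measures in item 2 above (not RoleApt's own schema or policies), the following Postgres/Supabase statements show an owner-scoped row-level-security policy and a user-partitioned private storage bucket; the table, column and bucket names are assumed.

```sql
-- Illustrative only: assumed table for uploaded profile sources, keyed to the
-- Supabase auth user that owns the row.
create table if not exists profile_sources (
  id          uuid primary key default gen_random_uuid(),
  owner_id    uuid not null references auth.users (id) on delete cascade,
  file_name   text not null,
  created_at  timestamptz not null default now()
);

-- Deny by default: once RLS is enabled, a role with no matching policy sees no rows.
-- FORCE applies the policies even to the table owner.
alter table profile_sources enable row level security;
alter table profile_sources force row level security;

-- Scope every operation to the authenticated account. auth.uid() is Supabase's
-- helper that returns the subject of the caller's JWT.
create policy "owner selects own sources" on profile_sources
  for select to authenticated
  using (owner_id = auth.uid());

create policy "owner inserts own sources" on profile_sources
  for insert to authenticated
  with check (owner_id = auth.uid());

create policy "owner updates own sources" on profile_sources
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "owner deletes own sources" on profile_sources
  for delete to authenticated
  using (owner_id = auth.uid());
-- No policy is granted to the anon role, so unauthenticated requests read nothing.

-- Private, user-partitioned bucket (assumed name): objects live under
-- <user id>/<file>, and each user can reach only their own top-level folder.
insert into storage.buckets (id, name, public)
  values ('profile-sources', 'profile-sources', false)
  on conflict (id) do nothing;

create policy "owner reads own folder" on storage.objects
  for select to authenticated
  using (bucket_id = 'profile-sources'
         and (storage.foldername(name))[1] = auth.uid()::text);

create policy "owner writes own folder" on storage.objects
  for insert to authenticated
  with check (bucket_id = 'profile-sources'
              and (storage.foldername(name))[1] = auth.uid()::text);

-- The service_role key bypasses RLS entirely (item 2, third bullet): it belongs
-- only in server-side contexts such as webhooks and cron, never in browser code.
```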
Annex 3 - List of Sub-processors
The following Sub-processors are engaged as at the Last updated date. The current list is maintained at https://roleapt.com/dpa. Analytics Sub-processors (PostHog, Google Analytics) load only after the user gives analytics consent. Where a "Location" entry states an EU region, that region is verified against the provider's live dashboard and signed DPA; RoleApt does not treat an unverified Sub-processor as EU-resident for the purpose of dispensing with SCCs.
| Sub-processor | Role / processing activity | Customer Personal Data processed | Location | Transfer safeguard |
|---|---|---|---|---|
| Supabase | Primary database, authentication, and private file storage | Account identity; all profile sources (may include Special Category data); profile photo; synthesized profile; job-application data; generated artifacts; credit ledger; MFA recovery code hashes; raw AI-call transcripts | EU (eu-central-1) | DPA (signed); EU data residency (eu-central-1); Supabase's DPA incorporates SCCs that cover any incidental non-EU support access. |
| Stripe | Payment processing, hosted checkout, card handling, tax (VAT) calculation and invoicing | Card data (held by Stripe, not RoleApt); buyer name, billing address, VAT/tax id, email, purchase amount; user identifier as metadata | US + EU | Stripe DPA + EU SCCs; PCI-DSS handled by Stripe (RoleApt is SAQ-A via hosted pages) |
| Anthropic (Claude) | AI inference for profile synthesis, JD parsing, fit-check, and CV/cover-letter generation | Profile source text, synthesized profile, and JD text sent in prompts (may include Special Category data) | US | Anthropic Commercial Terms + DPA + EU SCCs; commercial no-training commitment (no technical zero-retention flag set, see Section 11.5). Special-category prompt content additionally relies on the Customer's Article 9(2)(a) explicit consent (Section 11.5) |
| PostHog | Product analytics | Event names and properties (user identifier, application/template identifiers, fit score, verdict, pack size, error code) | EU Cloud (eu.i.posthog.com) | PostHog DPA; EU residency; requires prior analytics consent (ePrivacy) |
| Cloudflare (Turnstile) | Bot/abuse protection on signup; edge protection | Turnstile token and client IP address (not persisted by RoleApt) | US / global edge | Cloudflare DPA + SCCs; transient verification |
| Sentry | Error monitoring | Exception stack traces and context (user identifier, route, action, metadata) | EU region | Sentry DPA; EU region |
| Vercel | Application hosting (Next.js app, serverless functions, edge) | All request/response data in transit; server logs (including user-linked cost/usage log lines) | US / EU edge | Vercel DPA + SCCs for US processing |
| Jina AI (Reader API) | Job-description URL fetch and markdown extraction (paste-a-URL intake, first hop) | The job-description URL the user pastes (see characterization note below) | Global (likely US) | Only the public job-posting URL is transmitted (employer-published content), not treated as Customer Personal Data; transparency-only listing (see the note below). |
| Firecrawl | Fallback job-description URL scrape for JS-heavy sites (paste-a-URL intake, second hop) | The job-description URL the user pastes (see characterization note below) | US | Active only when its API key is set. Only the public job-posting URL is transmitted (employer-published content), not treated as Customer Personal Data; transparency-only listing (see the note below). |
Note on the paste-a-URL fetch and on outbound fetches that are not Sub-processing of Customer Personal Data: the paste-a-URL intake path sends only the job-description URL the user pastes to a fetch service (Jina AI, with Firecrawl as a fallback), and may also fetch a LinkedIn guest job-posting endpoint or other public job pages directly. The pasted URL generally points to employer-published job-description content rather than to third-party Customer Personal Data, so these are outbound fetches of public job content. The Jina AI and Firecrawl rows are retained in the table above pending their data-protection contracts; if those hops are confirmed not to process Customer Personal Data, they should be moved into this transparency-only note alongside the direct LinkedIn/public-page fetch, which is listed here for transparency only and is not processing of Customer Personal Data by a Sub-processor.
Note on Resend (transactional email): Resend sends RoleApt's own transactional email (purchase confirmations, the durable-medium digital-content-waiver confirmation, and authentication emails) to the account holder. This is RoleApt's controller-side processing of its customer's own contact data under the Privacy Policy (Section 3.2), not processing of third-party Customer Personal Data on the Customer's instruction, so Resend is listed in the Privacy Policy's sub-processor inventory rather than in the Customer-Personal-Data table above.
End of Data Processing Addendum. This DPA should be reviewed by qualified Bulgarian/EU counsel before publication.