Data Processing Addendum (DPA)
Effective Date: May 8, 2026
Last Updated: May 8, 2026
Document Version: 2026-05-08
This Data Processing Addendum ("DPA") forms part of the Master Services Agreement, Terms of Service, or other written or electronic agreement (the "Agreement") between Introvy Solutions Inc ("Introvy", "Processor") and the customer entity that subscribes to the Introvy service (the "Customer", "Controller"). It governs the processing of Personal Data by Introvy on behalf of Customer in connection with the Introvy SaaS platform (the "Service").
This DPA is effective without signature upon Customer's acceptance of the Terms of Service or execution of an order form. Customers may also countersign this DPA on request at hello@introvy.ai.
If there is a conflict between this DPA and the Agreement, this DPA governs to the extent of the conflict for matters relating to processing of Personal Data.
1. Definitions
Unless otherwise defined here, capitalized terms have the meaning given in GDPR (Regulation (EU) 2016/679), the UK GDPR, the Swiss FADP, and the CCPA/CPRA as applicable.
- Applicable Data Protection Law means GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, and any other privacy or data protection law applicable to the processing under this DPA.
- Candidate means a job seeker, job applicant, or interview candidate whose Personal Data is processed via the Service, including candidates submitted by Customer's recruiters (including offshore recruiters).
- Controller, Processor, Sub-processor, Data Subject, Personal Data, Personal Data Breach, and Processing have the meanings given in GDPR.
- EU SCCs means the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 ("Decision 2021/914").
- UK IDTA means the United Kingdom International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office, version B1.0, in force 21 March 2022.
- Restricted Transfer means a transfer of Personal Data from the EEA, UK, or Switzerland to a country not benefitting from an adequacy decision.
- Service means the Introvy SaaS platform and any related services described in the Agreement (including Apply, Practice Audio/Video, Research, Thank-You, Interview Prep, ATS integrations, and Introvy MCP/orchestration features).
- Documented Instructions means Customer's instructions to Introvy regarding processing as set out in (a) the Agreement, (b) this DPA, and (c) Customer's use of the Service through its account configuration and authorized users.
2. Roles and Scope
For Personal Data processed under the Agreement:
- Customer is the Controller, except where Customer is itself a processor for another controller, in which case Customer is the Processor and Introvy is a Sub-processor. The terms of this DPA flow down accordingly.
- Introvy is the Processor acting on Customer's Documented Instructions.
- For the limited categories of data described in Section 4 of the Privacy Policy (account, billing, telemetry, security logs), Introvy is an independent Controller for its own purposes (operating, securing, and improving the Service).
3. Subject-matter, Duration, Nature, Purpose, Categories, and Data Subjects
| Item | Description |
|---|---|
| Subject-matter | Processing of Personal Data necessary to deliver the Service. |
| Duration | The term of the Agreement plus the retention periods set out in Section 9 of the Privacy Policy. |
| Nature & Purpose | Hosting, transmission, storage, AI-assisted question generation, transcription, summarization, evaluation, ATS integration, recruiter dashboarding, and related operational processing. |
| Categories of Personal Data | Identifiers (name, email, phone), employment & education data, resumes, video/audio recordings, transcripts, AI-generated summaries, recruiter notes, IP addresses, device/browser info, consent records. Excludes special-category data; Customer must not upload special-category data via free-text fields. |
| Categories of Data Subjects | Customer's recruiters, account managers, admins, and offshore team members; Candidates submitted by Customer; the recipients of share links (e.g., hiring managers at end-clients). |
4. Customer's Documented Instructions
Customer instructs Introvy to process Personal Data:
- to provide and operate the Service;
- to apply Customer-configured workflows (Apply, Practice, Research, Thank-You, Interview Prep);
- to perform AI inference (question generation, transcription, summarization, evaluation) using the Sub-processors listed in Annex II;
- to deliver share links to recipients chosen by Customer;
- to write workflow completion data back to Customer-connected ATS platforms;
- to provide support; and
- as otherwise instructed in writing (including by configuring the Service).
Introvy will notify Customer if it considers a Documented Instruction to infringe Applicable Data Protection Law.
5. Confidentiality and Personnel
Introvy will:
- limit access to Personal Data to personnel who need access to perform the Agreement;
- ensure all such personnel are bound by written confidentiality obligations or are under a statutory duty of confidentiality;
- provide regular privacy and security training; and
- promptly revoke access on personnel offboarding.
6. Security (GDPR Art. 32)
Introvy will implement and maintain appropriate technical and organizational measures, summarized in Annex III and including:
- TLS 1.2+ in transit, AES-256 at rest;
- Row-Level Security and least-privilege access controls in Supabase;
- signed URLs and short-lived tokens for media access;
- secrets management (no plaintext credentials in code);
- continuous security monitoring, vulnerability management, and patching;
- annual penetration testing;
- 72-hour breach notification process; and
- documented incident response and business-continuity plans.
Customer is responsible for the security of its own credentials, devices, and offshore team-member access.
7. Sub-processors
Customer authorizes Introvy to engage the Sub-processors listed in Annex II. Introvy will:
- impose data-protection terms on each Sub-processor that are no less protective than this DPA;
- maintain a public list at /subprocessors and provide at least 30 days' advance notice before adding a new Sub-processor that processes Personal Data; and
- remain liable for the acts and omissions of its Sub-processors as if they were Introvy's own.
Customer may object to a new Sub-processor on reasonable, documented grounds within 30 days of notification. The parties will work in good faith to resolve. If unresolved, Customer may terminate the affected portion of the Service for refund of pre-paid, unused fees.
8. International Data Transfers
Introvy makes Restricted Transfers under one or more of the following:
| Source jurisdiction | Mechanism |
|---|---|
| EU/EEA | EU SCCs (Decision 2021/914), Module 2 (controller→processor) where Customer is controller; Module 3 (processor→sub-processor) where Customer is processor; with Annex I, II, and III hereto |
| United Kingdom | UK IDTA (version B1.0) appended to the EU SCCs |
| Switzerland | EU SCCs as adapted by the Swiss Federal Data Protection and Information Commissioner |
| Other | Other lawful transfer mechanisms as Introvy notifies Customer in writing |
The EU SCCs and the UK IDTA are incorporated by reference into this DPA and the parties are deemed to have signed them as follows:
- the data exporter is Customer;
- the data importer is Introvy Solutions Inc;
- in Module 2/3 Clause 7, the docking option does not apply;
- in Clause 9(a) of the EU SCCs, Option 2 (general written authorization) applies with a notice period of 30 days;
- in Clause 11(a), the optional data subject's right to lodge a complaint with an independent body does not apply;
- in Clause 17, the EU SCCs are governed by the law of Ireland;
- in Clause 18(b), disputes are resolved before the courts of Ireland;
- in Annex I.A (List of Parties), Customer is the data exporter and Introvy is the data importer; contact details are the parties' notice addresses in the Agreement;
- in Annex I.B, the categories of data subjects, categories of Personal Data, special-category data, frequency of transfer, nature, purpose, and retention are as described in this DPA and in Section 9 of the Privacy Policy;
- in Annex I.C (Competent Supervisory Authority), the supervisory authority is the Irish Data Protection Commission (or, where Module 3 applies and Customer is established in another EU/EEA Member State, the supervisory authority of that Member State);
- in Annex II of the EU SCCs, the technical and organizational measures are those in Annex III of this DPA;
- in Annex III of the EU SCCs, the list of Sub-processors is the list in Annex II of this DPA, as updated from time to time at /subprocessors.
For the UK IDTA: Tables 1–3 and Table 4 are populated by reference to the corresponding Annexes of this DPA; the importer's "linked agreement" is this DPA. Transfers from Switzerland use the EU SCCs adapted to refer to the FADP and to the Swiss Federal Data Protection and Information Commissioner.
Introvy and Customer agree to apply the supplementary technical, contractual, and organizational measures set out in Annex III, consistent with EDPB Recommendations 01/2020 on supplementary measures following the CJEU's Schrems II judgment (Case C-311/18). The parties will reasonably cooperate on Transfer Impact Assessments where required.
9. Offshore Recruiters and Customer-Authorized Operators
Customer represents that, where it authorizes recruiters or operators outside the country of any Candidate (including in India, the Philippines, Latin America, Eastern Europe, or elsewhere) to access Candidate Personal Data through the Service:
- Customer remains the Controller for that processing;
- Customer has completed any required Transfer Impact Assessment and put any onward-transfer mechanism in place between itself and that recruiter or operator;
- Customer manages access provisioning and timely de-provisioning for those team members;
- Customer accepts that Introvy provides Row-Level Security, access logging, signed URLs, and SCC-backed processor terms but is not responsible for Customer's internal access management.
Introvy's role with respect to such offshore Customer team members is solely as Processor under this DPA; Introvy does not contract with those team members directly.
10. Data Subject Rights Assistance
Taking into account the nature of processing, Introvy will assist Customer to fulfill its obligations to respond to Data Subject requests under Applicable Data Protection Law (access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and rights related to automated decision-making). Specifically:
- Introvy provides in-product self-service for Candidates to download their data (/api/user/export-data) and to delete their content and account.
- Introvy provides administrative tooling for Customer to export and delete Personal Data within its tenant.
- Where a Data Subject contacts Introvy directly with a request relating to Customer's processing, Introvy will route the request to Customer without responding substantively, except as required by law.
- Introvy will respond to Customer-initiated assistance requests within 5 business days.
11. Personal Data Breach Notification (GDPR Art. 33–34)
Introvy will notify Customer without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include the information required under GDPR Art. 33(3) to the extent then known, and will be supplemented as the investigation progresses. Introvy will reasonably cooperate with Customer to address the breach and to satisfy Customer's notification obligations to supervisory authorities and Data Subjects.
12. Data Protection Impact Assessment
Introvy will provide reasonable assistance to Customer with any data protection impact assessments and consultations with supervisory authorities required under GDPR Art. 35–36.
13. Audit (GDPR Art. 28(3)(h))
To demonstrate compliance, Introvy will:
- make available to Customer the most recent SOC 2 Type II report (when complete), penetration testing summary, and security policy;
- on 30 days' written notice, and no more than once per 12 months (except following a Personal Data Breach or as required by a supervisory authority), allow an audit by Customer or an independent auditor mutually agreed by the parties, conducted during business hours, subject to confidentiality obligations, and with the auditor not being a competitor of Introvy. Customer bears the cost of the audit unless the audit reveals material non-compliance attributable to Introvy.
14. Deletion or Return of Personal Data
Upon termination or expiration of the Agreement:
- Customer may export Customer Personal Data via the in-product export tools or by contacting support, for 30 days after termination;
- following the export window, Introvy will delete Customer Personal Data from production systems within 30 additional days;
- consent records, audit logs, and billing records are retained for the periods stated in Section 9 of the Privacy Policy as required by law;
- backups are aged out within 35 days on a rolling basis; deletion requests propagate as backups roll forward.
Customer may also request deletion at any time during the Agreement and Introvy will action the request without undue delay.
15. CCPA/CPRA Service Provider Terms
Where Customer is a "Business" and Introvy is a "Service Provider" / "Contractor" under CCPA/CPRA:
- Introvy will not Sell or Share Personal Information (as defined under CPRA), retain, use, or disclose it outside the direct business relationship between the parties, or for any purpose other than the Business Purposes specified in the Agreement and this DPA.
- Introvy will not combine Personal Information received from or on behalf of Customer with Personal Information received from any other source, except as permitted under CPRA Reg. § 7050(a)(5).
- Introvy certifies that it understands the foregoing restrictions and will comply with them.
16. Liability and Order of Precedence
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the exclusions and limitations in the Agreement. In the event of a conflict between this DPA, the EU SCCs, the UK IDTA, and the Agreement, the order of precedence is: (1) EU SCCs / UK IDTA, (2) this DPA, (3) the Agreement.
17. General
- This DPA may be updated by Introvy on 30 days' notice, except that updates required by Applicable Data Protection Law may take effect immediately and Introvy will notify Customer.
- Notices to Introvy under this DPA may be sent to hello@introvy.ai.
- This DPA is governed by the law specified in the Agreement, except that the EU SCCs and UK IDTA remain governed by their own choice-of-law provisions.
Annex I — Description of the Transfer
I.A — List of the Parties
| Role | Party |
|---|---|
| Data exporter / Controller | Customer (the entity identified in the Agreement / order form) |
| Data importer / Processor | Introvy Solutions Inc, New Lenox, Illinois, USA, hello@introvy.ai |
I.B — Description of Transfer
- Categories of data subjects: Customer's recruiters and admins (including offshore team members); Candidates; recipients of share links.
- Categories of personal data: identifiers, employment and education data, resumes, video and audio recordings, transcripts, AI-generated summaries, evaluations, recruiter notes, IP and device data, consent records.
- Sensitive data: not intentionally processed; Customer must not include special-category data in free-text fields, recordings, or transcripts.
- Frequency of transfer: continuous.
- Nature of processing: hosting, transcription, AI inference, ATS write-back, sharing.
- Purpose: provision of the Service.
- Retention: as set out in Section 9 of the Privacy Policy.
I.C — Competent Supervisory Authority
Irish Data Protection Commission (default) or the supervisory authority of the EU/EEA Member State of the data exporter where Module 3 applies.
Annex II — Sub-processors
The current list is published at /subprocessors and includes:
Supabase (database, auth, storage, US); Vercel (US); Render (US); Netlify (US); Cloudflare (CDN, video; global edge); Stripe (payments, US/EU); Postmark / ActiveCampaign (transactional email, US); OpenAI (AI inference, US — content excluded from training by API default); RecruitCRM (ATS, India / Customer-configured); RecruiterFlow (ATS, US).
Introvy will publish updates to this list on the subprocessors page and will provide 30 days' advance notice to Customers via email or in-product banner before adding a new Sub-processor that processes Personal Data.
Annex III — Technical and Organizational Measures
A. Encryption and Key Management
- TLS 1.2+ in transit, including for ATS webhooks (HMAC-SHA256 signature verification on inbound).
- AES-256 at rest for storage objects (Supabase Storage, Cloudflare Stream).
- Encryption keys held by infrastructure providers under their published key-management practices; bulk keys are not exported.
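The inbound webhook check named above (HMAC-SHA256 on ATS webhooks) has two details that decide whether it actually protects anything: the comparison must be constant-time, and the signed message should bind a timestamp so a captured request cannot be replayed. The following is an added illustration written for this page, not Introvy's code; the shared secret, the header layout (a timestamp and a hex signature), the `timestamp.body` signing input and the 300-second replay window are assumptions, and the payload is constructed.

```python
import hmac
import hashlib
import time
from typing import Optional

# Assumed shared secret and replay window; the page does not document the real
# header format, so these names are illustrative only.
WEBHOOK_SECRET = b"example-shared-secret-not-real"
REPLAY_WINDOW_SECONDS = 300


def sign_webhook(body: bytes, timestamp: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """Hex HMAC-SHA256 over 'timestamp.body'.

    Binding the timestamp into the MAC means a captured valid request cannot be
    replayed later under a fresh timestamp: the signature would no longer match.
    """
    msg = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(body: bytes, timestamp_header: str, signature_header: str,
                   now: Optional[int] = None, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Accept only a fresh request whose signature matches.

    hmac.compare_digest is used so the comparison time does not depend on how
    many leading bytes of a forged signature happen to be correct.
    """
    now = int(time.time()) if now is None else now
    try:
        ts = int(timestamp_header)
    except (TypeError, ValueError):
        return False
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False                      # stale or far-future timestamp
    expected = sign_webhook(body, ts, secret)
    return hmac.compare_digest(expected, (signature_header or "").lower())


def verify_webhook_naive(body: bytes, signature_header: str,
                         secret: bytes = WEBHOOK_SECRET) -> bool:
    """Weak variant for contrast: no timestamp (replayable forever) and a plain
    '==' comparison (timing side channel). Not for use."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest() == signature_header


if __name__ == "__main__":
    # Constructed sample event; not a real ATS payload.
    body = b'{"event":"candidate.updated","candidate_id":"c_123"}'
    ts = 1_700_000_000
    sig = sign_webhook(body, ts)
    print(verify_webhook(body, str(ts), sig, now=ts + 10))         # fresh, intact
    print(verify_webhook(body, str(ts), sig, now=ts + 3600))       # replayed an hour later
    print(verify_webhook(body + b" ", str(ts), sig, now=ts + 10))  # body tampered
```

A receiver should read the raw request bytes for `body`; re-serialising parsed JSON before hashing changes whitespace and key order and makes valid signatures fail.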
B. Access Control
- Single sign-on for production console access (where supported) and MFA-required for service-role admin access.
- Role-Based Access Control with least privilege; production access limited to a small named group of personnel.
- Row-Level Security on customer-sensitive tables in Supabase; tenants are isolated by org_id.
- Signed URLs with short expiry for media access; public anonymous share links carry their own expiry (90/60/30-day classes) and are revocable.
- IP addresses captured for audit purposes are SHA-256 hashed with a salt; no raw IPs persisted in the consent log.
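The salted-hash measure above only pseudonymises IP addresses if the salt stays secret: IPv4 has 2^32 values, so anyone holding the salt can recompute every digest in hours on one machine. The added example below, written for this page and not Introvy's code, keys the hash with HMAC-SHA256 under a secret kept outside the log store, folds IPv4-mapped IPv6 forms onto the same digest, and includes a brute-force routine to make the dependence on the secret concrete. The key value and the sample addresses are assumptions.

```python
import hmac
import hashlib
import ipaddress
from typing import Optional

# Assumed secret; in practice it lives in the secrets manager, never beside the
# consent log that holds the digests.
IP_PEPPER = b"example-ip-pepper-not-real"


def pseudonymize_ip(ip: str, pepper: bytes = IP_PEPPER) -> str:
    """HMAC-SHA256 of the normalised address under a secret key.

    SHA-256(salt || ip) with the salt stored next to the digests is reversible by
    enumeration; keying the hash makes recovery depend on the secret, not on
    how fast SHA-256 runs.
    """
    addr = ipaddress.ip_address(ip)
    # ::ffff:a.b.c.d and a.b.c.d are the same client; hash them identically.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return hmac.new(pepper, str(addr).encode("ascii"), hashlib.sha256).hexdigest()


def recover_ipv4_from_digest(digest: str, network: str, pepper: bytes) -> Optional[str]:
    """Enumerate a network and return the address whose digest matches.

    This is what an attacker does after obtaining the salt or key: over a /24 it
    is 256 hashes, over all of IPv4 about 4.3 billion. Without the secret the
    search fails, which is the whole point of keying the hash.
    """
    for host in ipaddress.ip_network(network):
        if hmac.compare_digest(pseudonymize_ip(str(host), pepper), digest):
            return str(host)
    return None


if __name__ == "__main__":
    # Constructed sample addresses from the documentation range 203.0.113.0/24.
    d = pseudonymize_ip("203.0.113.45")
    print(d)
    print(recover_ipv4_from_digest(d, "203.0.113.0/24", IP_PEPPER))        # found
    print(recover_ipv4_from_digest(d, "203.0.113.0/24", b"wrong-secret"))  # None
```

If digests ever need to be unlinkable across long periods, rotate the key per retention window; a single key lets the same client be correlated across every record that key ever produced.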
C. Logging, Monitoring, and Incident Response
- Structured application and infrastructure logs.
- PII redaction in logs (emails, phone numbers, transcripts hashed or scrubbed before logging).
- Documented incident response runbook with 72-hour breach notification target.
- Periodic restore drills against backups.
D. Application Security
- Code review and CI security checks.
- Dependency scanning and timely patching.
- Annual third-party penetration test.
- Secrets management with rotation; no plaintext credentials in version control.
E. Data Minimization and Retention
- Default retention classes enforced server-side (90 days apply links, 60 days thank-you, 30 days practice, 24 months research access).
- Storage objects purged within 24 hours of soft-delete.
- Webhook payloads retained ≤ 14 days.
- Consent records retained 7 years for legal demonstrability; payment records retained 7 years for tax/accounting.
F. Cross-Border Transfer Supplementary Measures (post-Schrems II)
- All Restricted Transfers covered by EU SCCs / UK IDTA.
- Government access requests reviewed by counsel; challenged where lacking proper legal basis; affected Customers notified unless prohibited.
- No "non-essential" backdoors; no exposure of bulk Personal Data to AI providers (content excluded from training).
- Encryption in transit and at rest as above.
G. Customer Responsibilities
- Provisioning and de-provisioning of Customer's authorized users (including offshore team members).
- Lawful basis and notice for any Personal Data Customer or its recruiters submit.
- Compliance with applicable AI-in-hiring laws (NYC Local Law 144, IL AI Video Interview Act, CO SB 24-205) for hiring decisions made by Customer using AI Features.