This Data Processing Agreement ("DPA") forms part of, and is governed by, the Terms of Service between CVTechSupport Ltd. ("Processor") and the Partner SaaS identified in the relevant order form ("Controller"). It sets out the parties' obligations in relation to the processing of personal data by CVTechSupport on behalf of the Controller, in connection with the customer-support, refund-handling, and transactional-email functions of the Service.
1. Definitions
Terms not defined here have the meanings given in the UK GDPR and the EU GDPR. "Applicable Data Protection Law" means the UK GDPR, the Data Protection Act 2018, the EU GDPR, and any other data-protection laws applicable to the parties' processing under this DPA.
2. Roles and scope
For the personal data of Subscribers and other individuals submitted to the Service by the Controller — or sent by a Subscriber to a support address operated by the Controller and routed into the Service — the Controller acts as data controller and CVTechSupport acts as data processor.
CVTechSupport will process such personal data only on documented instructions from the Controller, which the parties agree are constituted by the Terms of Service, this DPA, the Acceptable Use Policy, the Controller's lawful use of the Service, and any refund and cancellation policies the Controller communicates to its support agents inside the Service.
3. Subject matter, duration, nature, and purpose
| Subject matter | Provision of the CVTechSupport customer-support platform, including ticket management, refund and cancellation workflows, technical-issue triage, and transactional email delivery. |
|---|---|
| Duration | For the term of the underlying subscription, plus the retention period described in the Privacy Policy. |
| Nature and purpose | Hosting, organising, storing, retrieving, displaying, transmitting, and securely deleting personal data of Subscribers and Controller staff; sending transactional support and account emails on the Controller's behalf; assisting the Controller in resolving Subscriber support cases. |
| Categories of data subjects | Subscribers of the Controller (free trial or paid users of the Controller's CV-builder / cover-letter / resume-template product); the Controller's employees and contractors who use the Service as agents, supervisors, or admins. |
| Categories of personal data | Identification and contact data; account identifiers on the Controller's product; subscription and billing status (plan, last invoice, refund eligibility, Stripe or other PSP reference identifiers); ticket subject and body; conversation history; attachments uploaded by the Subscriber (which may include CVs, cover letters, screenshots); technical metadata captured with bug reports (browser, OS, page URL, console errors); authentication and audit data; consent records. |
| Special category data | Not required by the Service. Controllers must not upload special category data unless they have a valid Article 9 lawful basis and have notified CVTechSupport in writing. |
4. Controller obligations
The Controller warrants and represents that:
- It has obtained all necessary consents and provided all required notices for the processing instructed under this DPA.
- Its instructions, including refund and cancellation decisions executed through the Service, comply with Applicable Data Protection Law and applicable consumer-protection law.
- It has a lawful basis for transferring personal data to CVTechSupport and for the processing CVTechSupport performs.
- It uses the Service in accordance with the Acceptable Use Policy.
5. Processor obligations
CVTechSupport will:
- Process personal data only on the Controller's documented instructions, and inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law.
- Ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations.
- Implement the technical and organisational measures described in Annex II below.
- Engage sub-processors only in accordance with section 6 below.
- Taking into account the nature of the processing, assist the Controller by appropriate measures, insofar as possible, to fulfil its obligations to respond to data subject requests received via the support inbox or directly.
- Assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the UK and EU GDPR, taking into account the nature of the processing and the information available.
- At the Controller's choice, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless retention is required by law.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by it, in accordance with section 9.
6. Sub-processors
The Controller grants CVTechSupport general authorisation to engage sub-processors to provide infrastructure for the Service. The current list of authorised sub-processors is maintained at our Sub-processors page.
CVTechSupport will:
- Notify the Controller of any intended addition or replacement of a sub-processor at least 30 days in advance, giving the Controller the opportunity to object on reasonable data-protection grounds.
- Impose on each sub-processor, by written contract, data-protection obligations no less protective than those in this DPA.
- Remain fully liable to the Controller for the performance of its sub-processors.
7. Data subject requests
CVTechSupport will, where technically and legally possible, assist the Controller to respond to requests from data subjects to exercise their rights of access, rectification, erasure, restriction, portability, and objection. Where a request is made directly to CVTechSupport (for example, into the support inbox), we will route it to the Controller without undue delay.
8. Personal data breach notification
CVTechSupport will notify the Controller without undue delay, and in any case within 48 hours, of becoming aware of a personal data breach affecting the Controller's personal data. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it.
9. Audit
CVTechSupport will make available to the Controller, on reasonable written request and no more than once per 12-month period, summary information about its security controls and most recent third-party assessments (such as penetration test summaries). The Controller may conduct an on-site audit at CVTechSupport's premises, at the Controller's cost, on at least 30 days' written notice, subject to reasonable confidentiality and security restrictions, unless a more urgent audit is required by a competent supervisory authority or a personal data breach.
10. International transfers
Where personal data is transferred from the UK or EEA to a country not deemed to offer an adequate level of protection, the parties agree that the UK International Data Transfer Addendum and the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) are incorporated by reference into this DPA. CVTechSupport will additionally implement supplementary measures (technical, organisational, and contractual) as appropriate.
11. Liability
The parties' liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits any liability that cannot be limited under Applicable Data Protection Law, including a data subject's right to compensation under Article 82 of the UK or EU GDPR.
12. Term and termination
This DPA enters into force on the date the Terms of Service take effect and continues for so long as CVTechSupport processes personal data on the Controller's behalf. Termination of the underlying Terms of Service terminates this DPA, subject to obligations of return, deletion, and confidentiality that survive termination.
Annex I — Details of processing
As described in section 3 above.
Annex II — Technical and organisational measures
- Encryption — AES-256 encryption of stored tickets, attachments, and database records; TLS 1.2+ enforced on all network connections.
- Access control — role-based access control with least-privilege defaults; separate roles for support agents, finance approvers (refund / cancellation), engineering escalations, and admins; mandatory two-factor authentication for staff accounts; quarterly access reviews.
- Network security — VPC segmentation, firewall rules denying inbound traffic by default, managed WAF, and DDoS protection.
- Application security — secure software development lifecycle, peer code review, dependency scanning, and at least annual third-party penetration tests.
- Logging and monitoring — centralised, tamper-evident audit logs of authentication, ticket access, refund actions, and high-privilege actions; 24/7 alerting on security events.
- Backups and disaster recovery — encrypted daily backups with point-in-time recovery; documented disaster recovery plan tested at least annually.
- Personnel — background checks where lawful, signed confidentiality agreements, and mandatory annual security and data-protection training.
- Sub-processor management — written data-protection contracts, due-diligence reviews, and continuous monitoring of incidents.
- Data minimisation and retention — collection limited to data required for the Service; retention schedules documented in the Privacy Policy; secure deletion at end of retention.
For any question, request, or notice in connection with this Data Processing Agreement, including data subject requests, abuse reports, and legal notices, contact us at:
CVTechSupport Ltd., Office 16, 33 York Street Business Centre, 33 York Street, Wolverhampton, WV1 3RN, United Kingdom.