Data Processing Addendum

The Controller determines the purposes and means of processing of candidate personal data ingested into its workspace from sources outside the marketplace (e.g. ATS imports). The Processor acts on documented instructions from the Controller. Processing the Processor conducts as a controller (account, billing, security) is governed by the Privacy Policy.

The subject matter is the operation of the Ultra Luxury Jobs marketplace and related services. Duration: for as long as the Controller uses the service plus any retention period required by law.

Nature: cloud hosting, storage, transmission, retrieval, organization, deletion. Purpose: provide the marketplace. Data subjects: candidates, employer users. Categories: identification, contact, professional history, communications, and (where supplied by Controller) verification documents.

• Process only on documented instructions, unless required by law.
• Ensure personnel are bound by confidentiality.
• Implement and maintain technical and organizational measures described in our Security Statement.
• Engage sub-processors only under written contracts no less protective than this DPA, and notify Controller of changes.
• Assist Controller, taking into account the nature of processing, with data-subject requests and security/breach obligations.
• Notify Controller of a personal-data breach without undue delay and within 72 hours where feasible.
• Make available information necessary to demonstrate compliance and allow audits, including inspections by Controller or its mandated auditor, on reasonable notice.

Where personal data is transferred outside the EEA or UK, the parties incorporate by reference the European Commission's Standard Contractual Clauses (2021/914) and, where applicable, the UK International Data Transfer Addendum, with Ultra Luxury Jobs as the data importer.

• Supabase Inc. — hosted Postgres, authentication, storage (EU region)
• Stripe, Inc. — payments and tax
• Resend, Inc. — transactional email delivery
• Cloudflare, Inc. — edge network and security
• Sentry / functional-source — error monitoring
• Identity-verification vendor (Persona) — verification workflows
• Background-check vendor (Checkr) — pre-employment screening on request

We will notify Controller of additions or replacements at least 30 days in advance. Controller may object on reasonable data-protection grounds; if unresolved, Controller may terminate the affected services.

On termination of the services, the Processor will, at Controller's choice, delete or return all personal data processed on its behalf, except where retention is required by law.

Liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits a data subject's rights under applicable law.

The Controller's acceptance of the Terms of Service constitutes acceptance of this DPA. A countersigned copy is available on request to legal@ultraluxuryjobs.com.