Data Processing Agreement (DPA)
KVN-International US Inc. d/b/a HireStates
Effective: March 2026 | GDPR Article 28 Compliant
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller ("Customer"): The entity that has agreed to the HireStates Terms of Service.
- Data Processor ("HireStates"): KVN-International US Inc., 16192 Coastal Highway, Lewes, Delaware 19958, USA.
2. Scope and Purpose
This DPA governs the processing of personal data by HireStates on behalf of the Customer in connection with the HireStates compliance platform. HireStates processes personal data solely to provide the services described in the Terms of Service, including: generating employment documents, providing AI compliance guidance, and monitoring employment law changes.
3. Types of Personal Data Processed
- Employee data: Names, job titles, compensation details, employment dates, and other data entered by the Customer to generate employment documents.
- Account data: Customer name, email, organization name, and billing information.
- Usage data: Chat session content, document generation history, and compliance queries.
4. Data Subjects
The data subjects are the Customer's employees, prospective employees, and authorized users of the HireStates platform.
5. Duration
This DPA remains in effect for the duration of the Customer's use of HireStates services. Upon termination, HireStates will delete all Customer personal data within 30 days, unless retention is required by law.
6. Obligations of HireStates (Data Processor)
HireStates shall:
- Process personal data only on documented instructions from the Customer, including for transfers to third countries (Standard Contractual Clauses apply where necessary).
- Ensure that persons authorized to process personal data have committed to confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit (TLS 1.3) and at rest.
- Not engage another processor without prior written authorization of the Customer. Current sub-processors are listed in Section 10.
- Assist the Customer in responding to data subject requests (access, rectification, erasure, portability, restriction, objection).
- Assist the Customer in ensuring compliance with obligations regarding data breach notification (within 72 hours), data protection impact assessments, and prior consultation.
- Delete or return all personal data after the end of the provision of services, at the choice of the Customer.
- Make available to the Customer all information necessary to demonstrate compliance with GDPR Article 28 obligations.
7. Data Location and Transfers
All Customer data is stored and processed within the European Union:
- Database: Neon PostgreSQL, EU (Frankfurt, Germany)
- Vector database: Upstash Vector, EU (Frankfurt, Germany)
- Cache: Upstash Redis, EU (Frankfurt, Germany)
- Application hosting: Vercel, EU (Frankfurt, Germany)
Where data must be transferred outside the EU (e.g., for AI processing via Anthropic or OpenAI APIs), Standard Contractual Clauses (SCCs) as adopted by the European Commission apply. No personal data is stored outside the EU.
8. Security Measures
- Encryption in transit: TLS 1.3 for all connections
- Encryption at rest: AES-256 for database storage
- Access control: Role-based access (Owner, Admin, Editor, Viewer)
- Authentication: Secure session management with httpOnly cookies
- Audit logging: All data access and modifications are logged
- Rate limiting: Protection against abuse and automated attacks
- Security headers: HSTS, X-Frame-Options, CSP, CSRF protection
- Regular security reviews and vulnerability assessments
9. Data Breach Notification
In the event of a personal data breach, HireStates shall notify the Customer without undue delay and no later than 48 hours after becoming aware of the breach. The notification shall include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
10. Sub-Processors
HireStates uses the following sub-processors:
- Neon Inc. - Database hosting (EU region)
- Upstash Inc. - Vector database and caching (EU region)
- Vercel Inc. - Application hosting and edge functions (EU region)
- Anthropic PBC - AI language model for compliance guidance (data processed, not stored)
- OpenAI Inc. - Embedding generation for search (data processed, not stored)
- Stripe Inc. - Payment processing (PCI DSS compliant)
- Resend Inc. - Transactional email delivery
The Customer will be notified of any intended changes to sub-processors with at least 30 days' prior notice.
11. Data Subject Rights
HireStates provides the following mechanisms for data subject rights:
- Right of access: Users can view all their data via the Settings page.
- Right to rectification: Users can edit their profile and company data at any time.
- Right to erasure: Users can delete their account and all associated data via Settings.
- Right to data portability: Users can export all their data in JSON format via Settings.
- Right to restriction: Contact hirestates@kvn-international.com.
- Right to object: Contact hirestates@kvn-international.com.
12. Governing Law
This DPA shall be governed by the laws of the Federal Republic of Germany, without regard to its conflict of laws provisions. For EU customers, the competent supervisory authority shall be determined in accordance with GDPR Article 55.
13. Contact
KVN-International US Inc., 16192 Coastal Highway, Lewes, DE 19958, USA. Email: hirestates@kvn-international.com