Data Processing Addendum

Last updated: April 22, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service (the "Agreement") between 3C Consulting d.o.o. ("Backrow") and the customer identified in the applicable Order Form ("Customer"). It governs the processing of Personal Data by Backrow on behalf of Customer in connection with the Service. In the event of any conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA prevails.

1. Definitions

Capitalized terms not defined here have the meanings given in the Agreement. For purposes of this DPA:

  • "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including the GDPR, the UK GDPR and Data Protection Act 2018, the Swiss FADP, the California Consumer Privacy Act (CCPA) as amended, and the Croatian Act on the Implementation of the General Data Protection Regulation.
  • "GDPR" means Regulation (EU) 2016/679.
  • "Personal Data" has the meaning given in the GDPR and includes Candidate Data and any other personal data processed through the Service.
  • "Data Subject", "Controller", "Processor", "Sub-processor", "Processing", and "Supervisory Authority" have the meanings given in the GDPR.
  • "SCCs" means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or superseded.
  • "UK IDTA" means the International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner.
  • "Personal Data Breach" has the meaning given in Article 4(12) GDPR.

2. Roles of the Parties

With respect to Personal Data processed through the Service, Customer is the Controller and Backrow is the Processor. Where Customer acts as a Processor on behalf of a third-party Controller (for example, an agency customer), Backrow acts as a Sub-processor and the instructions passed down from the ultimate Controller apply through Customer.

Backrow may also process limited Personal Data as an independent Controller in connection with account administration, billing, security monitoring, and fraud prevention. That processing is described in the Backrow Privacy Policy and is not governed by this DPA.

3. Scope and Details of Processing

Backrow processes Personal Data only on documented instructions from Customer, which are set out in the Agreement, this DPA, Customer's configuration of the Service, and any additional written instructions agreed between the parties. If Backrow believes an instruction violates Applicable Data Protection Law, it will notify Customer without undue delay.

3.1 Subject matter and duration

Subject matter: the provision of the Service as described in the Agreement. Duration: the Subscription Term plus the retention periods described in Section 9.

3.2 Nature and purpose

Processing is carried out to host, operate, secure, and support the Service; to enable Customer to manage recruitment workflows; and, where enabled by Customer, to provide AI-assisted features such as resume parsing, matching, and scoring.

3.3 Categories of Data Subjects

  • Candidates and job applicants submitted to the Service by or on behalf of Customer;
  • Customer's employees, contractors, and other Authorized Users;
  • Referees, interviewers, and other individuals named by a candidate or Authorized User.

3.4 Categories of Personal Data

  • Identification and contact data (name, email, phone, address);
  • Professional data (CV/resume content, employment history, education, skills, references);
  • Application data (role applied for, application answers, assessments, notes, ratings, interview feedback);
  • Account and login data (Authorized User credentials, IP addresses, device and session information);
  • Communication data (emails, messages, and attachments exchanged through the Service);
  • Any other Personal Data that Customer or Authorized Users choose to upload or enter.

3.5 Special categories

Customer is not expected to upload special category data (GDPR Art. 9) or criminal conviction data (Art. 10). If Customer chooses to do so, Customer warrants that it has a valid legal basis and will instruct Backrow accordingly.

4. Customer Obligations

Customer is responsible for (a) establishing and maintaining a valid legal basis for processing; (b) providing all required notices and, where required, obtaining consent from Data Subjects; (c) ensuring that its instructions to Backrow comply with Applicable Data Protection Law; (d) the accuracy, quality, and legality of Personal Data it submits; and (e) configuring the Service in a way appropriate to its use case, including retention settings and access controls.

5. Backrow Obligations

  • Process Personal Data only on Customer's documented instructions, except where required by EU or Member State law (in which case Backrow will inform Customer unless the law prohibits doing so on important grounds of public interest);
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations;
  • Implement and maintain the technical and organizational measures set out in Annex II;
  • Assist Customer, by appropriate technical and organizational measures, in responding to Data Subject requests under Articles 12–22 GDPR;
  • Assist Customer in ensuring compliance with its obligations under Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation), taking into account the nature of processing and information available to Backrow;
  • Make available to Customer the information necessary to demonstrate compliance with Article 28 GDPR, and allow for audits as described in Section 10.

6. Sub-processors

Customer grants Backrow general authorization to engage Sub-processors, provided that Backrow: (a) enters into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA; (b) remains liable for the acts and omissions of Sub-processors as if they were its own; and (c) maintains an up-to-date list of Sub-processors (see Annex III).

Backrow will notify Customer of any intended addition or replacement of a Sub-processor at least 30 days in advance, by email or in-product notification. Customer may object on reasonable data-protection grounds within 14 days of notice. If the parties cannot agree on a resolution, Customer may terminate the affected subscription and receive a pro-rata refund of prepaid, unused fees.

7. International Transfers

The Service is hosted on Amazon Web Services infrastructure in the United States. Certain Sub-processors (listed in Annex III) also process Personal Data outside the European Economic Area. The parties rely on the following transfer mechanisms, applying the first mechanism that is available for a given transfer and, for UK and Swiss transfers, the jurisdiction-specific instruments in the final bullet:

  • Where the recipient is certified under the EU-U.S. Data Privacy Framework (and the UK or Swiss extensions where applicable), transfers rely on that framework;
  • Otherwise, transfers rely on the SCCs, which are incorporated into this DPA by reference. Module Two (Controller-to-Processor) applies between Customer and Backrow. Module Three (Processor-to-Processor) applies where Customer is itself a Processor. The options and annexes of the SCCs are completed as set out in Annex I;
  • For transfers subject to the UK GDPR, the UK IDTA applies. For transfers subject to the Swiss FADP, the SCCs apply with the adjustments required by the Swiss Federal Data Protection and Information Commissioner.

Backrow has carried out a transfer impact assessment and implements supplementary measures — including encryption in transit and at rest, access controls, and legal challenge procedures for government requests — as described in Annex II.

8. Security and Personal Data Breaches

Backrow implements and maintains the technical and organizational measures described in Annex II to protect Personal Data against a Personal Data Breach. These measures are subject to ongoing improvement to reflect the state of the art, the nature of the processing, and the risks to Data Subjects.

Backrow will notify Customer of any Personal Data Breach affecting Customer's Personal Data without undue delay and in any event within 72 hours of becoming aware of it. The notification will, to the extent known, describe the nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed. Backrow will provide updates as more information becomes available and will cooperate with Customer in its breach-handling obligations.

9. Retention, Return, and Deletion

Personal Data is retained for the periods set out in the Backrow Data Retention Policy, which is incorporated by reference and published separately as the Data Retention Policy.

9.1 Customer-configured retention

Customer can configure a retention period for candidate data within the Service (for example, 6 months, 12 months, 24 months), within the bounds set out in the Data Retention Policy. When the retention period elapses for a given candidate record, the record is processed according to the end-of-retention option selected by Customer:

  • Permanent deletion — the record is removed from production systems and cannot be recovered, subject only to residual backup-cycle retention; or
  • Anonymization — personal data is stripped from the record such that the remaining data can no longer be attributed to an identified or identifiable individual, taking into account all the means reasonably likely to be used for re-identification (GDPR Recital 26). Data that can still be linked back to an individual with the use of additional information (for example, a retained candidate ID that maps to a separate identity table) is pseudonymized rather than anonymized and remains Personal Data. Anonymized data falls outside the scope of the GDPR and may be retained by Customer for aggregate analytics.

Backrow will notify Customer's Authorized Users at least 14 days in advance of scheduled deletions or anonymizations. Candidates are not notified automatically; Customer is responsible for any notifications it chooses to provide to Data Subjects.

9.2 Termination

Upon termination or expiration of the Agreement, Customer may export its data through the Service for a period of 30 days. After that period, Backrow will delete or anonymize Customer Personal Data from production systems. Residual copies in encrypted backups are retained for the backup cycle described in the Data Retention Policy and then deleted or overwritten. Backrow may retain Personal Data for longer periods where required by law, in which case the processing is limited to that purpose.

10. Audits

Backrow makes available to Customer, on reasonable request, information necessary to demonstrate compliance with Article 28 GDPR, including third-party audit reports (such as SOC 2 or ISO 27001 reports, when available), summaries of penetration tests, and responses to security questionnaires.

Where such documentation is insufficient to demonstrate compliance, Customer may, at its own cost and no more than once per 12-month period, conduct an audit of Backrow's processing activities. Audits must be conducted by Customer or a qualified, mutually agreed independent auditor who is not a competitor of Backrow, on at least 30 days' prior written notice, during normal business hours, and subject to confidentiality obligations. Backrow may object to an auditor that it reasonably considers unqualified or a competitor, in which case the parties will agree on an alternative. A Supervisory Authority exercising its statutory audit powers is not restricted by this Section.

11. Data Subject Requests

Taking into account the nature of the processing, Backrow will assist Customer, by appropriate technical and organizational measures, in responding to requests from Data Subjects to exercise their rights under the GDPR. Where Backrow receives a request directly from a Data Subject, it will not respond to the request (except to confirm receipt and direct the individual to Customer) and will forward it to Customer without undue delay, unless Backrow is legally required to respond.

12. Liability

Each party's liability under or in connection with this DPA is subject to the limitations of liability set out in the Agreement, except that nothing in the Agreement or this DPA limits liability that cannot be limited or excluded under Applicable Data Protection Law, including liability to Data Subjects under Article 82 GDPR.

13. General

This DPA takes effect on the effective date of the Agreement and continues for as long as Backrow processes Personal Data on behalf of Customer. Sections 9, 10, and 12 survive termination. This DPA is governed by the law of the Republic of Croatia and the courts of Zagreb have exclusive jurisdiction, save that where the SCCs specify a different governing law or forum for disputes arising from the SCCs, that law and forum apply to those disputes only.

Annex I — Details of Processing (SCCs)

A. List of Parties

Data exporter: Customer, as identified in the Order Form. Role: Controller (or Processor where applicable).

Data importer: 3C Consulting d.o.o., Sunčana 1, 31500 Našice, Croatia. Role: Processor (or Sub-processor where applicable). Contact: support@backrow.app.

B. Description of Transfer

Categories of Data Subjects, categories of Personal Data, special categories, frequency, nature and purpose of processing, duration, and retention are as set out in Sections 3 and 9 of this DPA.

C. Competent Supervisory Authority

The Croatian Personal Data Protection Agency (Agencija za zaštitu osobnih podataka — AZOP) is the competent supervisory authority for the purposes of Clause 13 of the SCCs.

Annex II — Technical and Organizational Measures

Backrow implements the following measures, which may be updated from time to time provided the overall level of security is not reduced.

Access control

  • Role-based access control; least-privilege principle for internal access to production systems.
  • Mandatory multi-factor authentication for personnel with access to production.
  • Access reviews at least quarterly; timely revocation on role change or departure.

Encryption

  • TLS 1.2 or higher for all data in transit.
  • AES-256 encryption at rest for databases, object storage, and backups.
  • Managed key infrastructure with rotation policies.

Network and infrastructure security

  • Deployment in AWS US regions within private networks with restricted ingress.
  • Web application firewall and DDoS protection at the edge.
  • Continuous vulnerability scanning and periodic third-party penetration testing.

Application security

  • Secure software development lifecycle, including code review and dependency scanning.
  • Logical tenant isolation between Customer environments.
  • Audit logging of security-relevant events.

Operational security

  • Documented incident response plan with defined roles and escalation paths.
  • Backups with encryption and tested restoration procedures.
  • Business continuity and disaster recovery planning.

Personnel

  • Background checks where legally permitted.
  • Mandatory confidentiality undertakings and annual privacy and security training.

Sub-processor management

  • Due diligence on Sub-processors before engagement.
  • Contractual obligations imposing equivalent data protection requirements.

Government access requests

  • Documented procedure for handling government data requests, including legal review and, where lawful, challenge of overbroad requests.
  • Transparency reporting where permitted by law.

Annex III — List of Sub-processors

The table below lists Sub-processors engaged by Backrow as of the Last Updated date.

| Sub-processor | Purpose | Location | Transfer mechanism |
| --- | --- | --- | --- |
| Amazon Web Services, Inc. | Cloud hosting and infrastructure | United States | SCCs; EU-U.S. DPF (where certified) |
| Stripe Payments Europe, Ltd. | Payment processing and billing (card data handled directly by Stripe; Backrow does not store card numbers) | Ireland / United States | Intra-EEA processing; SCCs for onward transfers to Stripe, Inc. (U.S.) |
| Postmark (ActiveCampaign, LLC) | Transactional email delivery | United States | SCCs |
| Fathom Analytics Ltd. | Privacy-focused website analytics (no cookies) | Canada | Adequacy decision |
| PostHog Inc. | Product analytics (EU region where available) | United States / EU | SCCs |
| Functional Software, Inc. (Sentry) | Error monitoring and diagnostics | United States | SCCs |
| OpenAI, L.L.C. | AI model inference for opt-in AI Features (no training on Customer Data) | United States | SCCs; DPA with zero-retention API processing |
| Anthropic, PBC | AI model inference for opt-in AI Features (no training on Customer Data) | United States | SCCs; DPA with zero-retention API processing |

Note on AI Features: OpenAI and Anthropic are engaged only when Customer has enabled AI Features. Content sent to these providers is limited to what is necessary for the requested inference, processed under API terms that prohibit training on Customer Data, and subject to short or zero retention as configured by Backrow.