Beta - under legal review

This DPA is a working draft and is not yet executable. A counsel-reviewed counterpart will be available before HeyOrky's general availability. Enterprise customers needing an executed DPA today should contact legal@heyorky.ai.

Data Processing Agreement

Last updated: April 2026

1. Parties & scope

This Data Processing Agreement (“DPA”) supplements the Terms of Service between HeyOrky, Inc. (“Processor”) and the customer organization (“Controller”) for whom HeyOrky processes candidate personal data. Capitalized terms not defined here have the meaning given in the GDPR.

2. Subject matter & purpose

HeyOrky processes candidate personal data on Controller's behalf for the limited purpose of operating the AI hiring pipeline (resume screening, audio interviews, ranking, and communications) for roles posted by Controller.

3. Categories of data & data subjects

  • Data subjects: job applicants who submit applications to Controller's job postings.
  • Categories: identification (name, email, phone, LinkedIn URL, location), professional history (resume contents), interview content (audio recordings, transcripts, AI evaluations), and - only where Controller enables it - voluntary EEOC demographic data.
  • Special categories: none collected by default. Where Controller enables EEOC demographic collection, that data is voluntary, kept internal, and never shared with the recruiter or used in scoring.

4. Sub-processors

Processor uses the third-party sub-processors listed at /legal/sub-processors. Controller authorizes the use of these sub-processors. Processor will give 30 days' notice of any new sub-processor before granting it access to Controller data.

5. Security measures

  • Data encrypted in transit (TLS) and at rest (AWS RDS).
  • Resume files stored in S3 with bucket-level encryption.
  • Access controls: JWT in HTTP-only cookies; role-based access within recruiter organizations.
  • Audit logging on all candidate-data accesses (planned).
  • No customer data is used to train AI models.
  • [TODO - counsel + security to expand: incident response, personnel screening, business-continuity, sub-processor onboarding diligence.]

6. Data subject rights

Processor will assist Controller in responding to data subject requests (access, deletion, correction, objection, restriction, portability) within 30 days of Controller's request. Where a candidate contacts Processor directly, Processor will route the request to Controller.

7. International transfers

[TODO - counsel to confirm. HeyOrky operates infrastructure in [region]. Where Controller or Data Subjects are in the EEA/UK and data is transferred outside, the parties agree to the EU Standard Contractual Clauses (SCCs) and the UK IDTA as applicable; clauses to be attached as Annex.]

8. Talent-pool sharing (opt-in only)

Where a candidate explicitly opts in via the apply-form checkbox, HeyOrky may use that candidate's data to surface them as a match for other Controllers' roles. The candidate may revoke consent at any time via the unsubscribe link in any talent-pool email. Controller acknowledges that talent-pool consent flows are between HeyOrky and the candidate, and that Controller does not control candidates who have opted in via a different Controller's job page.

9. Retention & deletion

[TODO - counsel + product to confirm retention windows. Default placeholder: candidate data retained for the duration of the role plus 24 months unless the candidate requests earlier deletion or Controller terminates the agreement.]

10. Audit

Processor will provide reasonable assistance for Controller audits, including a copy of the most recent SOC 2 report (when available). On-site audits require 30 days' notice and are conducted at Controller's expense.

11. Contact

DPA execution requests: legal@heyorky.ai.