Data Processing Agreement
Last updated: June 15, 2026
This Data Processing Agreement (“DPA”) supplements Jobby.dev's Terms of Service and Privacy Policy and applies where Jobby.dev processes personal data on behalf of a customer (“Controller”) — for example, when a recruiter uses Jobby.dev to conduct interviews and process candidate data.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Processing” means any operation performed on Personal Data (collection, storage, use, disclosure, deletion).
- “Controller” means the entity that determines the purposes and means of processing.
- “Processor” means the entity that processes Personal Data on behalf of the Controller.
- “Data Subject” means the individual whose Personal Data is processed.
2. Roles
When a recruiter uses Jobby.dev to interview and evaluate candidates, the recruiter is the Controller and Jobby.dev acts as a Processor. When Jobby.dev collects data for its own purposes (e.g. account management, analytics, billing), Jobby.dev is the Controller.
3. Scope of processing
Jobby.dev processes Personal Data solely to provide the Service as described in the Terms of Service, including:
- Matching job seekers with recruiters.
- Facilitating live video interviews.
- Generating AI-powered match scores, report cards, and parsed profiles.
- Processing recordings and transcriptions (Power Play plan only).
- Sending transactional communications.
Categories of data subjects: job seekers, recruiters, and website visitors.
Types of personal data: name, email, profile information, job preferences, interview metadata, recordings (where applicable), usage data.
4. Controller obligations
- Ensure a lawful basis exists for the processing (e.g. consent, legitimate interest, contract performance).
- Provide notice to Data Subjects about the processing as required by applicable law.
- Respond to Data Subject rights requests, with Jobby.dev's reasonable assistance.
5. Processor obligations
Jobby.dev shall:
- Process Personal Data only on documented instructions from the Controller, unless required by law.
- Ensure that persons authorised to process Personal Data have committed to confidentiality.
- Implement appropriate technical and organisational security measures.
- Assist the Controller in responding to Data Subject rights requests.
- Notify the Controller without undue delay (and within 72 hours where feasible) after becoming aware of a personal data breach.
- Delete or return all Personal Data upon termination of the Service, at the Controller's choice, unless retention is required by law.
- Make available all information necessary to demonstrate compliance and allow for audits.
6. Sub-processors
The Controller authorises Jobby.dev to engage the sub-processors listed at jobby.dev/subprocessors. Jobby.dev will provide at least 14 days' notice before adding or replacing a sub-processor. If the Controller objects, they may terminate the Service by providing written notice within that 14-day period.
7. International transfers
Where Personal Data is transferred to a country that does not provide an adequate level of data protection, Jobby.dev relies on Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914), the UK International Data Transfer Agreement, or other lawful transfer mechanisms as applicable.
8. Security measures
Jobby.dev implements the following measures:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256 via Supabase).
- Row-level security (RLS) policies on all database tables.
- Role-based access control for administrative functions.
- Rate limiting on all public API endpoints.
- Automated data retention and deletion cron jobs.
- PII scrubbing in error monitoring (Sentry).
- Regular dependency updates and security audits.
9. Data breach notification
In the event of a personal data breach, Jobby.dev will notify the Controller without undue delay (and within 72 hours where feasible) and provide sufficient information for the Controller to meet its own notification obligations under GDPR Article 33/34, UK GDPR, or applicable US state privacy laws.
10. Term & termination
This DPA remains in effect for the duration of the Service agreement. Upon termination, Jobby.dev will delete the Controller's Personal Data within 30 days, unless retention is required by law. The Controller may request an export of their data before termination.
11. Governing law
This DPA is governed by the same law that governs the Terms of Service (State of Delaware, USA), except where mandatory data protection law of the Data Subject's jurisdiction requires otherwise.
12. Contact
To request execution of this DPA or for any data processing inquiries, email hi@jobby.dev.