VEYR Back home

Legal

Data Processing Agreement

Last updated: 15 May 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Ali Karim, operating as VEYR ("Processor"), and the Customer ("Controller") who uses the Service at getveyr.com. This DPA governs the processing of personal data by the Processor on behalf of the Controller in accordance with Article 28 of the GDPR.

1. Definitions

Terms used in this DPA have the meanings given in the GDPR.

2. Subject Matter and Duration

The Processor processes Personal Data on behalf of the Controller for the purpose of providing the Service. Processing continues for the duration of the Controller's subscription and ends upon termination as described in the Terms of Service.

3. Nature and Purpose of Processing

Processing is carried out to provide recruiting intelligence services, including but not limited to: candidate management, AI-assisted screening, scenario assessments, candidate dossier generation, scheduling, and related communications.

4. Categories of Data Subjects

  • Candidates engaging with the Controller through the Service
  • Employees of the Controller using the Service

5. Categories of Personal Data

  • Identification data (name, email, contact details)
  • Professional data (CV, work history, role information)
  • Assessment responses and AI-generated insights
  • Communication content (chat, screening responses, notes)
  • Calendar and scheduling data

6. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational measures as set out in Annex A
  • Assist the Controller in responding to data subject requests
  • Notify the Controller without undue delay upon becoming aware of a personal data breach
  • Delete or return all Personal Data at the end of the provision of services
  • Make available to the Controller all information necessary to demonstrate compliance

7. Sub-Processors

The Controller authorizes the Processor to engage sub-processors as listed in Annex B. The Processor will notify the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object.

8. International Transfers

Personal Data is primarily processed within the EU. Where transfers outside the EEA are necessary, they are protected by appropriate safeguards including Standard Contractual Clauses.

9. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.

10. Liability

Liability under this DPA is governed by the Terms of Service.

Annex A · Technical and Organizational Measures

  • TLS 1.2+ encryption in transit
  • AES-256 encryption at rest
  • Row-Level Security for company isolation
  • Email/password authentication via Supabase Auth
  • Daily automated backups with point-in-time recovery
  • Rate limiting on public endpoints
  • Regular security reviews

Annex B · Authorized Sub-Processors

  • Supabase (EU/Frankfurt) · Database, authentication, storage
  • Lovable (EU) · Hosting and deployment
  • Stripe (EU/Global) · Payment processing
  • Resend (EU) · Transactional email
  • Google Gemini via Lovable AI Gateway (EU-routed) · AI processing

Contact

Ali Karim
Passeig de la Verneda 97
Barcelona, Spain
Email: contact@getveyr.com

To execute this DPA for your organization, contact contact@getveyr.com.