Data Processing Agreement (DPA) – NEXML

This Data Processing Agreement (“Agreement”) forms part of the Terms of Use and governs the processing of personal data by NEXML in accordance with Regulation (EU) 2016/679 (GDPR).

1. Parties and roles

  • Data Controller: The customer (company or legal entity) using the NEXML platform for recruitment purposes.
  • Data Processor: NEXML.

The Controller determines the purposes and means of processing candidate personal data. NEXML processes data solely on documented instructions from the Controller.

2. Scope and purpose of processing

NEXML processes personal data exclusively for the purpose of assisting recruitment workflows, including:

  • Uploading and analyzing CVs
  • AI-based scoring and prioritization of candidates
  • Generating analytical insights for HR decision support

3. Categories of data subjects and data

  • Data subjects: job candidates
  • Personal data: information contained in CVs (e.g. work experience, education, skills, contact details, as provided by the Controller)

4. Processing characteristics

  • Processing occurs temporarily and only for analysis purposes
  • No reuse of candidate data for training or secondary purposes
  • No sale, profiling, or marketing use of personal data

5. Obligations of NEXML (Processor)

  • Process personal data only on documented instructions from the Controller
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to data subject requests where applicable
  • Notify the Controller without undue delay in case of a personal data breach

6. Obligations of the Controller

  • Ensure a lawful basis for processing candidate data
  • Provide required privacy information to data subjects
  • Ensure instructions provided to NEXML comply with GDPR
  • Maintain records of processing activities

7. Sub-processors

NEXML does not engage sub-processors for processing candidate CV data, except for infrastructure services strictly necessary for hosting and security. Any such sub-processors are bound by equivalent data protection obligations.

8. Data retention and deletion

Personal data is retained only for the duration necessary to perform the requested analysis. Upon termination of the service or at the Controller’s request, data is deleted or rendered inaccessible, unless retention is required by law.

9. International transfers

NEXML does not intentionally transfer personal data outside the European Union. If such transfer becomes necessary, it will be conducted in accordance with GDPR Chapter V.

10. Audits

Upon reasonable request, NEXML will provide information necessary to demonstrate compliance with this Agreement, subject to confidentiality and security considerations.

11. Liability

Each party is liable only for its own GDPR violations, in accordance with Article 82 GDPR.

12. Governing law

This Agreement is governed by the laws of Romania and applicable European Union legislation.

13. Contact

For data protection matters: contact@nexml.dev