This Data Processing Addendum (the "DPA") forms part of the Terms of Service between HAMRA ("Processor") and the customer organization ("Controller") that subscribes to HAMRA on behalf of its members or employees.
Send a counter-signed copy to dpa@hamraofficial.com and we'll sign and return within 5 business days. For most business customers, this stock DPA is sufficient as-is; we'll redline if your procurement requires it.
1. Definitions
Capitalized terms used here have the meanings given in the EU General Data Protection Regulation 2016/679 ("GDPR") and the Digital Personal Data Protection Act, 2023 of India ("DPDP"), as applicable to the Controller's jurisdiction.
- Personal Data — any information relating to an identified or identifiable natural person who is a member, employee, or end-user of the Controller and who uses HAMRA on the Controller's authorization.
- Subprocessor — any third party engaged by HAMRA to process Personal Data on its behalf.
- Data Subject — the individual user.
2. Roles
The Controller is the data controller. HAMRA is the data processor. HAMRA processes Personal Data only on the documented instructions of the Controller, except where required by law.
3. Scope and purpose of processing
HAMRA processes Personal Data solely to provide the HAMRA service as described in the Terms of Service — career guidance, resume tooling, interview preparation, job matching, and the Application Co-pilot workflow.
4. Types of Personal Data
- Identity (name, email, optional avatar)
- Resume content (text, skills, work history)
- Career preferences, target roles, salary expectations
- Personality assessment responses (DISC)
- Application activity (jobs queued, submitted, outcomes)
- Usage metadata (timestamps, feature events)
HAMRA does not process Special Categories of Personal Data under GDPR Art. 9 except to the extent the user voluntarily includes such data in their resume content. HAMRA discourages this and provides no special-category-specific features.
5. Security measures
HAMRA implements the following technical and organizational measures:
- TLS 1.2+ in transit, AES-256 at rest (managed by our cloud providers).
- Single-tenant database isolation via Supabase Row-Level Security; per-user data is invisible to other tenants and to unauthenticated requests.
- Webhook signature verification on every inbound payment + email event.
- Bearer + cookie dual authentication; long-lived extension sessions revocable from the user's account settings.
- Hosted-checkout payment posture (SAQ-A); HAMRA never sees card data. See /docs/pci-compliance.
- Access control: production database access restricted to two named operators, audited monthly.
- Monthly third-party security review and quarterly internal review.
6. Subprocessors
HAMRA engages the following subprocessors:
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, auth, file storage | AWS ap-south-1 (India) |
| Vercel Inc. | Application hosting and CDN | Global edge |
| Resend Inc. | Transactional + lifecycle email | US |
| Razorpay Software Pvt Ltd | INR payment processing | India |
| Dodo Payments Inc. | International payment processing | Global |
| Google LLC (Vertex AI) | LLM inference for resume + cover-letter generation | US/EU (region-pinned) |
| PostHog Inc. | Product analytics | US (us.i.posthog.com) |
HAMRA will notify the Controller in advance of any new subprocessor and provide the Controller with a reasonable opportunity to object. If the Controller objects on reasonable grounds, the Controller may terminate the Terms of Service without penalty.
7. International transfers
Personal Data is primarily stored in India. Where HAMRA transfers Personal Data outside the European Economic Area or India, such transfers are governed by the European Commission's Standard Contractual Clauses (SCCs, 2021/914) and equivalent safeguards under DPDP.
8. Data Subject rights
HAMRA assists the Controller in responding to Data Subject rights requests under GDPR Articles 15–22 and DPDP §11–§13. Self-serve data export is available to every Data Subject at /api/gdpr/export. Account deletion is available at /settings/account.
9. Data breach notification
HAMRA will notify the Controller without undue delay, and in any case within 72 hours, of becoming aware of a Personal Data breach affecting the Controller's Data Subjects. Notification will include the nature and likely consequences of the breach, the measures taken, and the contact details of HAMRA's grievance officer.
10. Data retention and deletion
HAMRA retains Personal Data for the duration of the customer relationship plus 90 days, after which Personal Data is permanently deleted. Backups containing Personal Data are retained for a maximum of 35 days post-deletion. Anonymized aggregate analytics may be retained indefinitely.
11. Audit rights
The Controller may, no more than once per calendar year and on 30 days' notice, request a copy of HAMRA's most recent third-party security review. On-site audit rights are subject to mutual agreement and the Controller bearing reasonable costs.
12. Grievance and contact
- Grievance Officer (DPDP §10): Rasool, Founder — grievance@hamraofficial.com
- DPA correspondence: dpa@hamraofficial.com
- Security incidents: security@hamraofficial.com
13. Governing law
This DPA is governed by the laws of India. Disputes are subject to the exclusive jurisdiction of the courts of Mumbai, India. Nothing in this Section limits the Controller's statutory rights under applicable data protection law.
---
This DPA template was last updated 2026-05-16. For the latest version, see /docs/data-processing-addendum.