Data Processing Agreement
1. Definitions
- "Controller" — the hiring company that uses Greenroom to screen candidates.
- "Processor" — Greenroom Technologies, which processes personal data on the Controller's behalf.
- "Candidate Personal Data" — any personal data relating to candidates processed through the Greenroom platform, including name, email, voice audio, interview transcript, AI scores, and integrity signals.
- "GDPR" — Regulation (EU) 2016/679 and its UK equivalent (UK GDPR).
- "Services" — the Greenroom AI candidate screening platform as described at greenroom.dev.
2. Scope and nature of processing
| Field | Detail |
|---|---|
| Subject matter | AI-powered candidate screening for employment purposes |
| Duration | For the term of the Controller's Greenroom subscription, plus the applicable retention periods in Section 6 |
| Nature of processing | Recording, transcription, AI scoring, storage, and delivery of screening results to the Controller |
| Purpose | Enabling the Controller to evaluate job candidates using AI-assisted interviews |
| Types of personal data | Name, email, voice audio, transcript, AI scores, integrity signals |
| Categories of data subjects | Job candidates invited by the Controller to complete a Greenroom screen |
3. Controller obligations
The Controller warrants and agrees that it:
- Has a valid lawful basis for processing Candidate Personal Data under applicable law
- Will provide candidates with legally required notices before using Greenroom to evaluate them (including the 10-business-day notice required by NYC Local Law 144 for NYC-based roles)
- Will publish Greenroom's annual bias audit summary on its careers website where required by NYC LL144
- Will provide candidates a genuine, functional path to request an alternative selection process
- Will ensure a human with actual decision authority reviews Greenroom's AI recommendation before any hiring decision is made — not merely rubber-stamp the AI score
- Will obtain BIPA-compliant written consent from Illinois-resident candidates where Greenroom's hosted consent modal is not used
- Will include Greenroom as a sub-processor in its own privacy documentation
- Will not instruct Greenroom to process Candidate Personal Data in a manner that would violate applicable law
4. Processor obligations
Greenroom (as Processor) agrees to:
- Process Candidate Personal Data only on documented instructions from the Controller (being the use of the Greenroom Services as configured by the Controller) or as required by applicable law
- Ensure all personnel with access to Candidate Personal Data are bound by confidentiality obligations
- Implement and maintain the technical and organisational security measures described in Section 7
- Not engage new sub-processors without giving the Controller at least 30 days' prior written notice and the opportunity to object
- Impose equivalent data protection obligations on all sub-processors via written agreements
- Assist the Controller in responding to data subject rights requests (access, erasure, portability, objection) within the timescales required by applicable law
- Notify the Controller within 72 hours of becoming aware of a personal data breach affecting Candidate Personal Data
- Assist the Controller in conducting Data Protection Impact Assessments where required
- Delete or return all Candidate Personal Data upon termination of Services, and delete existing copies within 30 days unless retention is required by law
- Provide the Controller with all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits conducted by the Controller or its designated auditor (on reasonable notice, no more than once per year)
5. Sub-processors
The Controller grants general authorisation to engage the sub-processors listed below. Greenroom will notify the Controller of any changes at least 30 days in advance.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Mistral AI | LLM — scoring, question generation | France (EU) | GDPR applies directly |
| OpenAI | Whisper — voice transcription | USA | EU Standard Contractual Clauses |
| Groq | Fallback transcription | USA | EU Standard Contractual Clauses |
| Supabase | Database storage | USA | EU Standard Contractual Clauses |
| Render | Application hosting | USA | EU Standard Contractual Clauses |
| Cloudflare | CDN / routing | Global | EU Standard Contractual Clauses |
6. Retention and deletion
| Data type | Retention period | Basis |
|---|---|---|
| Voice audio | 90 days → permanently deleted | BIPA: sooner of purpose fulfilled or 3 years |
| Interview transcript | 90 days → permanently deleted | Data minimisation |
| AI scores and recommendation | 4 years | Legal obligation — NYC LL144, CCPA ADMT |
| Written AI summary | 4 years | Legal obligation |
| Integrity signals | 90 days → permanently deleted | Data minimisation |
| Bias audit aggregate data | 4 years minimum | NYC LL144 requirement |
7. Security measures
- Encryption in transit: TLS 1.3
- Encryption at rest: AES-256
- Audio files: encrypted object storage with time-limited, access-controlled signed URLs
- Access controls: role-based, MFA enforced for all internal systems
- Breach notification: within 72 hours of confirmed breach to Controller and affected supervisory authority
- Annual internal security reviews
8. International data transfers
Where Candidate Personal Data originating in the EU, UK, or EEA is transferred to sub-processors in the USA, such transfers are governed by the EU Standard Contractual Clauses (Commission Decision 2021/914) or the UK International Data Transfer Agreement (IDTA), as applicable. Copies are available on request: greenroomprep@gmail.com.
9. Liability
Each party's liability under this DPA is subject to the limitations set out in the main Terms of Service. Nothing in this DPA limits either party's liability to data subjects or supervisory authorities under applicable data protection law.
10. Governing law
This DPA is governed by the same law as the main Terms of Service. For EU and UK customers, this DPA is additionally subject to applicable data protection law, which shall prevail in the event of any conflict.
11. Term and termination
This DPA remains in force for the duration of the Controller's Greenroom subscription. Upon termination, Greenroom will delete all Candidate Personal Data within 30 days, except where retention is required by law (see Section 6). This DPA survives termination of the main agreement to the extent necessary to give effect to those obligations.
Enterprise customers requiring a countersigned DPA for procurement or legal purposes should email greenroomprep@gmail.com with subject "DPA countersignature request." We will respond within 5 business days.