Data Processing Agreement

Terms used but not defined in this DPA have the meanings given to them in the EU General Data Protection Regulation 2016/679 (“GDPR”) and the Swiss Federal Act on Data Protection (“FADP”).

• Authorized User — a natural person authorized by the Customer to access the Service under the Customer’s account.
• Candidate Data — Personal Data relating to consultants, employees, contractors, or candidates uploaded into the Service by the Customer or its Authorized Users.
• Customer Personal Data — all Personal Data Processed by Versio on the Customer’s behalf under the Terms of Service, including Candidate Data.
• Sub-Processor — any third party engaged by Versio to Process Customer Personal Data.
• SCCs — the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914.

Subject matter: Processing of Customer Personal Data necessary to provide the Service (CV management, AI-assisted CV generation, candidate matching, document rendering, billing).

Duration: for as long as Versio Processes Customer Personal Data on the Customer’s behalf under the Terms of Service. This DPA survives termination until Versio has deleted or returned all Customer Personal Data in accordance with Section 14.

For Candidate Data and any other Customer Personal Data uploaded by Authorized Users, the Customer is the Controller and Versio is the Processor.

For account, billing, and authentication data of Authorized Users (email, password, Stripe customer ID), Versio acts as a separate Controller. That Processing is governed by our Privacy Policy, not by this DPA.

Versio Processes Customer Personal Data to:

• Host master profiles and CV versions
• Render PDF and Word documents
• Run AI-assisted features when invoked by Authorized Users (CV import, generation, translation, review, ATS check, candidate matching)
• Compute vector embeddings for semantic search and matching
• Provide team and bundle features for batch operations
• Maintain logs for security, abuse prevention, audit, and regulatory compliance

Versio does not Process Customer Personal Data for any other purpose.

The Customer warrants and undertakes that:

• It has a valid lawful basis under Art. 6 (and Art. 9 where applicable) of the GDPR for the Processing it directs Versio to perform.
• It has provided all required notices and obtained all required consents from Data Subjects, including informing Candidates that AI is used in screening and matching (Art. 13/14 GDPR, Art. 26 EU AI Act).
• Its instructions to Versio comply with Applicable Law.
• It is solely responsible for any decision affecting a Data Subject taken on the basis of output produced by the Service, and for ensuring meaningful human review of such output before any decision is taken (GDPR Art. 22, EU AI Act Art. 26).

Versio shall:

• Process Customer Personal Data only on documented instructions from the Customer, including with regard to transfers to a third country, unless required to do so by Applicable Law (in which case Versio shall inform the Customer of that legal requirement before Processing, unless prohibited by law).
• Ensure that persons authorized to Process Customer Personal Data have committed themselves to confidentiality.
• Implement the technical and organisational measures set out in Annex III.
• Assist the Customer in fulfilling its obligations to respond to requests for exercising Data Subject rights (Art. 12–22 GDPR), at the Customer’s expense for non-trivial requests.
• Notify the Customer without undue delay (and in any case within 48 hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data, providing the information required by Art. 33(3) GDPR.
• Assist the Customer in carrying out data protection impact assessments (Art. 35) and prior consultations (Art. 36).
• At the choice of the Customer, delete or return all Customer Personal Data after the end of the provision of the Service, in accordance with Section 14.
• Make available to the Customer all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits in accordance with Section 13.

The Customer provides general written authorisation for Versio to engage the Sub-Processors listed in Annex II. Versio shall:

• Impose on each Sub-Processor data protection obligations no less protective than those set out in this DPA.
• Notify the Customer of any intended changes to the Sub-Processor list at least 30 days in advance. The Customer may object on reasonable data-protection grounds; if no resolution is reached, the Customer may terminate the affected portion of the Service.
• Remain fully liable to the Customer for the performance of any Sub-Processor.

The primary application database and embedding service are hosted in Switzerland. Switzerland benefits from an EU Commission adequacy decision (Decision 2000/518/EC, as amended) for transfers from the EU.

Where Customer Personal Data is transferred outside Switzerland or the EEA — currently to Anthropic (United States) for AI Features, Stripe (United States) for payments, and Cloudflare (global) for bot protection — Versio relies on:

• The EU-US Data Privacy Framework where the recipient is self-certified, or
• The Standard Contractual Clauses (Modules 2 and 3 as applicable), incorporated into Versio’s agreement with the relevant Sub-Processor.

The SCCs are deemed incorporated into this DPA where required, with Versio as data importer in its capacity as Processor and the Customer as data exporter.

Versio implements the technical and organisational measures set out in Annex III, which are designed to ensure a level of security appropriate to the risk (Art. 32 GDPR).

If Versio receives a request directly from a Data Subject, it shall forward the request to the Customer without undue delay and shall not respond to the request itself except to confirm that the request has been received and routed.

Versio provides Customer self-service tools to access, export, rectify, and delete Customer Personal Data through the Service. For requests not covered by self-service, Versio assists the Customer at the Customer’s reasonable request.

The Customer may audit Versio’s compliance with this DPA once per twelve-month period, on at least thirty days’ written notice and during normal business hours. Audits shall be conducted in a manner that does not disrupt the Service. The Customer bears its own audit costs.

Versio may satisfy audit obligations by providing current third-party certifications or audit reports (e.g. SOC 2 Type II, ISO 27001, when available), summaries of penetration tests, and the contents of Annex III.

Versio shall notify the Customer without undue delay and in any case within 48 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notification shall include, to the extent known, the information set out in Art. 33(3) GDPR. Versio shall provide reasonable cooperation to the Customer in connection with the breach.

On termination of the Terms of Service or at any earlier written request by the Customer, Versio shall, at the Customer’s option:

• Make Customer Personal Data available for export via the Service’s standard export functionality for up to 30 days after termination, then delete; or
• Delete all Customer Personal Data within 30 days of termination.

Backups containing Customer Personal Data are overwritten on the rolling backup schedule (maximum 35 days). Versio may retain Customer Personal Data where required by Applicable Law (e.g. Swiss CO Art. 957–958 for billing records).

Each party’s liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits a party’s liability to a Data Subject under Art. 82 GDPR.

This DPA is governed by Swiss law. Disputes are subject to the exclusive jurisdiction of the courts of Genève, Switzerland, without prejudice to any mandatory consumer-protection rules under the law of the Data Subject’s habitual residence.

Use-case declaration. The Customer shall identify, on signup or first use of the Candidate Matcher, whether it is acting as a Business Customer or Recruitment Customer. Recruitment Customers acknowledge that the Matcher is a high-risk AI system under Annex III §4(a) and accept the additional deployer obligations set out in Section 6.5 of the Terms of Service.

Current as of the version date above. The live list and notification mechanism is available at contact@versio-cv.com.

Nicolas Dinh
Rue de Lausanne 29bis
1201 Genève, Switzerland
contact@versio-cv.com