Data Processing Agreement

Last Updated: April 02, 2026

This Data Processing Agreement ("DPA") is entered into between Themis ("Processor", "we", "us") and the user of the Themis Service ("Controller", "you"). This DPA supplements and forms part of the Terms of Service and Privacy Policy.

This DPA applies where and to the extent that Themis processes Personal Data on behalf of the Controller in the course of providing the Service, and such processing is subject to the EU General Data Protection Regulation (GDPR), UK GDPR, or other applicable data protection laws.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, modification, or deletion.
  • "Data Subject" means the individual whose Personal Data is processed.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Breach" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
  • "Service" means the Themis resume optimization platform and related services.

2. Scope and Purpose of Processing

The Processor processes Personal Data solely for the purpose of providing the Service to the Controller, which includes:

  • Optimizing resumes and cover letters using AI technology
  • Managing user accounts and authentication
  • Processing payments and managing subscriptions
  • Providing customer support
  • Sending transactional and service-related communications

Categories of Data Subjects

Registered users of the Themis Service.

Types of Personal Data Processed

  • Identity data: name, email address, phone number
  • Resume content: work history, education, skills, professional summary
  • Payment data: processed by Stripe (we do not store card numbers)
  • Usage data: generation history, login records, IP addresses
  • Location data: country, state/region, timezone

3. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality.
  • Implement appropriate technical and organizational security measures as described in Section 4.
  • Not engage Sub-processors without prior written authorization from the Controller (see Section 5).
  • Assist the Controller in responding to Data Subject requests (see Section 6).
  • Notify the Controller without undue delay of any Data Breach (see Section 7).
  • Delete or return all Personal Data at the end of the service relationship, at the Controller's choice (see Section 9).
  • Make available all information necessary to demonstrate compliance and allow for audits (see Section 8).

4. Security Measures

The Processor implements and maintains the following technical and organizational measures to protect Personal Data:

Technical Measures

  • Encryption: All data is transmitted over TLS 1.2+ (HTTPS). Passwords are hashed using bcrypt with appropriate salt rounds.
  • Access Controls: Role-based access control (RBAC), multi-factor authentication for admin access, JWT-based session management with token rotation.
  • Database Security: Parameterized queries (preventing SQL injection), automated backups with integrity verification, WAL mode for data consistency.
  • Application Security: Content Security Policy (CSP) headers, CSRF protection, rate limiting, input validation and HTML sanitization.
  • Logging: PII-scrubbed audit logs, security event monitoring, login attempt tracking.

Organizational Measures

  • Access to production systems limited to authorized personnel only.
  • Regular review of access permissions.
  • Automated database backup with 14-day retention.
  • Incident response procedures documented and maintained.

5. Sub-processors

The Controller authorizes the Processor to engage the following Sub-processors:

Sub-processor Purpose Location
OpenAI AI-powered resume optimization and content generation United States
Stripe Payment processing and subscription management United States
Resend Transactional email delivery United States
Google Analytics (GA4) Website analytics (with user consent) United States

The Processor will notify the Controller of any intended changes to Sub-processors at least 30 days in advance. The Controller may object to a new Sub-processor by contacting us at privacy@themis.careers within that period.

6. Data Subject Rights

The Processor assists the Controller in fulfilling Data Subject requests under applicable data protection laws. Users can exercise the following rights directly through the Service:

  • Right of Access: Export all personal data via the Account Settings page.
  • Right to Rectification: Update personal information via the Profile page.
  • Right to Erasure: Request account deletion via the Account Settings page (30-day grace period, then permanent deletion).
  • Right to Data Portability: Download data in machine-readable JSON format.
  • Right to Object: Contact privacy@themis.careers to object to specific processing activities.
  • Right to Restrict Processing: Contact privacy@themis.careers to request processing restrictions.

For requests that cannot be handled through the Service interface, please contact us at privacy@themis.careers. We will respond to Data Subject requests within 30 days.

7. Data Breach Notification

In the event of a Data Breach affecting Personal Data:

  • The Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with Article 33 of the GDPR.
  • The notification shall include: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
  • The Processor shall cooperate with the Controller and provide all reasonable assistance to fulfill the Controller's obligations to notify supervisory authorities and Data Subjects.
  • The Processor shall document all Data Breaches, including the facts, effects, and remedial actions taken.

8. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and applicable data protection laws. The Processor shall allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:

  • The Controller shall provide at least 30 days' written notice of any audit request.
  • Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations.
  • The Controller shall bear the costs of any audit, unless the audit reveals material non-compliance by the Processor.

9. Data Return and Deletion

Upon termination of the Service or upon the Controller's request:

  • The Controller may export their data in machine-readable format (JSON) at any time via their Account Settings.
  • Upon account deletion, Personal Data will be permanently deleted within 30 days (grace period for recovery), subject to legal retention requirements.
  • Certain data may be retained as required by law (e.g., financial transaction records for 7 years).
  • Data shared with Sub-processors will be deleted in accordance with the Sub-processor's data retention policies, subject to applicable legal requirements.

10. International Data Transfers

The Service is operated from the United States. Where Personal Data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we rely on:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission.
  • Sub-processor compliance with applicable data transfer mechanisms (e.g., Stripe and OpenAI maintain their own transfer safeguards).

11. Duration and Termination

This DPA shall remain in effect for the duration of the Controller's use of the Service. The obligations regarding confidentiality and data protection shall survive termination of this DPA.

12. Governing Law

This DPA shall be governed by and construed in accordance with the laws applicable to the main Terms of Service. To the extent that the GDPR or other data protection laws impose additional requirements, those requirements shall apply regardless of the governing law.

13. Contact

For questions about this DPA, data processing practices, or to exercise Data Subject rights:

Related Policies

Privacy Policy | Terms of Service