The Ishavi DPA is offered to every paying customer at no extra cost. It governs how the platform processes personal data on the customer's behalf and incorporates the sub-processor register, security measures, and breach notification commitments. This page describes the shape; request a signed copy by email.
The body of the DPA is the standard processor-side commitments, written plainly. Annex A lists the technical and organisational measures (TOMs) Ishavi maintains; Annex B is the live sub-processor register, which evolves as the platform does. Annex C is reserved for customer-specific carve-outs (HIPAA, FedRAMP-equivalent, additional jurisdictions) negotiated as needed.
Clause 01
Defines the customer as the data controller and Ishavi as the data processor. Names the categories of data subjects (candidates, recruiters), the categories of personal data, the processing operations, and the duration -- which mirrors the term of the underlying subscription agreement.
Clause 02
Incorporates the live sub-processor register at /legal/subprocessors by reference. Commits Ishavi to a 30-day notice before adding or substituting a sub-processor, plus the customer's right to object.
Clause 03
TLS in transit, AES-256 at rest, MFA on production access, tenant isolation, encrypted backups, vulnerability scanning, penetration testing on a defined cadence, secure development lifecycle, and the on-call response process.
Clause 04
Customer right to request the latest SOC 2 report (Type I from Q4 2026; Type II from Q3 2027) under NDA, plus one customer-initiated audit per year on reasonable notice, conducted at the customer's expense by a mutually agreed auditor.
Clause 05
EU customer data: Module 2 Standard Contractual Clauses (controller -> processor) with the EU Commission's 2021 template. UK customers: International Data Transfer Addendum (IDTA) to those SCCs. India customers: equivalent contractual terms drafted to anticipate the DPDP Act's cross-border rules. EU-US Data Privacy Framework self-certification is pending.
Clause 06
Ishavi will notify the customer of a confirmed personal data breach without undue delay, and in any case within 48 hours of confirmation, including the categories of data, the approximate number of records, the likely consequences, and the measures taken or proposed.
Clause 07
Ishavi assists the customer in responding to access, rectification, erasure, restriction, portability, and objection requests from data subjects -- with a response within 30 days of receipt. Erasure honours legal retention carve-outs (audit trail; ongoing litigation hold) where they apply.
Clause 08
On termination of the subscription, Ishavi returns the customer's personal data in a machine-readable format and deletes its copies within 90 days, except for backup copies subject to the published backup retention cycle and any record required by law.
Include the legal entity name, registered address, and the jurisdiction you operate in. We will return a signed DPA referencing your subscription agreement. Custom redlines welcome; turnaround depends on the redline.