Legal

Data Processing Agreement

Effective: April 29, 2026  ·  Version: 1.0  ·  Last Updated: April 29, 2026  ·  Controller: PIXONIQ LLC, Troy, Michigan

1. Definitions

In this Data Processing Agreement ("DPA"), the following terms have the meanings set forth below:

  • Personal Data: Any information relating to an identified or identifiable natural person, as defined under applicable US law. In the context of WiHire.ai, this includes candidate names, email addresses, resumes, employment history, skills data, salary expectations, location preferences, work style preferences, and consent records.
  • Processing: Any operation performed on Personal Data, including but not limited to collection, storage, use, transmission, deletion, or destruction.
  • Data Controller: PIXONIQ LLC, the entity that determines the purposes and means of processing candidate Personal Data through the WiHire.ai platform.
  • Data Processor: The Recruiter or Employer entity that accesses candidate Personal Data through WiHire.ai for lawful hiring purposes.
  • Sub-processor: Any third-party service provider engaged by PIXONIQ LLC to process Personal Data on behalf of the Data Controller.
  • Candidate Data: All Personal Data submitted by candidates to the WiHire.ai platform, including profiles, resumes, consent records, and AI-generated content.
  • Consent Record: A timestamped, write-protected log entry documenting a candidate's explicit grant or withdrawal of consent for a specific recruiter to access their data.
  • Zeyla™: The AI agent powered by Anthropic's Claude API that performs candidate screening, profile scoring, and resume generation on the WiHire.ai platform.

2. Scope and Purpose of Processing

PIXONIQ LLC operates WiHire.ai as a consent-first AI hiring platform. This section defines the scope and purpose of data processing under this DPA:

2.1 Purpose Limitation

Recruiters may only access Candidate Data for lawful hiring purposes related to the specific role for which the candidate has provided consent. Access is strictly gated by explicit, per-match candidate consent records.

2.2 Consent-Gated Access

WiHire.ai's core architecture requires a logged, timestamped Consent Record before any recruiter can access candidate PII. Recruiters acknowledge this mechanic and agree not to attempt to circumvent it. The platform enforces this through:

  • All candidate data is anonymised by default
  • Recruiters see only anonymised AI match scores until consent is granted
  • Candidate identity and resume are shared only upon affirmative, per-match consent
  • All consent grants and withdrawals are recorded in write-protected audit logs

2.3 Restrictions on Use

Recruiters shall not:

  • Export, download, or copy Candidate Data beyond what is necessary for the specific hiring purpose
  • Resell, repurpose, or share Candidate Data with any third party
  • Use Candidate Data for any purpose other than evaluating candidates for the specific consented role
  • Attempt to de-anonymise or re-identify candidates whose data is anonymised

2.4 Employer Blocking

Recruiters associated with a blocked Employer Identification Number (FEIN) cannot access any candidate data regardless of other permissions. PIXONIQ LLC reserves the right to block employers who violate this DPA or the WiHire.ai Terms of Service.

3. PIXONIQ LLC Obligations as Data Controller

PIXONIQ LLC, as the Data Controller, undertakes the following obligations:

  • Consent Management: Maintain complete Consent Records in Supabase for all candidate consent grants and withdrawals, with timestamps and audit trails.
  • Candidate Rights: Provide candidates with the ability to access, correct, and delete their Personal Data. Honor deletion requests within thirty (30) days.
  • Breach Notification: Notify affected recruiters within seventy-two (72) hours of confirming any security breach that may affect candidate data.
  • Audit Logging: Maintain audit logs of all data access events, including which recruiters accessed which candidate data and when.
  • Sub-processor Notification: Notify recruiters thirty (30) days before engaging any new Sub-processor to process Candidate Data.

4. Recruiter Obligations as Data Processor

As a Data Processor, the Recruiter agrees to the following obligations:

4.1 Purpose Limitation

Use Candidate Data only for the specific hiring purpose for which consent was granted by the candidate.

4.2 No Unauthorized Sharing

Do not share, sell, or transfer Candidate Data to any unauthorized third party. Sub-processors engaged by the Recruiter must be bound by data protection obligations at least as restrictive as this DPA.

4.3 Data Deletion

Upon candidate request or contract termination, delete all Candidate Data within thirty (30) days. Pseudonymization may be used for CCPA erasure to preserve referential integrity, but data must not be re-identifiable.

4.4 Breach Reporting

Report any suspected security breach involving Candidate Data to privacy@wihire.ai within forty-eight (48) hours of discovery. Include a description of the incident, the types of data affected, and steps taken to mitigate the breach.

4.5 Compliance with US Hiring Law

Comply with all applicable US federal and state employment discrimination laws, including Title VII, the Age Discrimination in Employment Act (ADEA), the Americans with Disabilities Act (ADA), and state equivalents. Do not use AI match scores as the sole basis for excluding candidates from consideration.

5. AI-Specific Obligations

Recruiters using Zeyla™ AI screening acknowledge and agree to the following obligations:

5.1 AI Use Disclosure

WiHire.ai provides automated disclosure to candidates that AI is being used in the evaluation process. Recruiters must not misrepresent the role of AI in their hiring decisions.

5.2 Human Review Requirement

Do not override Zeyla™ recommendations without documented human review. All overrides must be recorded with a business justification for audit purposes.

5.3 Bias Audit Cooperation

Cooperate with annual bias audit requirements as may be required by applicable law. Recruiters operating in New York City acknowledge the annual independent bias audit obligation under NYC Local Law 144.

5.4 Colorado AI Act Compliance

Recruiters in Colorado must ensure their use of Zeyla™ meets the algorithmic transparency requirements of Colorado SB 24-205 by the compliance deadline of June 30, 2026. This includes providing candidates with the right to appeal AI-based decisions and to request human review.

5.5 NYC Local Law 144

Recruiters using WiHire.ai to fill roles in New York City must independently satisfy the obligations under NYC Local Law 144, including conducting and publishing annual independent bias audits of automated employment decision tools.

6. Sub-processor List and Approval

PIXONIQ LLC engages the following Sub-processors to operate the WiHire.ai platform. By accepting this DPA, Recruiters consent to these Sub-processors:

  • Supabase: Database hosting and user authentication — data stored in US-region servers
  • Stripe: Payment processing for recruiter accounts
  • Resend: Transactional email delivery (zeyla@wihire.ai)
  • Anthropic: AI screening via Claude API (powers Zeyla™)
  • Cloudflare: Web hosting (Cloudflare Pages), DNS management, and CDN
  • Eleven Labs: Conversational AI agent for candidate interactions (voice-based screening)

PIXONIQ LLC will notify Recruiters thirty (30) days in advance of engaging any new Sub-processor. Recruiters may object to a new Sub-processor by contacting privacy@wihire.ai within fifteen (15) days of notification.

7. Data Retention and Deletion

  • Candidate Data: Retained per candidate consent settings. Candidates may withdraw consent at any time, triggering re-anonymisation within seventy-two (72) hours.
  • Recruiter Data: Retained for seven (7) years for tax and audit purposes following contract termination.
  • Deletion Requests: Honored within thirty (30) days. Pseudonymization is used for CCPA erasure to preserve referential integrity rather than hard delete.
  • Consent Audit Records: Retained for seven (7) years in write-protected, append-only format to satisfy legal and regulatory obligations.

ElevenLabs Voice Data (Release 2)

When Zeyla™ voice persona is enabled, the following data handling applies:

  • Data Processed: Candidate voice input, real-time speech-to-text transcription, session metadata
  • Retention: Per ElevenLabs data processing terms. Voice sessions are limited to three (3) minutes per interaction.
  • Post-Session: AI-generated summaries produced by Claude (Anthropic) and delivered to candidates via Resend email. Voice recordings are not retained after summarisation.
  • Candidate Consent: Voice interaction requires explicit candidate consent before session initiation.

8. Security Standards

PIXONIQ LLC Security Measures

  • Row-Level Security (RLS) enforced on all Supabase tables
  • TOTP two-factor authentication mandatory for all recruiter accounts
  • Encryption of data at rest and in transit using industry-standard protocols
  • Audit logging on all PII access events
  • Regular encrypted backups stored in geographically distributed locations
  • EIN-based identity verification for recruiter accounts

Recruiter Security Obligations

Recruiters must maintain reasonable access controls on their end, including:

  • Restricting access to WiHire.ai accounts to authorized personnel only
  • Not sharing login credentials
  • Implementing password policies consistent with industry best practices
  • Reporting any suspected unauthorized access immediately to privacy@wihire.ai

9. Governing Law and Dispute Resolution

This DPA is governed exclusively by the laws of the State of Michigan and the applicable federal laws of the United States of America, without regard to conflict-of-law principles.

Arbitration

Any dispute arising under or relating to this DPA shall be resolved exclusively by binding arbitration in Oakland County, Michigan, in accordance with the rules of the American Arbitration Association. The arbitrator's decision shall be final and binding, and judgment upon the award may be entered in any court of competent jurisdiction.

Class Action Waiver

Each party agrees that any dispute resolution proceedings will be conducted only on an individual basis and not in a class, consolidated, or representative action. Neither party shall participate in or seek to consolidate or aggregate claims with those of any other party.

10. DPA Acceptance

Acceptance of this DPA occurs when the Recruiter completes registration on WiHire.ai. The following occurs at acceptance:

  • Recruiter acknowledges having read and understood this DPA
  • Checkbox acknowledgment during recruiter onboarding constitutes binding acceptance
  • Timestamp and IP address are logged in Supabase at acceptance
  • This DPA is incorporated by reference into the WiHire.ai Terms of Service

Annex A — Resume & Document Processing

This Annex describes the technical and organisational measures applied to candidate resumes and recruiter job descriptions uploaded to WiHire.ai. It supplements Sections 6 (Sub-processors), 7 (Retention), and 8 (Security) and is binding on all parties to this DPA.

A.1 Subject Matter, Duration & Data Subjects

  • Subject matter: processing of candidate resume documents and recruiter job description documents necessary to operate the WiHire.ai consent-first matching service.
  • Duration: for the duration of the candidate's or recruiter's account, plus the retention horizons specified below.
  • Categories of data subjects: candidates (job seekers) registered on WiHire.ai whose resumes are uploaded; recruiters (employer representatives) whose job descriptions are uploaded.
  • Categories of personal data: file content (resume / JD), filenames, MIME types, file sizes, SHA-256 file hashes, AI-derived parsed text (when consented), upload timestamps, access timestamps, IP addresses and user-agent strings (audit log only).

A.2 Original Format Preservation & Integrity

  • Original uploaded files are stored unchanged in private Supabase Storage buckets (wihire-resumes, wihire-jds); upload uses upsert: false to prevent overwrite.
  • Each file's SHA-256 hash is captured at upload time and recomputed before every authorised access. Hash mismatch ⇒ file is not served and a critical security event is logged.
  • The fields original_file_path and original_file_hash are immutable after insert (database trigger-enforced).

A.3 AI-Derived Content (Optional, Consent-Gated)

Zeyla™ extracts and analyses parsed text from a resume only when the candidate has explicitly opted in (ai_processing_consent = true) at upload or in Privacy Settings. Derived text is encrypted at rest using AES-256-GCM column-level encryption (12-byte IV prepended to ciphertext) before being persisted, and is never disclosed to recruiters or any third party in place of the original file. Sub-processor Anthropic PBC may receive parsed text strictly for the purpose of producing match results and only when this consent is active; revoking consent triggers deletion of derived analysis within thirty (30) days.

A.4 Append-Only Audit Log

WiHire maintains separate resume_audit_log and jd_audit_log tables. Each is append-only (database trigger blocks UPDATE / DELETE) and captures, for every state-changing event: actor identifier, actor role, action, resource identifier, IP address, user-agent, structured metadata, and timestamp. Recruiter access events additionally record the consent identifier, employer FEIN, role context, and signed-URL expiry, providing the regulatory chain of custody required by GDPR Article 5(2), CO SB-205, CCPA, and NYC Local Law 144.

A.5 Retention Horizons (Resume & JD)

  • Original resume / JD files: account duration plus ninety (90) days following account closure (or earlier on candidate / recruiter request).
  • AI-derived parsed text: until the candidate withdraws AI-processing consent, plus thirty (30) days for purge propagation.
  • Resume / JD audit logs: seven (7) years (regulatory chain-of-custody requirement); PII fields (ip_address, user_agent) pseudonymised on GDPR Article 17 erasure.

A.6 GDPR Article 17 Erasure Flow

On a verified erasure request, the database function fn_gdpr_erase_candidate_resumes atomically: (a) soft-deletes all resume rows for the candidate, (b) clears parsed_text and parsed_text_encrypted across the candidate's parsed-text rows, (c) pseudonymises PII fields in resume_audit_log while preserving the row count and timestamps. The gdpr-erase-resume Edge Function then physically purges the candidate's storage prefix (candidates/{id}/...) and appends a final gdpr_erasure audit entry with stage='storage_purge_complete' and legal_basis='GDPR Article 17'.

A.7 Sub-processor Confirmation

The sub-processors named in Section 6 of this DPA are the only third-parties that receive resume or JD content. Anthropic PBC receives parsed text only under candidate consent (per A.3); Supabase Inc. hosts the encrypted database and storage buckets on US-region AWS infrastructure; Cloudflare Inc. serves the front-end and provides TLS termination; Resend Inc. delivers transactional notifications (e.g. resume-ready emails) but never receives resume or JD payloads.

A.8 Contact for Resume / Document Matters

For all resume- or document-specific privacy and integrity matters under this Annex, contact zeyla@wihire.ai. General DPA correspondence remains directed to privacy@wihire.ai.

A.9 Agent-Principal Data Processing

Where an enterprise agent-principal customer (consulting firm, staffing firm, vendor manager, or managed service provider) uses WiHire to produce AI-tailored derivative resumes for their own client job descriptions, the following additional controls apply on top of A.1–A.8:

  • Identity verification. An agent-principal organisation must complete FEIN verification by a WiHire administrator before is_active is set; batch-mode submission additionally requires verified_at to be set, enforced at the database trigger level.
  • Authority chain. Every tailoring or onward-delivery operation requires a valid, unrevoked, in-window credential from authority_chain_credentials. Credentials are JWS records (RFC 7515; ECDSA over secp256k1, FIPS 186-4) with hash-verified integrity. Issuer / subject IDs are intentionally non-FK so that the chain survives entity deletion under GDPR Article 17(3)(b).
  • Per-resume consent. Each tailoring run verifies the data-subject's AI processing consent on the source resume. A batch submission does not bypass per-resume consent — the gate runs on every item.
  • Candidate approval gate. No tailored output is delivered to any onward client until the candidate explicitly approves that specific version. The fn_prevent_unapproved_delivery trigger blocks delivery at the database layer.
  • Append-only audit. Every tailoring, integrity, consent, and delivery event is written to tailoring_audit_log. UPDATE and DELETE on this table are blocked by trigger; event records are linked by SHA-256 hash chain for tamper evidence.
  • GDPR erasure independent of originals. The candidate-self-service gdpr-erase-tailored endpoint allows tailored versions to be erased without affecting the original resume record.
  • Sub-processor for tailoring AI. Anthropic PBC processes the parsed resume text and the JD text under the F4 factual-integrity system prompt to produce the tailored output. Anthropic does not retain content for training. The model identifier (e.g. claude-sonnet-4-20250514) and the SHA-256 hash of the system prompt are stored on every tailored_resumes row for reproducibility audit.
  • Data residency. Each onward client carries a data_residency_region attribute (US / EU / UK / CA). Where the value is eu, processing is restricted to EU-hosted Supabase regions and EU-routed Anthropic endpoints.

Questions about this DPA?

Email privacy@wihire.ai
PIXONIQ LLC · Troy, Michigan · USA
This DPA does not constitute legal advice. Consult a qualified attorney for legal guidance specific to your situation.