(Version 1.1)
This Data Processing Agreement ("DPA") forms part of the agreement between:
Data Controller: The Customer ("you"), the business entity using the JobMojito platform for recruitment and hiring workflows. The Data Controller determines the purposes and means of processing candidate personal data and is responsible for all hiring decisions.
Data Processor: JobMojito ("we", "us", "our"), operated by FreshMint ai OÜ, an Estonian entity with registered address at Sepapaja tn 6, 15551, Tallinn, Estonia. JobMojito delivers the platform technology, hosts data, and processes personal data on behalf of the Customer. This DPA applies where the Processor processes Personal Data on behalf of the Controller in connection with the JobMojito platform.
For more information about JobMojito's security practices and compliance, please visit trust.jobmojito.com.
1.1 The Controller determines the purposes and means of processing Personal Data.
1.2 The Processor processes Personal Data solely on documented instructions from the Controller.
1.3 The parties agree that they are not joint controllers for the processing activities governed by this DPA.
Processing of candidate interview data within the JobMojito platform for recruitment and hiring workflows.
Processing shall continue for the duration of the underlying services agreement and any applicable retention period defined therein.
Processing activities may include:
Hosting and storage of candidate interview data;
AI-assisted transcript generation;
Application of Controller-defined scoring rubrics;
Optional behavioural and speech analytics where enabled by Controller;
Generation of structured summaries;
Maintenance of system logs for audit and security purposes.
The Processor:
Does not autonomously accept or reject candidates;
Does not make fully automated employment decisions;
Does not use identifiable candidate interview data for AI model training or independent product development;
Uses only aggregated and anonymised statistical insights for product improvement.
Job applicants or candidates invited by Controller;
Controller-authorised platform users.
May include:
Name and contact details;
CV or application materials;
Audio and/or video recordings;
Interview transcripts;
Structured scoring outputs;
Behavioural/speech analytics (if enabled);
Technical metadata and system logs.
Biometric voiceprint data is excluded from this DPA unless separately agreed under a dedicated biometric processing addendum.
The Processor shall:
6.1 Process Personal Data only on documented instructions of the Controller.
6.2 Ensure that persons authorised to process Personal Data are subject to confidentiality obligations.
6.3 Implement appropriate technical and organisational measures ("TOMs") as described in Annex 1.
6.4 Assist the Controller in responding to requests from data subjects.
6.5 Assist the Controller in ensuring compliance with Articles 32-36 GDPR, including support with DPIAs where reasonably required.
6.6 Notify the Controller without undue delay upon becoming aware of a Personal Data Breach, in accordance with Section 9.
6.7 Delete or return Personal Data upon termination of the services in accordance with Section 10.
7.1 The Controller authorises the Processor to engage sub-processors listed in Annex 2.
7.2 The Processor shall:
Enter into written agreements with sub-processors imposing data protection obligations equivalent to those in this DPA;
Remain liable for sub-processor compliance.
7.3 The Processor shall provide prior notice of intended sub-processor changes. The Controller may object on reasonable data protection grounds.
8.1 EU customer data is hosted within AWS EU regions.
8.2 Where Personal Data is transferred outside the EEA or UK:
Standard Contractual Clauses (SCCs) or the UK Addendum shall apply where required;
Appropriate technical safeguards shall be implemented.
9.1 The Processor implements technical and organisational measures as set out in Annex 1, including encryption, access controls, logging, and tenant separation.
9.2 The Processor maintains an Incident Response & Breach Notification Policy.
9.3 In the event of a confirmed Personal Data Breach, the Processor shall notify the Controller without undue delay following confirmation and provide:
Description of the nature of the breach;
Categories of data affected;
Likely consequences;
Measures taken or proposed;
Contact point for further information.
9.4 The Processor shall cooperate with the Controller in fulfilling regulatory reporting obligations.
10.1 Candidate interview data is retained for 12 months by default (configurable by Controller).
10.2 Behavioural scoring data is retained only as long as the associated interview record.
10.3 Security and scoring logs are retained for 12 months.
10.4 Infrastructure logs are retained for 30-90 days.
10.5 Encrypted backups operate on a rolling cycle not exceeding 30 days. Deleted data is purged automatically upon expiry of the backup cycle.
10.6 Upon termination of services, Personal Data shall be deleted or returned in accordance with Controller instructions, subject to backup retention cycles.
11.1 The Controller may conduct one audit per calendar year upon reasonable written notice.
11.2 Audits shall:
Be limited to data protection compliance;
Be conducted remotely unless otherwise required;
Be subject to confidentiality;
Not disrupt other customers;
Be at the Controller's expense.
11.3 Additional audits may occur following a confirmed Personal Data Breach affecting the Controller.
12.1 Liability under this DPA shall be subject to the limitations set out in the underlying services agreement.
12.2 Nothing in this DPA limits liability that cannot lawfully be limited.
For a detailed overview of the technical and organisational measures implemented by JobMojito, please visit our Trust Centre at trust.jobmojito.com.
For a current list of sub-processors, please visit our Trust Centre at trust.jobmojito.com.
Last updated in March 2026