Data Processing Agreement
Template DPA — for execution contact legal@dayone.kz
Last updated: May 1, 2026
1. Parties and Scope
This Data Processing Agreement ("DPA") is entered into between the company using the DayOne platform ("Controller" or "Employer") and DayOne Inc. ("Processor"). This DPA forms part of the Terms of Service and governs the processing of personal data of Candidates on behalf of the Controller.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person (Candidate).
- Processing: Any operation performed on Personal Data, including collection, storage, analysis, and deletion.
- Sub-processor: Any third party engaged by the Processor to assist in processing Personal Data.
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
3. Processing Details
4. Processor Obligations
DayOne Inc. as Processor shall:
- Process Personal Data only on documented instructions from the Controller.
- Ensure personnel authorized to process Personal Data are under confidentiality obligations.
- Implement appropriate technical and organizational security measures (Article 32 GDPR).
- Not engage new Sub-processors without prior written consent of the Controller, except those listed in Annex A.
- Assist the Controller in responding to data subject rights requests, acknowledging and beginning to act on each request within 72 hours of the Processor receiving it from the Controller.
- Notify the Controller of any Personal Data breach without undue delay, and in any event within 72 hours of becoming aware of it (Article 33(2) GDPR), so that the Controller can meet its own 72-hour notification deadline under Article 33(1).
- Delete or return all Personal Data at the end of the service relationship upon request.
- Provide all information necessary to demonstrate compliance with this DPA.
5. Controller Obligations
The Controller shall:
- Have a valid legal basis under Article 6 GDPR for processing Candidate data (for example legitimate interest or consent).
- Inform Candidates about the data processing in their privacy notice.
- Obtain explicit consent for webcam proctoring (L4) where required by applicable law.
- Comply with local employment laws, including New York City Local Law 144 (the AEDT Law) and the Illinois Biometric Information Privacy Act (BIPA) where applicable.
- Not instruct Processor to process data in violation of applicable laws.
6. Sub-processors
Annex A — Approved Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Neon Inc. | PostgreSQL database hosting | US (AWS us-east-1) |
| Vercel Inc. | Application hosting & CDN | US / EU |
| Resend Inc. | Transactional email delivery | US |
| Stripe Inc. | Payment processing | US |
| Cloudflare, Inc. (R2 object storage) | Webcam recording storage (L4) | EU / US |
| PostHog Inc. | Product analytics (anonymized) | US / EU |
| Sentry Inc. | Error monitoring | US |
| Google LLC (Gemini) | AI essay evaluation & content detection | US |
7. International Transfers
Where Personal Data is transferred outside the EEA, such transfers are made on the basis of the Standard Contractual Clauses (SCCs) adopted by the European Commission (Implementing Decision (EU) 2021/914), or to countries covered by an adequacy decision. Controllers may request copies of the applicable SCCs at legal@dayone.kz.
8. Security Measures
DayOne implements the following measures:
- TLS 1.2 or higher for all data in transit.
- Password hashing with bcrypt at a cost factor of 12.
- Row-level access controls in the database, so that a tenant's queries are restricted to that tenant's rows.
- JWT-based authentication, with tokens delivered in cookies set with the Secure and HttpOnly attributes.
- Rate limiting on all endpoints.
- Regular auditing of third-party dependencies for known vulnerabilities.
- Error monitoring via Sentry.
- The infrastructure security controls provided by Vercel as hosting provider.
9. Retention and Deletion
Personal Data of Candidates is retained for the period specified in the Privacy Policy (a maximum of 2 years for assessment data). Controllers may request earlier deletion via the dashboard or at privacy@dayone.kz. Deletion is completed within 30 days of the request.
10. Execution
This DPA template is incorporated by reference into the Terms of Service. For a countersigned executed version, enterprise agreements, or jurisdiction-specific addenda (CCPA, UK GDPR, Swiss FADP), contact legal@dayone.kz.