This page is the public reference point for the Data Processing Agreement (Auftragsverarbeitungsvertrag, DPA/AVV under Art. 28 GDPR) that governs any personal data Prism processes on behalf of a controller. Because Prism is a private application dossier — not a multi-tenant SaaS — an AVV is usually not required: in the normal recruiter flow, Steffen is the sole controller of his own data, and the recruiter is a data subject, not a controller commissioning a processor.
An AVV becomes relevant only when a recruiter, search firm, or employer wants to use data Prism generates (e.g. a downloaded dossier) inside their own HR infrastructure in a way that would constitute processing on their side. If you need a signed AVV for your compliance file, email steffen@heidrich.ai with your legal entity’s name and the scope you intend to process; a countersigned copy is sent back within one working day.
Sub-processors
Under any AVV, the following sub-processors are engaged. Each of them has its own Art. 28 agreement with Prism, which is incorporated by reference.
- Clever Cloud SAS, 3 rue de l’Allier, 44000 Nantes, France — application hosting, PostgreSQL, object storage (Cellar). Processing region: Paris (EU).
- Anthropic PBC, 548 Market St PMB 90375, San Francisco, CA 94104-5401, USA — generative-AI API for the deep-dive agent and the intent classifier. Processing under Anthropic’s own Data Processing Addendum, with SCCs covering the EU-US transfer and a commercial no-training commitment.
No other processors are engaged: no analytics vendors, no advertising networks, no CRM, no email marketing. Steffen is informed in advance of any change to this list, and the AVV is updated accordingly.
Technical and organisational measures (summary)
- Transport encryption (TLS 1.2+) for every external connection.
- Encryption at rest on the database and on object storage, managed by Clever Cloud.
- Access control via signed JWTs with short expiry and server-side revocation; admin console separately password-gated.
- Data minimisation: recruiter names never hit the access log; raw agent questions are never persisted (see data policy).
- Logical separation of environments; production secrets live only in Clever Cloud’s env-var store.
Governing law & jurisdiction
The AVV is governed by the laws of the Federal Republic of Germany. Exclusive place of jurisdiction for disputes arising out of the agreement is Mainz.