This Data Processing Addendum ("DPA") is entered into by and between the entity signing or agreeing to this document ("Customer" or "Data Controller") and Manatal ("Company" or "Data Processor"). This DPA supplements the Subscription Agreement or Terms and Conditions https://www.manatal.com/terms-and-conditions ("Agreement") between the parties.
1. Definitions
● "Applicable Data Protection Law" means all worldwide privacy and data protection laws applicable to the Processing of Personal Data under the Agreement, including the EU/UK GDPR and the California Consumer Privacy Act (CCPA/CPRA), as amended.
● "Personal Data" means any information relating to an identified or identifiable natural person processed by Manatal on behalf of the Customer in connection with the Services.
● "Data Subject" means the individual to whom the Personal Data relates (e.g., job applicants, candidates, employees).
● "Security Incident" means any actual, confirmed unlawful destruction, loss, alteration, unauthorized disclosure of, or malicious access to Customer’s Personal Data.
2. Scope and Role of the Parties
● 2.1 Relationship: The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Data Controller and Manatal is the Data Processor.
● 2.2 Customer Instructions: Manatal will only Process Personal Data on behalf of and in accordance with the documented instructions of the Customer, including with respect to transfers of Personal Data, unless required to do so by applicable law. The Agreement and this DPA constitute the Customer’s complete instructions.
3. Technical and Organizational Measures (Security)
● 3.1 Security Program: Manatal shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.
● 3.2 Confidentiality: Manatal ensures that all personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4. Subprocessors
● 4.1 Prior Authorization: Customer grants a general written authorization to Manatal to engage Subprocessors to provide infrastructure, hosting, and core software services. A current list of Subprocessors is available here.
● 4.2 Notification of Changes: Customer can turn on notifications and receive changes or replacements concerning Manatal Subprocessors giving the Customer the opportunity to object on reasonable data protection grounds.
● 4.3 Downstream Flow-Down: Manatal will impose data protection obligations upon any Subprocessor it engages that are no less restrictive than those contractual obligations imposed on Manatal under this DPA.
5. Data Subject Rights & Cooperation
● 5.1 Assistance: Taking into account the nature of the processing, Manatal will provide reasonable assistance to the Customer, insofar as this is possible, to enable the Customer to respond to requests from Data Subjects exercising their rights (e.g., access, deletion, or portability requests).
● 5.2 Direct Requests: If a Data Subject contacts Manatal directly regarding Personal Data belonging to the Customer, Manatal will forward the request to the Customer without undue delay and will not respond directly unless legally required.
6. Incident Management and Notification
● 6.1 Notification: Manatal will notify Customer without undue delay, and in any event within seventy two (72) hours, after becoming aware of a confirmed Security Incident.
● 6.2 Details: The notification will contain sufficient information to allow the Customer to meet its obligations under Applicable Data Protection Law, including the nature of the breach, the categories of data affected, and the mitigation steps taken or planned.
7. Audit Rights
● 7.1 Documentation: Manatal will make available to Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA.
● 7.2 Formal Audits: To the extent Customer requires an audit to verify compliance, Customer may request a third-party security certification or audit report (SOC 2 Type 2) held by Manatal. If further inspection is legally required, it shall be conducted during regular business hours, no more than once per year, at the Customer's expense, and subject to strict confidentiality agreements.
8. International Data Transfers
● 8.1 Transfer Mechanisms: To the extent that the provision of Services involves a transfer of Personal Data originating from the EEA, UK, or Switzerland to a country not recognized as providing an adequate level of protection, the parties agree that the Standard Contractual Clauses (SCCs) approved by the European Commission shall apply and are incorporated herein by reference.
9. Return and Deletion of Data
● 9.1 Termination: Upon termination or expiration of the Agreement, Manatal shall, at the choice and expense of the Customer, delete or return all Personal Data in its possession, custody, or control, unless applicable law requires the continued storage of the Personal Data.
Exhibit A: Details of Processing
Exhibit B: Technical & Organizational Security Measures
Manatal maintains a robust, enterprise-grade security posture designed to guarantee the confidentiality, integrity, and availability of Customer Data. The Company continually reviews and improves these measures, maintaining compliance with SOC 2 Type II standards.
1. Data Encryption & Privacy
Data in Transit: All communication between Customer users and Manatal production servers is mandatory over HTTPS, utilizing secure SSL/TLS 1.2 or higher encryption protocols.
Data at Rest: All core customer databases and files are fully encrypted at rest using industry-standard AES-256 encryption algorithms.
Credentials Security: User authentication credentials are safely transformed using advanced one-way cryptographic hashing algorithms; plain-text passwords are never stored anywhere within the system.
2. Infrastructure & Hosting Security
Top-Tier Cloud Infrastructure: All Services run exclusively in a secure multi-tier network environment hosted on Amazon Web Services (AWS) in the United States.
Data Center Compliance: Physical infrastructure centers are managed by AWS and maintain strict adherence to global standards, accredited under ISO 27001, SOC 1, SOC 2, SSAE 16, and ISAE 3402.
Resilience & Uptime: Built with modern disaster-recovery and failover infrastructure to guarantee a contractual service uptime level of 99.9% or higher.
3. Business Continuity & Backup Lifecycle
Daily Snapshots: Manatal runs full, automated daily backups of all system databases to protect against catastrophic events.
Backup Integrity: Backups are securely encrypted, stored isolated from production environments, and rigorously tested to ensure immediate availability.
Retention Policy: All daily automated backups are permanently overwritten and naturally purged on a strict 7-day retention cycle.
4. Identity & Access Control
Internal Personnel Restrictions: Access to underlying systems and customer environments is strictly restricted to a limited pool of authorized key engineering staff on a "need-to-know" basis, governed by signed corporate confidentiality agreements.
Privileged System Access: Internal operational access to AWS, GitHub, and production backends strictly enforces complex password policies and mandatory Multi-Factor Authentication (MFA / 2FA).
Customer Role-Based Access Control (RBAC): The software platform provides customizable, multi-tier user role permissions, ensuring that Customer data is partitioned internally so users can only view records they are explicitly authorized to access.
5. Vulnerability Management & Engineering
Secure Development Practices: Engineering teams utilize strict secure coding practices heavily aligned with defending against the OWASP Top 10 web application security risks.
Continuous Detection: Deployment of automated vulnerability detection software and real-time security scanning to actively monitor environment changes.
Proactive Threat Mitigation: Continuous infrastructure monitoring with real-time automated threat alarms configured to immediately flag anomalies to on-call engineering response teams.
Responsible Disclosure: Maintenance of an active, monitored Vulnerability Disclosure Program allowing vetted security researchers to responsibly report zero-day bugs directly to security engineers via dedicated channels (vulnerability-report@manatal.com).