Phaedra Solutions · Rubrily
Data Processing Agreement
Effective: 11 July 2026Last updated: 11 July 2026Version: 1.0
This DPA governs how Phaedra Solutions processes candidate data and other personal data on behalf of Rubrily customers. It is incorporated into the Terms for all customers — free and paid — and is written to be relied on as-is. Enterprise customers can request a countersigned copy at legal@rubrily.com.
1. Parties, scope and definitions
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Phaedra Solutions ([CONFIRM: exact registered legal form, e.g. “Phaedra Solutions (Private) Limited”]), headquartered in Lahore, Pakistan ([CONFIRM: full registered company address], registration [CONFIRM: company registration number]) (“Processor”, “we”), and the customer accepting the Terms (“Customer”, “you”). It governs our Processing of Personal Data contained in Customer Content — above all, candidate data — in the course of providing the Rubrily service (the “Service”).
“GDPR” means Regulation (EU) 2016/679, and “UK GDPR” means the GDPR as incorporated into United Kingdom law. “Data Protection Law” means the GDPR, the UK GDPR and any other privacy law applicable to the Processing.
“Personal Data, Processing, Controller, Processor, Data Subject, Personal Data Breach” have the meanings given in the GDPR.
“Candidate Data” means Personal Data relating to a job candidate that the Customer processes through the Service.
“SCCs” means the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914, as completed in Section 10.
The subject matter, duration, nature and purposes of Processing, the categories of Data Subjects and of Personal Data are set out in Annex I.
2. Roles and instructions
For Candidate Data and other Personal Data in Customer Content, the Customer is the Controller (or a processor acting for another controller, in which case we are a subprocessor and this DPA applies accordingly) and Phaedra Solutions is the Processor.
We Process such Personal Data only on the Customer’s documented instructions — these Terms, this DPA, and the Customer’s configuration and use of the Service’s features are those instructions — including with regard to international transfers, unless required to do otherwise by law that applies to us; in that case we inform the Customer of the legal requirement before Processing, unless the law prohibits that on important grounds of public interest. We will promptly inform the Customer if, in our opinion, an instruction infringes Data Protection Law.
The Customer is responsible for the lawfulness of the Personal Data it collects and the instructions it gives — including having a lawful basis, providing candidate notices, and configuring the Service consistently with its obligations.
3. Confidentiality of personnel
We ensure that every person we authorize to Process Personal Data — employees and contractors alike — is bound by a contractual or statutory duty of confidentiality, is granted access on a need-to-know basis under the access controls in Annex II, and receives appropriate data-protection training.
4. Security of Processing (Art 32)
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risks to Data Subjects, we implement and maintain the technical and organizational measures set out in Annex II. We may update those measures as technology evolves, provided the protection of Personal Data is not materially reduced.
5. Subprocessors
The Customer grants a general authorization to engage the subprocessors listed in Annex III (maintained at rubrily.com/subprocessors). We impose on every subprocessor, by contract, data protection obligations no less protective than this DPA, and we remain fully liable to the Customer for a subprocessor’s performance.
We will give the Customer at least 30 days’ notice by email before adding or replacing a subprocessor (default — confirm). The Customer may object on reasonable data-protection grounds within the notice period; we will then work with the Customer in good faith on an alternative, and if none is reasonably available the Customer may terminate the affected part of the Service with a pro-rata refund of prepaid fees.
6. Assistance to the Customer (Arts 28(3)(e)–(f), 32–36)
Taking the nature of the Processing into account, we assist the Customer with appropriate technical and organizational measures — as far as possible — in fulfilling the Customer’s obligation to respond to Data Subjects exercising their rights (access, rectification, erasure, restriction, portability, objection). In practice: the Service’s export functions and its built-in erasure workflow let the Customer answer most requests directly; for anything else, we assist on request at privacy@rubrily.com.
If a Data Subject contacts us directly about Candidate Data, we do not respond on the merits; we route the request to the Customer without undue delay and tell the Data Subject we have done so — the routing described in the Candidate Privacy Notice.
We also assist the Customer, taking into account the nature of the Processing and the information available to us, with the Customer’s obligations under Articles 32–36 GDPR: security, breach notification to authorities and Data Subjects, data protection impact assessments, and prior consultation.
7. Personal Data Breach notice
We notify the Customer of a Personal Data Breach affecting Customer Content without undue delay and in any case within 72 hours of becoming aware(default — confirm). The notice describes, to the extent known: the nature of the breach, the categories and approximate numbers of Data Subjects and records affected, likely consequences, the measures taken or proposed, and a contact point. We provide updates as our investigation progresses and cooperate with the Customer’s own notification obligations. Our notice is not an admission of fault.
8. Deletion and return at end of Service
On termination or expiry of the Service, the Customer has an 30-day export window (the Service provides CSV and PDF export). After that window we delete all Personal Data in Customer Content within 30days (defaults — confirm), unless law applicable to us requires storage — in which case we isolate and protect the data, Process it for no other purpose, and delete it when the requirement ends. On written request we confirm deletion in writing. During the term, the Customer can delete Candidate Data at any time using the Service’s erasure workflow.
9. Audits and information
We make available to the Customer the information reasonably necessary to demonstrate compliance with Article 28 GDPR — starting with this DPA, Annex II, our security pageand completed security questionnaires. Where that information is insufficient, the Customer (or an independent auditor that is not our competitor) may audit our compliance: on reasonable prior notice, at most once per year (except after a Personal Data Breach or where a supervisory authority requires it), during business hours, under confidentiality, without access to other customers’ data, and at the Customer’s cost. We may satisfy an audit request with a recent third-party report to the extent it covers the scope requested.
10. International transfers
We are headquartered in Lahore, Pakistan, and Processing involves the countries shown in Annex III. Where Processing involves a transfer of Personal Data protected by the GDPR to a country without an adequacy decision, the parties incorporate the SCCs (2021/914), Module Two (controller → processor) into this DPA by reference — and Module Three (processor → processor) where the Customer acts as a processor for another controller — completed as follows: Clause 7 (docking) included; Clause 9(a) Option 2 with the notice period in Section 5; Clause 11 optional redress not selected; Clause 17 Option 1 with the law of Ireland; Clause 18 the courts of Ireland; Annexes I–III of the SCCs are completed by Annexes I–III of this DPA. For transfers subject to UK GDPR, the UK International Data Transfer Addendum (version B.1.0) applies with the same appendix information ([CONFIRM: UK customers targeted]).
We are not certified under the EU–US Data Privacy Framework and this DPA makes no DPF claim. Where a transfer assessment identifies supplementary measures, we implement them per Annex II.
11. Liability, order of precedence and signature
Each party’s liability under this DPA is subject to the exclusions and caps in the Terms of Service; nothing in this DPA limits a Data Subject’s rights or either party’s liability where Data Protection Law does not allow it to be limited.
If documents conflict: the SCCs prevail over this DPA; this DPA prevails over the Terms for Processing of Personal Data; the Terms govern everything else.
This DPA is incorporated into the Terms for all customers and needs no signature to bind the parties. Enterprise customers that need a countersigned copy can request one at legal@rubrily.com ([CONFIRM: countersigning offer and process]).
Annex I — Details of Processing
Subject matter: provision of the Rubrily applicant tracking and AI screening service.
Duration: the term of the Terms of Service, plus the export and deletion windows in Section 8.
Nature and purposes:hosting and storage; conducting asynchronous AI interviews (including recording and transcription); AI evaluation of CVs and interview responses against Customer-defined rubrics, producing per-criterion scores with written justifications and blended Fit Scores; pipeline and talent-pool management; candidate communications on the Customer’s instruction; export, reporting and analytics for the Customer; security, support and troubleshooting.
Data Subjects:the Customer’s job candidates; the Customer’s users (account holders); the Customer’s staff appearing in hiring records (e.g. reviewers, note authors).
Categories of Personal Data: identification and contact data (name, email, phone); application data and CV content (career history, education, skills); pre-screening answers; interview audio/video recordings and transcripts; assessment outputs (scores, justifications, strengths/gaps, integrity flags); usage and technical data (device checks, language preference, logs); user account data.
Special categories:not requested by the Service. The Service’s structured fields do not solicit special-category data, and Customers are instructed (Terms §6, §8) not to solicit it through free-text or interview questions. Incidental special-category data volunteered by a candidate is processed only as part of the record it appears in. [CONFIRM: product stance and any filtering]
Frequency: continuous, for the duration of the Service.
Annex II — Technical and Organizational Measures
These measures mirror the commitments on the security page; where a measure is pending confirmation it is marked, not overstated.
- Tenant isolation.Each Customer organization’s data lives in an isolated tenant enforced with row-level security; no other customer can query, see or match against it, and it is not used to train models across customers.
- Access control.Role-based access (Owner / Admin / Member) with project-level scoping inside the Customer’s tenant; SSO and advanced RBAC available on the Scale plan. Our own personnel access Customer Content on a need-to-know basis for support and operations, under confidentiality (Section 3).
- Candidate consent gates. Interviews cannot begin recording before the candidate is shown the monitored-interview conditions and gives explicit, separate consent to the conditions and to the recording.
- Erasure workflow.Deletion of a candidate’s personal data (profile, CV, recordings, transcripts) is a built-in product workflow, without engineering tickets.
- Data minimization in sharing. Client-share report links are anonymized with personally identifying details scrubbed.
- Encryption. Traffic to the sites and Service is encrypted in transit (TLS). [CONFIRM: encryption-at-rest posture of the application database and file storage]
- Logging and monitoring. Security-relevant events are logged (up to 90 days — default, confirm); [CONFIRM: alerting and review cadence].
- Backups and resilience. [CONFIRM: backup schedule, encryption and restore testing]
- Personnel. Confidentiality obligations and data-protection training for everyone with access; access revoked on role change or departure.
- Subprocessor management. Contracts imposing equivalent obligations, plus the notice-and-objection process in Section 5.
Annex III — Authorized Subprocessors
| Subprocessor | Function | Data categories | Location | Transfer mechanism |
|---|---|---|---|---|
| Vercel Inc. | Website and application hosting, CDN, serverless compute | All data transiting the site and Service (form submissions, account data, server logs) | United States (global edge network) | EU Standard Contractual Clauses (2021/914) |
| Rubrily application infrastructure — [CONFIRM: database / storage / compute provider(s) behind app.rubrily.com, with region(s)] | Application database, file storage (CVs, recordings), compute | Customer account data; candidate application data, CVs, assessment responses, recordings, transcripts, scores | [CONFIRM: region(s)] | EU Standard Contractual Clauses (2021/914) |
| Resend, Inc. | Transactional email delivery (invites, notifications, form receipts) | Names, email addresses, message content | United States [CONFIRM: Resend data region] | EU Standard Contractual Clauses (2021/914) |
| AI model provider(s) — [CONFIRM: name the provider(s) used for CV evaluation, interview conduct and scoring] | Large-language-model inference for CV evaluation, interview questioning and rubric scoring | CV text, interview transcripts and responses, rubric criteria (pseudonymised where feasible) | [CONFIRM: provider region / zero-retention configuration] | EU Standard Contractual Clauses (2021/914) |
| PostHog, Inc. (planned) | Product analytics on the marketing site (consent-gated) | Usage events, device and page data, first-touch campaign attribution | United States (US cloud) | EU Standard Contractual Clauses (2021/914) |
The live list, with change notifications, is maintained at rubrily.com/subprocessors. Some features let your organization connect its own services — for example connecting your own Gmail mailbox so candidate emails send from your address. Data handled by a service you connect is governed by your agreement with that provider, not by our subprocessor list.
Contact
Phaedra Solutions ([CONFIRM: exact registered legal form, e.g. “Phaedra Solutions (Private) Limited”]), Lahore, Pakistan · [CONFIRM: full registered company address]
Privacy: privacy@rubrily.com · Legal: legal@rubrily.com · General: contact@rubrily.com