LevelHire

Data Processing Agreement

For customers subject to GDPR, LFPDPPP, or equivalent data protection regulations

Request the full DPA document

Our standard DPA (GDPR Article 28 compliant) is available to any customer upon request. Send an email to privacy@levelhire.ai with your company name and country, and we will send you the signed DPA within 2 business days.


What Is a Data Processing Agreement?

A Data Processing Agreement (DPA) is a legally binding contract required under GDPR Article 28 whenever a company (the "Data Controller") uses a third-party service (the "Data Processor") to process personal data on its behalf.

If you use LevelHire to collect and evaluate candidate assessments, LevelHire acts as a Data Processor with respect to the personal data of your candidates. You, as the employer, are the Data Controller. The DPA formalizes the obligations and responsibilities of each party.

Who Needs a DPA?

  • Companies with employees or candidates located in the European Union or EEA (GDPR obligation).
  • Companies subject to the UK GDPR (post-Brexit equivalent).
  • Companies whose privacy program requires processor agreements regardless of jurisdiction.
  • Enterprises with procurement processes that require a signed DPA before vendor onboarding.

Mexican customers: the LFPDPPP has similar requirements. Our DPA covers obligations under both GDPR and LFPDPPP as applicable.

What Our DPA Covers

Our standard DPA addresses the requirements of GDPR Article 28 and includes:

  • Art. 28(3)(a): Processing only on documented instructions from the Controller.
  • Art. 28(3)(b): Confidentiality obligations for personnel authorized to process data.
  • Art. 28(3)(c): Technical and organizational security measures (encryption, access control, RLS).
  • Art. 28(3)(d): Sub-processor obligations, including Supabase, Vercel, Anthropic, Resend, and Stripe.
  • Art. 28(3)(e): Assistance to the Controller with data subject rights requests (access, erasure, portability).
  • Art. 28(3)(f): Data deletion or return upon termination of services.
  • Art. 28(3)(g): Audit rights and provision of information to demonstrate compliance.
  • Art. 28(3)(h): Immediate notification if a processing instruction infringes GDPR.
  • Art. 33–34: Data breach notification procedures (72-hour notification to the Controller).
  • Annex I: Subject matter, nature, purpose, type of data, and categories of data subjects.
  • Annex II: Technical and organizational security measures in detail.
  • Annex III: List of authorized sub-processors and their roles.

Sub-Processors

LevelHire uses the following sub-processors to deliver its services. All sub-processors are bound by data protection agreements at least as protective as this DPA:

  • Supabase (USA, AWS us-east-1): database hosting, authentication, file storage. SOC 2 Type II; DPA available.
  • Vercel (USA / Edge, global): application hosting, CDN, edge functions. SOC 2 Type II; DPA available.
  • Anthropic (USA): AI-powered challenge generation and response evaluation. Enterprise DPA with zero data retention for API calls.
  • Stripe (USA; EU data stored in the EU): payment processing and billing. PCI DSS Level 1; DPA available.
  • Resend (USA): transactional email delivery. DPA available.

We will provide advance notice of at least 30 days before adding or replacing a sub-processor that handles personal data governed by this DPA.

International Data Transfers

LevelHire is incorporated in Mexico and primarily serves customers in the US and Mexico, with a growing number of EU customers. For transfers of personal data from the EU/EEA to the United States, we rely on:

  • Standard Contractual Clauses (SCCs): Our DPA incorporates the EU Commission's 2021 SCCs (Module 2: Controller to Processor) for transfers to LevelHire in Mexico/USA.
  • Sub-processor SCCs: Where sub-processors receive EU personal data, they are bound by equivalent SCCs or operate under an adequacy decision.

Data Retention and Deletion

Upon termination or expiration of your LevelHire subscription, or upon your written request:

  • All candidate assessment data associated with your account will be permanently deleted within 30 days.
  • You may request an export of your data before deletion via your account dashboard or by contacting privacy@levelhire.ai.
  • Billing records are retained for 7 years as required by applicable tax law (US IRS, Mexican SAT), but are segregated from operational data.
  • Data stored in backups is purged within 90 days of the deletion request.

Security Measures

LevelHire implements appropriate technical and organizational measures to protect personal data, including:

  • AES-256 encryption at rest; TLS 1.2+ in transit.
  • PostgreSQL Row-Level Security (RLS) for tenant data isolation.
  • Role-based access control within customer accounts.
  • No plaintext storage of passwords or API keys.
  • Camera data processed locally — never uploaded to our servers.
  • Regular security audits and dependency patching.

For a full description of our security controls, see our Security page.

How to Request the Full DPA

To receive a copy of our signed, executable DPA document:

  1. Email privacy@levelhire.ai with subject line "DPA Request".
  2. Include your company name, registered country, and primary contact name.
  3. We will send a pre-signed DPA within 2 business days.
  4. Counter-sign and return one copy for our records.

If your legal team requires modifications to the standard DPA, please indicate this in your email. Negotiated DPAs are available for Enterprise customers.
