Data Processing Addendum
This Data Processing Addendum ("DPA") is incorporated by reference into the Terms of Service between Novah AI ("Processor", "we") and the customer ("Controller", "you") for the use of NovaHunt. It applies whenever Novah AI processes personal data on behalf of a B2B customer — typically when a company provides NovaHunt to its employees, contractors, or recruiting staff under a single billing relationship.
When NovaHunt is used by an individual job seeker for their own search, Novah AI acts as controller of their personal data and the consumer Privacy Policy governs. This DPA does not apply in that case.
This DPA reflects the obligations under EU GDPR Article 28, UK GDPR Article 28, the California Consumer Privacy Act ("CCPA") as amended by the CPRA, and similar laws.
1. Definitions
Capitalised terms not defined here have the meaning given to them in the GDPR, the UK GDPR, or the CCPA, as applicable. "Standard Contractual Clauses" or "SCCs" means the European Commission's standard contractual clauses for international transfers (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), and the UK International Data Transfer Addendum issued under the UK GDPR.
2. Scope and roles
For Customer Personal Data processed under the Agreement:
- the Controller determines the purposes and means of processing;
- the Processor (Novah AI) processes only on documented instructions from the Controller, with the Agreement, the operative subscription, and any written instructions transmitted via the NovaHunt admin console constituting those instructions.
Where the Processor is engaged by another processor (the Controller's own processor) — for example, a recruiting outsourcer that uses NovaHunt — Novah AI acts as a sub-processor, and module 3 of the SCCs applies.
3. Subject matter and duration
| Item | Detail |
|---|---|
| Subject matter | Provision of the NovaHunt agentic job-search service |
| Duration | The term of the underlying subscription, plus any retention windows required by law |
| Nature of processing | Storage, structured extraction, automated scoring, draft generation, conditional delivery (only on per-action user confirmation) |
| Purpose | Helping the Controller's authorised users (typically employees) conduct or assist job searches |
| Categories of data subjects | Authorised end users; recipients of outreach drafted on their behalf |
| Categories of personal data | Identification (name, email); resume content (work history, education, achievements); job preferences; job activity (searches, matches, applications); outreach drafts and metadata; billing identifiers (Stripe IDs only — Novah AI does not see card data); operational telemetry |
| Special categories of data | None expected. The Controller must not upload special-category data (Article 9 GDPR) or sensitive personal information (CCPA) without first agreeing additional safeguards with us in writing. |
4. Controller obligations
The Controller represents and warrants that:
- it has a valid lawful basis under Article 6 GDPR (and, where relevant, an Article 9 condition) for all personal data it instructs us to process;
- it has provided all required notices and obtained any required consents from the data subjects;
- its instructions to us comply with applicable data protection law.
Novah AI will tell the Controller without undue delay if, in our reasonable opinion, an instruction infringes data protection law, but we are not obliged to perform legal analysis on the Controller's behalf.
5. Processor obligations
Novah AI will:
- process Customer Personal Data only on documented Controller instructions and only to the extent necessary to provide the service;
- ensure persons authorised to process Customer Personal Data are under an appropriate confidentiality obligation;
- implement and maintain the technical and organisational measures described in Section 8;
- assist the Controller, taking into account the nature of processing, in responding to data subject requests (Section 6) and in carrying out its own obligations under Articles 32–36 GDPR;
- not engage a new sub-processor without the prior authorisation set out in Section 7;
- on termination, return or delete Customer Personal Data as set out in Section 12.
6. Data subject requests
If we receive a request directly from a data subject relating to Customer Personal Data, we will not respond except to confirm receipt and direct them to the Controller, unless the law requires otherwise. We will pass the request on to the Controller within 5 business days.
Where a Controller asks us to assist with an access, rectification, erasure, restriction, portability, or objection request, we will use the tools provided in the admin console (export, delete, redact) and, where the tools are insufficient, provide reasonable additional assistance. We may charge a reasonable fee for assistance that goes substantially beyond the standard export/delete flows.
7. Sub-processors
The Controller authorises Novah AI to engage the sub-processors listed below, on the understanding that we will impose data-protection obligations on each sub-processor that are no less protective than this DPA.
| Sub-processor | Role | Location |
|---|---|---|
| Anthropic | Claude model inference (resume parsing, matching, drafting) | United States |
| Railway | Application hosting, Postgres database, Redis cache | United States |
| Resend | Transactional email delivery (magic link, daily briefing, notifications) | United States |
| Sentry | Error monitoring (optional; off unless SENTRY_DSN is set) | United States |
| Stripe | Payments, subscriptions, credit packs, invoicing | United States |
| Adzuna | Job-board API (public listings) | United Kingdom |
| JSearch (via RapidAPI) | Job-board API (public listings) | United States |
| Greenhouse | ATS job-board API | United States |
| Lever | ATS job-board API | United States |
| Ashby | ATS job-board API | United States |
| Workable | ATS job-board API | Greece / United States |
Changes. We will provide the Controller with at least 30 days' written notice of any intended addition or replacement of a sub-processor that processes Customer Personal Data. The Controller may object on reasonable, data-protection-related grounds within that 30-day window. If we cannot accommodate the objection, the Controller may terminate the affected portion of the subscription for cause and receive a prorated refund of pre-paid fees.
8. Security measures
Novah AI implements and maintains the following technical and organisational measures. We do not currently hold SOC 2 or ISO 27001 certification, and we will not represent that we do.
Encryption.
- TLS 1.3 in transit on all public endpoints.
- Disk-level encryption at rest on the Postgres database via Railway-managed storage.
- AES-GCM encryption for any tenant-stored third-party credential (Greenhouse, Lever, Ashby, Workable, Adzuna, JSearch, Resend API keys), with the key derived from the per-deployment APP_SECRET. Plaintext credentials are never written to disk and are zeroed in memory after use.
Access control.
- Magic-link authentication (Auth.js) for end-user access; no passwords are stored.
- Role-based access (client/admin) at the application layer.
- RED-tier privileged actions (account deletion, credential changes, spend-cap overrides, application submission) require a fresh re-authentication.
- Production database and infrastructure access is limited to a small number of named operators on hardware-key-protected upstream accounts.
Auditability.
- Hash-chained, tamper-evident audit log (WARDEN): every privileged action appends a row whose hash incorporates the previous row's hash; tampering is detectable.
- Append-only operational logs for agent runs (agent_runs) and MCP calls (mcp_calls).
- 7-year retention on the audit trail.
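The hash-chaining described above, shown as an added illustration (this is not the WARDEN implementation, and the row fields, actor names and tenant values are constructed for the example): each row's hash covers the previous row's hash, so editing any earlier row, or even re-hashing an edited row in place, breaks the chain at a detectable position.

```python
import hashlib
import json

# Hash used as the "previous" value for the very first row (assumption for this example).
GENESIS_HASH = "0" * 64


def row_hash(prev_hash: str, actor: str, action: str, detail: str) -> str:
    """Hash of one audit row; the previous row's hash is part of the input."""
    payload = json.dumps(
        {"prev": prev_hash, "actor": actor, "action": action, "detail": detail},
        sort_keys=True,
        separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only list of rows; each row links to its predecessor by hash."""

    def __init__(self) -> None:
        self.rows: list[dict] = []

    def append(self, actor: str, action: str, detail: str = "") -> str:
        prev = self.rows[-1]["hash"] if self.rows else GENESIS_HASH
        row = {"prev": prev, "actor": actor, "action": action, "detail": detail}
        row["hash"] = row_hash(prev, actor, action, detail)
        self.rows.append(row)
        return row["hash"]

    def verify(self):
        """Return None if the chain is intact, else the index of the first bad row."""
        expected_prev = GENESIS_HASH
        for i, row in enumerate(self.rows):
            recomputed = row_hash(row["prev"], row["actor"], row["action"], row["detail"])
            if row["prev"] != expected_prev or row["hash"] != recomputed:
                return i
            expected_prev = row["hash"]
        return None


def demo():
    """Build a small log, then show two tamper attempts and where each is caught."""
    log = AuditLog()
    # Constructed sample rows modelled on the RED-tier actions named in Section 8.
    log.append("ops@example.test", "credential_change", "tenant=acme provider=greenhouse")
    log.append("ops@example.test", "spend_cap_override", "tenant=acme cap=500")
    log.append("admin@example.test", "account_deletion", "user=u_123")
    intact = log.verify() is None

    # Tamper 1: change a field in the middle row without touching its hash.
    log.rows[1]["detail"] = "tenant=acme cap=50000"
    caught_at_edited_row = log.verify()

    # Tamper 2: also recompute that row's hash so it looks self-consistent;
    # the next row still carries the old hash as its "prev", so the break moves to row 2.
    r = log.rows[1]
    r["hash"] = row_hash(r["prev"], r["actor"], r["action"], r["detail"])
    caught_at_next_row = log.verify()

    return intact, caught_at_edited_row, caught_at_next_row


if __name__ == "__main__":
    print(demo())
```

A verifier that walks the chain from the genesis value only needs the log itself; the retention period and an independently stored copy of the latest hash (for example, written to a separate system at intervals) are what stop an attacker who can rewrite every row from the tampered point onward.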
Spend and abuse controls.
- TURNSTILE pre-authorises every Claude call against per-user, tenant, and global ceilings.
- CANARY rule engine and ABACUS pattern analyst detect abuse deterministically and over time, with a halt-and-approve workflow before action.
- Three-tier ceiling structure (user / tenant / global) so one compromised account cannot exhaust shared resources.
Network and operational.
- Railway-managed network isolation between services.
- Dependency updates monitored and applied at least monthly.
- Backups retained for 30 days, restorable to point-in-time within that window.
- Defined breach-response runbook (Section 9).
What we do not yet do. We do not yet operate a formal information security management system certified to ISO 27001 or audited to SOC 2. We do not yet offer SAML SSO, hardware-key 2FA for end users, or customer-managed encryption keys. These are on the roadmap, not in production. If your procurement process requires any of them, please raise it with us before signing.
9. Personal data breach notification
If Novah AI becomes aware of a personal data breach affecting Customer Personal Data, we will notify the Controller without undue delay, and in any event within 72 hours of becoming aware. The notification will include, to the extent then known:
- the nature of the breach and the categories and approximate number of data subjects and records concerned;
- the likely consequences;
- the measures taken or proposed to address the breach and mitigate its effects;
- a contact point for further information.
If we cannot provide all of this information at once, we will provide it in stages and update the Controller as the investigation progresses. We will cooperate with the Controller's own breach-notification obligations.
10. International transfers
Where Customer Personal Data is transferred from the EEA, the UK, or Switzerland to a third country that does not benefit from an adequacy decision, the parties shall be bound by the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, both of which are incorporated by reference into this DPA. Module selection:
- where Controller is the controller and Novah AI is the processor: Module 2;
- where Controller is itself a processor and Novah AI acts as sub-processor: Module 3;
- where Controller is a controller in the EEA/UK and Novah AI re-engages a processor outside the EEA/UK: Modules 2 and 3 cascade as applicable.
For the avoidance of doubt, the docking clause applies (Clause 7) and the optional Clause 11(a) "redress" mechanism is not selected. The competent supervisory authority under Clause 13 is the supervisory authority of the EEA member state in which the data exporter is established (or, where the exporter is not in the EEA, the supervisory authority of the EEA member state in which the data subjects are located). The governing law under Clause 17 is the law of the Republic of Ireland. The forum under Clause 18 is the courts of Ireland.
11. Audit rights
Novah AI will make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and will allow for and contribute to audits, including inspections, conducted by the Controller or a mandated third-party auditor, on reasonable prior written notice (no less than 30 days except in a real-time security incident) and no more than once per calendar year, except where a regulator requires more.
To minimise duplicated audit burden, the Controller agrees to first review and rely on any then-current third-party attestations or reports we have made available (when and if we obtain them). Audits will be conducted during normal business hours, will not unreasonably interfere with our operations, and will be subject to confidentiality obligations.
12. Return or deletion at end of contract
On termination of the subscription, the Controller may instruct us in writing (within 30 days of termination) to return or delete all Customer Personal Data. Unless the Controller instructs otherwise within that window, we will delete Customer Personal Data per the retention schedule in our Privacy Policy. We may retain the hash-chained audit log and tax/accounting records for the period required by law (7 years).
We will provide a written confirmation of deletion on request.
13. Liability and miscellaneous
Liability under this DPA is subject to the limitations and exclusions in the underlying Terms of Service. In the event of conflict between this DPA and the Terms, this DPA controls with respect to the processing of personal data.
This DPA is governed by the same law as the Terms (California), except where the SCCs or applicable mandatory law require otherwise.
14. Contact
DPO / privacy contact: privacy@trynovahunt.com
Legal contact: legal@trynovahunt.com
Security incidents: security@trynovahunt.com
Last updated: 2026-05-19