Data Processing Agreement (DPA)
Last updated: October 23, 2025
This Data Processing Agreement ("DPA") is between Coffee Tap Studio SRL (trading as Niju), a company registered in Romania with company number 49753478 ("Processor", "we", or "us"), and you, the customer ("Controller" or "you").
This DPA forms part of our Terms of Service ("Terms") and applies to our processing of Candidate Personal Data on your behalf. By using the Niju Service to process Candidate data, you agree to the terms of this DPA.
1. Key Terms (Plain English)
- Controller – That's you, the Company. You decide to send an interview to a Candidate and you make the hiring decision based on the data provided.
- Processor – That's us, Niju. We process the Candidate's data only on your behalf to provide you with the interview recording and AI-assisted report.
- Data Subject – The Candidate you invite to the interview.
- Personal Data – All data related to a Candidate, as detailed in Section 2.
- Sub-processor – These are the trusted vendors we use to help run the Niju service, such as hosting providers and AI model providers.
2. Details of Processing
- Subject Matter: The provision of the Niju technical screening service as described in the Terms.
- Purpose of Processing: To enable the Controller to record, analyze, and evaluate Candidates for recruitment purposes.
- Duration of Processing: For the term of the Controller's use of the Service, subject to the retention policy in Section 4.
- Categories of Data Subjects: Candidates invited by the Controller to complete a screening interview.
- Categories of Personal Data:
  - Identity Data: Name, email address.
  - Interview Data: Video recording (webcam), audio recording (microphone), screen recording, and all code written by the Candidate in the editor.
  - Technical Data: IP address, browser/OS user-agent data.
  - Derived Data: AI-generated transcript and AI-generated analysis/report.
3. Roles and Responsibilities
Processor's (Niju's) Responsibilities:
We agree to:
- Process Personal Data only on your documented instructions (i.e., your use of the Service to invite and review Candidates).
- Ensure all our personnel authorized to process the Personal Data are bound by a duty of confidentiality.
- Implement and maintain appropriate technical and organizational security measures to protect the data, as detailed in Section 7.
- Assist you, as reasonably required, in responding to Data Subject Rights requests (e.g., by providing you with the ability to delete Candidate data from your dashboard).
- Notify you without undue delay after becoming aware of a Personal Data breach.
- Make available to you all information necessary to demonstrate our compliance with GDPR Article 28 (e.g., this DPA, our list of sub-processors).
- Not use Candidate Personal Data for any purpose other than providing and improving the Service as agreed.
Controller's (Your) Responsibilities:
You agree and warrant that:
- You have a lawful basis (e.g., legitimate interest, consent) for all processing of Candidate Personal Data.
- You are solely responsible for all instructions you give to us (e.g., inviting a Candidate).
- You are solely responsible for your hiring decisions and will use the Niju Service in a fair, lawful, and non-discriminatory manner, in compliance with all applicable laws.
- You will inform Candidates about the nature of the processing, including the recording and AI analysis, as described in our Terms.
4. Data Retention and Deletion
We will automatically and permanently delete all raw, identifiable Candidate Interview Data (video, audio, screen recording, IP address) 30 days after the interview is completed.
You may also delete this data at any time from your dashboard, which will trigger our deletion process sooner.
We may retain anonymized, non-identifiable derived data (such as anonymized transcripts or analysis) for service improvement, analytics, and reporting, as permitted by our Terms of Service.
5. Sub-processors
You provide a general authorization for us to engage Sub-processors to provide the Service. We will maintain a list of our Sub-processors and notify you of any new or replacement Sub-processors, giving you an opportunity to object.
Our categories of Sub-processors include:
- Cloud Hosting Providers (for data storage, e.g., video files)
- AI Model Providers (for transcription and analysis)
- Database Providers
- Analytics and Monitoring Services
6. International Data Transfers
Our service infrastructure and Sub-processors may be located outside the European Economic Area (EEA). We will ensure that any transfer of Personal Data outside the EEA is done in compliance with GDPR, typically by relying on Standard Contractual Clauses (SCCs), an Adequacy Decision, or other lawful data transfer mechanisms.
7. Security Measures
We implement and maintain appropriate technical and organizational security measures to protect the Personal Data, including:
- Encryption: All data is encrypted in transit using industry-standard HTTPS/TLS. All core Interview Data is encrypted at rest.
- Access Control: We enforce strict role-based access controls. Access to Personal Data is limited to personnel who require it to perform their job functions (e.g., customer support).
- Secure Infrastructure: We use reputable, secure, and established vendors for all our hosting and processing needs.
- Breach Detection: We maintain monitoring and logging systems to detect and respond to security incidents.
8. AI Processing
You acknowledge that a core part of the Service involves processing Candidate Data using AI to generate transcripts and assistive analysis. As per our Terms, this AI-generated output is assistive only and does not constitute automated decision-making. You, the Controller, are solely responsible for reviewing this output and making the final hiring decision.
9. Governing Law
This DPA is governed by the laws of Romania. Any disputes arising from this DPA will be resolved exclusively in the courts of Bucharest, Romania.