Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") is between Coffee Tap Studio SRL (trading as Niju), a company registered in Romania with company number 49753478 ("Processor", "we", or "us"), and you, the customer ("Controller" or "you").
This DPA forms part of our Terms of Service ("Terms") and applies to our processing of Candidate Personal Data on your behalf. By using the Niju Service to process Candidate data, you agree to the terms of this DPA.
1. Key Terms (Plain English)
- Controller – That's you, the Company (or Agency). You decide to send an interview to a Candidate and you make the hiring decision based on the data provided.
- Processor – That's us, Niju. We process the Candidate's data only on your behalf to provide you with the interview recording and AI-assisted report.
- Data Subject – The Candidate you invite to the interview.
- Personal Data – All data related to a Candidate, as detailed in Section 2.
- Sub-processor – These are the trusted vendors we use to help run the Niju service, such as hosting providers, authentication providers, and AI model providers.
2. Details of Processing
- Subject Matter: The provision of the Niju technical screening service as described in the Terms.
- Purpose of Processing: To enable the Controller to record, analyze, and evaluate Candidates for recruitment purposes.
- Duration of Processing: For the term of the Controller's use of the Service, subject to the retention policy in Section 4.
- Categories of Data Subjects: Candidates invited by the Controller to complete a screening interview.
- Categories of Personal Data:
  - Identity & Auth Data: Name, email address, and authentication metadata (via PropelAuth).
  - Interview Data: Audio recording (microphone), screen recording, video recording (if applicable), and all code written by the Candidate in the editor.
  - Technical Data: IP address, browser/OS user-agent data.
  - Derived Data: AI-generated transcript and AI-generated analysis/report.
3. Roles and Responsibilities
Processor's (Niju's) Responsibilities:
We agree to:
- Process Personal Data only on your documented instructions. Note: Your specific selection of an "Account Type" (Teams or Agencies) and your use of platform features (such as generating a share link for a client) constitute documented instructions to process data according to the rules of that feature.
- Ensure all our personnel authorized to process the Personal Data are bound by a duty of confidentiality.
- Implement and maintain appropriate technical and organizational security measures to protect the data, as detailed in Section 7.
- Assist you, as reasonably required, in responding to Data Subject Rights requests (e.g., by providing you with the ability to delete Candidate data from your dashboard).
- Notify you without undue delay after becoming aware of a Personal Data breach.
- Make available to you all information necessary to demonstrate our compliance with GDPR Article 28 (e.g., this DPA, our list of sub-processors).
- Not use Candidate Personal Data for any purpose other than providing and improving the Service as agreed.
Controller's (Your) Responsibilities:
You agree and warrant that:
- You have a lawful basis (e.g., legitimate interest, consent) for all processing of Candidate Personal Data.
- You are solely responsible for all instructions you give to us (e.g., inviting a Candidate).
- You are solely responsible for your hiring decisions and will use the Niju Service in a fair, lawful, and non-discriminatory manner, in compliance with all applicable laws.
- You will inform Candidates about the nature of the processing, including the recording and AI analysis, as described in our Terms.
- (For Agencies): You are solely responsible for any third parties ("Authorized Viewers") with whom you share Candidate Data via the Service's sharing features. You warrant that you have the necessary rights to share this data with your clients.
4. Data Retention and Deletion
The retention period for Sensitive Data (audio, video, screen recordings, and raw transcripts) is determined by your Account Type:
- Niju for Teams Accounts: Sensitive Data is automatically and permanently deleted 30 days after the interview is processed.
- Niju for Agencies Accounts: Sensitive Data is automatically and permanently deleted 90 days after the interview is processed.
Manual Deletion: You may delete this data at any time from your dashboard, which will trigger our deletion process immediately, regardless of the retention period above.
Derived Data: We may retain anonymized, non-identifiable derived data (such as anonymized transcripts or analysis) for service improvement, analytics, and reporting, as permitted by our Terms of Service.
5. Sub-processors
You provide a general authorization for us to engage Sub-processors to provide the Service. We will maintain a list of our Sub-processors and notify you of any new or replacement Sub-processors, giving you an opportunity to object.
Our categories of Sub-processors include:
- Authentication Providers (for secure identity management, e.g., PropelAuth)
- Cloud Hosting Providers (for secure data storage, e.g., video files)
- AI Model Providers (for transcription and analysis)
- Database Providers
- Analytics and Monitoring Services
6. International Data Transfers
Our service infrastructure and Sub-processors may be located outside the European Economic Area (EEA). We will ensure that any transfer of Personal Data outside the EEA is done in compliance with GDPR, typically by relying on Standard Contractual Clauses (SCCs), an Adequacy Decision, or other lawful data transfer mechanisms.
7. Security Measures
We implement and maintain appropriate technical and organizational security measures to protect the Personal Data, including:
- Encryption: All data is encrypted in transit using industry-standard HTTPS/TLS. All core Interview Data is encrypted at rest.
- Access Control: We enforce strict role-based access controls. Access to Personal Data is limited to personnel who require it to perform their job functions (e.g., customer support).
- Secure Infrastructure: We use reputable, secure, and established vendors for all our hosting and processing needs.
- Breach Detection: We maintain monitoring and logging systems to detect and respond to security incidents.
8. AI Processing
You acknowledge that a core part of the Service involves processing Candidate Data using AI to generate transcripts and assistive analysis. As per our Terms, this AI-generated output is assistive only and does not constitute automated decision-making. You, the Controller, are solely responsible for reviewing this output and making the final hiring decision.
9. Governing Law
This DPA is governed by the laws of Romania. Any disputes arising from this DPA will be resolved exclusively in the courts of Bucharest, Romania.