This Data Processing Agreement ("DPA") governs how MatricsTek Inc. processes personal data on behalf of its business clients in connection with the delivery of our services.
This Data Processing Agreement ("DPA" or "Agreement") is entered into between MatricsTek Inc., a corporation registered in the State of Delaware, USA ("Data Processor" or "MatricsTek"), and the business entity or individual that engages MatricsTek for services ("Data Controller" or "Client").
This DPA supplements and is incorporated into any Master Services Agreement, Statement of Work, or other binding agreement between the parties (collectively, the "Principal Agreement"). In the event of a conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to data protection matters.
1. Definitions
For the purposes of this Agreement, the following definitions apply:
- Personal Data: Any information relating to an identified or identifiable natural person ("Data Subject"), including names, email addresses, employment records, financial data, and any other information defined as "personal data," "personal information," or equivalent under applicable law.
- Processing: Any operation performed on Personal Data, including collection, recording, storage, use, disclosure, transmission, erasure, or destruction.
- Data Controller: The Client who determines the purposes and means of processing Personal Data.
- Data Processor: MatricsTek Inc., which processes Personal Data on behalf of the Client.
- Sub-Processor: Any third party engaged by MatricsTek to assist in processing Personal Data.
- Applicable Law: All applicable data protection and privacy laws, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and any other laws in force in the relevant jurisdiction.
- Data Breach: A security incident that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2. Scope and Purpose of Processing
2.1 Subject Matter
MatricsTek processes Personal Data solely for the purpose of providing the services described in the Principal Agreement, which may include:
- Recruitment Process Outsourcing (RPO) and talent acquisition services
- HR Solutions and workforce management consulting
- Candidate screening, background research, and skills evaluation
- Learning & Development program administration (Zero to Offer, Interview Access Program)
- Professional Analytics and reporting services
- IT Consulting engagements requiring access to client systems or employee data
2.2 Nature of Data Processed
Depending on the service engaged, Personal Data processed may include:
- Candidate and employee identification data (name, contact details, government ID where applicable)
- Professional history, resume/CV content, and educational records
- Assessment results, interview notes, and performance evaluations
- Compensation and financial data (where relevant to placement services)
- Communication records between candidates and the Client
2.3 Duration
Processing shall commence on the effective date of the Principal Agreement and continue until termination of the services or until the Client provides written instructions to cease processing, whichever is earlier.
3. Obligations of MatricsTek (Data Processor)
MatricsTek agrees to:
- Process Personal Data only on documented instructions from the Client, unless required by applicable law.
- Ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain appropriate technical and organizational security measures as described in Section 5.
- Not engage any Sub-Processor without prior written authorization from the Client, except for the Sub-Processors listed in Section 6.
- Assist the Client in responding to requests from Data Subjects exercising their rights under Applicable Law, to the extent technically feasible.
- Assist the Client in fulfilling its obligations regarding security, breach notification, data protection impact assessments, and prior consultation.
- At the Client's election, delete or return all Personal Data upon termination of services, and delete any existing copies unless retention is required by law.
- Provide all information necessary to demonstrate compliance with this DPA and cooperate with reasonable audits or inspections by the Client or a designated auditor.
4. Obligations of the Client (Data Controller)
The Client represents, warrants, and agrees that:
- All Personal Data provided to MatricsTek has been collected and is being shared in compliance with Applicable Law, including obtaining all necessary consents from Data Subjects.
- Processing instructions provided to MatricsTek comply with all Applicable Laws.
- The Client is solely responsible for the accuracy, quality, and legality of Personal Data provided.
- The Client will notify MatricsTek promptly of any changes to applicable data protection requirements that may affect the processing activities.
5. Technical and Organizational Security Measures
MatricsTek implements and maintains the following security measures to protect Personal Data:
5.1 Technical Measures
- TLS/SSL encryption for all data in transit
- Encryption at rest for databases containing Personal Data
- Role-based access controls (RBAC) limiting data access to authorized personnel only
- Secure authentication mechanisms (strong password policies, session management)
- Regular automated backups with tested recovery procedures
- Web application firewalls and intrusion detection systems
- Rate limiting and DDoS protection on all public-facing endpoints
5.2 Organizational Measures
- Staff confidentiality agreements and data protection training
- Internal data access policies with least-privilege principles
- Documented incident response procedures
- Periodic security reviews and vulnerability assessments
- Physical access controls for systems containing Personal Data
6. Sub-Processors
The Client hereby grants general authorization for MatricsTek to engage the following Sub-Processors, each bound by data protection obligations no less protective than those in this DPA:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Website hosting and serverless compute | USA / Global CDN |
| MongoDB Atlas (MongoDB, Inc.) | Secure database storage for leads and enrollment records | USA (AWS us-east-1) |
| Upstash Inc. | Redis-based rate limiting (no Personal Data stored) | USA / Global |
| OpenRouter AI | AI-powered features (resume parsing, cover letter generation) | USA |
| PayPal Holdings Inc. | Payment processing and transaction verification | USA / Global |
| Backblaze B2 | File and media storage for blog assets | USA |
MatricsTek will notify the Client of any intended changes to Sub-Processors with at least 14 days' written notice, providing the Client an opportunity to object. If the Client objects on reasonable data protection grounds, the parties shall work together in good faith to resolve the concern.
7. Data Subject Rights
MatricsTek will assist the Client in fulfilling Data Subject requests within 5 business days of receiving a written request, including requests for:
- Access: Providing the Client with a copy of the Personal Data held.
- Rectification: Correcting inaccurate or incomplete data upon instruction.
- Erasure ("Right to be Forgotten"): Deleting data upon instruction, unless legal retention is required.
- Restriction: Ceasing active processing while retaining stored data pending resolution.
- Portability: Exporting data in a machine-readable format (JSON or CSV).
- Objection: Flagging and escalating objections to the Client for determination.
8. Data Breach Notification
In the event of a confirmed or suspected Data Breach involving Client Personal Data, MatricsTek will:
- Notify the Client without undue delay, and no later than 72 hours after becoming aware of the breach, consistent with GDPR Article 33.
- Provide the Client with a written incident report including: the nature of the breach; categories and approximate number of Data Subjects and records affected; likely consequences; and measures taken or proposed to address the breach.
- Cooperate fully with the Client's investigation and remediation efforts.
- Not publicly disclose the breach without the Client's prior written consent, except where required by law.
Breach notifications should be directed to: contact@matricstek.co
9. International Data Transfers
MatricsTek is based in the United States. Where Personal Data originates from the European Economic Area (EEA), United Kingdom, or Switzerland and is transferred to the USA, MatricsTek relies on the following transfer mechanisms:
- Standard Contractual Clauses (SCCs): As adopted by the European Commission, incorporated by reference into this DPA upon request.
- UK International Data Transfer Agreement (IDTA): As applicable for transfers from the United Kingdom.
Where SCCs apply, the Client (as Data Exporter) and MatricsTek (as Data Importer) agree to be bound by the terms of the applicable SCCs. Copies are available upon request.
10. Data Retention and Deletion
MatricsTek retains Client Personal Data only for as long as necessary to perform the contracted services. Upon termination:
- Within 30 days of termination, MatricsTek will securely delete or return all Personal Data at the Client's written election.
- Any copies retained for compliance with legal obligations will be handled in accordance with MatricsTek's data retention schedule and will not be used for any other purpose.
- Upon completion of deletion, MatricsTek will provide the Client with written confirmation.
11. Audit Rights and Compliance Verification
Upon reasonable written notice of no less than 14 business days, the Client may conduct (or appoint a qualified independent auditor to conduct) an audit of MatricsTek's data processing activities and security controls, limited to those relevant to the Client's Personal Data. Such audits shall not occur more than once per calendar year, shall be conducted during normal business hours, and shall be subject to a mutual confidentiality agreement. The costs of any audit shall be borne by the Client.
12. Liability
Each party shall be liable to the other for any damages directly caused by its failure to comply with its obligations under this DPA. MatricsTek's liability shall be limited to actual, direct damages and shall be subject to the limitations set forth in the Principal Agreement.
Where a Data Subject brings a claim against MatricsTek as Data Processor, and it is established that MatricsTek was responsible for the breach causing the damage, MatricsTek shall bear the appropriate portion of liability. MatricsTek shall not be liable for breaches caused by the Client's non-compliant instructions.
13. Term and Termination
This DPA shall remain in force for the duration of the Principal Agreement. Termination of the Principal Agreement automatically terminates this DPA. Provisions regarding data deletion, confidentiality, audit rights, and liability shall survive termination of this DPA.
14. Governing Law and Dispute Resolution
This DPA shall be governed by the laws of the State of Delaware, USA, without regard to its conflict of law provisions. Any disputes arising under this DPA that cannot be resolved amicably shall be submitted to binding arbitration in accordance with the rules of the American Arbitration Association (AAA). Notwithstanding the foregoing, either party may seek injunctive or other equitable relief in a court of competent jurisdiction to prevent irreparable harm.
15. Entire Agreement and Amendments
This DPA, together with the Principal Agreement and any schedules or annexes, constitutes the entire agreement between the parties with respect to data processing. MatricsTek reserves the right to amend this DPA to reflect changes in Applicable Law or business practices, with 30 days' written notice to the Client. Continued engagement of MatricsTek's services after the notice period constitutes acceptance of the amended DPA.
16. Contact and Data Protection Inquiries
For DPA-related inquiries, to request a signed DPA, or to submit a Data Subject rights request, please contact:
- Company: MatricsTek Inc.
- Address: 8 The Green, Ste R, Dover, DE 19901, USA
- Email: contact@matricstek.co
- Phone: +1 251 346 1258
- Website: www.matricstek.co
Enterprise Clients: If you require a countersigned DPA as part of your vendor onboarding process, please email us at contact@matricstek.co with the subject line "DPA Request — [Your Company Name]" and we will respond within 3 business days.