Skip to main content

Data Processing Agreement

Last updated: May 2, 2026

1. Who this is for

If you use JobMason on behalf of an organization (a "Customer") and we process personal data of your end users, employees, or candidates on your behalf, this Data Processing Agreement ("DPA") governs that processing. The DPA forms part of, and is incorporated into, our Terms & Conditions.

Individual consumer accounts are governed by our Privacy Policy and do not require a signed DPA.

2. Roles

For personal data submitted to or generated by JobMason on your behalf, you are the Controller (or, where applicable, the Processor for your own customer) and Vantaso (SMC-Private) Limited, a single-member private limited company registered in the Islamic Republic of Pakistan ("Vantaso"), is the Processor. We process Customer Personal Data only on your documented instructions, including with regard to international transfers.

3. Categories of data and data subjects

  • Data subjects: end users of the Customer's account (including job seekers, recruiters, hiring managers, and any individual whose personal data the Customer chooses to enter).
  • Categories of personal data: identification (name, email), professional history (education, work experience, skills, languages, projects, courses), contact details, profile photos, job-application content (cover letters, resumes, emails, Q&A), and the content of any job descriptions submitted.
  • Special categories of data: we do not request or require special-category data. If a Customer chooses to submit it (e.g. health information, religious affiliation, trade-union membership), Customer represents it has a lawful basis to do so.

4. Sub-processors

Customer authorizes Vantaso to engage sub-processors as listed at /policies/sub-processors. We will give Customer at least 30 days' notice before adding a new sub-processor that processes personal data and will give Customer a reasonable opportunity to object.

5. Security

We maintain appropriate technical and organizational measures, including: TLS encryption in transit, encryption of data at rest, access controls based on least privilege, audit logging, structured logging with PII redaction, automated dependency scanning, error tracking, and a documented incident-response process. A current summary is available on request.

6. International transfers

Personal data may be transferred to and processed in jurisdictions outside the data subject's country, including the United States. For transfers from the EEA, UK, or Switzerland, the parties incorporate the European Commission's Standard Contractual Clauses (Module 2 - controller to processor) by reference, supplemented by the UK International Data Transfer Addendum and Swiss FADP-specific terms where applicable. The countersigned annexes are available on request.

7. Data subject requests

Vantaso will reasonably assist Customer to fulfill data-subject requests for access, correction, deletion, portability, restriction, and objection. JobMason includes a self-serve export from each user's Settings → Privacy & data; Customer may also request bulk export by contacting contact@vantaso.org.

8. Personal-data breach notification

We will notify Customer without undue delay (and where feasible, within 72 hours) after becoming aware of a personal-data breach affecting Customer Personal Data, with the information required by Article 33(3) GDPR.

9. Audits

Customer may exercise audit rights by submitting written requests to contact@vantaso.org. We'll respond with up-to-date documentation (security overview, sub-processor list, latest pen-test summary). For Customers with a contractual right to on-site audit, we'll coordinate with reasonable scope and frequency at Customer's expense.

10. Return or deletion of data

On termination, we will, at Customer's choice, delete or return Customer Personal Data within 30 days, unless retention is required by law. Backups expire on a rolling 30-day cycle.

11. Sign or download a countersigned copy

To execute a countersigned DPA (PDF) tailored to your jurisdiction or to add the EU SCCs / UK IDTA annexes, email contact@vantaso.org with your legal entity name, billing address, and Privacy Officer contact. We typically return signed within 5 business days.