Data Processing Addendum

Last Updated: March 3, 2026

This Data Processing Addendum forms part of the Terms of Service between Innovia Software Corp., a Delaware corporation operating Reordinal, and the Customer using the Service.

This DPA applies when Reordinal processes Personal Data on behalf of Customer through the Service.

If there is a conflict between this DPA and the Terms of Service regarding the processing of Personal Data, this DPA controls.

1. Definitions

“Customer” means the company, recruiting firm, hiring team, client, organization, or business user that uses the Service.

“Reordinal,” “we,” “us,” and “our” mean Innovia Software Corp.

“Service” means Reordinal’s software, website, application, browser extension, public job application forms, integrations, AI-assisted workflows, applicant management tools, and related services.

“Personal Data” means any information relating to an identified or identifiable person that Reordinal processes on behalf of Customer.

“Candidate Data” means Personal Data relating to job candidates, applicants, prospects, or individuals considered for a role.

“Customer Data” means data, files, content, records, job posts, application forms, resumes, notes, criteria, candidate profiles, and other information submitted to or processed through the Service by Customer or on Customer’s behalf.

“Data Protection Laws” means privacy, data protection, and security laws that apply to the processing of Personal Data under this DPA.

“Controller” means the party that determines the purposes and means of processing Personal Data.

“Processor” means the party that processes Personal Data on behalf of a Controller.

“Business,” “Service Provider,” “Contractor,” “Consumer,” “Sell,” and “Share” have the meanings given under applicable California privacy laws.

“Subprocessor” means a third party engaged by Reordinal to process Personal Data on behalf of Customer.

“Security Incident” means a confirmed unauthorized breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by Reordinal on behalf of Customer.

2. Roles of the Parties

For Candidate Data and Customer Data processed through the Service:

  • Customer is the Controller or Business.
  • Reordinal is the Processor, Service Provider, or Contractor.

Customer determines the purposes and means of processing Personal Data.

Reordinal processes Personal Data only on behalf of Customer and according to Customer’s instructions.

Customer’s instructions include:

  • The Terms of Service
  • This DPA
  • Customer’s use of the Service
  • Customer’s account settings
  • Customer’s written instructions accepted by Reordinal

3. Scope of Processing

Reordinal will process Personal Data only to:

  • Provide the Service
  • Host and store Customer Data
  • Create and manage accounts
  • Process job posts and application forms
  • Import and organize candidates
  • Parse resumes
  • Generate AI-assisted summaries, scores, and rankings
  • Support hiring collaboration workflows
  • Provide product support
  • Process usage, job credits, and AI credits
  • Maintain security
  • Prevent abuse
  • Debug errors
  • Improve reliability and performance
  • Comply with law
  • Enforce the Terms
  • Protect the Service, Customers, candidates, and third parties

Reordinal will not process Personal Data for purposes outside this DPA unless legally required or authorized by Customer.

4. Customer Responsibilities

Customer is responsible for:

  • Providing lawful instructions
  • Having a lawful basis to process Candidate Data
  • Providing candidate notices where required
  • Obtaining candidate consent where required
  • Configuring job posts and application forms lawfully
  • Using AI outputs lawfully
  • Responding to candidate rights requests
  • Setting retention rules
  • Managing team access
  • Complying with employment, hiring, privacy, AI, and anti-discrimination laws

Customer must not use the Service to process Personal Data in a way that violates Data Protection Laws.

5. Reordinal Responsibilities

Reordinal will:

  • Process Personal Data only according to Customer’s instructions
  • Maintain reasonable security measures
  • Limit access to authorized personnel
  • Require personnel to protect Personal Data
  • Use Subprocessors only as permitted by this DPA
  • Assist Customer with data rights requests where reasonably possible
  • Notify Customer of Security Incidents as described below
  • Delete or return Personal Data as described below
  • Make reasonable compliance information available to Customer

6. Confidentiality

Reordinal will ensure that personnel authorized to process Personal Data are subject to confidentiality obligations.

Reordinal will limit access to Personal Data to personnel who need access to provide, secure, maintain, or support the Service.

7. Security Measures

Reordinal will maintain administrative, technical, and organizational safeguards designed to protect Personal Data.

These safeguards may include:

  • Encryption in transit
  • Encryption at rest where supported by infrastructure providers
  • Role-based access controls
  • Access logging
  • Data export logging
  • Authentication controls
  • Infrastructure security controls
  • Backup controls
  • Monitoring and logging
  • Restricted production access
  • Internal access limitations
  • Vendor security review
  • Incident response procedures

Customer understands that no system is perfectly secure.

Customer is responsible for managing its own users, access permissions, devices, passwords, identity providers, internal policies, and secure use of the Service.

8. Security Incidents

Reordinal will notify Customer without undue delay after confirming a Security Incident affecting Personal Data processed on behalf of Customer.

The notice may include, where available:

  • Nature of the Security Incident
  • Categories of Personal Data affected
  • Approximate number of affected records
  • Likely consequences
  • Measures taken or planned
  • Recommended customer actions

Reordinal’s notice of a Security Incident is not an admission of fault or liability.

Customer is responsible for determining whether notice to candidates, regulators, or other parties is required.

9. Subprocessors

Customer authorizes Reordinal to use Subprocessors to provide the Service.

Subprocessors may include providers for:

  • Cloud hosting
  • Database infrastructure
  • File storage
  • AI processing
  • Authentication
  • Payments
  • Analytics
  • Email delivery
  • Logging and monitoring
  • Security
  • Customer support
  • Product infrastructure

Current Subprocessors may include:

  • Google Cloud Platform
  • Amazon Web Services
  • Supabase
  • MongoDB
  • OpenAI
  • Google Gemini
  • Stripe
  • Google Identity
  • Google Calendar API
  • Gmail API
  • Google Analytics
  • Email delivery providers
  • Logging and monitoring providers
  • Security providers
  • Customer support providers

Reordinal will require Subprocessors to protect Personal Data under obligations that are materially consistent with this DPA.

Reordinal remains responsible for Subprocessors’ processing of Personal Data to the extent required by applicable law.

10. Subprocessor Changes

Reordinal may add, replace, or remove Subprocessors from time to time.

Reordinal will provide notice of material Subprocessor changes by updating its Privacy Policy, subprocessor list, or another public page.

Customer may object to a new Subprocessor by contacting Reordinal within 10 days after notice.

Customer’s objection must explain the reasonable privacy or security basis for the objection.

If Reordinal cannot reasonably resolve the objection, Customer may stop using the affected part of the Service.

11. AI Subprocessors

The Service may use AI Subprocessors to generate candidate summaries, resume analysis, scores, ranking support, and related outputs.

AI processing may involve sending job descriptions, evaluation criteria, resumes, application answers, recruiter inputs, and Candidate Data to AI Subprocessors.

Reordinal configures AI Subprocessors, where available, so Customer Data and Candidate Data are not used to train or improve general-purpose AI models.

AI Subprocessors may process and retain data according to their applicable terms, data processing agreements, abuse monitoring practices, security practices, and legal obligations.

Customer remains responsible for human review and all hiring-related decisions.

12. Data Subject Requests

If Reordinal receives a request from a candidate or other person relating to Personal Data processed on behalf of Customer, Reordinal may:

  • Redirect the person to Customer
  • Notify Customer
  • Respond according to Customer’s instructions
  • Respond where required by law

Customer is responsible for responding to data rights requests where Customer is the Controller or Business.

Reordinal will reasonably assist Customer with access, correction, deletion, export, restriction, or objection requests where required by Data Protection Laws and where technically feasible.

13. Deletion and Return

During the term, Customer may export available Customer Data through the Service where supported.

Upon termination or Customer request, Reordinal will delete or return Personal Data according to the Service functionality, Customer instructions, and Reordinal’s retention practices.

Deleted Personal Data may remain in backups, logs, audit records, security records, billing records, tax records, legal records, or archival systems for a limited period.

Reordinal may retain Personal Data where required for legal compliance, security, fraud prevention, dispute resolution, accounting, or enforcement of agreements.

14. Customer Audit Rights

Reordinal will make reasonable information available to demonstrate compliance with this DPA.

This may include:

  • Security summaries
  • Policy summaries
  • Subprocessor information
  • Data processing descriptions
  • Compliance documentation
  • Reasonable written responses to security questions

Audits must be reasonable, limited, and designed to avoid disruption.

For self-serve customers, Reordinal may satisfy audit obligations through documentation, written responses, certifications, reports, or summaries instead of onsite audits.

Customer may not conduct penetration tests, vulnerability scans, onsite inspections, or technical testing of the Service without Reordinal’s prior written approval.

15. Assistance with Compliance

Taking into account the nature of processing and information available to Reordinal, Reordinal will provide reasonable assistance to Customer with:

  • Data subject requests
  • Security obligations
  • Security incident response
  • Data protection impact assessments
  • Prior consultations with regulators
  • Deletion and export requests

Reordinal may charge reasonable fees for assistance that is outside standard Service functionality or support.

16. International Transfers

Customer acknowledges that Reordinal is based in the United States and stores primary production data in the United States.

Customer authorizes Reordinal and its Subprocessors to process Personal Data in the United States and other countries where Reordinal or its Subprocessors operate.

Where Data Protection Laws require a transfer mechanism for Personal Data transferred from the European Economic Area, United Kingdom, Switzerland, or another jurisdiction to the United States or another country, the applicable Standard Contractual Clauses or other lawful transfer mechanism will apply.

17. Standard Contractual Clauses

For transfers of Personal Data from the European Economic Area to Reordinal in the United States, the EU Standard Contractual Clauses, Module Two, Controller to Processor, are incorporated by reference where required.

For transfers of Personal Data from the United Kingdom, the applicable UK international data transfer addendum or other lawful UK transfer mechanism applies where required.

For transfers of Personal Data from Switzerland, the EU Standard Contractual Clauses apply with modifications required by Swiss law where required.

For purposes of the EU Standard Contractual Clauses:

  • Customer is the data exporter.
  • Reordinal is the data importer.
  • The competent supervisory authority is determined according to the Standard Contractual Clauses.
  • The details of processing are described in Schedule 1.
  • The technical and organizational measures are described in Schedule 2.
  • The Subprocessors are described in Schedule 3.

If there is a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses control only to the extent of the conflict.

18. California Privacy Terms

Where California privacy laws apply, Reordinal acts as a Service Provider or Contractor for Personal Data processed on behalf of Customer.

Reordinal will not:

  • Sell Personal Data
  • Share Personal Data for cross-context behavioral advertising
  • Retain, use, or disclose Personal Data outside the business purposes described in this DPA
  • Retain, use, or disclose Personal Data for a commercial purpose other than providing the Service
  • Retain, use, or disclose Personal Data outside the direct business relationship with Customer
  • Combine Personal Data received from Customer with Personal Data from other sources, except as permitted by California privacy laws
  • Use Personal Data to build or modify household or consumer profiles unrelated to the Service

Reordinal will provide the same level of privacy protection required of Service Providers and Contractors under applicable California privacy laws.

Reordinal will notify Customer if it determines it can no longer meet its obligations under applicable California privacy laws.

Customer may take reasonable and appropriate steps to help ensure that Reordinal uses Personal Data consistently with Customer’s obligations.

Customer may take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.

19. No Sale of Candidate Data

Reordinal does not sell Candidate Data.

Reordinal does not share Candidate Data for cross-context behavioral advertising.

Reordinal does not use Candidate Data to target advertising to candidates.

20. Aggregated and De-Identified Data

Reordinal may process aggregated, anonymized, or de-identified data to:

  • Analyze usage
  • Improve the Service
  • Monitor performance
  • Develop features
  • Maintain security
  • Understand product trends

Reordinal will not attempt to reidentify de-identified data except to test whether de-identification measures work.

21. Legally Required Disclosure

If Reordinal is legally required to disclose Personal Data, Reordinal will notify Customer unless prohibited by law or legal process.

Reordinal will only disclose the Personal Data required by the legal demand.

22. Term

This DPA remains in effect while Reordinal processes Personal Data on behalf of Customer.

Obligations relating to confidentiality, security, deletion, return, and legal compliance survive termination as needed.

23. Liability

The liability limits in the Terms of Service apply to this DPA, except where prohibited by law or by applicable Standard Contractual Clauses.

24. Contact

For privacy or data processing questions, contact:

Innovia Software Corp.

1007 N Orange St., 4th Floor, 3415

Wilmington, DE 19801

New Castle, United States

Email: contact@reordinal.com

Schedule 1, Processing Details

A. Subject Matter

Reordinal processes Personal Data to provide applicant tracking, job application, candidate import, resume parsing, AI-assisted review, candidate scoring, candidate ranking, collaboration, and related hiring workflow software.

B. Duration

Reordinal processes Personal Data for the duration of Customer’s use of the Service and as needed after termination for deletion, backup, legal, tax, security, accounting, fraud prevention, and dispute resolution purposes.

C. Nature and Purpose of Processing

Reordinal may collect, receive, host, store, organize, parse, analyze, transmit, display, modify, delete, export, and otherwise process Personal Data to provide the Service.

Processing purposes include:

  • Account management
  • Organization management
  • Job post management
  • Application form hosting
  • Candidate import
  • Resume parsing
  • AI-assisted candidate summaries
  • AI-assisted candidate scoring
  • AI-assisted candidate ranking
  • Team collaboration
  • Candidate workflow tracking
  • Customer support
  • Security monitoring
  • Usage tracking
  • Billing support
  • Product reliability
  • Legal compliance

D. Categories of Data Subjects

  • Account users
  • Recruiters
  • Hiring managers
  • Customer team members
  • Administrators
  • Job candidates
  • Applicants
  • Prospective candidates
  • Support contacts
  • Billing contacts

E. Categories of Personal Data

Account data:

  • Name
  • Email address
  • Organization name
  • Role
  • Account settings
  • Permissions
  • Authentication data

Candidate Data:

  • Name
  • Email address
  • Phone number
  • Location
  • LinkedIn profile URL
  • Resume
  • Work history
  • Education history
  • Skills
  • Portfolio links
  • Application answers
  • Screening responses
  • Recruiter notes
  • Interview notes
  • Tags
  • Candidate status
  • Evaluation criteria
  • AI-generated summaries
  • AI-generated scores
  • AI-assisted ranking information

Technical data:

  • IP address
  • Device information
  • Browser information
  • Operating system
  • Log data
  • Usage events
  • Security logs
  • Error logs

Billing and business data:

  • Company name
  • Billing contact
  • Billing address
  • Tax information
  • Purchase history
  • Stripe customer ID
  • Payment status
  • Credit usage

F. Sensitive Personal Data

The Service is not designed to process sensitive Personal Data unless Customer chooses to upload or collect it.

Customer must not intentionally collect or upload sensitive Personal Data unless Customer has a lawful basis and has provided all required notices and obtained all required consents.

Sensitive Personal Data may appear in resumes, application answers, notes, or candidate materials provided by Customer or candidates.

G. Frequency of Processing

Continuous while Customer uses the Service.

H. Customer Instructions

Customer instructs Reordinal to process Personal Data as needed to provide the Service under the Terms of Service and this DPA.

Schedule 2, Technical and Organizational Measures

Reordinal maintains measures designed to protect Personal Data, including:

  • Access controls
  • Role-based permissions
  • Encryption in transit
  • Encryption at rest where supported
  • Audit logs
  • Data export logs
  • Authentication controls
  • Production access restrictions
  • Security monitoring
  • Logging and error monitoring
  • Backup procedures
  • Incident response procedures
  • Vendor management
  • Subprocessor review
  • Internal confidentiality obligations
  • Least-privilege access practices
  • Secure development practices
  • Account suspension controls
  • Abuse monitoring

These measures may be updated from time to time, provided Reordinal does not materially reduce the overall level of protection for Personal Data.

Schedule 3, Subprocessors

Reordinal may use the following categories of Subprocessors:

  • Cloud infrastructure providers
  • Database providers
  • File storage providers
  • AI providers
  • Authentication providers
  • Payment processors
  • Analytics providers
  • Email delivery providers
  • Logging and monitoring providers
  • Security providers
  • Customer support providers
  • Integration providers

Current named Subprocessors may include:

  • Google Cloud Platform
  • Amazon Web Services
  • Supabase
  • MongoDB
  • OpenAI
  • Google Gemini
  • Stripe
  • Google Identity
  • Google Calendar API
  • Gmail API
  • Google Analytics

Reordinal may update this list from time to time.