Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Use and Privacy Policy between Guymon Inspection Services, Inc. ("Controller", "we", "us") and users of the Contractor Vault application. This DPA is designed to comply with the General Data Protection Regulation (GDPR) Article 28 and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).

1. Definitions

  • "Controller" means Guymon Inspection Services, Inc., the entity that determines the purposes and means of processing personal data.
  • "Processor" means any third-party service provider that processes personal data on behalf of the Controller.
  • "Data Subject" means any identified or identifiable natural person whose personal data is processed.
  • "Personal Data" means any information relating to a Data Subject, including name, email, phone number, work history, certifications, and other professional information.
  • "Processing" means any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and deletion.

2. Scope of Processing

We process personal data for the following purposes:

  • Managing contractor profiles, certifications, and employment records.
  • Facilitating communication between administrators, clients, and contractors.
  • Generating reports, contracts, timesheets, and other business documents.
  • AI-powered resume parsing, experience enhancement, and candidate ranking analysis.
  • Sending notifications regarding certification expirations, document requests, and account activity.

The categories of data subjects include contractors, employees, client contacts, and administrators. The types of personal data processed include names, contact information, professional history, certifications, financial information (billing details), and employment records.

3. Processor Obligations

Each Processor engaged by the Controller shall:

  • Process personal data only on documented instructions from the Controller.
  • Ensure that persons authorized to process personal data have committed themselves to confidentiality.
  • Implement appropriate technical and organizational security measures.
  • Not engage another sub-processor without prior written authorization from the Controller.
  • Assist the Controller in responding to Data Subject requests and in ensuring compliance with data protection obligations.
  • Delete or return all personal data at the end of the service relationship, at the Controller's choice.
  • Make available to the Controller all information necessary to demonstrate compliance with these obligations.

4. Sub-Processors

The Controller authorizes the use of the following sub-processors for the purposes described:

  • Supabase — PostgreSQL database hosting and file storage (US region). Stores all application data including contractor profiles, certifications, documents, and communications.
  • OpenAI — Resume parsing, schema validation, and AI-powered experience enhancement (GPT-4o and GPT-4o-mini models). Resume text is sent for processing; results are stored in our database.
  • Anthropic — AI candidate ranking analysis (Claude). Professional data is sent for evaluation; results are stored in our database.
  • Microsoft Azure / Office 365 — Application hosting (Canada Central region), outbound email delivery via SMTP, and inbound email polling via Microsoft Graph API.

We maintain data processing agreements with each sub-processor. The Controller will notify Data Subjects of any changes to sub-processors via updates to this DPA.

5. Data Subject Rights

Data Subjects have the right to:

  • Access: Request a copy of their personal data. This can be done via the data export feature in the application or by contacting us.
  • Rectification: Request correction of inaccurate personal data.
  • Erasure: Request deletion of their personal data, subject to legal retention requirements.
  • Restriction: Request restriction of processing in certain circumstances.
  • Portability: Receive their personal data in a structured, machine-readable format (JSON export).
  • Objection: Object to processing based on legitimate interests.
  • Automated Decision-Making: Request human review of any automated assessment (see Section 10).

To exercise any of these rights, contact us at hr@guymoninspection.com. We will respond within 30 days.

6. Audit Rights

The Controller maintains the right to audit, or appoint an independent auditor to audit, the processing activities of any Processor to verify compliance with this DPA. The Processor shall cooperate with such audits and make available all information necessary to demonstrate compliance. Audits shall be conducted with reasonable notice and during normal business hours.

7. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify affected Data Subjects and relevant supervisory authorities within 72 hours of becoming aware of the breach.
  • Provide details of the nature of the breach, the categories and approximate number of Data Subjects affected, and the likely consequences.
  • Describe the measures taken or proposed to address the breach and mitigate its effects.
  • Document all breaches, their effects, and the remedial actions taken.

8. Termination and Data Return

Upon termination of the service relationship or upon request:

  • We will provide a complete export of your personal data in a machine-readable format (JSON).
  • We will delete all personal data from our systems within 30 days of a verified deletion request, except where retention is required by law.
  • We will instruct all sub-processors to delete or return the personal data.
  • Anonymized audit log entries may be retained for security purposes.

9. Liability

Each party shall be liable for damages caused by processing that infringes applicable data protection laws. The Controller is responsible for ensuring that processing instructions comply with applicable law. The Processor is liable for damages caused by processing that does not comply with this DPA or that is outside the lawful instructions of the Controller.

10. Automated Decision-Making

We use AI-powered analysis for resume parsing, experience enhancement, and candidate ranking. These analyses are advisory only and are reviewed by human administrators before any employment-related decisions are made. You have the right to request human review of any automated assessment. Contact us at hr@guymoninspection.com to exercise this right.

11. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the Province of Alberta, Canada, without regard to its conflict of law provisions. For Data Subjects within the European Economic Area, the provisions of the GDPR shall apply in addition to the terms of this DPA.

12. Contact Us

If you have questions about this Data Processing Agreement, please contact us at:

Guymon Inspection Services, Inc.
Email: hr@guymoninspection.com
