AINA logo

TECH DUCK L.L.C.-FZ

Data Processing Agreement (DPA)

Last updated:

September 2025

This Data Processing Agreement ("DPA") is entered into by and between:

  • Controller: the Client (employer) using the AINA platform,
  • Processor: TECH DUCK L.L.C.-FZ, Meydan Grandstand, 6th floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E.

1. Subject matter and duration

The Processor shall process personal data on behalf of the Controller in connection with the Client's use of the AINA SaaS platform. This DPA is effective for the duration of the main service agreement and until all personal data has been deleted or returned to the Controller.

2. Categories of data and subjects

Data subjects: job applicants, candidates, Client's employees.

Categories of data: resumes, contact details, interview recordings, chat messages, assessment results, account data.

Special categories (sensitive data) are not required by AINA. If uploaded, the Controller is responsible for obtaining valid consent.

3. Obligations of the Processor (AINA)

The Processor agrees to:

  • Process data only on documented instructions from the Controller.
  • Ensure confidentiality and limit access to authorized personnel only.
  • Implement appropriate technical and organizational measures (encryption, access control, backups, monitoring).
  • Assist the Controller in fulfilling obligations to respond to data subject rights (access, rectification, erasure, restriction, portability).
  • Notify the Controller without undue delay of any personal data breach.
  • Delete or return all personal data after the end of the provision of services, unless storage is required by law.

4. Obligations of the Controller (Client)

The Controller agrees to:

  • Ensure it has a valid legal basis to collect and process candidate data.
  • Obtain candidate consent where required (e.g., under GDPR or local law).
  • Provide accurate instructions to the Processor.
  • Not upload excessive or irrelevant data.
  • Inform data subjects that their data will be processed using AINA as a processor.

5. Sub-processors

The Processor may engage sub-processors to provide hosting, storage, payment processing, analytics, AI/ML, or other technical services necessary to deliver the AINA Service.

Current sub-processors:

  • Amazon Web Services (AWS, EU) – hosting and infrastructure services within the European Union.
  • Selectel (Russia) – hosting and infrastructure services within the Russian Federation (used for compliance with data localization requirements).
  • Analytics providers (Google Analytics) – for collecting and analyzing website usage data.
  • OpenAI (USA) – for processing candidate text data (resumes, answers, and communications) to generate AI-based recommendations.
  • Google (Gemini, USA/EU depending on service region) – for processing candidate responses and interview data to support AI-assisted analysis.

Planned sub-processors (to be added once integrated):

  • Payment providers (e.g., Stripe) – for processing subscription and payment transactions.

The Controller will be notified of any material changes to the list of sub-processors. The most recent and updated list of sub-processors will be published on the AINA legal page.

6. International transfers

Personal data may be transferred outside the EEA, provided that adequate safeguards are implemented (e.g., Standard Contractual Clauses, adequacy decisions).

For Russian citizens, data shall be initially collected and stored on servers located in the Russian Federation (localization requirement).

7. Data subject rights

The Processor shall assist the Controller, to the extent possible, in fulfilling data subjects' rights under GDPR or local law. Requests from data subjects received directly by the Processor will be forwarded to the Controller.

8. Liability

The Controller is responsible for the lawfulness of the collection and processing of personal data.

The Processor is responsible for maintaining appropriate security and following the Controller's documented instructions.

Each party's liability is limited as defined in the main service agreement.

9. Governing law

This DPA shall be governed by and construed in accordance with the laws of Dubai, U.A.E., unless otherwise required by mandatory applicable law (e.g., GDPR for EU Controllers).

10. Miscellaneous

This DPA is part of the main service agreement between the parties.

In case of conflict, this DPA prevails with respect to data protection.

Updates may be published by AINA on its legal page; continued use of the Service constitutes acceptance.

Candidate data will be deleted within 30 days after the vacancy is closed, unless the Controller has obtained explicit consent from the candidate to retain the data for a longer period (e.g., for inclusion in a talent pool or consideration for future positions), or unless otherwise required by law.

The Controller may request deletion or return of candidate data at any time via the AINA admin panel or by contacting support (main@aina-tech.com).

The Controller is responsible for informing candidates that their personal data will be processed using AINA as a data processor.

For citizens of the Russian Federation, personal data shall be initially collected and stored on servers located in Russia (Selectel) in compliance with localization laws.