BioCareerAI · Version 1.0 · Effective: May 2, 2026

Data Processing Agreement

This DPA governs how BioCareerAI LLC processes personal data on behalf of enterprise customers. It satisfies GDPR Article 28 and equivalent obligations under applicable data protection laws.

To execute this DPA: Email hello@biocareerai.com with subject "DPA Execution Request". We will countersign and return within 5 business days.

1. Definitions

  • Personal Data — Any information relating to an identified or identifiable natural person, as defined under applicable data protection law including GDPR and CCPA.
  • Processing — Any operation performed on Personal Data including collection, storage, analysis, retrieval, and deletion.
  • Controller — The enterprise customer who determines the purposes and means of processing Personal Data.
  • Processor — BioCareerAI LLC, which processes Personal Data on behalf of the Controller.
  • Sub-Processor — Any third party engaged by BioCareerAI to assist in processing Personal Data. See Schedule A.
  • Data Subject — The individual whose Personal Data is being processed (e.g., job candidates, employees).

2. Scope and Purpose

BioCareerAI processes Personal Data on behalf of the Controller solely for the following purposes:

  • Providing AI-powered candidate matching and fit scoring services
  • Operating the enterprise hiring platform, including candidate pipeline management
  • Generating workforce analytics, skill gap analysis, and hiring intelligence
  • Facilitating communication between employers and candidates who have applied
  • Maintaining platform security, audit logs, and compliance records

BioCareerAI will not process Personal Data for any purpose other than those specified above or as instructed in writing by the Controller.

3. Controller Obligations

The Controller represents and warrants that:

  • It has a valid legal basis for providing Personal Data to BioCareerAI for processing
  • It has provided all required privacy notices to Data Subjects
  • It has obtained any necessary consents required under applicable law
  • Its instructions to BioCareerAI comply with applicable data protection laws
  • It will notify BioCareerAI promptly of any changes to applicable legal requirements

4. BioCareerAI Obligations

BioCareerAI agrees to:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure authorized personnel are bound by appropriate confidentiality obligations
  • Implement and maintain appropriate technical and organizational security measures (see Section 7)
  • Assist the Controller in responding to Data Subject rights requests
  • Notify the Controller of any Personal Data breach without undue delay and in accordance with applicable legal requirements
  • Delete or return Personal Data upon termination of services, at the Controller's election, subject to backup retention schedules and applicable legal obligations
  • Provide information necessary to demonstrate compliance with this DPA upon written request

5. Data Subject Rights

BioCareerAI will provide reasonable assistance to enable the Controller to fulfill Data Subject rights requests including access, rectification, erasure, portability, restriction, and objection. The Controller is responsible for receiving and directing Data Subject requests. BioCareerAI will respond to requests forwarded by the Controller within 30 days.

6. International Data Transfers

BioCareerAI primarily stores production Personal Data within the United States (AWS us-east-2, Ohio). Certain subprocessors may process data in other jurisdictions as necessary to deliver their services. For transfers from the European Economic Area (EEA) or United Kingdom, BioCareerAI will execute appropriate transfer documentation upon request:

  • EU Standard Contractual Clauses (SCCs) — available upon request
  • UK International Data Transfer Agreement — available upon request

Contact hello@biocareerai.com to execute transfer documentation.

7. Security Measures

Technical Measures

  • Encryption in transit: TLS 1.2+ enforced on all connections (HTTPS)
  • Encryption at rest: AWS RDS encryption enabled with AWS KMS; S3 server-side encryption
  • Database isolation: RDS hosted in a private AWS VPC — no public endpoints
  • Access control: Role-based access; principle of least privilege on all AWS IAM roles
  • Credential security: Symmetric encryption for sensitive stored credentials (e.g., ATS integration keys)
  • Audit logging: AWS CloudTrail enabled with KMS encryption, log file validation, and CloudWatch monitoring
  • Session security: Cryptographically random HttpOnly session tokens with automatic expiry
  • Password storage: bcrypt hashing — plaintext passwords are never stored or logged

Organizational Measures

  • Production system access restricted to authorized personnel only
  • Multi-factor authentication required on all administrative AWS accounts
  • Incident response procedure with 72-hour breach notification commitment
  • Periodic security reviews and vulnerability remediation conducted

8. Sub-Processors

BioCareerAI engages the sub-processors listed in Schedule A below. BioCareerAI will provide advance written notice of any intended changes to sub-processors where required by applicable law. If the Controller objects and BioCareerAI cannot accommodate the objection, the Controller may terminate the affected services without penalty. BioCareerAI imposes data protection obligations on all sub-processors no less protective than those in this DPA.

9. Audit Rights

Upon reasonable written notice (minimum 30 days) and no more than once per calendar year, BioCareerAI will provide information to demonstrate compliance with this DPA, including security documentation and responses to security questionnaires.

10. Data Retention

  • Active subscription: Personal Data retained for the duration of the enterprise subscription
  • Post-termination: Personal Data deleted within 30 days of contract end, subject to backup retention schedules (up to 90 days) and applicable legal obligations
  • Encrypted backups: Retained for up to 90 days, then permanently deleted
  • Written confirmation: Available upon Controller request

11. Liability

Each party's liability under this DPA is subject to the limitations set out in BioCareerAI's Terms of Service. BioCareerAI's aggregate liability under this DPA shall not exceed the fees paid by the Controller in the 12 months preceding the claim.

12. Governing Law

This DPA is governed by the laws of the Commonwealth of Massachusetts, United States. To the extent required by applicable data protection law, EU and UK data protection laws will take precedence with respect to Data Subject rights and lawful processing requirements.

13. Contact

  • General: hello@biocareerai.com
  • Breach notifications: hello@biocareerai.com — subject: DATA BREACH NOTIFICATION
  • DPA execution: hello@biocareerai.com — subject: DPA Execution Request
  • Data deletion: hello@biocareerai.com — subject: Data Deletion Request

Schedule A

Sub-Processors

Last updated: May 2, 2026.

Each entry lists the sub-processor, its purpose, and its location / compliance status.

Amazon Web Services
  • Purpose: Cloud infrastructure, database hosting (RDS — encrypted with KMS), file storage (S3), container orchestration (ECS), audit logging (CloudTrail)
  • Location / Compliance: USA us-east-2 (Ohio). SOC 2 Type II, ISO 27001.

Stripe
  • Purpose: Payment processing and subscription management. Card numbers are never stored by BioCareerAI.
  • Location / Compliance: USA/Global. PCI-DSS Level 1.

Vercel
  • Purpose: Frontend application hosting and global content delivery
  • Location / Compliance: USA/Global. SOC 2 Type II.

Resend
  • Purpose: Transactional email delivery (account confirmations, job alerts, platform notifications)
  • Location / Compliance: USA. GDPR compliant.

OpenAI
  • Purpose: AI processing for resume analysis, skill extraction, embeddings, and career matching. Transmitted over encrypted connections. Processed under applicable enterprise or business data terms where available. Not used for model training.
  • Location / Compliance: USA. Enterprise DPA in place.

Anthropic
  • Purpose: AI processing for enterprise deliverable generation (optional feature). Transmitted over encrypted connections. Not used for model training under the enterprise agreement.
  • Location / Compliance: USA. Enterprise DPA in place.

Schedule B

CCPA Service Provider Addendum

This Addendum applies to Personal Information of California residents. For purposes of the CCPA and CPRA, BioCareerAI is a "Service Provider" and agrees to:

  • Not sell or share Personal Information as defined under CCPA/CPRA
  • Not retain, use, or disclose Personal Information for any commercial purpose other than providing the contracted services
  • Not retain, use, or disclose Personal Information outside the direct business relationship with the Controller
  • Assist the Controller in responding to consumer rights requests, including: right to know, right to delete, right to correct, right to opt-out, and right to limit use of sensitive personal information

Ready to execute this DPA?

Email hello@biocareerai.com with subject "DPA Execution Request". We countersign and return within 5 business days at no charge.

© 2026 BioCareerAI LLC · All rights reserved