Data Processing Addendum

Template v1.0 · For counsel review

Effective: 2026-01-01 · Last updated: 2026-05-04

This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("Controller") and Maven, Inc. ("Processor" or "Maven") under which Maven provides its hiring evaluation services (the "Services"). It governs Maven's processing of personal data on Controller's behalf and is entered into pursuant to Article 28 of the EU General Data Protection Regulation ("GDPR") and Article 28 of the UK GDPR, with equivalent provisions for the California Consumer Privacy Act ("CCPA").

1. Definitions

Capitalised terms not defined here have the meaning given in the GDPR. Personal Data means any information relating to an identified or identifiable natural person processed by Maven on behalf of Controller in the course of providing the Services. Sub-processor means any third party engaged by Maven to process Personal Data. Data Subject means a candidate, employer user, or other identifiable individual whose Personal Data is processed.

2. Scope and roles

Controller acts as the data controller and Maven acts as the data processor with respect to all Personal Data processed under the Services. Each party shall comply with its respective obligations under applicable Data Protection Laws.

3. Subject matter, duration, and purpose

Subject matter: processing of candidate and employer personal data to deliver the Services. Duration: for the term of the master agreement plus any applicable retention period. Purpose: evaluation of candidate skills, behavioral analysis of coding sessions, hiring decision support, and related analytics.

4. Categories of Personal Data

  • Identification: name, email address, hashed password, role.
  • Profile: optional resume, headline, bio, avatar, GitHub / LinkedIn / website URLs, skill tags.
  • Submission data: source code, AI conversation transcripts, edit and run telemetry.
  • Behavioral signals: typing cadence, keystroke timing, focus events, derived attention scores (no raw video; see §11).
  • Proctoring events: enumerated event types and bounding-box metadata only.
  • Usage metadata: IP address, browser fingerprint, session timestamps.

5. Categories of Data Subjects

  • Candidates invited to or completing assessments.
  • Employer users with seats on Controller's account.
  • Reviewers and administrators within Controller's organisation.

6. Processor obligations

Maven shall:

  • Process Personal Data only on documented instructions from Controller.
  • Ensure persons authorised to process Personal Data are bound by confidentiality.
  • Implement the technical and organisational measures set out in §10.
  • Engage Sub-processors only in accordance with §8.
  • Assist Controller in responding to Data Subject requests under Articles 12–22.
  • Notify Controller without undue delay (within 72 hours) of any Personal Data Breach.
  • Make available all information necessary to demonstrate compliance with this DPA.

7. Data Subject rights

Maven provides Controller with self-service tooling to fulfil access, rectification, erasure, portability, and restriction requests. Candidates can self-erase their accounts and all associated submission data via the in-product “Delete account” flow. For Controller-initiated requests, Maven will respond within five (5) business days.

8. Sub-processors

Controller authorises Maven to engage the following Sub-processors. Maven will give Controller at least thirty (30) days' prior notice of any change.

Sub-processor | Purpose | Region
Anthropic | LLM inference (analysis, debrief) | US
DeepSeek | LLM inference (interactive copilot) | Singapore
Render | Application + database hosting | US-East
Resend | Transactional email | US
Sentry | Error monitoring | US

9. International transfers

Where Personal Data is transferred outside the EEA, UK, or Switzerland, Maven relies on the European Commission's Standard Contractual Clauses (SCCs, Module Two — Controller to Processor) and, for transfers to the United Kingdom, the UK International Data Transfer Addendum. SCCs are deemed incorporated by reference into this DPA.

10. Technical and organisational measures

  • TLS 1.3 in transit; AES-256 at rest in Postgres and Redis.
  • JWT-based authentication with bcrypt password hashing (cost factor 10).
  • Role-based access control enforced server-side on every request.
  • Per-endpoint rate limiting on authentication, AI, and code-execution paths.
  • Structured logs with mandatory redaction of passwords, tokens, and authorisation headers.
  • Audit log of every blind-review identity reveal with reviewer identifier and timestamp.
  • Daily encrypted backups with 30-day retention.
  • Annual penetration testing and continuous dependency vulnerability scanning.

11. AI-specific provisions

  • Maven calls Anthropic and DeepSeek under their default API terms which prohibit training on customer-submitted data. Every Anthropic request is tagged with a salted, hashed user identifier solely for Trust & Safety scoping; the raw user identifier is never transmitted.
  • Webcam frames are processed in the candidate's browser via MediaPipe. Only derived enum events (e.g. looking-away, multiple-faces) and bounding-box metadata are transmitted to Maven's servers; raw video and raw frames are never collected.
  • Maven does not use Personal Data to train, fine-tune, or evaluate any of its own models.

12. Audits

On reasonable prior notice (at least thirty days), Controller may, at its expense and not more than once per twelve-month period, audit Maven's compliance with this DPA. Maven may satisfy this obligation by providing Controller with then-current third-party attestations (e.g. SOC 2 Type II) and responses to a reasonable security questionnaire.

13. Return and deletion of data

Within thirty (30) days of termination of the master agreement, Maven shall, at Controller's choice, delete or return all Personal Data and delete existing copies, except to the extent applicable law requires otherwise.

14. Liability

Each party's liability arising under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the master agreement.

15. Term and conflict

This DPA takes effect on the Effective Date and continues for the term of the master agreement. In the event of conflict between this DPA and the master agreement with respect to the processing of Personal Data, this DPA prevails.

Need a counter-signed copy?

This template is provided for review by your legal team. To execute a counter-signed version on Maven letterhead with your entity name and effective date, email legal@maven.dev. We typically turn these around in two business days.

This document is not legal advice. Final terms should be reviewed by qualified counsel before execution.