Data Processing Addendum
Version 1.1 · Effective June 1, 2026
Download or request a signed copy
Self-serve copies below, or email us for a countersigned PDF (within 2 business days).
1. Scope & roles
This Data Processing Addendum ("DPA") supplements the agreement between Vetano, Inc. ("Vetano", "Processor") and the customer ("Controller") whose use of the Vetano Platform involves the processing of personal data subject to the EU GDPR, UK GDPR, the Swiss FADP, and/or US state privacy laws including CCPA/CPRA. For US state laws, Vetano acts as a "service provider" or "processor" and will not "sell" or "share" personal information except as directed by the Controller.
2. Subject matter & duration
Vetano processes personal data on behalf of the Controller for the purpose of providing the Vetano Platform (hiring, candidate verification, video assessments, messaging, analytics, billing) for the duration of the underlying agreement, plus any retention period required by law.
3. Categories of data subjects & data
- Data subjects: Controller's employees, candidates, job applicants, and end users.
- Personal data: contact details, employment history, skills, profile photos, skill demonstration videos and audio, identity verification artifacts, device and usage data, billing data.
- Special categories: biometric identifiers contained in voluntarily uploaded videos/audio; processed only with appropriate legal basis or consent.
4. Processor obligations
- Process personal data only on documented Controller instructions.
- Ensure persons authorized to process the data are bound by confidentiality.
- Implement appropriate technical and organizational measures (see Annex II).
- Assist the Controller with data subject requests and DPIAs.
- Notify the Controller without undue delay (and within 72 hours of confirmation) of any personal data breach.
- At the Controller's choice, delete or return all personal data at the end of the service.
- Make available all information necessary to demonstrate compliance and allow for audits.
5. Sub-processors
The Controller provides general authorization for Vetano to engage sub-processors. The current list is maintained at /legal/subprocessors. Vetano will provide at least 30 days' notice of any intended changes via email or in-product notice, giving the Controller the opportunity to object on reasonable data-protection grounds.
6. International transfers
Where personal data is transferred outside the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Commission Decision 2021/914), Module 2 (Controller-to-Processor), with the UK International Data Transfer Addendum and the Swiss FDPIC addendum where applicable. Vetano will implement supplementary measures (encryption in transit and at rest, access controls, transparency reporting) consistent with EDPB recommendations.
7. Security (Annex II)
Vetano maintains the technical and organizational measures described at /security, including encryption in transit (TLS 1.2+) and at rest (AES-256), least-privilege role-based access, MFA for administrators, immutable audit logging, automated backups with point-in-time recovery, and vulnerability management aligned with the ISO 27001 control framework.
8. Audits
Vetano will provide third-party attestations and reports (e.g., SOC 2 Type II once issued, ISO 27001 certificates of underlying infrastructure providers, penetration test summaries) on request and under NDA. On-site audits may be conducted no more than once per year on 60 days' notice during business hours, at the Controller's expense, subject to confidentiality.
9. CCPA / CPRA terms
For California personal information, Vetano acts as a "service provider" and shall not (a) sell or share the personal information; (b) retain, use, or disclose it outside the direct business relationship; or (c) combine it with personal information received from other sources, except as permitted by the CPRA. Vetano certifies it understands and will comply with these restrictions.
10. Liability & order of precedence
Liability under this DPA is subject to the limitations set out in the underlying agreement. In the event of conflict between this DPA and the underlying agreement on data protection matters, this DPA controls.
11. Contact
Privacy & DPA inquiries: privacy@vetano.com. Security incidents: security@vetano.com.
Change log
What changed between releases and the date each version took effect.
- Version 1.1 · Effective June 1, 2026
CCPA service-provider clarifications and a transparent change-management workflow.
- Added CCPA/CPRA service-provider terms (no sale, no share, no combining) in Section 9.
- Set a 30-day notice window for sub-processor changes with a right to object.
- Added downloadable HTML and PDF copies of the DPA for self-serve procurement.
- Clarified breach notification: within 72 hours of confirmation.
- Version 1.0 · Effective May 31, 2026
Initial DPA published.
- Established GDPR Article 28 processor obligations.
- Incorporated EU Standard Contractual Clauses Module 2 (Controller-to-Processor).
- Added UK International Data Transfer Addendum and Swiss FDPIC addendum.
- Published Annex II technical and organizational measures (TOMs).