Aster Logo

Data Protection Agreement (DPA)

Effective Date: March 1, 2025

This Data Protection Agreement ("DPA") is incorporated into and forms part of the Terms of Service ("Agreement") between Aster ("Processor") and the Customer ("Controller") who uses Aster's Services.

By using Aster's Services, the Customer agrees to the terms of this DPA.

1. Definitions

  • Personal Data means any information relating to an identified or identifiable individual, including candidate resumes and related profile information.
  • Processing means any operation performed on Personal Data, including collection, storage, use, or deletion.
  • Controller means the Customer who determines the purposes and means of processing Personal Data.
  • Processor means Aster, which processes Personal Data on behalf of the Controller.
  • Subprocessor means a third party engaged by Aster to process Personal Data on its behalf.

2. Scope of Processing

Aster will process Personal Data solely for the purpose of providing the Services, including delivering AI-driven talent insights, recommendations, improving the Services, and supporting customer operations, in accordance with Customer's instructions and applicable data protection laws.

3. Processor Obligations

Aster shall:

  • Implement appropriate technical and organizational measures to protect Personal Data.
  • Ensure personnel authorized to process Personal Data are bound by confidentiality obligations.
  • Assist the Customer, where reasonably possible, with responding to data subject requests (e.g., access, correction, deletion).
  • Notify the Customer without undue delay after becoming aware of a Personal Data breach.

4. Subprocessors

The Customer authorizes Aster to use Subprocessors to assist in providing the Services, such as hosting and analytics providers. Aster will ensure that Subprocessors are bound by obligations that are no less protective than those in this DPA. A current list of Subprocessors is available upon request.

5. Security Measures

Aster implements industry-standard security measures appropriate to the risk, including encryption, access controls, secure hosting environments, and regular system monitoring to protect Personal Data.

6. Data Transfers

If Personal Data is transferred outside the country where it was collected, Aster will ensure that appropriate safeguards are in place, such as Standard Contractual Clauses or other lawful transfer mechanisms.

7. Data Retention and Deletion

Upon termination of the Services, Customer data will be deleted upon written request, unless retention is required by law. Anonymized, non-identifiable data may be retained for service improvement purposes.

8. Liability

Liability for any breaches of this DPA shall be subject to the limitations of liability set forth in the Agreement between the parties.

9. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of California, without regard to conflict of law principles.