Data Processing Addendum

LAST REVISION: Feb 2026

This Data Processing Agreement ("DPA") is incorporated into and forms part of the Terms of Use ("Agreement") between Invisible and Customer.

1. Definitions

1.1. "Customer Data" means any personal data that Customer or its authorized users submit to the Services, including Candidate data.

1.2. "Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR, CCPA/CPRA, and state biometric privacy laws (BIPA, CUBI, RCW 19.375).

1.3. "Sub-processor" means any third party engaged by Invisible to process Customer Data.

2. Roles and Scope

2.1. Customer as Controller. Customer is the controller of Customer Data. Invisible processes Customer Data as a processor on Customer's behalf.

2.2. Processing Scope. Invisible will process Customer Data solely to provide the Services, including:

  • Assessment delivery and scoring
  • Proctoring and session integrity monitoring (including facial detection/comparison where enabled)
  • Video response evaluation
  • AI-assisted assessment features

3. Customer Obligations

3.1. Lawful Basis. Customer is responsible for ensuring it has a lawful basis for processing Customer Data, including obtaining all required consents from Candidates.

3.2. Biometric Consent. Where Customer enables features involving facial image processing, Customer shall obtain all consents required under applicable biometric privacy laws, including written consent where required by BIPA, CUBI, or similar laws.

3.3. Notice. Customer shall provide Candidates with notice of data processing practices, including disclosure that third-party AI providers may process assessment data.

4. WeCP Obligations

4.1. Processing Instructions. Invisible will process Customer Data only in accordance with Customer's documented instructions, unless required by law.

4.2. Confidentiality. Invisible personnel authorized to process Customer Data are bound by confidentiality obligations.

4.3. Security. Invisible will implement appropriate technical and organizational measures to protect Customer Data, as described in Invisible's Technical Organizational Measures.

4.4. Assistance. Invisible will reasonably assist Customer in responding to data subject requests and fulfilling Customer's obligations under Data Protection Laws.

5. Sub-processors

5.1. Authorized Sub-processors. Customer authorizes Invisible to engage the Sub-processors listed in Annex A. Invisible will maintain an up-to-date list of Sub-processors, available upon request.

5.2. New Sub-processors. Invisible will notify Customer of new Sub-processors within a reasonable time period. Customer may object in writing; if the parties cannot resolve the objection, Customer may terminate the affected Services without penalty to either Party.

5.3. Sub-processor Agreements. Invisible will ensure Sub-processors are bound by data protection obligations no less protective than this DPA.

5.4. Non-Enterprise AI Providers. Customer acknowledges that certain Sub-processors (identified in Annex A) operate under standard terms of service rather than negotiated enterprise agreements. These providers may retain data for limited periods as part of service operations. Invisible is working to transition to enterprise agreements where available.

6. Data Transfers

6.1. Transfer Mechanisms.

Where Customer Data is transferred outside the EEA/UK to a country not subject to an adequacy decision, the parties agree that the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference and apply as follows:

6.1.1. Module Two (Controller to Processor) applies where Customer is a controller and Invisible is a processor.

6.1.2. For the purposes of Clause 9(a), Option 2 (general written authorization) applies, and the time period for prior notice of Sub-processor changes is 14 days.

6.1.3. For the purposes of Clause 11, the optional language (independent dispute resolution body) is not included.

6.1.4. For the purposes of Clause 17, Option 1 applies, and the SCCs are governed by the law of Ireland.

6.1.5. For the purposes of Clause 18(b), disputes shall be resolved by the courts of Ireland.

6.1.6. Annex I (List of Parties, Description of Transfer) is deemed completed with the information in this DPA and Annex B.

6.1.7. Annex II (Technical and Organizational Measures) is satisfied by Invisible's Technical Organizational Measures, available upon request.

6.2. UK Transfers.

For transfers of Customer Data from the United Kingdom, the UK Addendum to the EU SCCs (International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as issued by the UK Information Commissioner's Office under S119A(1) of the Data Protection Act 2018) is incorporated by reference. The information required by Table 1 of the UK Addendum is set forth in this DPA and Annex B. For the purposes of Table 4 of the UK Addendum, neither party may end the UK Addendum in accordance with Section 19 of the UK Addendum.

6.3. Swiss Transfers.

For transfers of Customer Data from Switzerland, the EU SCCs as incorporated in Section 6.1 apply with the following modifications:

  • References to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss Federal Act on Data Protection ("FADP").
  • References to "EU," "Union," and "Member State" shall not be interpreted in a way that excludes data subjects in Switzerland from exercising their rights.
  • References to the "competent supervisory authority" and "competent courts" shall mean the Swiss Federal Data Protection and Information Commissioner and the competent courts in Switzerland, respectively.
  • The term "Member State" shall not be interpreted to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland).

6.4. Copies.

The SCCs, UK Addendum, and any applicable transfer mechanism documentation are available at the Trust Center (https://trust.wecreateproblems.com) or upon request.

7. Data Retention and Deletion

7.1. Retention. Invisible will retain Customer Data for the duration of the Agreement and as specified in the Data Archiving Policy.

7.2. Deletion. Upon termination or Customer's written request, Invisible will delete or return Customer Data within 30 days, except where retention is required by law.

7.3. Transient Processing. Certain data (including facial detection outputs and biometric analysis results) is processed transiently during assessment sessions and is not written to persistent storage.

8. Security Incidents

8.1. Notification. Invisible will notify Customer without undue delay (and in any event within 72 hours) upon becoming aware of a security incident affecting Customer Data.

8.2. Cooperation. Invisible will provide reasonable cooperation and information to assist Customer in meeting its breach notification obligations.

9. Audit Rights

Upon reasonable notice and no more than once per year, Customer may request information or conduct an audit to verify Invisible's compliance with this DPA. Invisible may satisfy this obligation by providing third-party audit reports (SOC 2, ISO 27001) or completing Customer's security questionnaire.

10. Liability

Liability under this DPA is subject to the limitations set forth in the Agreement.

ANNEX A: SUB-PROCESSORS

Link - https://trust.wecreateproblems.com/subprocessors

ANNEX B: PROCESSING DETAILS