Draft - pending counsel review. This document captures the structure and factual claims of our final legal text. The exact wording will be provided by outside counsel before we accept any paid contract. Questions to legal@metrux.ai.

Data Processing Addendum

Last updated: 2026-04-30

Closed-beta Customers: we provide a signable DPA on request. Email legal@metrux.ai with your company name + signatory contact; we'll return a counter-signable PDF within one business day. The text below summarizes what will be in it so your procurement team can pre-review.

1. Parties

This DPA forms part of the agreement between the Customer (“Controller”) and Metrux AI (“Processor”). It applies whenever we process personal data on the Customer's behalf.

2. Subject matter and duration

Subject matter: the hiring-assessment service described in our Terms. Duration: the term of the underlying contract plus any applicable retention period.

3. Nature and purpose of processing

We process Candidate personal data strictly to operate the assessment platform: delivering invites, running sandboxed sessions, recording prompts/edits/test runs, computing scorecards, and providing them back to the Controller.

4. Categories of data subject

  • Candidates invited by the Customer.
  • Members of the Customer's team (admins, recruiters, viewers).

5. Categories of personal data

  • Identifiers: email, name.
  • Network: IP address, user agent.
  • Session artifacts: prompts, edits, code, terminal output, timing.
  • Scoring: overall score, per-metric breakdown, summary.

6. Instructions

We process personal data only on the Controller's documented instructions, as set out in the Terms and this DPA. We will inform the Controller if we believe an instruction infringes applicable data protection law.

7. Confidentiality

All Metrux personnel with access to Customer personal data are subject to written confidentiality obligations.

8. Security measures

See the Security section of our Privacy Policy for the authoritative list, which separates the controls enforced today from those deployed with the cloud infrastructure baseline. Summary:

  • Customer-supplied API keys are AES-256-GCM wrapped at rest; plaintext is never persisted; every per-session decrypt is audited.
  • Per-tenant isolation at the application and API layers; every cross-tenant operator access is automatically audited.
  • Append-only audit log (database trigger refuses UPDATE + DELETE); retention target 2 years in the primary database, with additional long-term archival deployed as part of our cloud infrastructure baseline.
  • Secret-pattern redaction in both audit rows and application logs.
  • IP-level rate limits and an incident-response blocklist with brute-force auto-detection on invite-token lookups.
  • Responsible-disclosure contact at security.txt.
  • Transport encryption (TLS 1.2+), managed-database encryption at rest, KMS-backed key wrapping, and managed backup retention are deployed with our cloud infrastructure baseline before Customer-facing production traffic.

9. Sub-processors

Current list: /legal/subprocessors. We obtain the Customer's general authorization to engage sub-processors and will notify the Customer at least 30 days before adding or replacing one. The Customer may object on reasonable grounds; if we cannot accommodate the objection, the Customer may terminate the affected service.

10. Data subject requests

Candidates can exercise access and deletion rights directly via the candidate self-serve endpoints (see the Privacy Policy). If a Candidate contacts the Controller with a request, we will assist the Controller in responding within the required timeframe.

11. Breach notification

We will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any confirmed breach of Customer personal data. Notification will include known scope, affected data categories, steps taken, and recommended mitigations.

12. International transfers

Processing occurs in AWS us-east-1 today. For EU/UK personal data, the Standard Contractual Clauses (EU 2021/914; UK IDTA or Addendum) are incorporated by reference with the Controller as data exporter and Metrux as data importer. For Swiss personal data, the FDPA-aligned amendments to the SCCs apply. Transfer Impact Assessment available on request.

13. Audit rights

The Controller may request, once per 12-month period at the Controller's cost, either (a) our current SOC 2 / ISO 27001 report once available, or (b) written responses to a reasonable security questionnaire. On-site audits are by prior written agreement and subject to reasonable scope and confidentiality obligations.

14. Return and deletion on termination

On termination of the Agreement the Controller has 30 days to request an export of its data by emailing legal@metrux.ai; we provide a JSON dump of company-scoped records (assessments, sessions, scorecards, audit events) within 10 business days. Candidates may additionally export their own records at any time via the candidate self-serve endpoint described in the Privacy Policy. After the 30-day window, we delete Customer personal data per the retention policy, except where retention is required by law (e.g. tax records).

15. Liability

Liability under this DPA is subject to the limitations in the underlying Terms of Service, except for liability arising from violations of applicable data protection law, which cannot be excluded or limited beyond what the law permits.

Contact

legal@metrux.ai. Include your company's name and signatory contact to receive a counter-signable PDF.