Data Processing Agreement.

The contractual terms under which Toby processes personal data on behalf of customers. Auto-applies on contract signing under our MSA. This page is the human-readable version; the signed PDF is the operative document.

Effective May 15, 2026 · v1.0
§ 01

Definitions

Controller
The Customer, who determines the purposes and means of processing personal data.
Processor
Knit Cage, LLC, who processes personal data on behalf of the Controller.
Sub-processor
A third party engaged by Toby to assist in processing personal data. The current list is at /sub-processors.
Personal data
Has the meaning given by GDPR Article 4(1) and equivalent terms under CCPA, UK GDPR, and other applicable laws.
Customer Content
Personal data and other content the Customer uploads or generates in Toby.
Subject matter
The processing of Customer Content for the provision of the Toby service as described in the MSA.
Data subjects
The Customer's employees, candidates, contractors, and other individuals whose personal data appears in Customer Content.
Duration
For the term of the MSA plus any post-termination retention period specified in §10 below.
§ 02

Roles + scope

The Customer is the Controller and Toby is the Processor of Customer Content. Toby processes Customer Content solely:

  • To deliver the Toby service to the Customer per the MSA
  • To comply with the Customer's reasonable documented instructions
  • To comply with applicable law (with notice to the Customer where permitted)
  • To provide support, troubleshoot incidents, and maintain security

Toby does not sell, share, retain for its own purposes, or process Customer Content for any purpose other than the above. Toby will not combine Customer Content with personal data from other sources.

§ 03

Customer instructions

The MSA + these DPA terms constitute the Customer's complete and final processing instructions. Any additional instructions must be in writing and agreed by both parties. If Toby believes an instruction violates applicable law, it will inform the Customer.

§ 04

Confidentiality + access controls

Toby ensures that personnel with access to Customer Content:

  • Are bound by written confidentiality obligations
  • Have completed annual security and privacy training
  • Receive only the minimum access necessary to perform their role (least privilege)
  • Use individual, named accounts with MFA enforced
  • Lose access promptly upon role change or termination

§ 05

Security measures

Toby maintains the technical and organizational measures described on the Security page, which include at minimum:

  • AES-256 encryption at rest, TLS 1.3 in transit
  • Three-layer tenant isolation (per-request context, application filter, database RLS)
  • Passwordless authentication with mandatory passkey MFA
  • Tamper-evident append-only audit ledger with SHA-256 chaining
  • Automatic PII redaction before AI inference
  • Annual penetration testing
  • Documented incident response procedures (§07)
  • Regular vulnerability scanning and patching of all infrastructure

Toby will not materially weaken these measures during the contract term.

§ 06

Sub-processors

The Customer authorizes Toby to engage the sub-processors listed at /sub-processors. Toby will:

  • Impose data protection terms on each sub-processor no less protective than this DPA
  • Remain liable for sub-processor performance
  • Provide at least 30 days' advance notice of any new sub-processor
  • Allow the Customer to object on reasonable grounds within the notice period

If the Customer objects and the parties cannot resolve the objection within 30 days, the Customer may terminate the affected portion of the service for convenience without penalty.

§ 07

Incident response + breach notification

Toby will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Content. Notice will include:

  • Description of the nature of the breach
  • Categories and approximate number of data subjects and records concerned
  • Likely consequences
  • Measures taken or proposed to address the breach and mitigate harm
  • Contact point for further information

Toby will reasonably cooperate with the Customer in fulfilling the Customer's breach notification obligations to data subjects and regulators.

§ 08

Data subject rights

Toby provides functionality in the Product to help the Customer respond to data subject requests (access, correction, deletion, portability). Where a data subject contacts Toby directly, Toby will:

  • Refer the data subject to the Customer (the Controller)
  • Promptly notify the Customer of the request
  • Cooperate with the Customer in responding within applicable statutory timelines

§ 09

Audits + certifications

Toby will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, including:

  • Current security posture documentation (on request)
  • SOC 2 Type II report once available (in progress)
  • Penetration test summary (under NDA)
  • Sub-processor list and contractual terms

Customers with regulatory audit obligations may, on 30 days' notice and not more than annually (except in response to a security incident), audit Toby's controls at the Customer's expense, during business hours, and subject to confidentiality and reasonable scoping. Audits will not unreasonably disrupt Toby's operations.

§ 10

Return + deletion of Customer Content

On termination of the MSA, Toby will:

  • Maintain Customer Content available for export for 90 days after termination
  • Delete Customer Content from active systems within 30 days after the 90-day window closes
  • Retain audit logs for the duration of the Customer's configured retention policy (default 7 years) as required for legal hold and regulatory compliance
  • Delete or anonymize all remaining personal data from backups within 90 days of the retention period's end

Toby will, on written request, certify in writing that the above deletion has occurred.

§ 11

International data transfers

Customer Content is stored in the United States by default. For Customers in the EU/EEA/UK/Switzerland:

  • Toby relies on the EU Standard Contractual Clauses (Module Two: Controller to Processor) as the transfer mechanism. The SCCs are incorporated by reference and will be made available on request.
  • The UK International Data Transfer Addendum to the EU SCCs applies for UK Customers.
  • EU data residency is available on Enterprise plans on request.

Toby will not transfer Customer Content to a sub-processor in a country lacking adequate protections without an appropriate transfer mechanism in place.

§ 12

CCPA service-provider terms

For Customers subject to the California Consumer Privacy Act, Toby acts as a "service provider" (as defined in CCPA §1798.140) and:

  • Will not sell or share Customer Content
  • Will not retain, use, or disclose Customer Content for any purpose other than the specific purpose of providing the service to the Customer
  • Will not combine Customer Content with personal data from other sources except as permitted under CCPA §7050(b)
  • Will notify the Customer if Toby determines it can no longer meet its CCPA obligations

§ 13

Annex I — Categories of data

Categories of data subjects

  • Customer's employees (current and former)
  • Customer's candidates and applicants (when ATS integrations are connected)
  • Customer's contractors
  • Witnesses, complainants, and other individuals named in Employee Relations cases
  • Customer's authorized users of the Product

Categories of personal data

  • Identification data (name, work email, employee id, manager, department)
  • Employment data (role, hire/termination dates, compensation as recorded in connected HRIS)
  • Communication content (chat messages with Toby, documents drafted, notes attached to cases)
  • Case data (allegations, evidence references, case status)
  • Authentication metadata (sign-in timestamps, IP for security)

Special categories of personal data

Customer Content may include special categories of personal data (e.g. health data in accommodation cases, religion in religious accommodation, union membership in NLRA matters). Toby processes special-category data only as directed by the Customer for the purpose of providing the service.

Frequency of transfer

Continuous, for the duration of the MSA.

Nature of processing

Storage, retrieval, organization, structuring, search, AI-assisted analysis and drafting, audit logging, export.

§ 14

Annex II — Security measures

The technical and organizational measures referenced in §05 above. Full description on the Security page.

§ 15

Contact

Knit Cage, LLC · Wyoming LLC
30 N Gould St Ste N · Sheridan, WY 82801 · United States

Data Protection Officer: privacy@hiretoby.com
EU Article 27 representative: contact privacy@hiretoby.com for current designation
Legal: legal@hiretoby.com