Data Processing Addendum

This Data Processing Addendum ("DPA") supplements the Terms of Service and forms part of the agreement between GoodFit ("Processor") and Customer ("Controller"). It governs how GoodFit processes personal data on behalf of Customer.

1. Scope and roles

Customer is the Controller of personal data processed through the platform. GoodFit is the Processor and acts only on Customer's documented instructions, as set forth in the Terms of Service and this DPA.

2. Categories of data and data subjects

• Data subjects: Customer's employees, authorized users, and candidates invited to assessments
• Categories: identifiers, contact details, employment-related information, assessment responses, interview recordings, proctoring telemetry

3. Sub-processors

Customer authorizes GoodFit to engage the sub-processors listed on this page. We notify Customer of additions at least 30 days in advance and allow objection.

• AWS (hosting, ap-south-1)
• OpenAI / Anthropic / ElevenLabs (AI model APIs)
• Resend (transactional email)
• HubSpot (CRM)
• PostHog (analytics)

4. Security measures

GoodFit implements and maintains the technical and organizational measures described on the Security page.

5. Data subject requests

GoodFit assists Customer in responding to access, correction, deletion, and portability requests from data subjects, at no additional charge for reasonable volumes.

6. International transfers

Where personal data is transferred outside the country of origin, transfers are protected by Standard Contractual Clauses or equivalent safeguards.

7. Breach notification

GoodFit notifies Customer of confirmed personal data breaches within 72 hours.

8. Audits

Customer may audit GoodFit's processing activities once per year with reasonable notice. SOC 2 Type II report available under NDA.

9. Data return and deletion

Upon termination, Customer may export its data for 30 days, after which it is deleted.

10. Contact

For DPA questions or to request a countersigned copy, email legal@goodfit.so.