Legal
Data Processing Addendum
Last Updated: April 28, 2026
Purpose and Roles
This Data Processing Addendum is intended for enterprise customers that require contractual data protection terms. Depending on the configuration, the customer may act as controller, business, or data owner for candidate data, while Bifalabs may act as processor, service provider, or vendor. For Bifalabs-owned accounts and platform operations, Bifalabs may act as an independent controller.
Processing Instructions
Bifalabs will process customer personal data only to provide the Services, comply with documented customer instructions, support security, meet legal obligations, and perform permitted business operations described in the agreement. Bifalabs will notify the customer if it believes an instruction violates applicable law, where legally permitted.
Confidentiality
Bifalabs will ensure that personnel authorized to process customer personal data are subject to confidentiality obligations and receive appropriate access only where needed for operations, support, security, or compliance.
Security Measures
Bifalabs will maintain reasonable technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, disclosure, or destruction. Measures may include encryption in transit, access control, logging, secure cloud storage, least-privilege permissions, vulnerability management, incident response, and vendor controls.
Subprocessors
Bifalabs may engage subprocessors for hosting, storage, analytics, communications, security, identity verification, payments, support, and related services. Bifalabs maintains a current subprocessor list and provides notice of material changes to enterprise customers under the applicable agreement.
Data Subject Requests
Where Bifalabs acts as processor, Bifalabs will reasonably assist the customer with access, correction, deletion, restriction, portability, objection, and other data subject requests to the extent required by law and feasible through the Services.
International Transfers
Where personal data is transferred internationally, Bifalabs will use appropriate safeguards required by applicable data protection law, such as standard contractual clauses or other recognized mechanisms.
Deletion or Return
Upon termination of the Services, Bifalabs will delete or return customer personal data according to the agreement, platform settings, legal obligations, backup cycles, and security requirements.
Audits
Bifalabs may provide security documentation, compliance summaries, audit reports, questionnaires, and other reasonable evidence of controls. On-site audits should be limited, scheduled, confidential, and subject to reasonable scope, security, and frequency limits.
Questions about this policy?