Data Processing Agreement (DPA)
Effective: May 10, 2026 | Version 1.0
For Agency Customers: This DPA is automatically incorporated into your Agency or Enterprise subscription agreement. Individual (B2C) users are covered by our standard
Privacy Policy and do not need a separate DPA.
1. Definitions
- "Controller" — The Agency/Organization subscribing to MySearchLog services ("you")
- "Processor" — Aelise Intelligence, operating as MySearchLog ("we," "us")
- "Data Subject" — Individuals (clients) whose data is processed through the Service
- "Personal Data" — Any information relating to an identified or identifiable natural person
- "Processing" — Any operation performed on Personal Data
2. Scope of Processing
2.1 Categories of Data Subjects
- Individuals under court-mandated job search requirements
- Probationers and parolees in reentry programs
- SNAP, TANF, and UI benefits recipients with work-search mandates
- Non-custodial parents under family court seek-work orders
- Agency caseworkers and administrators
2.2 Types of Personal Data
| Category | Data Elements | Sensitivity |
|---|
| Identity | Full name, email, phone number | Standard |
| Employment | Work history, skills, certifications, desired titles | Standard |
| Location | City, state, ZIP code | Standard |
| Legal/Court | Case number, probation officer name, court jurisdiction | Sensitive |
| Activity | Job applications, search logs, interview records, time tracking | Standard |
| Evidence | Uploaded documents, screenshots, business cards | Standard |
| Technical | IP address, browser type, access timestamps | Standard |
2.3 Purpose of Processing
We process Personal Data solely to:
- Provide job search compliance tracking and reporting services
- Generate court-ready compliance reports on behalf of the Controller
- Maintain tamper-evident audit trails for evidentiary purposes
- Send notifications and deadline reminders as configured by the Controller
- Provide caseworker dashboards and client monitoring capabilities
3. Processor Obligations
3.1 Lawful Processing
We process Personal Data only on documented instructions from the Controller, unless required by applicable law. If we believe an instruction infringes data protection law, we will promptly inform the Controller.
3.2 Confidentiality
All personnel authorized to process Personal Data are bound by confidentiality obligations. Given the justice-involved nature of many Data Subjects, we apply heightened sensitivity to all data handling.
3.3 Security Measures
| Measure | Implementation |
|---|
| Encryption at rest | SQLite WAL with encrypted backups; planned AES-256 for Phase 2 |
| Encryption in transit | TLS 1.3 enforced on all connections |
| Access control | Role-based (client, caseworker, admin) with bcrypt-hashed credentials |
| Audit logging | All data access and modifications logged with IP, timestamp, user |
| Data integrity | SHA-256 hash chain on all compliance records |
| Backup | Automated daily backups with 30-day retention and rotation |
| Rate limiting | Request-level throttling on all endpoints |
| Vulnerability management | Dependency updates, CSRF protection, security headers |
3.4 Sub-processors
We use the following sub-processors:
| Sub-processor | Purpose | Location |
|---|
| Coolify (self-hosted) | Application hosting | US |
| SMTP provider (configurable) | Email delivery | US/EU (per config) |
| AI provider (optional, configurable) | Resume generation, job matching | US |
We will notify the Controller at least 14 days before engaging a new sub-processor. The Controller may object, in which case we will work to find an alternative or the Controller may terminate the agreement.
3.5 No AI Training
Contractual Guarantee: We do not use any Personal Data processed under this DPA to train, fine-tune, or improve any machine learning or AI model. AI features (if enabled) use one-shot inference only; no data is retained by AI providers beyond the immediate request.
4. Controller Obligations
- Ensure lawful basis for processing (consent, legitimate interest, or legal obligation)
- Provide Data Subjects with appropriate privacy notices
- Respond to Data Subject requests (with our assistance as needed)
- Notify us promptly of any changes to processing instructions
5. Data Subject Rights
We will assist the Controller in responding to Data Subject requests including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to data portability (CSV/PDF export)
- Right to restriction of processing
Response time: within 72 hours of receiving a verified request from the Controller.
6. Data Breach Notification
In the event of a Personal Data breach, we will:
- Notify the Controller without undue delay and no later than 48 hours after becoming aware
- Provide: nature of breach, categories of data affected, approximate number of Data Subjects, consequences, and measures taken
- Cooperate with the Controller's notification obligations to supervisory authorities and Data Subjects
7. Data Retention and Deletion
- Active accounts: Data retained for the duration of the subscription
- Post-termination: Data deleted within 30 days unless Controller requests earlier deletion or extended retention for legal proceedings
- Compliance records: May be retained up to 7 years if required for ongoing legal proceedings (at Controller's documented instruction)
- Backups: Purged within 30 days of account deletion
8. International Transfers
All data is currently processed within the United States. If transfer outside the US becomes necessary, we will implement appropriate safeguards (Standard Contractual Clauses or equivalent) and notify the Controller in advance.
9. Audits
The Controller may audit our compliance with this DPA:
- Once per calendar year (or more frequently if required by a supervisory authority)
- With 30 days' written notice
- During regular business hours
- At the Controller's expense (unless breach is discovered)
We will provide reasonable cooperation and access to relevant documentation, systems, and personnel.
10. Term and Termination
This DPA is effective for the duration of the subscription agreement. Upon termination:
- We will cease processing within 24 hours
- Provide a complete data export to the Controller (within 7 days)
- Delete all Personal Data within 30 days (with written certification)
11. Liability
Each party's liability under this DPA is subject to the limitations set forth in the underlying subscription agreement.
12. Governing Law
This DPA is governed by the laws of the State of California, United States.
13. Contact
Data Protection Officer: [email protected]
General inquiries: [email protected]
← Back to MySearchLog · Terms · Privacy