Data Processing Agreement (DPA)
Effective Date: February 16, 2026
Last Updated: February 16, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Customer") and Anesthesio ("Processor" or "Anesthesio") for enterprise/B2B use of the Services. This DPA applies when Anesthesio processes personal data on behalf of Customer.
1. Definitions
Terms such as "personal data," "processing," "controller," "processor," "data subject," and "supervisory authority" have the meanings provided under applicable data protection laws, including GDPR where relevant.
2. Roles and Processing Scope
For Customer Personal Data processed through the Services, Customer acts as Controller (or Business), and Anesthesio acts as Processor (or Service Provider), unless otherwise agreed in writing.
Anesthesio will process Customer Personal Data only on documented instructions from Customer, including instructions provided through product configuration and normal service use.
3. Processing Details
- Subject matter: provision of recruiting marketplace and related platform services.
- Duration: for the term of the parties' services agreement and any permitted post-termination retention period.
- Nature and purpose: hosting, storage, organization, transmission, search, analytics, support, and security operations.
- Categories of data subjects: Customer personnel, recruiters, candidates, and end users whose data is submitted to the Services by or on behalf of Customer.
- Categories of personal data: identifiers, contact information, professional profile and job-related details, usage metadata, and communications content submitted to the Services.
4. Confidentiality
Anesthesio ensures that persons authorized to process Customer Personal Data are bound by confidentiality obligations and receive appropriate privacy and security guidance.
5. Security Measures
Anesthesio implements appropriate technical and organizational safeguards, including measures designed to:
- Protect confidentiality, integrity, and availability of Customer Personal Data;
- Restrict access to authorized personnel based on role and business need;
- Use encryption in transit and other reasonable protections at rest where applicable;
- Maintain logging, monitoring, and incident response processes; and
- Support secure development and change management practices.
6. Sub-processors
Customer authorizes Anesthesio to engage sub-processors necessary to operate the Services, including:
- Supabase / AWS (infrastructure, database, authentication, storage);
- Stripe (payment processing and billing support);
- PostHog (analytics);
- Sentry (error monitoring and diagnostics); and
- Resend (transactional email delivery).
Anesthesio will impose data protection obligations on sub-processors that are substantially equivalent to those set out in this DPA.
7. International Data Transfers
To the extent Customer Personal Data is transferred internationally, Anesthesio will implement appropriate transfer safeguards required under applicable law, which may include Standard Contractual Clauses or equivalent mechanisms.
8. Assistance with Data Subject Requests
Taking into account the nature of processing, Anesthesio will provide reasonable assistance to help Customer respond to lawful requests from data subjects (e.g., access, correction, deletion, restriction, portability, and objection), to the extent required by law.
9. Security Incident Notification
Anesthesio will notify Customer without undue delay after becoming aware of a confirmed security incident involving Customer Personal Data and will provide available information reasonably required to support Customer's investigation and notification obligations.
10. Audits and Information Rights
Upon reasonable written request, and subject to confidentiality and security restrictions, Anesthesio will provide information reasonably necessary to demonstrate compliance with this DPA. Where required by law and agreed by the parties, Customer may conduct a reasonable audit no more than once annually, at Customer's expense, without disrupting operations.
11. Return and Deletion
Upon termination or expiration of the underlying services agreement, Anesthesio will, at Customer's election and subject to legal obligations, delete or return Customer Personal Data within a commercially reasonable timeframe.
12. Order of Precedence
If there is a conflict between this DPA and the underlying services agreement regarding personal data processing obligations, this DPA will control to the extent of that conflict.
13. Contact
For privacy, security, or DPA-related requests, contact [email protected].