Data processing agreement
For institutions or employers licensing PhdFit for their applicants. Last updated April 24, 2026.
Scope
This agreement applies when PhdFit processes personal data on behalf of an institution, employer, or program (the “customer”) who licenses the service for a cohort of applicants. For individual accounts, the privacy policy governs.
Role of the parties
The customer is the data controller. PhdFit is the data processor, acting on the customer's documented instructions. We do not process applicant data for any purpose outside running the service.
Subprocessors
Supabase (EU or US region, customer choice), Anthropic, OpenAI, and Zhipu. A full, current list is maintained and available on request. We will give the customer at least 30 days' notice before onboarding a new subprocessor that touches applicant content.
Security measures
- All data in transit is encrypted with TLS 1.2+.
- Postgres data at rest is AES-256 encrypted.
- Row-level security isolates every applicant's data by user ID.
- Backups are encrypted and retained for 30 days; older backups are destroyed on schedule.
- Two-factor authentication is available on every account.
Requesting a signed DPA
Email hello@phdfit.com from the customer's legal or procurement contact and we will send a counter-signed copy within five business days.