DPA — AvatarMatch
Last updated: March 30, 2026
1. Introduction
This Data Processing Agreement ("DPA") is entered into between Reliable Communications s.r.o. ("Data Processor") and the business customer using the Avatar Match platform ("Data Controller").
This DPA forms an integral part of the main service agreement and is drafted in accordance with Article 28 of GDPR (EU Regulation 2016/679).
Data Processor: Reliable Communications s.r.o.
Address: Prokopova 2856/10, 130 00, Prague, Czechia
DPO: dpo@avatarmatch.app
If you use Avatar Match as an individual, this DPA does not apply — your rights are governed by the Privacy Policy.
2. Subject Matter and Purposes
The Processor processes personal data on behalf of the Controller solely to provide Avatar Match platform services, including:
- Creating and managing user accounts
- Psychometric analysis and matching
- Message storage and delivery
- AI processing for avatar creation
- Billing and subscription management
3. Data Subjects and Categories
3.1. Data Subjects
- Controller's employees and users
- Candidates and project participants
3.2. Data Categories
- Identification data (name, email)
- Psychometric data (personality test results)
- Professional data (position, skills)
- Interaction data (messages, simulations)
- Technical data (IP, device)
4. Processor Obligations (Art. 28 GDPR)
Reliable Communications s.r.o. undertakes to:
- Process data only on documented instructions from the Controller
- Ensure confidentiality of personnel with data access
- Implement technical and organizational security measures (Art. 32 GDPR)
- Not engage sub-processors without prior notification to the Controller
- Assist the Controller in fulfilling data subject rights
- Delete or return all data upon service termination
- Provide information for audits and inspections
- Notify the Controller of data security breaches within 24 hours
5. Sub-Processors
Current list of sub-processors:
| Sub-Processor | Country | Purpose |
|---|---|---|
| Google Cloud / Firebase | USA (SCC) | Hosting, database, authentication |
| Stripe, Inc. | USA (SCC) | Payment processing |
| OpenAI, L.P. | USA (SCC) | AI avatar generation |
| Anthropic PBC | USA (SCC) | AI simulations |
| iDenfy | Lithuania (EU) | Identity verification |
All transfers outside the EEA are made under Standard Contractual Clauses (SCC) or other appropriate safeguards per Art. 46 GDPR.
6. Technical and Organizational Measures (TOMs)
- Encryption: TLS 1.3 in transit; AES-256 for sensitive data at rest
- Access control: RBAC, MFA for staff with data access
- Data minimization: Only necessary data is collected
- Logging: Audit logs for all data operations
- Testing: Regular security reviews and penetration testing
- Backup: Daily encrypted backups
7. Data Subject Rights
The Controller is responsible for receiving data subject requests. The Processor assists in fulfilling rights: access, rectification, erasure, portability, restriction, and objection — within 30 days of request.
8. Term and Termination
This DPA is effective for the duration of the main agreement. Upon expiry or termination, the Processor shall within 30 days:
- Delete all Controller's personal data from active systems
- Provide a data export in JSON/CSV format upon request
- Confirm deletion in writing
9. Contact
DPA inquiries: dpo@avatarmatch.app
Custom DPA requests: legal@avatarmatch.app