Legal
Effective January 1, 2026. This DPA governs how AnyInterview processes personal data on behalf of customers under GDPR, CCPA, and related frameworks.
This DPA applies automatically to Pro and Enterprise customers.
By accepting our Terms of Service, you also accept this DPA. Enterprise customers requiring a countersigned DPA or custom data processing terms should contact legal@anyinterview.to.
This Data Processing Agreement ("DPA") forms part of the agreement between AnyInterview, Inc. ("AnyInterview," "Processor") and the customer entity that has accepted the AnyInterview Terms of Service ("Customer," "Controller"). It applies to the processing of personal data by AnyInterview on behalf of the Customer in connection with the AnyInterview platform and services.
This DPA applies where and to the extent that AnyInterview processes personal data that is subject to the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the CPRA, or other applicable data protection laws.
"Personal Data," "Data Subject," "Processing," "Controller," "Processor," and "Supervisory Authority" have the meanings given to them in the GDPR. "Customer Data" means any personal data that Customer submits to, or that is collected by, the Service on Customer's behalf, including interview participant data, response transcripts, and recordings.
The Customer is the Controller of Customer Data. AnyInterview is a Processor acting on behalf of the Customer. AnyInterview will not process Customer Data for any purpose other than providing and improving the Service as described in these terms and the Privacy Policy, and will not sell Customer Data to any third party.
Where AnyInterview uses sub-processors to provide elements of the Service, AnyInterview acts as Controller with respect to those sub-processors and requires them to maintain equivalent data protection standards.
AnyInterview will process Customer Data only on documented instructions from the Customer, including those set out in the Terms of Service and this DPA, and only to provide the Service. Customer's general instruction is to process Customer Data as necessary to provide, maintain, and support the Service. AnyInterview will promptly inform the Customer if, in its opinion, an instruction infringes applicable data protection law.
AnyInterview will ensure that persons authorized to process Customer Data are bound by appropriate confidentiality obligations. Access to Customer Data is restricted to employees and contractors who need it to perform the Service, and only for that purpose.
AnyInterview implements and maintains appropriate technical and organizational security measures to protect Customer Data against unauthorized access, disclosure, loss, or destruction, including:
AnyInterview will notify Customer without undue delay — and no later than 72 hours after becoming aware — of any confirmed personal data breach affecting Customer Data, as required by Article 33 of the GDPR.
Customer authorizes AnyInterview to engage sub-processors to provide elements of the Service. A current list of sub-processors is maintained at anyinterview.to/subprocessors. AnyInterview will provide at least 30 days' advance notice of any addition or change to sub-processors by updating the subprocessors page and sending email notification to the Customer's registered account email. Customers who object to a new sub-processor may terminate the affected service by providing written notice within 30 days of notification. AnyInterview requires all sub-processors to maintain data protection standards equivalent to those in this DPA.
AnyInterview's primary infrastructure is hosted in the United States. Where Customer Data originating in the European Economic Area (EEA), the United Kingdom, or Switzerland is transferred to the United States or other countries outside the EEA, such transfers are made under the European Commission's Standard Contractual Clauses (SCCs), incorporated by reference into this DPA. Enterprise customers requiring specific data residency (EU-only hosting) may request this feature — contact legal@anyinterview.to for availability.
AnyInterview will, to the extent technically feasible, assist Customer in responding to data subject requests exercised under applicable law (including rights of access, rectification, erasure, restriction, portability, and objection). Customer is responsible for determining whether and how to respond to data subject requests. AnyInterview will forward any data subject requests received directly to Customer within 5 business days.
AnyInterview retains Customer Data for as long as the Customer's account is active and for a reasonable period thereafter to allow for data export. Upon account termination or Customer request, AnyInterview will delete or return Customer Data within 30 days. Residual copies in automated backup systems will be overwritten within 90 days of the deletion date. Certain retention may be required by applicable law, in which case AnyInterview will inform the Customer of the relevant legal requirement.
AnyInterview will make available to Customer all information necessary to demonstrate compliance with this DPA and allow for, and contribute to, audits conducted by the Customer or a mandated auditor. AnyInterview may require reasonable advance notice (not less than 30 days) and a signed confidentiality agreement before audit activities commence. Audits shall not disrupt AnyInterview's operations and shall occur no more than once per year absent a documented compliance concern.
Customers may request a copy of AnyInterview's most recent SOC 2 Type II report as a substitute for a direct audit, subject to NDA.
AnyInterview will assist the Customer, insofar as reasonably possible and taking into account the nature of the processing, in fulfilling the Customer's obligations under Articles 32 to 36 of the GDPR, including data protection impact assessments and prior consultation with supervisory authorities where required. AnyInterview has appointed a Data Protection Officer who can be reached at dpo@anyinterview.to.
To the extent AnyInterview processes personal information covered by the CCPA on behalf of the Customer, AnyInterview acts as a "service provider" and processes such personal information only for the purpose of providing the Service. AnyInterview will not sell or share personal information as defined under the CCPA, retain, use, or disclose personal information for any commercial purpose other than providing the Service, or combine personal information received from the Customer with personal information obtained from other sources for any purpose other than the Service.
In the event of a conflict between this DPA and the Terms of Service with respect to data protection obligations, this DPA will prevail. Enterprise customers with a separately executed and countersigned DPA shall be governed by the terms of that separately executed document.
Data protection inquiries should be directed to dpo@anyinterview.to. Legal requests should be directed to legal@anyinterview.to.
Enterprise customers can request a custom countersigned agreement with specific data residency, retention, and compliance terms.
Book a Demo →