Terms of Service

By accessing or using the Grapphen website (www.grapphen.com) or the Grapphen AI-powered Applicant Tracking System and related services (collectively, the "Services"), you agree to be bound by these Terms of Service ("Terms") and our Privacy Policy, which is incorporated herein by reference.

If you are entering into these Terms on behalf of a company or other legal entity ("Organisation"), you represent that you have authority to bind that Organisation. In that case, "you" and "your" refer to that Organisation.

These Terms were last updated on April 9, 2026. We reserve the right to modify these Terms at any time. Material changes will be communicated with at least 30 days' notice.

To use the Services, you must:

• Be at least 18 years of age (or the age of majority in your jurisdiction).
• Have the legal capacity to form a binding contract in your jurisdiction.
• Not be prohibited from using the Services under the laws of the United States, the EU, or any other applicable jurisdiction.
• Not be on any US government prohibited-parties lists (e.g., OFAC SDN list).

The Services are not intended for personal, family, or household purposes. They are designed for legitimate business use in recruitment and human resources functions.

• Account Creation: You must provide accurate, current, and complete registration information. You agree to keep this information updated.
• Credentials: You are responsible for maintaining the confidentiality of your login credentials. Notify us immediately at legal@grapphen.com of any unauthorised access.
• Multi-Factor Authentication: We strongly recommend enabling MFA. We may require MFA for certain account actions or subscription tiers.
• Account Sharing: Credentials are personal and may not be shared. Seat licenses apply to named users. Concurrent or shared usage may result in suspension.
• Suspension: We may suspend or terminate accounts that violate these Terms, are used fraudulently, or pose a security risk.

Grapphen provides a cloud-based SaaS platform for recruitment and talent acquisition, including:

• Applicant Tracking System (ATS) with pipeline management
• AI-powered resume/CV parsing, candidate scoring, and job matching
• Video interview recording and AI analysis capabilities
• Candidate sourcing and outreach tools
• CRM and client portal functionality
• Messaging and communication integrations
• Analytics and reporting dashboards
• API access for third-party integrations

Grapphen reserves the right to modify, enhance, or discontinue any feature with reasonable notice. We do not warrant that the Services will be error-free or uninterrupted. Our target uptime is 99.9%, as specified in our Service Level Agreement (SLA) available to enterprise customers.

Roles and Responsibilities

• Customer as Data Controller: When you use Grapphen to process personal data of candidates, employees, or other individuals in the EEA/UK, you are the Data Controller responsible for ensuring a lawful basis for that processing.
• Grapphen as Data Processor: Grapphen processes personal data only on your documented instructions, as set out in our Data Processing Agreement (DPA).

Data Processing Agreement (DPA)

Our DPA, which forms part of these Terms, governs the processing of personal data subject to GDPR (EU) 2016/679 or the UK Data Protection Act 2018. The DPA includes:

• Subject matter, nature, purpose, and duration of processing
• Categories of data subjects and types of personal data processed
• Customer's obligations as Data Controller and Grapphen's obligations as Data Processor
• Sub-processor list and notification obligations
• Standard Contractual Clauses (SCCs) for international data transfers
• Security measures and breach notification procedures
• Data subject rights fulfilment assistance

Enterprise customers automatically receive our DPA as part of their subscription agreement. All other customers may request the full DPA from privacy@grapphen.com.

Your Obligations as Data Controller

• Ensure you have a lawful basis (GDPR Art. 6 / Art. 9) for processing each category of candidate data.
• Provide candidates with required privacy notices/DPIA information before processing begins.
• Comply with all applicable data protection laws for the jurisdictions in which you recruit.
• Implement appropriate data minimisation — only upload data necessary for the recruitment purpose.
• Ensure candidate data is accurate and kept for no longer than necessary.
• Not use the Platform to collect or process special categories of personal data (GDPR Art. 9) without explicit candidate consent and an appropriate legal basis.

For the purposes of the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), Grapphen acts as a "Service Provider" when processing California residents' personal information on behalf of our business customers (who are "Businesses" under CCPA).

In this capacity, Grapphen:

• Processes personal information only for the business purpose of providing the Services and as permitted by the CCPA Service Provider exception.
• Does not sell or share California personal information, or use it for any purpose other than performing the contracted services.
• Does not retain, use, or disclose personal information outside the direct business relationship.
• Assists Customers in fulfilling California consumer rights requests (deletion, access, correction, opt-out) within the timeframes required by law.
• Maintains a Data Processing Addendum meeting CCPA § 1798.100(d) requirements, available upon request.

Customer Obligations: Customers who are "Businesses" under CCPA are responsible for: providing required notices at point of collection; maintaining valid service provider contracts; not directing Grapphen to process data in ways that would violate CCPA; and responding to verified consumer requests within statutory timelines.

Grapphen maintains industry-standard security controls aligned with:

Customer Security Responsibilities: Customers are responsible for configuring their account security settings appropriately (including enabling MFA), managing user access permissions within their tenant, and promptly reporting any suspected security incidents to security@grapphen.com.

Nature of AI Features

• Grapphen's AI features generate recommendations, scores, and insights from candidate data to help recruiters prioritise and evaluate applications more efficiently.
• AI outputs are probabilistic and should be used as one input among many in the recruitment process.
• Grapphen does not guarantee that AI recommendations will result in successful hires or absence of any bias.

EU AI Act — High-Risk AI System Obligations

AI systems used in employment contexts are classified as High-Risk under Annex III of the EU AI Act (Regulation (EU) 2024/1689). The following obligations apply:

Customer Obligations as AI Deployer

Under the EU AI Act, Customers deploying Grapphen's high-risk AI systems within the EU are considered "deployers" and must:

• Use the AI system only in accordance with Grapphen's instructions and the intended purpose.
• Assign human oversight to qualified personnel with necessary authority and competence.
• Implement provided monitoring and human oversight measures.
• Inform and consult with workers' representatives (where applicable) before deployment.
• Register as a deployer in the applicable EU national authority's database if required.
• Report serious incidents or malfunctions to Grapphen promptly.

Grapphen does not guarantee compliance with laws that apply specifically to Customers in their capacity as employers, including the EU AI Act's deployer obligations, employment discrimination laws, or sector-specific regulations.

Customer Obligations (Employers/Employment Agencies under LLC 144):

• Commission and publish an independent bias audit of the AI employment decision tool(s) at least annually, covering sex, race, and ethnicity impact analysis.
• Post audit results on your website before using the tool, including the date of the audit and the tool's distribution date.
• Provide plain-language notice to NYC-based candidates and employees at least 10 business days before the tool is used, including information about how to request an alternative selection process.
• Provide a reasonable alternative selection process or accommodation to candidates who request one.

Grapphen's Support: We assist compliance by:

• Conducting and providing results of annual independent bias audits of our AI screening systems.
• Providing documented descriptions of tool characteristics, job qualifications evaluated, and data used.
• Supplying templated candidate notice language for clients to include in job postings or application workflows.
• Supporting alternative (non-AI) review workflows within the Platform.

Customers remain the primary responsible party under NYC Local Law 144. Failure to comply with the law is the Customer's responsibility as the employer or employment agency covered by the ordinance.

Under 820 ILCS 42/ (Illinois AIVIA), Customers using AI to analyse video interviews of Illinois job applicants must:

• Consent Capture: Collect prior written consent from each applicant before requiring or administering a video interview where AI analysis will be used. Grapphen provides in-platform consent capture workflows; Customers must activate and configure them.
• Disclosure: Inform applicants before the interview that AI will be used, and explain the general types of characteristics AI will evaluate.
• No Third-Party Sharing: Not share the video or AI analysis with any third party other than entities whose technology is necessary to administer the interview. Customers must not share recordings outside of authorised workflows.
• Deletion: Delete all video interviews and AI analysis data for Illinois applicants within 30 days of an applicant's written request.
• Retention Limit: Retain video interview recordings no longer than necessary, and not beyond 1 year from the date of the interview.

Grapphen processes video interview data as a service provider. Customers are the covered "employer" under AIVIA and are solely responsible for compliance with consent and disclosure requirements. Grapphen will support deletion requests forwarded by Customers within 7 business days.

Grapphen is committed to supporting Customer compliance with federal civil rights and anti-discrimination laws enforced by the Equal Employment Opportunity Commission (EEOC), including:

• Title VII of the Civil Rights Act of 1964 (race, colour, national origin, sex, religion)
• Age Discrimination in Employment Act (ADEA — age 40+)
• Americans with Disabilities Act (ADA — disability)
• Genetic Information Nondiscrimination Act (GINA)
• Equal Pay Act (EPA)
• Pregnancy Discrimination Act (PDA)

Platform Design for Non-Discrimination

• Grapphen AI models are trained to make recommendations based on job-relevant qualifications, not protected characteristics.
• We conduct regular bias testing and adverse impact analysis on our models.
• Our platform generates no fields that prompt collection of protected class data (race, religion, disability) unless the Customer explicitly enables EEOC-compliant voluntary self-identification for post-offer/post-hire data collection.

Customer Obligations

• Customers must not configure the Platform to screen, filter, or score candidates based on protected characteristics.
• Customers must maintain records sufficient to demonstrate equal employment opportunity compliance, including application records for the EEOC-mandated retention period.
• Customers bear all employer-of-record obligations under EEOC-enforced statutes.

Grapphen is a technology provider, not an employer of the candidates processed through the Platform. All employment law obligations arising from hiring decisions rest with the Customer.

Grapphen provides features to support Customers who are federal contractors with compliance under Executive Order 11246, the Rehabilitation Act (Section 503), and the Vietnam Era Veterans' Readjustment Assistance Act (VEVRAA):

• Internet Applicant Tracking: Our Platform tracks and documents "Internet Applicants" consistent with 41 CFR Part 60-1.3 — including: expressions of interest, disposition codes, basic qualifications screening outcomes, and records of every individual who applied.
• Record Retention: Application and personnel selection records are retained for a minimum of 2 years (or 4 years for contractors with 150+ employees or contracts ≥$150,000).
• Voluntary Self-Identification: Optional fields for voluntary disclosure of veteran status (VEVRAA) and disability status (Section 503) are available, with proper separation from selection workflows.
• Adverse Impact Reporting: Data exports support calculation of selection rates by race, sex, and protected veteran/disability status for AAP purposes.
• Audit Support: Customers can export structured data packages to respond to OFCCP compliance evaluations.

Customers who are federal contractors are solely responsible for preparing and implementing their Affirmative Action Plans (AAPs) and for ensuring their use of Grapphen does not violate OFCCP requirements. Grapphen recommends consulting a qualified employment attorney for AAP implementation.

Grapphen integrates with third-party background check providers that may provide "consumer reports" as defined under the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq.

Grapphen's Role

Grapphen is not a Consumer Reporting Agency (CRA) under FCRA. Our AI-generated candidate scores and assessments are not "consumer reports" because they are derived solely from data provided by the candidate or the Customer. Grapphen acts as a technology conduit when integrating third-party CRA services.

Customer Obligations as FCRA "Users"

• Permissible Purpose: Only obtain consumer reports for purposes permissible under FCRA § 604 (e.g., employment screening).
• Standalone Disclosure: Before procuring a consumer report, provide the applicant with a clear, standalone written disclosure that a report may be obtained, and obtain written authorisation.
• Pre-Adverse Action: Before taking any adverse action (e.g., not hiring, withdrawing an offer) based on a consumer report, provide the individual with: (a) a copy of the report, and (b) a copy of the Summary of Rights under FCRA. Allow a reasonable period (at least 5 business days is recommended) for the individual to dispute the information.
• Adverse Action Notice: After taking adverse action, provide the individual with an adverse action notice as required under FCRA § 615.
• Dispute Handling: Direct candidates to the applicable CRA for disputes regarding the accuracy or completeness of information in a consumer report.
• Record Keeping: Maintain records of consumer report use and related employment decisions for at least 5 years.

Customers bear all FCRA compliance obligations as "users" of consumer reports. Grapphen is not responsible for Customers' FCRA compliance and recommends consulting legal counsel before implementing background check processes.

Grapphen's Accessibility Commitments

• Our website and Platform target WCAG 2.1 Level AA conformance.
• We conduct periodic accessibility audits and remediation.
• We accept and act on accessibility feedback and accommodation requests promptly.
• New features are subject to accessibility review before deployment.

Customer Obligations

• Customers must ensure that their use of Grapphen-powered job application portals does not create accessibility barriers for applicants with disabilities protected under the ADA or equivalent state/local laws.
• Customers who customise the candidate-facing application portal are responsible for maintaining accessibility of custom content.
• Customers must not use methods of candidate assessment that unlawfully screen out qualified individuals with disabilities.
• Customers must provide reasonable accommodations in the application process, including alternative formats and processes, upon request.

To report an accessibility issue with our website or Platform, contact accessibility@grapphen.com.

Grapphen's Own Communications

All commercial email and SMS communications from Grapphen comply with applicable anti-spam and telecommunications laws:

• CAN-SPAM (US): Accurate sender identification, honest subject lines, physical postal address in every email, clear unsubscribe mechanism, opt-outs honoured within 10 business days.
• CASL (Canada): Commercial electronic messages sent only with express or implied consent; opt-out mechanisms in every message; consent records maintained.
• TCPA (US): SMS messages sent only with prior express written consent; opt-out via STOP; autodialer / pre-recorded calls only with required consent.

Customer Use of Communication Features

When Customers use Grapphen's built-in messaging, email automation, or SMS features to communicate with candidates:

• Customers are the sender of record and bear full responsibility for compliance with CAN-SPAM, CASL, TCPA, and any other applicable communications laws.
• Customers must ensure they have obtained required consents before sending marketing or unsolicited commercial messages to candidates.
• Customers must not use Grapphen to send spam, harassing, discriminatory, or unlawful messages.
• Customers must honour opt-out / unsubscribe requests in their messaging campaigns within the statutory timeframe.
• Grapphen reserves the right to suspend messaging features for any Customer whose conduct risks the deliverability or reputation of our platform.

Data retention is governed by our Privacy Policy and applicable law. Key terms:

• Customer Data During Subscription: Customer Data is retained and accessible for the duration of the active Subscription Term.
• Post-Termination Export: For 60 days following expiration or termination of a subscription, Customers may request a full export of their data in machine-readable format.
• Post-Export Deletion: Following the 60-day export window (or upon confirmed export and Customer request), Grapphen will securely delete Customer Data from production systems within 30 days. Backups may retain data for up to an additional 90 days before routine overwriting.
• Legal Hold: We may retain certain data beyond these periods if required by applicable law, a regulatory order, or legitimate legal proceedings.
• EEOC / OFCCP Minimum Retention: Application and selection records are retained for a minimum of 2 years (or 4 years where applicable under 41 CFR 60) even if Customer deletes their account, as required by federal law.
• FCRA Records: Records related to consumer report use in employment decisions are retained for a minimum of 5 years.
• Illinois AIVIA: Video interview recordings for Illinois applicants are retained for the shorter of the Customer's stated retention period or 1 year, and deleted within 30 days of a valid applicant deletion request.

Grapphen IP: The Platform, its source code, user interface, AI models, trademarks, logos, documentation, and all related technology are the exclusive intellectual property of Grapphen, Inc. and its licensors. No rights are granted to you other than the limited licence to use the Services during your Subscription Term.

Customer Data: All Customer Data and content you upload to the Platform remains your property. You grant Grapphen a limited, non-exclusive, royalty-free licence to process Customer Data solely to provide and improve the Services.

Feedback: Any feedback, suggestions, or ideas you provide about the Services may be used by Grapphen without obligation or compensation to you.

AI Model Training: Grapphen may use anonymised and aggregated information derived from Customer Data to train and improve AI models, provided that such data is anonymised and cannot be re-identified. Individual Customer Data is never used to train models that are shared with other customers without express consent.

You agree not to use the Services to:

• Violate any applicable law, regulation, or these Terms
• Discriminate against candidates on the basis of any protected characteristic under applicable law
• Circumvent or override AI fairness controls, bias detection, or human oversight features
• Process personal data in ways not permitted by the applicable Data Processing Agreement
• Attempt to reverse-engineer, decompile, or disassemble the Platform or AI models
• Conduct penetration testing or security scanning without prior written consent from Grapphen
• Upload malware, viruses, or malicious code
• Engage in scraping, data mining, or automated data extraction beyond API rate limits
• Share access to the Platform with competitors of Grapphen for the purpose of competitive analysis
• Resell, sublicense, or otherwise transfer your subscription without written consent
• Interfere with the Platform's infrastructure, servers, or other customers' use of the Services
• Send spam, phishing messages, or unlawful communications via Grapphen's messaging features

• Fees: Subscription fees are as specified in your Order Form or our published pricing page. All fees are non-refundable unless otherwise stated.
• Billing Cycle: Fees are billed in advance on a monthly or annual basis depending on your plan selection.
• Auto-Renewal: Subscriptions auto-renew at the end of each billing period unless cancelled at least 30 days before the renewal date.
• Price Changes: We will provide at least 60 days' written notice before increasing subscription fees, effective at next renewal.
• Late Payment: Overdue balances accrue interest at 1.5% per month (or the maximum permitted by law). We may suspend access for accounts 30+ days overdue.
• Taxes: Fees are exclusive of taxes. You are responsible for all applicable taxes, including VAT, GST, or sales tax, unless Grapphen is required to collect them.
• PCI Compliance: Payment card data is processed by PCI-DSS-compliant payment processors. Grapphen does not store raw payment card numbers.

• By You: You may cancel your subscription at any time through account settings or by contacting legal@grapphen.com. Cancellation takes effect at the end of the current billing period. No prorated refunds.
• By Grapphen: We may terminate or suspend your account immediately for: material breach of these Terms (including prohibited conduct), non-payment, or if required by law.
• Effect of Termination: Upon termination, your right to access the Services ceases. You have 60 days to export your data before it is deleted pursuant to Section 17.
• Survival: Sections relating to intellectual property, limitation of liability, indemnification, dispute resolution, governing law, and any section expressly stated to survive will remain in effect after termination.

To the maximum extent permitted by applicable law, Grapphen disclaims all warranties, including without limitation:

• Implied warranties of merchantability, fitness for a particular purpose, and non-infringement
• That the Services will be uninterrupted, error-free, or completely secure
• That AI recommendations will be accurate, unbiased, or result in successful hires
• That the Platform will meet your specific compliance requirements without your own legal review
• That any information provided through the Platform constitutes legal, employment, or compliance advice

Nothing in these Terms excludes or limits warranties that cannot be excluded under applicable consumer protection law.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW:

• Exclusion of Consequential Damages: IN NO EVENT SHALL GRAPPHEN BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, INCLUDING LOSS OF PROFITS, DATA, GOODWILL, OR BUSINESS OPPORTUNITY, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
• Liability Cap: GRAPPHEN'S TOTAL AGGREGATE LIABILITY TO YOU FOR ALL CLAIMS ARISING FROM OR RELATED TO THE SERVICES SHALL NOT EXCEED THE GREATER OF: (A) THE FEES PAID BY YOU TO GRAPPHEN IN THE 12 MONTHS PRECEDING THE CLAIM, OR (B) ONE HUNDRED US DOLLARS ($100).
• Exceptions: The above limitations do not apply to: (i) death or personal injury caused by Grapphen's gross negligence or wilful misconduct; (ii) fraud or fraudulent misrepresentation; (iii) any liability that cannot be limited under applicable law.
• Compliance Responsibility: Grapphen is not liable for fines, penalties, or regulatory actions arising from Customer's failure to comply with applicable employment, privacy, or AI laws. Customers are responsible for their own legal compliance.

You agree to indemnify, defend, and hold harmless Grapphen, its affiliates, directors, officers, employees, and agents from and against any claims, damages, losses, costs, and expenses (including reasonable legal fees) arising out of or relating to:

• Your use of the Services in violation of these Terms
• Your violation of any applicable law, including employment discrimination laws, data protection laws, or AI regulations
• Any employment decision you make using Grapphen's AI outputs
• Any Customer Data you submit to the Platform, including infringement of third-party rights
• Your failure to provide required notices or obtain required consents under GDPR, CCPA, FCRA, Illinois AIVIA, NYC Local Law 144, CAN-SPAM, CASL, or TCPA

Informal Resolution

Before initiating any formal proceedings, the parties agree to attempt good-faith resolution of any dispute for at least 30 days. Contact us at legal@grapphen.com.

Binding Arbitration (US Customers)

For Customers located in the United States, any unresolved dispute shall be settled by binding arbitration administered by the American Arbitration Association (AAA) under its Commercial Arbitration Rules, conducted in English in San Francisco, California. The arbitrator's decision shall be final and binding. Either party may seek emergency injunctive relief from a court of competent jurisdiction.

Class Action Waiver

YOU AGREE TO RESOLVE DISPUTES ONLY ON AN INDIVIDUAL BASIS AND WAIVE THE RIGHT TO PARTICIPATE IN CLASS ACTION LITIGATION OR CLASS-WIDE ARBITRATION.

EEA / UK Customers

Customers in the EEA or UK may bring disputes before the courts of Ireland (EEA) or England and Wales (UK) in addition to any rights under applicable consumer protection law. GDPR disputes may also be referred to the relevant data protection supervisory authority.

These Terms are governed by the laws of the State of California and the federal laws of the United States, without regard to conflict of law principles, except where mandatory local consumer protection laws require otherwise. The United Nations Convention on Contracts for the International Sale of Goods does not apply.

For EEA/UK customers, these Terms do not affect your rights under applicable mandatory local law that cannot be contracted out of.

• Entire Agreement: These Terms, together with our Privacy Policy, DPA, and applicable Order Form, constitute the entire agreement between you and Grapphen concerning the Services, superseding all prior agreements.
• Severability: If any provision of these Terms is found unenforceable, the remaining provisions will remain in effect.
• No Waiver: Failure to enforce any provision of these Terms does not constitute a waiver of future enforcement rights.
• Assignment: You may not assign your rights or obligations under these Terms without Grapphen's prior written consent. Grapphen may freely assign its rights in connection with a merger, acquisition, or sale of assets.
• Force Majeure: Grapphen is not liable for delays or failures caused by circumstances beyond its reasonable control, including natural disasters, wars, pandemics, government actions, or telecommunications failures.
• Notices: Legal notices to Grapphen must be in writing, sent to 548 Market St, PMB 12345, San Francisco, CA 94104, USA or via email to legal@grapphen.com.
• No Agency: These Terms do not create a partnership, joint venture, agency, or employment relationship between the parties.
• Third-Party Beneficiaries: There are no intended third-party beneficiaries to these Terms.
• Sub-Processors / Cloud Infrastructure: Grapphen uses Amazon Web Services (AWS) as its primary cloud infrastructure provider. Your use of the Services is also subject to the AWS Acceptable Use Policy and AWS Service Terms, which are incorporated herein by reference. A full list of sub-processors is available upon request at privacy@grapphen.com.

If you have questions about these Terms or our Services, please contact us:

These Terms of Service were last updated on April 9, 2026. Please check this page regularly for updates.