Data Processing Agreement

Last updated: March 2026

This DPA establishes the terms for Talentika's processing of personal data as a Data Processor under GDPR Article 28.

1. Purpose & Scope

This Data Processing Agreement ("DPA") forms an integral part of the Service Agreement between you ("Data Controller", "Controller") and [Company Name] S.R.L., operating as Talentika ("Data Processor", "Processor"), and supplements the Terms of Service and Privacy Policy.

This DPA applies to all processing of personal data by Talentika on your behalf through the Service, in compliance with the General Data Protection Regulation (GDPR), specifically Articles 28-32, and the EU AI Act (Regulation 2024/1689).

The purpose of this DPA is to ensure that personal data processed within the Talentika platform is handled lawfully, securely, and in accordance with the documented instructions of the Controller.


2. Definitions & Roles

2.1 Data Controller (You)

As the Data Controller, you determine the purposes and means of processing personal data. Your responsibilities include:

  • Ensuring a lawful basis exists for all processing activities
  • Obtaining necessary consents from candidates and data subjects
  • Fulfilling data subject rights requests
  • Maintaining records of processing activities
  • Conducting Data Protection Impact Assessments where required
  • Ensuring overall GDPR and employment law compliance

2.2 Data Processor (Talentika)

As the Data Processor, Talentika processes personal data solely on your documented instructions. Our responsibilities include:

  • Processing data only in accordance with your documented instructions
  • Implementing appropriate technical and organizational security measures
  • Ensuring personnel are bound by confidentiality obligations
  • Engaging sub-processors only with your prior authorization
  • Assisting with data subject rights requests and regulatory obligations
  • Maintaining records of all processing activities carried out on your behalf

3. Processing Scope

3.1 Types of Personal Data

  • Contact information: name, email address, phone number, postal address
  • Professional information: resumes/CVs, work history, qualifications, certifications
  • Interview data: video recordings, assessment responses, AI evaluation results
  • Behavioral data: interview performance metrics, interaction patterns
  • System-generated data: AI assessment scores, matching results, parsed CV fields
  • Account data: login credentials (hashed), role assignments, activity logs

3.2 Categories of Data Subjects

  • Job applicants and candidates
  • Employees of the Controller (recruiters, hiring managers, administrators)
  • Internal mobility candidates (if applicable)
  • References and referrals

3.3 Duration of Processing

  • Standard retention: Up to 2 years from application date, unless specified otherwise
  • Extended retention: With explicit candidate consent for talent pool purposes
  • Legal compliance: As required by applicable Romanian and EU law
  • Post-termination: Data returned or deleted within 30 days of service termination

4. Processing Instructions

The Controller instructs the Processor to process personal data for the following purposes:

4.1 Authorized Processing Activities

  • Candidate screening, evaluation, and ranking
  • AI video interview administration and assessment
  • CV parsing and candidate profile extraction
  • Candidate-to-job matching and recommendation
  • Recruitment reporting, analytics, and compliance
  • Career page hosting and application management
  • Email notifications and communication delivery

4.2 Processing Limitations

  • The Processor shall not process data for its own independent purposes
  • Data shall not be used for purposes beyond those documented in this DPA
  • No fully automated decision-making without the Controller's explicit authorization
  • Any new processing purpose requires prior written approval from the Controller
  • The Processor shall inform the Controller if an instruction infringes GDPR or other EU/Member State data protection law

5. Security Measures

The Processor implements the following technical and organizational measures to ensure a level of security appropriate to the risk (GDPR Art. 32):

5.1 Technical Measures

  • Encryption in transit: TLS 1.3 for all data transmissions
  • Encryption at rest: AES-256 for stored data, with additional application-level encryption for sensitive fields
  • Access controls: Role-based access control (RBAC), multi-factor authentication, principle of least privilege
  • Network security: Firewalls, intrusion detection systems, DDoS protection, network segmentation
  • Monitoring: Real-time security monitoring, automated alerting, audit logging
  • Backup: Encrypted backups with geo-redundancy within the EU

5.2 Organizational Measures

  • Mandatory data protection and security training for all personnel
  • Confidentiality agreements for all employees and contractors
  • Regular third-party security assessments and penetration testing
  • Documented incident response and business continuity procedures
  • Periodic review and update of security policies

6. Sub-processors

6.1 Approved Sub-processors

The Controller authorizes the following sub-processors:

  Sub-processor   Purpose                          Location
  AWS             Cloud infrastructure & hosting   Ireland (eu-west-1)
  SendGrid        Transactional email delivery     EU region
  Mixpanel        Product analytics (anonymized)   EU data residency
  Stripe          Payment processing               EU region
  Backblaze       Encrypted backups                EU region

6.2 Sub-processor Changes

The Processor shall notify the Controller at least 30 days before adding or replacing a sub-processor. The Controller may object in writing within 14 days. If the objection cannot be resolved, the Controller may terminate the affected service component.

6.3 Sub-processor Obligations

All sub-processors are bound by data processing agreements imposing equivalent obligations to those in this DPA. The Processor remains fully liable for the compliance of its sub-processors.


7. Data Subject Rights

7.1 Assistance Obligations

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject rights requests under GDPR Chapter III, including:

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)
  • Rights related to automated decision-making (Art. 22)

7.2 Response Timelines

The Processor shall respond to Controller requests for assistance within 10 business days. For urgent requests (e.g., regulatory inquiries), the Processor shall respond within 48 hours.

7.3 Direct Requests

If the Processor receives a data subject request directly, it shall promptly redirect the request to the Controller and shall not respond independently unless instructed to do so.


8. Data Breach Notification

8.1 Notification Obligation

The Processor shall notify the Controller of any personal data breach without undue delay, and in any event within 72 hours of becoming aware of the breach, in accordance with GDPR Art. 33.

8.2 Notification Content

The breach notification shall include:

  • Nature of the breach, including categories and approximate number of data subjects affected
  • Categories and approximate number of personal data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address and mitigate the breach
  • Contact details for the Processor's designated point of contact

8.3 Controller Obligations

The Controller is responsible for notifying the relevant supervisory authority (within 72 hours) and affected data subjects (without undue delay) where required by GDPR Art. 33 and 34. The Processor shall provide reasonable assistance with these notifications.

8.4 Cooperation

The Processor shall cooperate fully in breach investigations, preserve evidence, conduct forensic analysis as appropriate, and implement remedial measures to prevent recurrence.


9. International Transfers

9.1 EU Data Residency

All primary data processing and storage occurs within the European Union. The Processor's primary infrastructure is located in AWS Ireland (eu-west-1). The Processor commits to maintaining EU data residency for all personal data processed under this DPA.

9.2 Standard Contractual Clauses

Where any personal data must be transferred outside the EU/EEA (e.g., to sub-processor locations without an adequacy decision), such transfers shall be governed by the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) and supplemented by appropriate technical measures.

9.3 Transfer Impact Assessments

The Processor conducts and maintains Transfer Impact Assessments for all international data transfers, reviewing them periodically and upon material changes in the legal framework of the recipient country.


10. EU AI Act Compliance

The Talentika platform uses AI systems classified as high-risk under the EU AI Act (Regulation 2024/1689), as they are used in the context of employment, recruitment, and worker management.

10.1 Risk Assessment

The Processor maintains a risk management system for its AI components, including identification of foreseeable risks, estimation of their likelihood and severity, and implementation of appropriate mitigation measures.

10.2 Transparency

  • AI usage in the recruitment process is clearly disclosed to all stakeholders
  • Candidates are informed when AI is involved in their assessment
  • Explanations of AI-generated evaluations are available upon request
  • Technical documentation of AI systems is maintained and available for regulatory review

10.3 Human Oversight

  • AI systems provide recommendations only; they do not make final hiring decisions
  • Human override mechanisms are available at every stage of the recruitment process
  • The Controller is responsible for ensuring meaningful human review of AI recommendations

10.4 Bias Monitoring & Fairness

  • Regular bias audits across protected characteristics (gender, age, ethnicity, disability)
  • Continuous fairness metrics monitoring
  • Documented remediation procedures when bias is detected
  • Non-discrimination certification maintained and available upon request

11. Audit Rights

11.1 Controller Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. Audits may be conducted by the Controller or an independent third-party auditor appointed by the Controller, subject to reasonable advance notice (at least 30 days) and confidentiality obligations.

11.2 Processor Obligations

The Processor shall make available all information necessary to demonstrate compliance and allow for audits, including inspections, conducted by the Controller or a mandated auditor.

11.3 Audit Reports

The Processor shall provide, upon request, copies of relevant third-party audit reports, compliance certifications (e.g., ISO 27001), and summaries of penetration testing results.

11.4 Regulatory Audits

The Processor shall cooperate fully with any audits conducted by supervisory authorities and provide access as required by applicable law.


12. Term & Termination

12.1 Duration

This DPA remains in effect for the duration of the Service Agreement and continues to apply for as long as the Processor retains personal data processed on behalf of the Controller.

12.2 Termination Effects

Upon termination of the Service Agreement, the Processor shall, at the Controller's election:

  • Return: Provide all personal data in a structured, commonly used, machine-readable format within 30 days
  • Delete: Securely delete all personal data and existing copies within 30 days, unless EU or Member State law requires further retention

12.3 Deletion Certification

Upon request, the Processor shall provide written certification that all personal data has been deleted in accordance with this DPA.

12.4 Survival

Obligations regarding confidentiality, data deletion, audit rights, and liability survive the termination of this DPA.


13. Governing Law

This DPA is governed by and construed in accordance with the laws of Romania. The GDPR and other applicable EU data protection regulations shall take precedence where they conflict with national law.

Any disputes arising from or relating to this DPA shall be submitted to the exclusive jurisdiction of the courts of Bucharest, Romania.

If any provision of this DPA conflicts with the Service Agreement, the provisions of this DPA shall prevail with respect to data protection matters.

Need a signed DPA?

A fully executed Data Processing Agreement with all required GDPR annexes is available upon request. Contact dpa@talentika.ai and we will provide a countersigned copy within 5 business days.

This Data Processing Agreement may be updated to reflect changes in applicable law or our processing activities. We will notify you of material changes at least 30 days before they take effect.