Legal

Data Processing Agreement

Effective: 2026-05-19 · Version 1.0

1. Parties + scope

This DPA forms part of the Master Subscription Agreement (or Pilot Agreement) between Customer (the data controller) and TalentOS (the data processor), governing the processing of Personal Data by TalentOS on Customer's behalf in connection with the TalentOS recruitment platform.

2. Definitions + applicable data-protection regimes

Terms not defined here have the meaning given in the relevant data-protection law applicable to Customer's data subjects. Customer is responsible for identifying which regime(s) apply to its operations. This DPA is drafted to be compatible with:

  • GDPR (EU Regulation 2016/679) + UK GDPR + Data Protection Act 2018
  • NDPR (Nigeria Data Protection Regulation 2019) + Nigeria Data Protection Act 2023
  • CCPA/CPRA (California Consumer Privacy Act + Privacy Rights Act)
  • POPIA (South Africa Protection of Personal Information Act, 2013)
  • LGPD (Brazil Lei Geral de Proteção de Dados, Law No. 13,709/2018)
  • PIPEDA (Canada Personal Information Protection and Electronic Documents Act)
  • Privacy Act 1988 (Australia) + Notifiable Data Breaches scheme
  • PDPA (Singapore Personal Data Protection Act 2012)
  • Data Protection Act 2019 (Kenya)

“Personal Data,” “Processing,” “Data Subject,” “Controller,” and “Sub-processor” have the meanings given in whichever regime applies to Customer's data subjects. References to specific Articles (e.g. GDPR Art. 28) apply mutatis mutandis where local-law equivalents exist.

3. Nature + purpose of processing

  • Purpose: to provide the TalentOS recruitment platform, including candidate sourcing, screening, pipeline management, interview scheduling, offer drafting, and analytics
  • Categories of data subjects: Customer's employees, recruiters, hiring managers, candidates, applicants, and agency partners
  • Categories of personal data: identification (name, email, phone), employment history, education, skills, interview notes, salary expectations, candidate-supplied documents (CVs, portfolios), and operational telemetry (IP address, user agent)
  • Duration: for the term of the underlying agreement, plus any audit-retention obligations agreed in writing

4. TalentOS obligations as processor

  1. Process Personal Data only on documented instructions from Customer, as provided through the platform's documented interfaces (API, web UI, configuration)
  2. Ensure all personnel authorised to process Personal Data are under confidentiality obligations
  3. Implement appropriate technical + organisational measures (Section 7)
  4. Assist Customer in responding to Data Subject requests by providing the export + delete endpoints documented at /account
  5. Assist Customer with breach notification (Section 9), DPIAs, and prior consultations with supervisory authorities
  6. Make available all information necessary to demonstrate compliance with Article 28 GDPR / NDPR equivalents, including permitting audits on reasonable notice (Section 10)

5. Sub-processors

Customer authorises the use of the following sub-processors, each of which processes a defined subset of Personal Data:

  Sub-processor                       Purpose                          Location
  Anthropic PBC                       Generative AI inference          US
  Vercel Inc.                         Hosting + edge middleware        EU (fra1) + US (iad1)
  Upstash Inc.                        KV / Redis storage               EU + US
  Resend Inc.                         Transactional email              US (when active)
  Functional Software Inc. (Sentry)   Error + performance monitoring   US (when active)

TalentOS will provide Customer at least 30 days' notice before adding or replacing a sub-processor. Customer may object on reasonable grounds; the parties will negotiate a remedy in good faith.

6. International transfers

Where Personal Data is transferred across borders, TalentOS implements appropriate safeguards as required by the source jurisdiction:

  • EU → outside EEA: European Commission's Standard Contractual Clauses (SCCs, Decision 2021/914) + Transfer Impact Assessment where required by Schrems II
  • UK → outside UK: UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs
  • Nigeria → outside Nigeria: NDPR Art. 2.11 compliant transfer (consent, adequacy, or contractual safeguards)
  • South Africa → outside SA: POPIA s.72 compliant transfer (consent, adequacy, similar law, or BCRs)
  • Other jurisdictions: equivalent safeguards approved by the source jurisdiction's supervisory authority

On request, TalentOS will execute jurisdiction-specific transfer addenda (e.g. EU SCCs, UK IDTA) as a schedule to this DPA. The Customer's data controller obligations under their home jurisdiction remain with the Customer.

7. Security measures

TalentOS implements the following technical + organisational measures:
  • Encryption: TLS 1.3 in transit; encryption at rest on all storage backends (Vercel KV, Vercel Blob)
  • Access control: role-based access (RBAC) with per-tenant isolation enforced at every read + write
  • Authentication: scrypt-hashed passwords; 14-day session tokens; rate-limited login + password-reset
  • Audit trail: append-only and tenant-scoped; existing entries cannot be modified or deleted. Exportable on demand (CSV, including token usage + cost data)
  • Backups: Upstash provides multi-region replication; full snapshots per their published SLA
  • Vulnerability management: automated dependency scanning; security disclosures via security@talentosglobal.co
  • Incident response: documented runbook; Sentry-driven alerting (when configured)
  • Compliance posture: SOC 2 Type 1 readiness assessment in progress, with Type 2 to follow. Vendor reviews + policy documentation are being prepared with Vanta/Drata.

8. Data Subject rights

TalentOS supports Customer's compliance with Data Subject rights via:
  • Right to access — admin/CHRO export endpoint at /account
  • Right to erasure — admin tenant-delete endpoint at /account with typed confirmation
  • Right to correction — direct edit through platform UI / API
  • Right to data portability — JSON export (machine-readable, schema-versioned)
  • Right to object / restrict processing — configurable per feature

TalentOS will respond to Customer-forwarded Data Subject requests within 5 business days where engineering support is required, so that Customer can meet its 30-day (NDPR) / 1-month (GDPR) response obligation.

9. Breach notification

TalentOS will notify Customer without undue delay and in any event within 72 hours of becoming aware of a Personal Data breach affecting Customer's tenant. Notification will include (where available): nature of the breach, categories + approx. number of Data Subjects affected, likely consequences, and measures taken or proposed.

10. Audits

Customer may audit TalentOS's processing once per twelve-month period on reasonable written notice (no fewer than 30 days), during normal business hours, subject to TalentOS's reasonable confidentiality + security requirements. SOC 2 reports (when available) will be made available under NDA in lieu of bespoke audits.

11. Return + deletion on termination

Within 30 days of termination of the underlying agreement, TalentOS will (at Customer's option) return all Customer Personal Data in machine-readable form OR delete it. Audit log entries may be retained for regulatory compliance for up to 7 years, anonymised where possible.

12. Order of precedence

In case of conflict, this DPA prevails over the Terms of Service. Where Customer-supplied DPA terms are signed by both parties (e.g. customer's standard DPA), those terms prevail to the extent of any conflict.

13. Governing law

This DPA is governed by the laws of England and Wales, consistent with the underlying Master Subscription Agreement / Pilot Memorandum. Choice of law does not displace mandatory local data-protection law applicable to Customer's data subjects — Customer's regulator-facing obligations under NDPR, GDPR, CCPA, POPIA, LGPD, etc. remain with Customer and are unaffected by this choice.

14. Contact

Privacy queries: privacy@talentosglobal.co
Security disclosure: security@talentosglobal.co
Legal / contracts: legal@talentosglobal.co