Data Processing Agreement
How we process and protect personal data on behalf of our customers
Effective Date: February 21, 2026 · Version 1.0
1. Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between 11022822 Canada Inc., operating as TalentSprout ("TalentSprout", "we", "us", or "Processor"), and the entity that has executed a subscription or services agreement with TalentSprout ("Customer", "you", or "Controller") for the use of TalentSprout's AI-powered interview platform (the "Service").
This DPA sets out the terms under which TalentSprout processes Personal Data on behalf of the Customer in connection with the Service, and reflects the parties' commitment to comply with applicable Data Protection Laws, including the GDPR, UK GDPR, CCPA/CPRA, and PIPEDA.
This DPA applies to the extent that TalentSprout processes Personal Data on behalf of the Customer in its capacity as a Processor. It supplements and is incorporated into the underlying service agreement between the parties (the "Agreement").
2. Definitions
In this DPA, unless the context requires otherwise:
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by TalentSprout on behalf of the Customer in connection with the Service.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the EU General Data Protection Regulation (EU 2016/679) ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"), Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA"), and any implementing or supplementary legislation.
- "Sub-processor" means any third party engaged by TalentSprout to process Personal Data on behalf of the Customer.
- "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries approved by the European Commission (Commission Implementing Decision (EU) 2021/914).
- "UK Addendum" means the UK International Data Transfer Addendum to the EU SCCs, issued by the UK Information Commissioner's Office under Section 119A of the UK Data Protection Act 2018.
- "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
Terms not defined in this DPA shall have the meaning given to them in the Agreement or under applicable Data Protection Laws.
3. Roles & Scope of Processing
3.1 The Customer acts as the Controller (or, where applicable, a processor on behalf of its own controller) and determines the purposes and means of processing Personal Data. TalentSprout acts as the Processor, processing Personal Data solely on behalf of and in accordance with the Customer's documented instructions.
3.2 TalentSprout shall process Personal Data only to the extent necessary to provide the Service in accordance with the Agreement, this DPA, and the Customer's documented instructions, unless required to do so by applicable law. In such a case, TalentSprout shall inform the Customer of that legal requirement before processing, unless prohibited by law.
3.3 TalentSprout shall immediately inform the Customer if, in its opinion, an instruction from the Customer infringes applicable Data Protection Laws.
4. Details of Processing
The following describes the nature, purpose, and scope of data processing under this DPA:
Subject Matter & Purpose
Processing of Personal Data as necessary to provide the TalentSprout AI-powered interview platform, including conducting automated video interviews, recording and transcribing interview sessions, generating AI-driven candidate assessments and scoring, and delivering interview results to the Customer.
Categories of Data Subjects
- Job applicants and candidates invited to interview by the Customer
- Customer employees and authorized users of the Service
Categories of Personal Data
- Contact information (name, email address)
- Video and audio recordings of interview sessions
- Interview transcripts and AI-generated assessment scores
- Account and usage data (login credentials, platform activity)
Sensitive Data
The Service is not designed to collect or process special categories of data (e.g., racial or ethnic origin, health data, biometric data for identification). TalentSprout does not perform biometric identification or verification; any audio/video is processed solely to provide interview functionality (recording, transcription, and assessment). Customers should not submit sensitive data through the Service unless explicitly agreed in writing. Customer remains responsible for providing appropriate notices to, and obtaining any necessary consents from, candidates, including for recording and transcription of interview sessions.
Duration of Processing
Processing continues for the term of the Agreement. Upon termination, TalentSprout will delete or return Personal Data in accordance with Section 12 of this DPA.
5. Processor Obligations
TalentSprout shall:
5.1 Confidentiality. Ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.
5.2 Security. Implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage, as described in Section 7 of this DPA.
5.3 Cooperation. Taking into account the nature of processing, assist the Customer by appropriate technical and organizational measures to fulfill the Customer's obligations to respond to data subject requests under Data Protection Laws.
5.4 Data Protection Impact Assessments. Provide reasonable assistance to the Customer in conducting data protection impact assessments and prior consultations with supervisory authorities, where required under Data Protection Laws, taking into account the nature of processing and the information available to TalentSprout.
5.5 AI Processing. Personal Data processed through AI models (including OpenAI) is not used to train or improve third-party AI models. TalentSprout uses API-based integrations with data processing agreements in place that prohibit the use of customer data for model training purposes.
6. Sub-processors
6.1 Authorization. The Customer provides general written authorization for TalentSprout to engage Sub-processors to assist in providing the Service. TalentSprout shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA.
6.2 Notification of Changes. TalentSprout shall notify the Customer at least 30 days in advance before adding or replacing a Sub-processor by updating the sub-processor list on our website or by direct notification. The Customer may object to a new Sub-processor on reasonable data protection grounds by notifying TalentSprout in writing within 14 days of receiving notice. If TalentSprout cannot reasonably accommodate the objection, the Customer may terminate the affected portion of the Service.
6.3 Liability. TalentSprout remains responsible for the acts and omissions of its Sub-processors to the same extent it would be liable if performing the processing directly.
6.4 Current Sub-processors. The following Sub-processors are authorized as of the effective date of this DPA. An up-to-date list is maintained at www.talentsprout.ai/subprocessors.
| Sub-processor | Purpose | Location |
|---|---|---|
| MongoDB Atlas | Database hosting | United States |
| Amazon Web Services (AWS) | Cloud infrastructure & storage | United States |
| Vercel Inc. | Application hosting & edge delivery | United States |
| OpenAI, L.L.C. | AI language model processing | United States |
| Stripe, Inc. | Payment processing | United States |
| LiveKit, Inc. | Real-time video & audio infrastructure | United States |
| Resend, Inc. | Transactional email delivery | United States |
7. Security Measures
TalentSprout implements and maintains the following technical and organizational security measures to protect Personal Data:
- Encryption in transit: All data transmitted between users and the Service is encrypted using TLS 1.2 or higher.
- Encryption at rest: Sensitive data at rest is encrypted using AES-256 encryption. Passwords are hashed using bcrypt and are never stored in plaintext.
- Access controls: Role-based access controls limit data access to authorized personnel only. All API requests are authenticated and scoped to the Customer's organization.
- Organization-level isolation: Each Customer's data is logically isolated within the platform. Cross-organization data access is prohibited by design.
- Infrastructure security: Key infrastructure providers maintain industry-standard third-party security attestations (such as SOC reports), which may be provided on request where available. Automated backups and high availability are enabled.
- Incident response: TalentSprout maintains an incident response process to detect, respond to, and recover from Security Incidents, as described in Section 8.
For more detail on our security practices, see our Security page.
8. Data Breach Notification
8.1 TalentSprout shall notify the Customer without undue delay, and in any event within 72 hours after becoming aware of a Security Incident involving Personal Data processed under this DPA.
8.2 Such notification shall include, to the extent reasonably available:
- A description of the nature of the Security Incident
- The categories and approximate number of data subjects and records affected
- The likely consequences of the Security Incident
- The measures taken or proposed to address the incident and mitigate its effects
8.3 TalentSprout shall cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident.
9. Data Subject Rights
9.1 TalentSprout shall, taking into account the nature of processing, assist the Customer by appropriate technical and organizational measures to fulfill the Customer's obligations to respond to requests from data subjects exercising their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, data portability, and objection.
9.2 If TalentSprout receives a request directly from a data subject relating to Personal Data processed on behalf of the Customer, TalentSprout shall promptly notify the Customer and shall not respond to the request directly unless authorized or required by law.
9.3 TalentSprout provides a Data Rights Portal that enables data subjects to submit data access and deletion requests. Requests submitted through this portal are routed to the appropriate Customer for authorization where applicable.
10. International Data Transfers
10.1 Processing Locations. TalentSprout is based in Canada and processes Personal Data primarily in Canada and the United States through its Sub-processors. The Customer acknowledges that Personal Data may be transferred to and processed in these jurisdictions in connection with the provision of the Service.
10.2 Canada Adequacy. Canada has been recognized by the European Commission as providing an adequate level of protection for personal data transferred to Canadian organizations subject to PIPEDA. For transfers to Canada, this adequacy decision serves as the lawful transfer mechanism.
10.3 EU Standard Contractual Clauses. To the extent that Personal Data subject to the GDPR is transferred to a country outside the EEA that has not been recognized as providing an adequate level of data protection (including transfers to Sub-processors in the United States), the parties agree that the EU Standard Contractual Clauses (Module 2: Controller to Processor) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914) are hereby incorporated by reference and form part of this DPA. For the purposes of the SCCs:
- The Customer is the "data exporter" and TalentSprout is the "data importer"
- The details of processing described in Section 4 of this DPA shall serve as Annex I of the SCCs
- The security measures described in Section 7 of this DPA shall serve as Annex II of the SCCs
- The Sub-processor list in Section 6.4 shall serve as Annex III of the SCCs
10.4 UK International Data Transfer Addendum. To the extent that Personal Data subject to the UK GDPR is transferred outside the United Kingdom to a country not recognized as providing adequate protection under UK law, the UK International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner's Office under Section 119A of the UK Data Protection Act 2018) is hereby incorporated by reference and forms part of this DPA, supplementing the SCCs referenced in Section 10.3.
10.5 Safeguards. TalentSprout shall implement appropriate supplementary measures where necessary to ensure that the level of protection for Personal Data is not undermined by the transfer, including the technical and organizational measures described in Section 7. TalentSprout shall promptly notify the Customer if it becomes aware of any circumstances that may prevent it from fulfilling its obligations under this Section 10.
10.6 Government Access Requests. TalentSprout shall notify the Customer promptly if it receives a legally binding request from a government authority for access to Personal Data, unless prohibited from doing so by applicable law. TalentSprout shall not voluntarily disclose Personal Data to any government authority.
10.7 SCCs and UK Addendum Text. The full text of the EU Standard Contractual Clauses and the UK International Data Transfer Addendum is available from the European Commission and UK Information Commissioner's Office respectively. Links are available on request or at talentsprout.ai/dpa.
11. Audits
11.1 TalentSprout shall make available to the Customer, upon reasonable request and no more than once per year, such information as is reasonably necessary to demonstrate compliance with this DPA, including summaries of relevant third-party audit reports or certifications (such as SOC reports from infrastructure providers), which may be provided on request where available.
11.2 The Customer may, at its own expense and upon at least 30 days' prior written notice, conduct or commission a third-party audit of TalentSprout's processing activities to verify compliance with this DPA. The scope of any audit shall be mutually agreed and limited to processing relevant to the Customer's use of the Service. Audits shall not include access to data or systems of other customers. Such audits shall be conducted during normal business hours, shall not unreasonably interfere with TalentSprout's operations, and the Customer shall ensure that any auditor is bound by appropriate confidentiality obligations.
11.3 TalentSprout may satisfy the audit obligation by providing a completed security questionnaire, evidence pack, or third-party audit report where such materials adequately address the Customer's audit request, in lieu of permitting an on-site audit.
11.4 For audits beyond a written questionnaire or standard evidence pack, TalentSprout may recover reasonable costs associated with supporting the audit.
12. Data Deletion & Return
12.1 Upon termination or expiry of the Agreement, or upon the Customer's written request, TalentSprout shall, at the Customer's choice, delete or return all Personal Data processed on behalf of the Customer, except to the extent that applicable law requires continued storage.
12.2 Deletion shall be completed within 30 days of the request or termination date. TalentSprout shall provide written confirmation of deletion upon the Customer's request.
12.3 The Customer may export its data through the Service's available export functionality prior to termination. TalentSprout shall provide reasonable assistance with data export upon request.
13. General Terms
13.1 Order of Precedence. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data. In the event of any conflict between this DPA and the SCCs or UK Addendum, the SCCs or UK Addendum (as applicable) shall prevail.
13.2 Amendments. TalentSprout may update this DPA from time to time to reflect changes in applicable Data Protection Laws or our processing practices. Material changes will be communicated to the Customer with at least 30 days' notice.
13.3 Governing Law. This DPA shall be governed by and construed in accordance with the laws of the Province of Ontario and the federal laws of Canada applicable therein, without regard to conflict of law principles. Where the SCCs or UK Addendum apply, the governing law provisions of those instruments shall take precedence for matters within their scope.
13.4 Severability. If any provision of this DPA is found to be unenforceable, the remaining provisions shall continue in full force and effect.
13.5 Entire DPA. This DPA, together with the Agreement and any applicable SCCs and UK Addendum incorporated herein, constitutes the entire agreement between the parties with respect to the processing of Personal Data in connection with the Service.
Annexes
The following annexes apply where the EU SCCs or UK Addendum are incorporated under Section 10.
Annex I – List of Parties and Description of Transfer
(A) Data exporter: The Customer (Controller) as identified in the Agreement.
(B) Data importer: 11022822 Canada Inc. (operating as TalentSprout), 215 Spadina Ave. 4th Floor, Toronto, ON M5T 2C7, Canada.
Description of transfer: See Section 4 of this DPA (Details of Processing) for subject matter, nature and purpose, data subjects, categories of data, and duration.
Annex II – Technical and Organizational Measures
See Section 7 of this DPA (Security Measures).
Annex III – Sub-processors
See Section 6.4 of this DPA (Current Sub-processors) for the list of authorized Sub-processors, their purposes, and locations.
Contact
For questions about this DPA, or to exercise rights under this agreement, please contact:
11022822 Canada Inc. (operating as TalentSprout)
215 Spadina Ave. 4th Floor
Toronto, ON M5T 2C7
Canada
Privacy Officer: Matthew Stewart
Email: privacy@talentsprout.ai