TalentSkout.ai DPA

This Data Processing Addendum (DPA) contains GDPR clauses to be followed by the parties who signed the Subscription Services with TalentSkout.ai a Product of AagatiServe Pvt. Ltd

BETWEEN THE PARTIES:

Customer/Partner (hereinafter referred to as "Data Controller") & AagatiServe Private Limited, CIN: U72900DL2023PTC418451, having its registered office at 15/72, 1st floor, 59th Cross, 4th Block Rajajinagar, Bengaluru 560010, Phone No: +1(469)982-4425, +91(888)2350-264 (hereinafter referred to as "TalentSkout" or the "Company") (Hereinafter referred to as the "Data Processor")

In consideration of the mutual obligations set out in this GDPR Addendum, the parties agree as follows:

This Addendum supplements and forms part of the Master Services Agreement, Subscription Agreement, or other binding contract between the parties governing the use of TalentSkout's services and applies to the extent TalentSkout processes Personal Data on behalf of the Customer.

This Agreement details the roles of both parties set forth in GDPR Regulation (EU) 2016/679 under Articles 28, 32, and 82.

1. Definitions

  1. i. Personal Data: Any information relating to an identified or identifiable natural person ("Data Subject"). For the purpose of this DPA, the following may be considered Personal Data:
    1. • Name
    2. • Identification Number
    3. • Location data
    4. • Online identifiers
    5. • IP Address
    6. • Cookie Identifiers
    7. • RF ID tags
    8. • Physical, physiological, genetic, mental, economic, cultural or social identity factors, to the extent that any such data is applicable to a natural person.
  2. ii. Natural Person/Data Subject: Any individual, who can be identified directly or indirectly by reference to Personal Data.
  3. iii. Processing: Any operation performed on Personal Data, including but not limited to:
    1. • Collection
    2. • Recording
    3. • Organisation
    4. • Structuring
    5. • Storage
    6. • Adaptation or alteration
    7. • Retrieval
    8. • Consultation
    9. • Use
    10. • Disclosure
    11. • Dissemination
    12. • Alignment or combination
    13. • Restriction
    14. • Erasure or destruction
  4. iv. Data Controller: Entity which determines the purpose and means of processing Personal Data.
  5. v. Data Processor: Entity which processes Personal Data on behalf of the Data Controller, i.e., TalentSkout.
  6. vi. Data Sub-Processor: Any third-party processor engaged by TalentSkout to process Personal Data on its behalf.
  7. vii. GDPR: General Data Protection Regulation (EU) 2016/679.
  8. viii. DPDP Act: The Digital Personal Data Protection Act, 2023 of India.
  9. ix. Profiling: Automated processing of Personal Data to evaluate certain personal aspects.
  10. x. Personal Data Breach: Breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.
  11. xi. Consent: Any freely given, specific, informed and unambiguous indication of the Data Subject's (or their guardian's) agreement to process their Personal Data.
  12. xii. Data Protection Impact Assessment (DPIA): Assessment conducted to evaluate processing risks and enhance compliance.
  13. xiii. Security Breach: Unauthorized use, access, loss, or disclosure of Subscriber Data as defined under applicable law.
  14. xiv. Supervisory Authority: A government or independent data protection regulator with jurisdiction over data processing activities.

2. Applicability

This DPA is applicable where:

  1. i. The Data Controller is a party to the Agreement with TalentSkout.
  2. ii. The Data Controller has executed an Order Form or is covered by a subscription with TalentSkout.
  3. iii. This DPA does not apply to indirect users through resellers unless explicitly included via an amendment.
  4. iv. The Data Controller and TalentSkout agree to perform their respective obligations in accordance with GDPR, the DPDP Act (India), and other applicable data protection laws.

3. Scope

TalentSkout will process Personal Data shared by the Data Controller for recruitment automation and related services.

  1. i. TalentSkout ensures mechanisms are in place for collecting and recording Consent, in accordance with the DPDP Act.
  2. ii. Data may be stored and processed on third-party cloud infrastructure for service continuity.
  3. iii. Data may be retained post-termination for legitimate purposes outlined in the Privacy Policy.
  4. iv. The Data Controller is responsible for ensuring appropriate notices and Consents from their end users.
  5. v. TalentSkout shall notify the Data Controller of any Personal Data Breach promptly.
  6. vi. Processing will be limited to the documented purposes unless legally required.
  7. vii. TalentSkout shall, in its capacity as a "Data Fiduciary" under India's Digital Personal Data Protection Act, 2023, comply with all applicable fiduciary duties, including:
    1. • Providing clear and timely privacy notices.
    2. • Obtaining, managing, and recording valid consent where required.
    3. • Honouring data-subject requests and redressal obligations.
    4. • Ensuring that any cross-border transfer of Personal Data is carried out in accordance with authorised transfer mechanisms and any restrictions prescribed by the DPDP Act or other applicable law.

4. Consent Management Implementation

TalentSkout affirms that, as of the effective date of this DPA, all necessary mechanisms for obtaining, managing, and recording consent required by applicable data protection laws including but not limited to DPDP Act and the GDPR are fully operational and enforced. These mechanisms include:

  1. A cookie and privacy notice pop-up displayed on the website at the point of first access.
  2. Explicit consent collection and notice as part of the user onboarding process.
  3. An accessible, in-app consent management dashboard enabling Users to view, modify, or withdraw consent at any time.

5. Warranties by TalentSkout

TalentSkout warrants that:

  1. i. It shall fully comply with applicable data protection laws including GDPR and DPDP Act, in carrying out its obligations under this agreement.
  2. ii. It has implemented and will maintain adequate technical and organizational security measures.
  3. iii. It shall immediately notify the Data Controller in writing upon becoming aware of any:
    1. Complaint or allegation indicating a violation of applicable data protection laws;
    2. Request from an individual seeking to access, correct, or delete their Personal Data;
    3. Inquiry or complaint from a data subject regarding data use or processing;
    4. Any regulatory or legal request for Personal Data disclosure.

6. Representations by TalentSkout

TalentSkout shall:

  1. i. Maintain appropriate technical and organizational measures to secure Personal Data.
  2. ii. Ensure that Sub-Processors only process Personal Data on its instructions and in compliance with applicable laws.
  3. iii. Limit Personal Data collection to what is necessary for performance of services.
  4. iv. Publish and maintain an updated list of all authorized Sub-Processors on its website.
  5. v. Vet each Sub-Processor for adequate data protection safeguards before engagement.
  6. vi. Remain liable to the Data Controller for the acts and omissions of any Sub-Processor.
  7. vii. Take reasonable steps to ensure Personal Data accuracy.
  8. viii. Provide audit records, compliance certifications, and responses to data protection assessments upon reasonable written notice.
  9. ix. Provide the Data Controller with all Personal Data upon request or termination of services.
  10. x. Maintain records of all Personal Data Processing activities.
  11. xi. Assist the Data Controller with breach notifications to regulatory authorities.
  12. xii. Not use Personal Data for profiling or analytics unless required for providing subscribed services.
  13. xiii. Notify the Data Controller if it believes any processing instruction violates applicable law.
  14. xiv. Ensure that cross-border transfers are made in accordance with an appropriate Transfer Mechanism.
  15. xv. Regularly train personnel with access to Personal Data and enforce confidentiality obligations.

7. Audit

TalentSkout will appoint third-party auditors to assess compliance with ISO 27001, SOC 2, and relevant data protection laws.

Upon request and subject to NDA, TalentSkout will provide audit reports and responses to security and data protection questionnaires as necessary to verify compliance.

8. Right to Terminate

If TalentSkout materially breaches its obligations under Clause 6 (Audit), the Data Controller may terminate this DPA and the underlying Master Services Agreement.

9. Mechanism of Data Transfers

Where Personal Data is transferred outside the India, US or European Economic Area (EEA), or any jurisdiction with adequate protection, TalentSkout shall ensure:

  1. i. The use of Standard Contractual Clauses or other valid Transfer Mechanism;
  2. ii. That the recipient of the data provides protection equivalent to this DPA and applicable laws.

10. Data Incident Management

TalentSkout will:

  1. i. Notify the Data Controller of any Personal Data Breach without undue delay.
  2. ii. Investigate and take reasonable steps to mitigate and remediate the breach.
  3. iii. Provide the Data Controller with all relevant breach details required for compliance
  4. iv. Maintain incident logs and cooperate with forensic or regulatory inquiries.

11. Return and Erasure of Data

Upon termination of services:

  1. i. TalentSkout will return or delete all Personal Data as requested by the Data Controller.
  2. ii. Retained data will be limited to what is required for legal or regulatory purposes and deleted thereafter per Retention Policies.
  3. iii. TalentSkout shall confirm data erasure upon completion.

12. Data Protection Officer

TalentSkout has designated a Data Protection Officer (DPO) to oversee compliance with data protection obligations. For any data protection inquiries, concerns, or requests, you may contact our DPO at:

Ritesh Mohan Gupta
Data Protection Officer, TalentSkout.ai
Email: hr@talentskout.ai
Phone: +91-8882350264, +1-(469)982-4425
Address: 15/72, 1st Floor, 59th Cross, 4th Block Rajajinagar, Bengaluru 560010, Karnataka, India

13. General Provisions

  1. i. This DPA does not limit TalentSkout's independent obligations under GDPR, DPDP Act, or other data protection laws.
  2. ii. This DPA shall be governed by the laws of India, the EEA member state, or the United States, as applicable based on the Data Controller's location.
  3. iii. TalentSkout will periodically conduct Data Protection Impact Assessments (DPIA) as required by law
  4. iv. All obligations under this DPA shall survive termination to the extent required to enforce compliance.
  5. v. Any inconsistencies between the DPA and other terms of the Agreement shall be resolved in favor of this DPA to the extent it addresses Personal Data protection.