Data Processing Agreement
This Data Processing Addendum ("DPA") forms part of the Master Services Agreement, Terms of Service, or other written agreement (the "Principal Agreement") between TalentSec Technology (Hong Kong) Limited ("TalentSec", "Vendor", or "Processor") and the customer entity signatory to the Agreement ("Customer", "Client", or "Controller").
1. Purpose and Relationship
- Application: This DPA applies to TalentSec's Processing of Personal Data on behalf of Customer as part of the provision of the Service. For clarity, this DPA does not apply to Account Information, which TalentSec processes as an independent Controller for account administration, billing, authentication, customer support, fraud prevention, security, and compliance purposes.
- Roles: For the purposes of Applicable Data Protection Laws, Customer acts as a Controller or Business (as applicable), and TalentSec acts as a Processor or Service Provider (as applicable).
- Hierarchy: This DPA sets forth the specific instructions for Processing and the rights and obligations of both Parties. Except as set forth in this DPA, the Principal Agreement remains in full force. In the event of any conflict between this DPA and the Principal Agreement, this DPA shall govern to the extent of the conflict.
- Superseding Effect: This DPA supersedes and replaces any previously applicable data processing terms or addenda regarding the Service between the parties.
2. Definitions
For purposes of this DPA: (i) "Third-Party Services" means any third-party application, website, platform, API, tool, or service that is not provided by Us; (ii) "Integrations" means the in-product connection capabilities within the Service that You use to connect to Third-Party Services; (iii) "Integration Management Interface" means the user interface that allows You to manage Integrations.
Capitalized terms used but not defined in this DPA shall have the meanings given to them in the Principal Agreement (Terms of Service).
- "Account Information" means the Personal Data for which TalentSec acts as an independent Data Controller, including contact details, login credentials, and billing information.
- "Applicable Data Protection Laws" means all worldwide data protection and privacy laws applicable to the Processing, including: (a) the Hong Kong PDPO; (b) EU/UK/Swiss Privacy Laws; (c) US Privacy Laws; and (d) any other similar laws.
- "AI Partners" means third-party providers of artificial intelligence or LLM services (e.g., OpenAI, Anthropic).
- "Aggregated and Anonymized Data" means data that has been aggregated and de-identified so it does not identify Customer or any Data Subject.
- "Cloud Platform" means the cloud infrastructure environment used to host the Service.
- "Controller", "Processor", "Data Subject", and "Processing" shall have the meanings given in Applicable Data Protection Laws.
- "EU/UK/Swiss Privacy Laws" means: (a) the EU GDPR; (b) the EU e-Privacy Directive; (c) the UK Data Protection Act 2018 and UK GDPR; (d) the Swiss Data Protection Law; and (e) any relevant national implementing laws.
- "Personal Data" means any information TalentSec processes on behalf of Customer that is defined as "personal data", "personal information", or "personally identifiable information" under Applicable Data Protection Laws.
- "Processed Data" means: (a) Inputs — prompts, instructions, messages, emails, code, files, and other content provided by Customer; (b) Contextual Data — metadata, server headers, and technical environment details; and (c) Outputs — generated content, summaries, analysis, reports, and other results.
- "Restricted Transfer" means a transfer of Personal Data from the EEA, UK, or Switzerland to a country without an adequacy determination.
- "Security Incident" means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data.
- "Standard Contractual Clauses" (SCCs) means: (a) the EU SCCs (Module 2 and Module 3); (b) the UK International Data Transfer Addendum; and (c) the Swiss-modified EU SCCs.
- "Subprocessor" means any third-party service provider engaged by TalentSec that processes Personal Data on behalf of the Customer.
- "US Privacy Laws" means CCPA/CPRA, Virginia CDPA, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, and similar state laws.
3. Scope, Relationship and Ownership
- Roles of the Parties: Customer is the "Controller" / "Business" / "Service Recipient", and TalentSec is the "Processor" / "Service Provider" / "Contractor". TalentSec processes Personal Data solely as a Processor on behalf of Customer.
- Ownership: Customer retains all right, title, and ownership of all Personal Data processed under this DPA. TalentSec obtains no rights to such data except the limited right to process it for providing the Service and complying with legal obligations.
- Mutual Compliance: Each party shall comply with its respective obligations under Applicable Data Protection Laws.
- Conflict: In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to the Processing of Personal Data.
- Vendor Notification & Remediation: TalentSec shall notify Customer without undue delay if it can no longer meet its obligations under this DPA. Customer shall have the right to take reasonable steps to stop and remediate any unauthorized use of Personal Data.
4. Customer Obligations
- Compliance: Customer shall comply with all Applicable Data Protection Laws when providing Personal Data and issuing processing instructions.
- Representations and Warranties: Customer warrants that: (a) Applicable Data Protection Laws do not prevent TalentSec from fulfilling instructions; (b) all Personal Data was collected in compliance with applicable laws; and (c) Customer has a lawful basis for disclosing Personal Data to TalentSec.
- Customer Security Responsibilities: Customer is solely responsible for: (a) securing account credentials; (b) maintaining backups of Processed Data and Outputs; and (c) securing Customer's own systems and devices.
- Notification and Suspension: Customer shall notify TalentSec without undue delay if processing no longer complies with Applicable Data Protection Laws.
5. Processing Instructions
- Details of Processing: The subject matter, duration, nature, and purpose of Processing, as well as categories of Personal Data and Data Subjects, are described in Annex 1.
- Documented Instructions: TalentSec shall process Processed Data only on documented instructions of Customer (including configurations, commands, and authorizations through the Service), unless required by Applicable Law.
- Third-Party Services and Integrations: Where Customer connects the Service to Third-Party Services through Integrations, Customer acknowledges that the Third-Party Service provider processes data under its own terms.
- No-Training Covenant: TalentSec shall not use Customer's Processed Data to train, retrain, fine-tune, or otherwise update the weights of generative AI models. TalentSec may generate Aggregated and Anonymized Data solely for improving the Service's performance, security, and accuracy.
- CCPA/CPRA Prohibitions: To the extent US Privacy Laws apply, TalentSec is legally prohibited from: (a) Selling Personal Data; (b) Sharing Personal Data for cross-context behavioral advertising; (c) Retaining, using, or disclosing Personal Data for any purpose other than performing the Service; (d) Using Personal Data outside the direct business relationship; and (e) Combining Personal Data from different sources.
6. Personnel and Confidentiality
- TalentSec shall ensure that personnel authorized to access Processed Data are subject to strict confidentiality obligations.
- Access is limited to those with a "business need to know" based on the principle of least privilege.
7. Subprocessors
- General Authorization: Customer provides a general authorization for TalentSec to engage Subprocessors (e.g., cloud infrastructure providers and AI Partners). A current list of Subprocessors is maintained at https://anna.partners/subprocessors.
8. Security Measures
TalentSec shall implement appropriate technical and organizational measures to protect Personal Data, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects.
9. Security Incident Notification
TalentSec shall notify Customer without undue delay (and in any event within 72 hours where feasible) after becoming aware of a Security Incident. Such notification shall include: (a) the nature of the incident; (b) the categories and approximate number of Data Subjects affected; (c) the likely consequences; and (d) the measures taken or proposed to be taken.
10. Data Subject Rights
TalentSec shall assist Customer in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, including access, rectification, erasure, restriction, portability, and objection rights.
11. International Data Transfers
For any Restricted Transfer, the parties shall ensure appropriate safeguards are in place. This may include entering into Standard Contractual Clauses (EU SCCs with the UK Addendum and Swiss modifications, as applicable). The relevant modules shall be Module 2 (Controller to Processor) and, where applicable, Module 3 (Processor to Processor).
12. Audit Rights
TalentSec shall make available to Customer all information necessary to demonstrate compliance with this DPA. TalentSec shall allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, subject to reasonable notice and confidentiality requirements.
13. Deletion and Return of Data
Upon termination of the Service, TalentSec shall, at Customer's election, delete or return all Personal Data and delete existing copies, unless Applicable Law requires retention. TalentSec shall certify deletion upon Customer's request.
14. Term and Termination
This DPA shall remain in effect for as long as TalentSec processes Personal Data on behalf of Customer. It shall automatically terminate upon termination of the Principal Agreement, subject to TalentSec's obligations regarding deletion or return of Personal Data.
For the complete and authoritative version of this Data Processing Agreement, or if you have any questions, please contact [email protected].