Data Processing Agreement

This Data Processing Agreement (“DPA”) is entered into between Evolving Mind AI Technologies Private Limited, a company incorporated under the Companies Act, 2013 (India), with its registered office in Telangana, India (“Company”), and the third-party service provider executing or otherwise accepting this DPA. This DPA governs the Processing of Personal Data by the Processor on behalf of the Company in connection with the Platform.

This DPA is intended to comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Digital Personal Data Protection Act, 2023 of India (“DPDP Act”), the California Consumer Privacy Act as amended (“CCPA/CPRA”), and other applicable data protection laws.

The terms that are not expressly defined herein shall have the meaning prescribed to them in the Terms of Service.

This DPA shall be read together with the Terms of Service, AUP, Privacy Policy, and the EULA, all of which are incorporated herein by reference. In the event of any conflict between this DPA and the Terms of Service with respect to the Processing of Personal Data by Data Processors, this DPA shall prevail. For all other matters, the Terms of Service shall prevail.

“Personal Data” means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Company in connection with the Rolelanded platform, including but not limited to names, email addresses, resumes, voice recordings, transcripts, job descriptions, interview data, screen captures, and related identifiers submitted by Users.

“Processing” or “Processed” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, dissemination, alignment, restriction, erasure, or destruction.

“Data Controller” or “Data Fiduciary” means the Company solely to the extent that it determines the purposes and means of Processing Personal Data in connection with the Platform.

“Processor” or “Data Processor” means the third party solely to the extent it Processes Personal Data on behalf of and strictly in accordance with the documented instructions of the Company.

This DPA applies exclusively to Personal Data Processed by the Processor on behalf of the Company in connection with the provision of services supporting Rolelanded, including authentication, hosting, infrastructure, cloud storage, payment processing, speech-to-text processing, AI processing services, and analytics/crash reporting services.

The Processor shall Process Personal Data only to the extent necessary to perform the Services described in the underlying service agreement. Processing shall be limited to Personal Data categories provided by the Company, which may include User registration data, resume data, voice recording data (audio), voice transcription data, interview logs, screen capture data, and enterprise oversight data.

The Company remains the Controller or Data Fiduciary only to the extent it determines the purposes and means of Processing. The Processor acknowledges that it shall not determine independent purposes or means of Processing within the scope of this DPA.

This DPA does not apply to data Processed exclusively within the User’s local device environment or to data independently collected by the Processor outside the Company’s instructions.

If at any time the third party independently determines the purposes and means of Processing Personal Data, such Processing shall fall outside the scope of this DPA. In such circumstances, the third party shall act as an independent controller or business, this DPA shall not apply to such independent Processing activities, and Users shall be governed by the independent terms and privacy policies of such third party.

The Processor shall Process Personal Data solely on documented instructions from the Company, including instructions set forth in the main services agreement and this DPA. The Processor shall not Process Personal Data for its own commercial purposes, marketing, analytics unrelated to Service delivery, or model training.

The Processor shall not sell, share, disclose, monetize, or otherwise exploit Personal Data beyond the strict performance of Services. Under CCPA/CPRA, the Processor shall qualify as a Service Provider and shall not retain, use, or disclose Personal Data for purposes other than those specified by the Company. The Company may disclose Personal Data to third-party service providers (including speech-to-text providers and AI service providers) solely as necessary to provide the Services and under contractual restrictions designed to limit Processing to Service delivery purposes.

The Processor shall immediately notify the Company if it believes an instruction violates applicable data protection laws. The Processor shall not be obligated to follow instructions that are manifestly unlawful.

The Processor shall ensure that access to Personal Data is limited to authorized personnel subject to confidentiality obligations.

The Processor shall ensure that all personnel authorized to Process Personal Data are bound by written confidentiality obligations that survive termination of employment or engagement.

The Processor shall implement internal access controls restricting Personal Data access strictly to personnel who require such access for performance of Services.

The Processor shall ensure appropriate training of personnel regarding data protection obligations and secure handling of Personal Data.

The Processor shall remain fully liable for acts and omissions of its personnel and subcontractors in connection with Processing.

The Processor shall implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, accidental loss, destruction, alteration, or disclosure.

Security measures shall include access control mechanisms, encryption where appropriate, network security protections, and vulnerability management procedures consistent with industry standards.

The Processor acknowledges that Rolelanded involves storage of interview content, resumes, voice recordings, voice transcription data, and screen capture data and shall implement safeguards proportionate to the sensitivity of such data.

The Processor shall regularly test and evaluate the effectiveness of security measures and shall provide reasonable information to the Company upon request to demonstrate compliance.

The Processor shall not appoint sub-processors without prior written authorization from the Company, whether general or specific.

Where general authorization is granted, the Processor shall notify the Company of any intended changes concerning the addition or replacement of sub-processors, providing the Company with an opportunity to object.

Any authorized sub-processor shall be bound by written contractual obligations no less protective than those contained in this DPA.

The Processor shall remain fully liable for the performance of sub-processors and for ensuring compliance with applicable data protection laws.

The Processor shall assist the Company in responding to data subject requests under GDPR, DPDP Act, and CCPA/CPRA, including access, correction, deletion, restriction, portability, and objection requests.

The Processor shall promptly notify the Company if it receives any direct request from a data subject and shall not respond independently unless legally required.

The Processor shall provide reasonable cooperation and technical assistance necessary for the Company to fulfill its legal obligations.

The Processor shall not charge additional fees for routine assistance unless otherwise agreed in writing.

The Processor shall notify the Company without undue delay upon becoming aware of a Personal Data breach affecting data Processed under this DPA.

Notification shall include sufficient detail to enable the Company to assess legal reporting obligations and implement mitigation measures.

The Processor shall cooperate fully with the Company in investigating, mitigating, and remediating the breach.

Notification shall not constitute admission of fault or liability by the Company.

Where the Processor transfers Personal Data outside the jurisdiction in which it was collected, it shall ensure appropriate safeguards consistent with GDPR and other applicable laws.

Such safeguards may include Standard Contractual Clauses or equivalent legally recognized transfer mechanisms.

The Processor shall not transfer Personal Data to jurisdictions lacking adequate protection without implementing required safeguards.

The Processor shall provide documentation of transfer mechanisms upon reasonable request.

Where Personal Data originating from the European Economic Area, United Kingdom, or other jurisdictions requiring approved transfer safeguards is transferred to a country not recognized as providing an adequate level of protection, the parties agree that the applicable Standard Contractual Clauses adopted by the European Commission, as amended or replaced from time to time, shall be deemed incorporated by reference into this DPA and shall apply automatically to such transfers without the need for separate execution.

To the extent the Processor or any affiliated entity relies on Binding Corporate Rules approved by a competent supervisory authority for intra-group transfers, such Binding Corporate Rules are likewise incorporated by reference and shall govern the relevant transfers.

In the event of any conflict between this DPA and the incorporated Standard Contractual Clauses or Binding Corporate Rules, the provisions of the applicable transfer mechanism shall prevail solely with respect to the subject matter of international data transfers.

The Processor shall retain Personal Data only for the duration necessary to perform Services under the underlying agreement.

Upon termination of Services or upon written instruction from the Company, the Processor shall delete or return all Personal Data and certify deletion in writing.

The Processor shall not retain backups or copies of Personal Data beyond the retention periods and instructions given by the Company, unless otherwise required by applicable law.

If retention is required by applicable law, the Processor shall isolate such data and continue to protect it under this DPA.

The Company reserves the right to audit the Processor’s compliance with this DPA upon reasonable notice.

The Processor shall provide access to relevant documentation, certifications, and security reports sufficient to demonstrate compliance.

Audits shall be conducted in a manner that minimizes operational disruption and protects confidential information of the Processor.

Failure to remedy material non-compliance may constitute grounds for termination of Services.

The Processor shall defend, indemnify, and hold harmless the Company from any and all claims, fines, penalties, or damages arising from the Processor’s breach of this DPA or applicable data protection laws. The Processor acknowledges and agrees that the Company’s liability to Users may arise from Processor misconduct and the Processor agrees to assume responsibility for its Processing activities.

Nothing in this DPA shall limit the Company’s rights or remedies under applicable law.

The Processor’s obligations under this DPA survive termination of the underlying services agreement, including the Terms of Service.

In no event shall the Company be liable for any indirect, incidental, special, consequential, punitive, or exemplary damages or loss of profits, loss of revenue, loss of business opportunities, reputational harm, or loss of anticipated savings, even if advised of the possibility of such damages.

To the maximum extent permitted by applicable law, the total cumulative liability of the Company for any and all claims arising out of or in connection with this DPA, whether in contract, tort including negligence, statutory liability, or otherwise, shall not exceed the total amount of fees actually paid by the Company to the Processor under the applicable services agreement (including the Terms of Service) during the three (3)-month period immediately preceding the event first giving rise to the claim. Where no fees have been paid during such period, the Company’s total cumulative liability for any and all claims shall be limited to a commercially reasonable nominal amount determined by the Company at its sole discretion.

This DPA shall be governed by the laws of India, without prejudice to mandatory data protection rights under applicable law.

If any provision of this DPA is held invalid, the remaining provisions shall remain enforceable.

This DPA constitutes the complete agreement governing Processing of Personal Data between the Company and the Processor within its defined scope.

Therefore, both the Data Controller and the Data Processor have caused this DPA to be executed through their duly authorized representatives as of the Effective Date.