Data Processing Agreement
Last Updated: November 20, 2025
This Data Processing Agreement ("DPA") forms part of the Master Services Agreement ("Agreement") between Wedey OÜ ("Processor") and the Client ("Controller").
By using the Wedey Platform to process Personal Data of job applicants, the Client accepts the terms of this DPA.
1. Definitions
- "GDPR": The General Data Protection Regulation (EU) 2016/679.
- "Personal Data": Any information relating to an identified or identifiable natural person ("Data Subject"), such as candidate CVs, email addresses, video interviews, and behavioral scores.
- "Sub-processor": Any third party engaged by Wedey to assist in fulfilling its obligations with respect to providing the Services (e.g., cloud hosting, AI providers).
- "Security Breach": A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Roles and Responsibilities
2.1. Relationship
The parties acknowledge that with regard to the processing of Candidate Data, the Client is the Data Controller and Wedey is the Data Processor.
2.2. Compliance
Wedey agrees to process Personal Data only in accordance with the documented instructions of the Client (which include the Agreement and the features of the Platform) and in compliance with the GDPR.
3. Obligations of the Processor (Wedey)
3.1. Confidentiality
Wedey ensures that all personnel (employees and contractors) authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.2. Security Measures (Art. 32 GDPR)
Wedey implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit (TLS/SSL) and at rest (AES-256).
- Regular vulnerability scanning and penetration testing.
- Access control mechanisms (MFA, Role-Based Access Control).
3.3. Sub-processing
The Client grants Wedey a general authorization to engage Sub-processors. Wedey shall:
- Ensure that Sub-processors are bound by data protection obligations compatible with this DPA.
- Remain fully liable to the Client for the performance of the Sub-processor's obligations.
- Maintain an up-to-date list of Sub-processors (see Annex 2).
3.4. Assistance to Controller
Wedey shall assist the Client:
- By appropriate technical means (e.g., "Delete" buttons in the dashboard) to fulfill the Client's obligation to respond to requests for exercising the Data Subject's rights (Right to Access, Rectification, Erasure).
- In ensuring compliance with obligations regarding security of processing, data protection impact assessments (DPIA), and prior consultations with supervisory authorities, specifically regarding the use of AI and Automated Decision Making.
3.5. Breach Notification
In the event of a Security Breach, Wedey shall notify the Client without undue delay (and in any event within 48 hours of becoming aware of the breach).
4. International Transfers
If Wedey transfers Personal Data outside the European Economic Area (EEA) to a country not deemed to provide an adequate level of protection, such transfers shall be governed by:
- The EU-US Data Privacy Framework (for US-based providers certified under the framework); or
- The European Commission's Standard Contractual Clauses (SCCs).
5. Term and Deletion
5.1. Term
This DPA remains in effect as long as Wedey processes Personal Data on behalf of the Client.
5.2. Deletion or Return
Upon termination of the Services, Wedey shall, at the choice of the Client, delete or return all Personal Data to the Client, unless applicable law requires storage of the Personal Data. If no specific instruction is given, Wedey generally deletes data 30 days after account termination.
6. Audit Rights
Wedey shall make available to the Client all information necessary to demonstrate compliance with this DPA. For Enterprise Clients, Wedey may allow for audits or inspections, subject to reasonable notice, confidentiality agreements, and limitation to once per year.
Annex 1: Details of Processing
1. Subject Matter and Duration
The subject matter is the processing of job applicant data to facilitate recruitment via the Wedey Platform. The duration is the term of the Client's subscription.
2. Nature and Purpose
Collection, storage, retrieval, AI analysis, ranking, and deletion of candidate data for the purpose of evaluating job applications.
3. Categories of Data Subjects
- Job applicants / Candidates.
- Client's employees (Recruiters/Hiring Managers).
4. Categories of Personal Data
- Identity Data: Name, email, phone number, location, social media links (LinkedIn/GitHub).
- Professional Data: CV/Resume content, work history, education, skills.
- Biometric & Behavioral Data (AI): Video interview recordings, voice patterns, facial expressions (analyzed by ARIA for sentiment/stress analysis), and AI-generated "Match Scores."
Annex 2: Sub-Processors
The Client authorizes the engagement of the following Sub-processors:
| Sub-processor | Service Provided | Location | Mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud Hosting & Database | Germany (Frankfurt) | EEA (No Transfer) |
| Stripe | Payment Processing | USA | Data Privacy Framework |
| SendGrid (Twilio) | Email Delivery | USA | Standard Contractual Clauses |
| OpenAI / Anthropic | LLM API (AI Analysis) | USA | Standard Contractual Clauses |