Data Processing Agreement

Document Version: v1.0.0

Effective Date: 1-July-2025

Last Updated: 30-June-2025

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer") and Datastruk Software Solutions ("Processor") regarding the processing of personal data through TeamSyncAI.

2. Definitions

Personal Data: Any information relating to an identified or identifiable natural person.

Processing: Any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

Data Subject: The identified or identifiable natural person to whom personal data relates.

Controller: The entity that determines the purposes and means of processing personal data.

Processor: Datastruk Software Solutions, which processes personal data on behalf of the Controller.

3. Scope and Nature of Processing

3.1 Categories of Data Subjects

  • Job candidates and interview participants
  • Customer employees and hiring managers
  • Customer contacts and users

3.2 Categories of Personal Data

Interview Participants:

  • Basic identification (name, email, phone)
  • Video and audio recordings
  • Interview responses and assessments
  • Demographic information (when provided)

Customer Users:

  • Account information (name, email, job title)
  • Company information
  • Usage and activity data
  • Communication records

3.3 Purpose of Processing

  • Conducting AI-powered interview analysis
  • Providing team fit assessments
  • Generating hiring insights and reports
  • Service delivery and account management
  • Customer support and technical assistance

3.4 Duration of Processing

Processing will continue for the duration of the service agreement plus retention periods specified in our Privacy Policy.

4. Customer Obligations as Data Controller

4.1 Legal Basis

Customer warrants that it has a lawful basis for processing and sharing personal data with us, including:

  • Legitimate interests in hiring and team assessment
  • Consent from interview participants
  • Contractual necessity for service delivery

4.2 Data Subject Rights

Customer is responsible for:

  • Informing data subjects about data processing
  • Obtaining necessary consents for video recording
  • Handling data subject access requests
  • Ensuring compliance with applicable privacy laws

4.3 Data Quality

Customer must ensure that personal data provided is:

  • Accurate and up-to-date
  • Relevant and limited to necessary purposes
  • Obtained lawfully and fairly

5. Processor Obligations

5.1 Processing Instructions

We will process personal data only:

  • According to documented instructions from Customer
  • As necessary to provide the TeamSyncAI service
  • As required by applicable law

5.2 Confidentiality

All personnel with access to personal data are bound by confidentiality obligations and receive appropriate data protection training.

5.3 Technical and Organizational Measures

We implement appropriate security measures including:

Technical Measures:

  • Encryption of data in transit and at rest
  • Access controls and authentication systems
  • Regular security monitoring and logging
  • Secure data backup and recovery procedures
  • Network security and firewall protection

Organizational Measures:

  • Staff training on data protection
  • Clear data handling procedures
  • Regular security audits and assessments
  • Incident response procedures
  • Vendor management and due diligence

5.4 Data Breach Notification

In case of a personal data breach, we will:

  • Notify Customer without undue delay (within 72 hours when possible)
  • Provide detailed information about the breach
  • Assist Customer in breach assessment and notification obligations
  • Implement measures to address the breach and prevent recurrence

6. Sub-Processing

6.1 Authorized Sub-Processors

We may engage the following categories of sub-processors:

  • Cloud infrastructure providers (AWS, Google Cloud, DigitalOcean)
  • AI/ML service providers (OpenAI, Anthropic, Groq, Google Gemini)
  • Payment processors (Stripe, Paddle)
  • Communication and support tools (Intercom, SendGrid)
  • Analytics and monitoring services (Google Analytics, Sentry)
  • Video processing services (Agora.io, Vonage/Tokbox)

6.2 Sub-Processor Requirements

All sub-processors must:

  • Provide adequate data protection guarantees
  • Be bound by data processing agreements
  • Implement appropriate technical and organizational measures
  • Allow audits and inspections

6.3 Changes to Sub-Processors

We will inform Customer of any intended changes to sub-processors, giving Customer the opportunity to object to such changes.

7. Data Subject Rights

7.1 Assistance with Rights Requests

We will assist Customer in fulfilling data subject rights requests, including:

  • Right of access to personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing

7.2 Response Timeframes

We will respond to Customer requests for assistance within 10 business days and provide necessary information to enable Customer compliance with legal timeframes.

8. Data Transfers

8.1 International Transfers

Personal data may be transferred to and processed in countries outside Canada, including:

  • United States (cloud infrastructure, AI processing)
  • European Union (development teams)
  • Singapore (video processing)

8.2 Transfer Safeguards

For transfers to countries without adequacy decisions, we implement appropriate safeguards:

  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules where applicable
  • Certification schemes (Privacy Shield successors)

8.3 Customer Consent

By using our services, Customer consents to these international transfers under the safeguards described above.

9. Data Retention and Deletion

9.1 Retention Periods

Interview Data:

  • Raw video recordings: 90 days maximum
  • Analysis results: 24 months or until account deletion
  • Anonymized insights: Indefinitely for service improvement

Account Data:

  • Customer account information: Duration of service plus 12 months
  • Support communications: 36 months
  • Billing records: 7 years (legal requirement)

9.2 Deletion Procedures

Upon termination of services or Customer request:

  • Personal data deleted within 30 days
  • Backups purged within 90 days
  • Anonymized data may be retained for analytics

9.3 Certification of Deletion

Upon request, we will provide certification that personal data has been deleted in accordance with this agreement.

10. Audits and Compliance

10.1 Audit Rights

Customer may conduct audits of our data processing activities:

  • Upon reasonable notice (30 days minimum)
  • During regular business hours
  • At Customer's expense
  • Maximum once per year unless breach suspected

10.2 Compliance Documentation

We will provide Customer with:

  • Security certifications and audit reports
  • Data processing records and logs
  • Compliance attestations
  • Third-party security assessments

10.3 Cooperation with Authorities

We will cooperate with supervisory authorities and provide requested information regarding our processing activities.

11. Liability and Indemnification

11.1 Data Processing Liability

Each party is liable for its own compliance with applicable data protection laws:

  • Customer: As data controller
  • Processor: As data processor

11.2 Indemnification

We will indemnify Customer against claims arising from our breach of this DPA, subject to:

  • Customer's prompt notification of claims
  • Customer's cooperation in defense
  • Our control over defense and settlement

11.3 Limitation of Liability

Our total liability under this DPA is limited to the amount paid by Customer in the 12 months preceding the claim.

12. Term and Termination

12.1 Duration

This DPA remains in effect for the duration of the service agreement and any data retention periods.

12.2 Termination Rights

Either party may terminate this DPA:

  • Upon termination of the main service agreement
  • For material breach not cured within 30 days
  • If required by applicable law

12.3 Survival

Obligations regarding data security, deletion, and confidentiality survive termination of this agreement.

13. Governing Law and Disputes

13.1 Applicable Law

This DPA is governed by the laws of Nova Scotia, Canada, and applicable federal privacy legislation.

13.2 Dispute Resolution

Disputes will be resolved through:

  1. Good faith negotiations (30 days)
  2. Mediation through ADR Institute of Canada
  3. Binding arbitration in Halifax, Nova Scotia

13.3 Regulatory Cooperation

Both parties will cooperate with privacy regulators and supervisory authorities as required by law.

14. Amendments and Updates

14.1 Agreement Changes

This DPA may be amended:

  • By mutual written agreement
  • To comply with changes in applicable law
  • With 30 days' notice for non-material changes

14.2 Legal Updates

We will update this DPA as necessary to maintain compliance with evolving privacy regulations.

15. Contact Information

Data Protection Officer
Datastruk Software Solutions
Halifax, Nova Scotia, Canada
Email: privacy@teamsyncai.com

Legal Department
Email: legal@teamsyncai.com

16. Signatures

This DPA is incorporated into and forms part of the Terms of Service. By using TeamSyncAI services, Customer acknowledges acceptance of this Data Processing Agreement.

Customer Acknowledgment:
By using the service, Customer confirms that it has read, understood, and agrees to be bound by this Data Processing Agreement.

Processor Details:
Datastruk Software Solutions
Halifax, Nova Scotia, Canada
Business Registration: [Your NS Registration Number]

Effective Date: [Date of service commencement]
Last Updated: [Date]


Appendix A: Technical and Organizational Measures

A.1 Access Control

  • Multi-factor authentication for system access
  • Role-based access controls
  • Regular access reviews and deprovisioning
  • Privileged access management

A.2 Data Encryption

  • AES-256 encryption for data at rest
  • TLS 1.3 for data in transit
  • Encrypted database connections
  • Key management through secure key stores

A.3 Monitoring and Logging

  • 24/7 security monitoring
  • Audit logging of all data access
  • Automated threat detection
  • Regular log analysis and review

A.4 Physical Security

  • Secure data center facilities
  • Biometric access controls
  • 24/7 security personnel
  • Environmental monitoring and controls

A.5 Business Continuity

  • Regular data backups (encrypted)
  • Disaster recovery procedures
  • Business continuity planning
  • Regular testing of recovery procedures

Appendix B: Sub-Processor List

B.1 Infrastructure Providers

Amazon Web Services (AWS)

  • Purpose: Cloud hosting and storage
  • Location: Canada, United States
  • Safeguards: AWS Data Processing Agreement

Google Cloud Platform

  • Purpose: AI/ML processing services
  • Location: Canada, United States
  • Safeguards: Google Cloud Data Processing Agreement

DigitalOcean

  • Purpose: Application hosting and databases
  • Location: Canada, United States, Europe
  • Safeguards: DigitalOcean Data Processing Agreement

B.2 AI/ML Service Providers

OpenAI

  • Purpose: Large language model processing and analysis
  • Location: United States
  • Safeguards: OpenAI Data Processing Agreement, API Terms

Anthropic

  • Purpose: AI analysis and processing services
  • Location: United States
  • Safeguards: Anthropic Commercial Terms, Data Processing Agreement

Groq

  • Purpose: High-speed AI inference processing
  • Location: United States
  • Safeguards: Groq Terms of Service, Data Processing Agreement

Google Gemini (Vertex AI)

  • Purpose: AI analysis and natural language processing
  • Location: Canada, United States
  • Safeguards: Google Cloud AI/ML Services Agreement

B.3 Payment Processing

Stripe

  • Purpose: Payment processing and billing
  • Location: Canada, United States, Europe
  • Safeguards: PCI DSS compliance, Stripe Data Processing Agreement

Paddle

  • Purpose: Subscription management and billing
  • Location: United Kingdom, United States
  • Safeguards: PCI DSS compliance, Standard Contractual Clauses

B.4 Communication & Support

Intercom

  • Purpose: Customer support and messaging
  • Location: United States, European Union
  • Safeguards: GDPR compliance, Standard Contractual Clauses

SendGrid/Twilio

  • Purpose: Email delivery and notifications
  • Location: United States
  • Safeguards: SOC 2 compliance, Data Processing Agreement

B.5 Analytics & Monitoring

Google Analytics

  • Purpose: Website and application analytics (anonymized)
  • Location: United States
  • Safeguards: Google Analytics Data Processing Agreement

Sentry

  • Purpose: Error monitoring and performance tracking
  • Location: United States
  • Safeguards: Sentry Data Processing Agreement

B.6 Video Processing

Agora.io

  • Purpose: Real-time video/audio streaming and recording
  • Location: United States, Singapore
  • Safeguards: Agora Data Processing Agreement

Vonage/Tokbox

  • Purpose: Video interview platform infrastructure
  • Location: United States
  • Safeguards: Vonage Data Processing Agreement

B.7 Notification Process

Customer will be notified of sub-processor changes via:

  • Email notification to primary account contact (30 days advance notice)
  • In-app notification
  • Updates to this appendix with effective date
  • Right to object to new sub-processors

Data Transfer Safeguards: All sub-processors processing personal data outside Canada are bound by:

  • Standard Contractual Clauses (SCCs) where applicable
  • Adequacy decisions (where available)
  • Additional contractual safeguards
  • Regular security and compliance audits

Last Updated: 30-June-2025