Data Processing Agreement

Last Updated on: March 23, 2026


This Data Processing Agreement ("DPA") forms part of the Terms of Use (or other similarly titled written or electronic agreement addressing the same subject matter) ("Agreement") between Customer (as defined in the Agreement) and "JobTwine Inc", including its subsidiary "JobTwine India Private Limited" (hereinafter "us" or the "Processor"), under which the Processor provides the Controller/Fiduciary with the software and services (the "Services"). The Controller/Fiduciary and the Processor are individually referred to as a "Party" and collectively as the "Parties".

The Parties seek to implement this DPA to comply with applicable Data Protection Laws, including the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the EU General Data Protection Regulation (EU) 2016/679 ("GDPR"), and other applicable global privacy laws, in relation to the Processing of Personal Data by the Processor. This DPA shall apply to the Processor's processing of Personal Data provided by the Controller/Fiduciary as part of the Processor's obligations under the Agreement.

Except as modified below, the terms of the Agreement shall remain in full force and effect.

1. Definitions

Terms not otherwise defined herein shall have the meaning given to them in India's DPDP Act, the EU GDPR or the Agreement. The following terms shall have the corresponding meanings assigned to them below:

1.1. "Data Transfer" means a transfer of the Personal Data from the Controller/Fiduciary to the Processor, between two establishments of the Processor, or from the Processor to a Sub-processor.

1.2. "Agreement" means the standard terms and conditions entered into between you as the "Customer" and us as the Licensor (as defined in the Agreement).

1.3. "Data Protection Legislation" means all data protection and privacy legislation applying to you and/or us which is in force from time to time. This may include (to the extent applicable) the Digital Personal Data Protection Act, 2023 ("DPDP Act"); the Australian Privacy Act 1988 (Cth); the EU's General Data Protection Regulation (2016/679) (GDPR); the GDPR as defined in section 3(10) (as supplemented by section 205(4)) of the DPA 2018 (UK GDPR); the UK's Data Protection Act 2018 (DPA 2018); and applicable U.S. state privacy laws including the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations, as amended by the California Privacy Rights Act.

1.4. "Fiduciary" means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

1.5. "DPDP Act" means the Digital Personal Data Protection Act, 2023 of India and the rules, regulations, orders, and guidelines issued thereunder, as amended from time to time.

1.6. "Data Principal" means the individual to whom the personal data relates and, where such individual is a child, includes the parents or lawful guardian of such child.

1.7. "Board" means the Data Protection Board of India established by the Central Government under section 18 of the DPDP Act.

1.8. "EU GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

1.9. "Standard Contractual Clauses" means the standard contractual clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as attached hereto in Schedule 1.

1.10. "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

1.11. "Personal Data" means any data about an individual who is identifiable by or in relation to such data.

1.12. "Personal Data Breach" shall have the meaning assigned under GDPR and DPDP Act and other relevant data protection acts.

1.13. "Processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller/Fiduciary.

1.14. "Sub-processor" means a processor or sub-contractor appointed by the Processor for the provision of all or part of the Services which Processes the Personal Data provided by the Controller/Fiduciary.

1.15. "ISO/IEC 27001:2022" means the international standard for information security management systems (ISMS) published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which specifies requirements for establishing, implementing, maintaining and continually improving an information security management system.

1.16. "Services" means the services which we provide to you under the Agreement.

1.17. "De-identified Data" means data that cannot reasonably be used to identify an individual.

1.18. "Processing Activities Record" means records required under Article 30 GDPR or equivalent provisions.

2. Purpose of this Agreement

This DPA sets out various obligations of the Processor in relation to the Processing of Personal Data and shall be limited to the Processor's obligations under the Agreement. If there is a conflict between the provisions of the Agreement and this DPA, the provisions of this DPA shall prevail. The Processor shall process Personal Data strictly in accordance with documented instructions of the Controller/Fiduciary and in compliance with Applicable Data Protection Laws.

3. Categories of Personal Data and Data Subjects

The Controller/Fiduciary authorizes the Processor to process the Personal Data to the extent determined and regulated by the Controller/Fiduciary. The current nature of the Personal Data is specified in Annex I to Schedule 1 to this DPA.

4. Purpose of Processing

The parties acknowledge that this Data Processing Agreement (DPA) applies only to the Personal Data we are Processing on our Customer's instructions, and in connection with such Processing.

4.1. The objective of Processing of Personal Data by the Processor shall be limited to the Processor's provision of the Services to the Controller/Fiduciary and/or its Client, pursuant to the Agreement.

4.2. Categories of Personal Data: In the provision of Services to the Customer, the categories of Personal Data we process are Customer Data as defined in the Agreement (including name, phone number and email address), and other Personal Data as defined in the Agreement provided to us directly by the individual applying for employment with you, such as in response to the interview questions asked of the individual during our provision of the Services, which may include special categories of Personal Data such as Data Subjects' age, health, and racial or ethnic origin.

4.3. Categories of Data Subjects: In the provision of Services to you, the categories of Data Subjects whose Personal Data we process are employees or individuals applying for employment with you (Candidates).

4.4. You hereby agree that we may Process Customer Data in order to de-identify it for the purposes of the Data Protection Legislation, and that we may use the resulting de-identified data (which no longer includes Personal Data) for the purposes of developing and improving our services, including:

  • 4.4.1. using de-identified data about Candidates' experiences of the interview process to promote our services;

  • 4.4.2. using de-identified data about Candidates' location, age, gender, health, and racial and ethnic origin, for the purposes of testing for bias in our services as required by relevant legislation;

  • 4.4.3. using Candidates' de-identified responses to interview questions to train and improve our AI models.

5. Duration of Processing

The Processor will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing by the Controller /Fiduciary.

6. Data Controller/Fiduciary's Obligations

6.1. The Data Controller/Fiduciary warrants that it has all necessary rights to provide the Personal Data to the Data Processor for the Processing to be performed in relation to the agreed Services. To the extent required by Data Privacy Laws, the Data Controller/Fiduciary is responsible for ensuring that it provides such Personal Data to the Data Processor on an appropriate legal basis allowing lawful processing activities, including ensuring that any necessary Data Subject consents to this Processing are obtained and that a record of such consents is maintained. Should such consent be revoked by the Data Subject, the Data Controller/Fiduciary is responsible for communicating the fact of such revocation to the Data Processor.

6.2. The Data Controller/Fiduciary shall provide all natural persons from whom it collects Personal Data with the relevant privacy notice.

6.3. The Data Controller/Fiduciary shall request the Data Processor to purge Personal Data when required by the Data Controller/Fiduciary or by any Data Subject from whom it collects Personal Data, unless the Data Processor is otherwise required to retain the Personal Data by applicable law.

6.4. The Controller/Fiduciary shall ensure that all processing of Personal Data is supported by a valid lawful basis in accordance with the requirements of the GDPR and, where applicable, is based on valid consent or legitimate use as prescribed under the DPDP Act. The Controller/Fiduciary shall further ensure that clear, specific, and easily understandable privacy notices are provided to Data Subjects/Data Principals in compliance with the DPDP Act, including at or before the time of data collection. It shall maintain accurate and up-to-date records of consent obtained from Data Principals, including mechanisms to demonstrate such consent when required. Additionally, the Controller/Fiduciary shall establish and maintain an effective grievance redressal mechanism, including the appointment of a grievance officer where mandated under applicable law, to address complaints and requests from Data Principals in a timely and compliant manner.

6.4.1. The Data Controller/Fiduciary shall immediately advise the Data Processor in writing if it receives or learns of any:

  • 6.4.2. Complaint or allegation indicating a violation of Data Privacy Laws regarding Personal Data;

  • 6.4.3. Request from one or more individuals seeking to access, correct, or delete Personal Data;

  • 6.4.4. Inquiry or complaint from one or more individuals relating to the collection, processing, use, or transfer of Personal Data; and

  • 6.4.5. Any regulatory request, search warrant, or other legal, regulatory, administrative, or governmental process seeking Personal Data.

7. Data Processor's Obligations

7.1. The Processor will follow written and documented instructions received (including by email) from the Controller/Fiduciary, its affiliates, agents, or personnel with respect to the Processing of Personal Data (each, an "Instruction").

7.2. The Processing described in the Agreement and the relating documentation shall be considered as Instruction from the Controller/Fiduciary.

7.3. Processor shall assist Controller/Fiduciary in responding to Data Subject/Data Principal requests including access, correction, erasure, restriction, portability and grievance redressal within statutory timelines.

7.4. Processor shall not independently obtain consent from Data Subjects unless expressly instructed. Consent obligations remain with Controller/Fiduciary.

7.5. The Processor shall ensure that all transfers of Personal Data are carried out in compliance with applicable data protection laws, including the requirements set out under Chapter V of the GDPR, such as the use of Standard Contractual Clauses and the conduct of Transfer Impact Assessments, as well as any cross-border transfer restrictions prescribed under the DPDP Act. The Processor shall further implement the principles of privacy by design and privacy by default in the development, operation, and delivery of its Services, ensuring that data protection safeguards are embedded into processing activities from the outset. In addition, the Processor shall maintain complete and accurate records of its processing activities in accordance with applicable legal requirements and shall make such records available to the Controller/Fiduciary upon reasonable request.

7.6. The Processor shall inform the Controller/Fiduciary if, in its opinion, a processing Instruction infringes applicable legislation or regulation.

7.7. As a Data Processor, taking into account the nature of the processing and the information available to it, the Data Processor shall assist the Data Controller/Fiduciary in conducting any necessary Data Protection Impact Assessments (DPIAs), as required under the GDPR.

8. Consent Management

8.1. The Customer shall warrant that any consent obtained from Data Principals for the Processing of Digital Personal Data is free, specific, informed, unconditional and unambiguous, and is obtained separately for distinct Processing purposes, including, where applicable, the collection, recording, storage, analysis and evaluation of video, audio or other candidate-related data through automated or AI-enabled means. The Customer shall further ensure that Data Principals are provided with clear and plain-language notice at or before the point of data collection describing the nature and purpose of such Processing activities.

8.2. The Customer shall be responsible for ensuring that Data Principals are provided with an effective mechanism to withdraw Consent which is as easy as the mechanism used to provide such Consent and for promptly notifying JobTwine of any withdrawal of Consent. Upon receipt of such notification, JobTwine shall cease the relevant Processing and take appropriate action in accordance with this DPA.

9. Data Secrecy

9.1. To Process the Personal Data, the Processor will use personnel who are

  • 9.1.1. Informed of the confidential nature of the Personal Data; and

  • 9.1.2. Required to perform the Services in accordance with the Agreement.

9.2. The Processor will regularly train individuals having access to Personal Data in data security and data privacy in accordance with accepted industry practice and shall ensure that all the Personal Data is kept strictly confidential.

9.3. The Processor will maintain appropriate technical and organizational measures for the protection of the security, confidentiality, and integrity of the Personal Data, in accordance with the standards mutually agreed in writing by the Parties.

10. Personal Data Breach Notification

10.1. JobTwine shall maintain and implement documented incident response procedures that address Personal Data Breaches affecting the Digital Personal Data of Indian Data Principals, consistent with the requirements of the DPDP Act and GDPR and any rules prescribed thereunder.

10.2. In the event of a Personal Data Breach affecting Digital Personal Data of Indian Data Principals, JobTwine shall notify the Customer without undue delay, and in any event no later than seventy-two (72) hours after becoming aware of the Breach, and shall provide the Customer with a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Principals affected and the categories and approximate volume of Personal Data records concerned; the name and contact details of JobTwine's data protection point of contact (or equivalent); a description of the likely consequences of the Personal Data Breach; and a description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

10.3. Where complete information is not available at the time of initial notification, JobTwine shall provide the remaining information to the Customer without undue delay as and when it becomes available.

10.4. The Customer, as Data Fiduciary, acknowledges its obligation under the DPDP Act to notify the Board and affected Data Principals of a Personal Data Breach in accordance with the requirements and timelines prescribed by the DPDP Act and applicable rules. JobTwine shall provide the Customer with all reasonable cooperation and assistance required to enable the Customer to fulfil its breach notification obligations to the Board and Data Principals.

10.5. JobTwine's notification of or response to a Personal Data Breach shall not be construed as an acknowledgement of fault or liability on the part of JobTwine with respect to the Breach.

11. Transparency in Automated Processing

11.1. The Customer acknowledges that the Services may involve automated processing, including AI-enabled analysis of candidate data (such as video, audio, and responses), for the purpose of evaluation, scoring, or recommendation. JobTwine Inc shall ensure that Data Principals are provided with clear and plain-language notice of such processing, including the nature and purpose of the automated processing.

11.2. The Customer shall be solely responsible for determining whether to rely on any automated outputs generated through the Services and shall ensure that any decisions impacting Data Principals are made in compliance with applicable law, including the principles of fairness and transparency under the DPDP Act and the GDPR.

11.3. The Processor shall implement appropriate safeguards to ensure that automated processing does not result in unlawful discrimination, bias, or unfair treatment of Data Subjects/Data Principals. Such safeguards shall include periodic testing, validation, and monitoring of AI systems for bias and accuracy, and the use of techniques such as anonymisation or pseudonymisation where appropriate.

11.4. The Processor shall ensure that appropriate measures are available to the Controller/Fiduciary to enable human oversight and intervention. This shall include the ability for the Controller/Fiduciary to review, override, or supplement automated outputs, and to provide Data Subjects/Data Principals with the ability to seek meaningful human review and contest such decisions where required under applicable law.

12. Audit Rights

12.1. Upon Controller/Fiduciary's reasonable request, the Processor will make available to the Controller/Fiduciary, information as is reasonably necessary to demonstrate Processor's compliance with its obligations under the EU GDPR or other applicable laws in respect of its Processing of the Personal Data.

12.2. When the Controller/Fiduciary wishes to conduct the audit (by itself or through a representative) at Processor's site, it shall provide at least fifteen (15) days' prior written notice to the Processor; the Processor will provide reasonable cooperation and assistance in relation to audits, including inspections, conducted by the Controller/Fiduciary or its representative.

12.3. The Controller/Fiduciary shall bear the expense of such an audit.

13. Mechanism of Data Transfers

Any Data Transfer for the purpose of Processing by the Processor in a country outside the European Economic Area (the "EEA") shall only take place in compliance with the mechanism detailed in Schedule 1 to this DPA. Where such model clauses have not been executed at the same time as this DPA, the Processor shall not unduly withhold the execution of such template model clauses where the transfer of Personal Data outside of the EEA is required for the performance of the Agreement.

14. Sub-processors

14.1. The Controller/Fiduciary acknowledges and agrees that the Processor may engage third-party Sub-processor(s) in connection with the performance of the Services, provided such Sub-processor(s) take technical and organizational measures to ensure the confidentiality of Personal Data shared with them. The current Sub-processors engaged by the Processor and approved by the Controller/Fiduciary are listed in Annex III of Schedule 1 hereto, and their processing location is the US region unless otherwise expressly notified in writing. The Processor shall notify the Controller/Fiduciary at least thirty (30) calendar days in advance of any intended changes or additions to the Sub-processors listed in Annex III by emailing notice of the intended change to the Customer. In accordance with Article 28(4) of the GDPR, the Processor shall remain liable to the Controller/Fiduciary for any failure by a Sub-processor to fulfil its data protection obligations under this DPA in connection with the performance of the Services.

14.2. If the Controller/Fiduciary has a concern that the Sub-processor(s) Processing of Personal Data is reasonably likely to cause the Controller/Fiduciary to breach its data protection obligations under the GDPR, the Controller/Fiduciary may object to Processor's use of such Sub-processor and the Processor and Controller/Fiduciary shall confer in good faith to address such concern.

15. Return and Deletion of Personal Data

15.1. No later than thirty (30) days after the end of the Agreement or the cessation of the Processor's Services under the Agreement, whichever occurs earlier, the Processor shall return to the Controller/Fiduciary all the Personal Data or, if the Controller/Fiduciary so instructs, delete the Personal Data. The Processor shall return such Personal Data in a commonly used format or in the format in which it is currently stored, at the discretion of the Controller/Fiduciary, as soon as reasonably practicable following receipt of the Controller/Fiduciary's notification.

15.2. In any case, the Processor shall delete Personal Data including all the copies of it as soon as reasonably practicable following the end of the Agreement.

16. Grievance Officer

The Processor shall designate and maintain a Grievance Officer in accordance with the requirements of the DPDP Act, and shall publish the contact details of such Grievance Officer as required under applicable law. The Processor shall provide reasonable cooperation and assistance to the Controller/Fiduciary in addressing and resolving complaints, grievances, and requests received from Data Principals, including by facilitating timely responses and providing relevant information necessary for the Controller/Fiduciary to comply with its obligations under the DPDP Act.

17. Liability and Indemnity

Each Party shall be responsible for and liable for any damages, losses, or liabilities arising out of or in connection with its breach of this DPA or any Applicable Data Protection Laws. Each Party (the "Indemnifying Party") shall indemnify, defend, and hold harmless the other Party, its affiliates, and their respective officers, directors, and employees (the "Indemnified Party") from and against any claims, actions, damages, losses, penalties, fines, costs, and expenses (including reasonable legal fees) arising from or relating to the Indemnifying Party's breach of this DPA or violation of Applicable Data Protection Laws, subject to the terms and limitations set forth in the Agreement.

18. Technical and Organizational Measures

Having regard to the state of technological development and the cost of implementing any measures, the Processor will take appropriate technical and organizational measures against the unauthorized or unlawful processing of Personal Data and against the accidental loss or destruction of, or damage to, Personal Data to ensure a level of security appropriate to: (a) the harm that might result from unauthorized or unlawful processing or accidental loss, destruction or damage; and (b) the nature of the data to be protected, including the measures stated in Annex II of Schedule 1.

The Processor shall maintain an information security management system that complies with the requirements of ISO/IEC 27001:2022 (as defined in this DPA), and the technical and organisational security measures implemented by the Processor are further described in Annex II of Schedule 1.

SCHEDULE 1

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

Name:

Customer (As set forth in the relevant Order Form).

Address:

As set forth in the relevant Order Form.

Contact person's name, position, and contact details:

As set forth in the relevant Order Form.

Activities relevant to the data transferred under these Clauses:

Recipient of the Services provided by JobTwine Inc in accordance with the Agreement.

Signature and date:

Signature and date are set out in the Agreement.

Role (Controller / Fiduciary / processor):

Controller / Fiduciary

Data importer(s):

Name:

JobTwine Inc

Address:

12686 Fox Woods Drive, Herndon 20171, Virginia USA

Contact person's name, position, and contact details:

Sandip Mahanta, CTO, sandip.mahanta@jobtwine.com

Activities relevant to the data transferred under these Clauses:

Provision of the Services to the Customer in accordance with the Agreement.

Signature and date:

Signature and date are set out in the Agreement.

Role (Controller / Fiduciary / processor):

Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Customer's authorized users of the Services.

Categories of personal data transferred

Name, Address, Date of Birth, Age, Education, Email, Gender, Image, Job, Language, Phone, Related person, Related URL, User ID, Username.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

No sensitive data collected.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).

Continuous basis

Nature of the processing

Provision of the Services to the Customer in accordance with the Agreement.

Purpose(s) of the data transfer and further processing

The purpose of the transfer is to facilitate the performance of the Services more fully described in the Agreement and accompanying order forms.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.

The period for which the Customer Personal Data will be retained is more fully described in the Agreement, Addendum, and accompanying order forms.

For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing.

The subject matter, nature, and duration of the Processing more fully described in the Agreement, Addendum, and accompanying order forms.

C. COMPETENT SUPERVISORY AUTHORITY

Data exporter is established in an EEA country. The competent supervisory authority is as determined by application of Clause 13 of the EU SCCs.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational security measures implemented by JobTwine Inc as the data processor/data importer to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Security

  • Security Management System.

    • Organization. JobTwine Inc designates qualified security personnel whose responsibilities include development, implementation, and ongoing maintenance of the Information Security Program.

    • Policies. Management reviews and supports all security-related policies to ensure the security, availability, integrity and confidentiality of Customer Personal Data. These policies are updated at least once annually.

    • Assessments. JobTwine Inc engages a reputable independent third-party to perform risk assessments of all systems containing Customer Personal Data at least once annually.

    • Risk Treatment. JobTwine Inc maintains a formal and effective risk treatment program that includes penetration testing, vulnerability management and patch management to identify and protect against potential threats to the security, integrity or confidentiality of Customer Personal Data.

    • Vendor Management. JobTwine Inc maintains an effective vendor management program.

    • Incident Management. JobTwine Inc reviews security incidents regularly, including effective determination of root cause and corrective action.

    • Standards. JobTwine Inc operates an information security management system that complies with the requirements of ISO/IEC 27001:2022 standard.

  • Personnel Security.

    • JobTwine Inc personnel are required to conduct themselves in a manner consistent with the company's guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. JobTwine Inc conducts reasonably appropriate background checks on any employees who will have access to client data under this Agreement, including in relation to employment history and criminal records, to the extent legally permissible and in accordance with applicable local labor law, customary practice and statutory regulations.

    • Personnel are required to execute a confidentiality agreement in writing at the time of hire and to protect Customer Personal Data at all times. Personnel must acknowledge receipt of, and compliance with, JobTwine Inc's confidentiality, privacy and security policies. Personnel are provided with privacy and security training on how to implement and comply with the Information Security Program. Personnel handling Customer Personal Data are required to complete additional requirements appropriate to their role (e.g., certifications). JobTwine Inc's personnel will not process Customer Personal Data without authorization.

  • Access Controls

    • Access Management. JobTwine Inc maintains a formal access management process for the request, review, approval and provisioning of all personnel with access to Customer Personal Data to limit access to Customer Personal Data and systems storing, accessing or transmitting Customer Personal Data to properly authorized persons having a need for such access. Access reviews are conducted periodically to ensure that only those personnel with access to Customer Personal Data still require it.

    • Infrastructure Security Personnel. JobTwine Inc has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. JobTwine Inc's infrastructure security personnel are responsible for the ongoing monitoring of JobTwine Inc's security infrastructure, the review of the Services, and for responding to security incidents.

    • Access Control and Privilege Management. JobTwine Inc's and Customer's administrators and end users must authenticate themselves via a multi-factor authentication system or via a single sign-on system in order to use the Services.

    • Internal Data Access Processes and Policies – Access Policy. JobTwine Inc's internal data access processes and policies are designed to protect against unauthorized access, use, disclosure, alteration or destruction of Customer Personal Data. JobTwine Inc designs its systems to allow only authorized persons to access the data they are authorized to access, based on the principles of "least privilege" and "need to know", and to prevent others who should not have access from obtaining it. JobTwine Inc requires the use of unique user IDs, strong passwords, two-factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel's job responsibilities; the job duty requirements necessary to perform authorized tasks; a need-to-know basis; and compliance with JobTwine Inc's internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies follow industry standard practices. These standards include password complexity, password expiry, password lockout, restrictions on password reuse and re-prompting for the password after a period of inactivity.

  • Data Center and Network Security

    • Data Centers. JobTwine Inc uses AWS as its data center provider. Multiple Availability Zones are enabled on AWS, and JobTwine Inc conducts backup restoration testing on a regular basis to ensure resiliency.

    • Server Operating Systems. JobTwine Inc's servers are customized for the application environment and have been hardened for the security of the Services. JobTwine Inc employs a code review process to increase the security of the code used to provide the Services and to enhance the security of products in production environments.

    • Disaster Recovery. JobTwine Inc replicates data over multiple systems to help protect against accidental destruction or loss. JobTwine Inc has designed, and regularly plans and tests, its disaster recovery programs.

    • Security Logs. JobTwine Inc's systems have logging enabled to their respective system log facility in order to support security audits and to monitor and detect actual and attempted attacks on, or intrusions into, JobTwine Inc's systems.

    • Vulnerability Management. JobTwine Inc performs regular vulnerability scans on all infrastructure components of its production and development environments. Vulnerabilities are remediated on a risk basis, with Critical, High and Medium security patches for all components installed as soon as commercially possible.

    • Networks and Transmission. Data in the production environment is transmitted via Internet-standard protocols. AWS Security Groups, which act as a virtual firewall, are in place for the production environment on AWS.

    • Incident Response. JobTwine Inc maintains incident management policies and procedures, including detailed security incident escalation procedures. JobTwine Inc monitors a variety of communication channels for security incidents, and JobTwine Inc's security personnel will react promptly to suspected or known incidents, mitigate harmful effects of such security incidents, and document such security incidents and their outcomes.

    • Encryption Technologies. JobTwine Inc makes HTTPS encryption (TLS, also referred to as SSL) available for data in transit.

  • Data Storage, Isolation, Authentication, and Destruction. JobTwine Inc stores data in a multi-tenant environment on AWS servers. Data, the Services database and the file system architecture are replicated between multiple Availability Zones on AWS. JobTwine Inc logically isolates the data of different customers. A central authentication system is used across all Services to provide uniform security of data. JobTwine Inc ensures secure disposal of Customer Data through the use of a series of data destruction processes.

ANNEX III

LIST OF SUB-PROCESSORS

The controller has authorized the use of the following sub-processors:

Name of Sub-Processor: Amazon Web Services

Description of Processing: Hosting the Production Environment

Location of Sub-Processor: United States (US region).

Additional sub-processors may be added as notified to the Customer from time to time in accordance with this DPA. Unless otherwise notified in writing, all sub-processors listed here operate in the United States (US region).

For questions regarding this DPA or JobTwine Inc's data practices, please contact JobTwine Inc at sandip.mahanta@jobtwine.com or the contact details provided in JobTwine Inc's Privacy Policy.

Data Subject Rights and Data Protection Officer

In the event a Data Subject wishes to exercise their data subject rights under applicable Data Protection Law, including, but not limited to, the right of access, correction and/or erasure of their Personal Data in JobTwine’s control, the Data Subject can submit such a request by contacting JobTwine’s Data Protection Officer (DPO) below. Concerns and/or complaints related to Customer Personal Data may also be raised by contacting the Data Protection Officer below:

Name: Sandip Mahanta
Email ID: sandip.mahanta@jobtwine.com