Data Processing Addendum

• “Controller” means the Client, the entity which determines the purposes and means of the Processing of Personal Data.
• “Processor” means Taleva, the entity which Processes Personal Data on behalf of the Controller.
• “ATS/CRM Matching Data” means identifiers synced from the Client’s ATS/CRM systems to Taleva’s servers for matching, deduplication, and filtering purposes.
• “Email Integration Data” means limited email and conversation data made available through Client-authorized email integrations, strictly for sending outreach emails at the Client’s direction and displaying or processing replies related to outreach conversations managed through the Service.
• “Personal Data” means the limited personal data processed by Taleva on behalf of the Client through ATS/CRM integrations and email integrations, as further described in Annex 1.
• “Processing” means the automated matching, comparison, temporary caching, email sending, reply display, and reply processing necessary to provide the Services.

This DPA applies solely to the Processing of Personal Data provided by or made available to Taleva through Client-authorized ATS/CRM and email integrations.

Taleva processes such Personal Data strictly as a Processor for the technical purposes described in Annex 1.

3.1 Instructions

Taleva shall process Personal Data only to provide the specific Services enabled or requested by the Client.

For ATS/CRM Matching Data, Taleva shall process Personal Data only to perform matching, deduplication, filtering, and cross-referencing functions requested by the Client.

For Email Integration Data, Taleva shall process Personal Data only to send outreach emails on the Client’s behalf at the Client’s direction, and to display and process replies related to outreach conversations managed through the Service.

The act of connecting, syncing, or enabling an ATS/CRM or email integration constitutes a direct instruction from the Client to process the relevant categories of Personal Data for the applicable Service functions.

3.2 Purpose Limitation & AI Restriction

Taleva shall not use Client Personal Data for any purpose other than providing the Services to the Client.

For ATS/CRM Matching Data, Taleva shall use such data only to match candidates against the Client’s own network, deduplicate records, cross-reference candidate records, or filter search results.

For Email Integration Data, Taleva shall use such data only to send outreach emails on the Client’s behalf at the Client’s direction, and to display or process replies related to outreach conversations managed through the Service.

For the avoidance of doubt, Taleva shall not use Client Personal Data for advertising purposes, sell Client Personal Data, use Client Personal Data to train generalized AI or machine-learning models, improve a global search database, enrich third-party datasets, or provide services to any other client.

3.3 Client Warranty

The Client warrants that it has a valid legal basis, such as legitimate interest, consent, contractual necessity, or another applicable lawful basis, to process and share the relevant Personal Data with Taleva through the Services.

3.4 Article 14 Compliance

The Client is solely responsible for fulfilling any applicable “Right to be Informed” obligations for candidates, prospects, or other data subjects discovered, contacted, or processed via the platform.

4.1 Logical Isolation

Client Personal Data is stored and processed in a tenant-isolated environment.

Data from one Client can never be used to match, search, deduplicate, message, enrich, train models, or otherwise provide services to another Client.

4.2 Encryption

All cached Personal Data is encrypted at rest using AES-256 and in transit using TLS 1.3.

4.3 Confidentiality

Taleva ensures that personnel authorized to manage the infrastructure or support the Services have committed themselves to strict confidentiality obligations.

4.4 Human Access to Email Integration Data

Human access to Email Integration Data is limited to situations where access is necessary to provide customer support, troubleshoot technical issues, comply with legal obligations, or maintain the security and integrity of the Service.

4.5 Breach Notification

In the event of a confirmed security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data, Taleva shall notify the Client without undue delay and, in any event, no later than 72 hours after becoming aware of the breach.

5.1 Right to Erasure

Taleva shall assist the Client in fulfilling requests for data deletion, erasure, access, correction, restriction, or other applicable data subject rights, taking into account the nature of the Processing and the functionality of the Services.

5.2 Termination

Upon termination of the Agreement, Taleva shall delete all cached Personal Data within 30 days, unless retention is legally required or otherwise instructed by the Client.

5.3 Disconnection

If the Client disconnects an integration, the associated cache and Personal Data for that specific integration will be purged, including any ATS/CRM Matching Data or Email Integration Data associated with that integration, unless retention is legally required or otherwise instructed by the Client.

5.4 Sub-processing

The Client provides a general authorization for Taleva to engage third-party sub-processors, such as cloud infrastructure providers and technical service providers necessary to support the Services.

Taleva shall ensure that any sub-processor is bound by data protection obligations at least as restrictive as those in this DPA.

A list of current sub-processors is available upon request.

Taleva shall inform the Client of any intended addition or replacement of sub-processors, thereby giving the Client the opportunity to object to such change on reasonable data protection grounds.

1. Purpose of Processing

The Processing of ATS/CRM Matching Data is strictly limited to the following technical functions:

• Deduplication: comparing newly discovered leads against the Client’s existing cache to identify and flag duplicate records.
• Network Filtering: allowing the Client to exclude or include candidates in search results based on their presence in the Client’s integrated ATS/CRM database.
• Cross-Referencing: validating whether a candidate found through permitted sources already exists within the Client’s private recruitment pipeline.

2. Type of Personal Data

Taleva processes limited professional identifiers and recruitment-related record data made available through the Client’s ATS/CRM integration, only to the extent necessary to provide the matching, deduplication, filtering, and cross-referencing functions described above.

3. Data Subjects

Individuals whose professional profiles are currently stored in the Client’s internal recruitment systems, including ATS or CRM systems.

4. Retention

ATS/CRM Matching Data is retained only while the relevant integration remains connected or as otherwise required to provide the Services.

If the Client disconnects the relevant ATS/CRM integration, the associated cache for that system will be purged.

1. Purpose of Processing

The Processing of Email Integration Data is strictly limited to the following Client-authorized functions:

• Outbound Outreach: sending outreach emails on the Client’s behalf at the Client’s direction.
• Reply Display and Processing: displaying and processing replies related to outreach conversations managed through the Service.

Taleva’s systems are designed to access and process only emails and conversation threads related to outreach activity initiated through the Service.

Where the Client enables email integrations, Taleva’s use of third-party email provider APIs is further described in Taleva’s Privacy Policy.

2. Type of Personal Data

Taleva processes limited email, conversation, and outreach-related data made available through the Client’s email integration, only to the extent necessary to send outreach emails at the Client’s direction and display or process replies related to outreach conversations managed through the Service.

3. Data Subjects

Individuals involved in outreach conversations managed through the Service, including candidates, prospects, Client personnel, recruiters, hiring managers, and other recruitment contacts involved in the outreach conversation.

4. Retention

Email Integration Data is retained only for as long as necessary to provide the email integration features, unless a shorter retention period is configured by the Client.

If the Client disconnects the relevant email integration, the associated Email Integration Data will be purged in accordance with this DPA.

Across all categories of Personal Data described in this Annex:

• Taleva shall process Personal Data only on behalf of the Client and only for the purposes necessary to provide the Services.
• Taleva shall not use Client Personal Data for advertising purposes, sell Client Personal Data, use Client Personal Data to train generalized AI or machine-learning models, improve a global search database, build or enrich third-party datasets, or provide services to another client.
• Taleva shall maintain tenant isolation between Clients.
• Taleva shall apply appropriate technical and organizational measures to protect Client Personal Data against unauthorized access, disclosure, alteration, loss, or destruction.