Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Master Terms of Service or other written or electronic agreement between Taleva AI S.L. (“Taleva”) and the Client (together, the “Parties”) for the purchase of online recruitment software and sourcing platform access (the “Agreement”).

1. Definitions

• “Controller” means the Client, the entity which determines the purposes and means of the Processing of Personal Data.

• “Processor” means Taleva, the entity which Processes Personal Data on behalf of the Controller.

• “Personal Data” means identifiers (Name, Email, LinkedIn URL, Company) synced from the Client’s ATS/CRM to Taleva’s servers.

• “Processing” means the automated matching, comparison, and temporary caching of identifiers to facilitate deduplication and filtering.

2. Scope and Applicability

This DPA applies solely to the Processing of Personal Data provided by the Client through integrated ATS/CRM systems. It ensures that Taleva handles such data strictly as a Processor for the technical purposes defined in Annex 1.

3. Roles and Responsibilities

• 3.1 Instructions: Taleva shall process Personal Data only to perform the Matching and Deduplication functions requested by the Client. The act of syncing an ATS constitutes a direct instruction to perform these checks.

• 3.2 Purpose Limitation & AI Restriction: Taleva is prohibited from using Client Personal Data for any purpose other than matching candidates against the Client’s own network or filtering search results to avoid duplicates. For the avoidance of doubt, Taleva shall not use Client Personal Data to train its machine learning models, improve its global search database, or for any purpose other than providing the Services to the Client.

• 3.3 Client Warranty: The Client warrants that it has a valid legal basis (e.g., Legitimate Interest) to process and share these identifiers.

• 3.4 Article 14 Compliance: The Client is solely responsible for fulfilling the “Right to be Informed” for any candidates discovered or processed via the platform.

4. Technical Security & Data Isolation

• 4.1 Logical Isolation: Client-provided identifiers are stored in a tenant-isolated environment. Data from one Client can never be used to match, search, or deduplicate against the data of another Client.

• 4.2 Encryption: All cached identifiers are encrypted at rest using AES-256 and in transit using TLS 1.3.

• 4.3 Confidentiality: Taleva ensures that personnel authorized to manage the infrastructure have committed themselves to strict confidentiality.

• 4.4 Breach Notification: In the event of a confirmed security breach leading to the accidental or unlawful destruction, loss, or unauthorized disclosure of Client Personal Data, Taleva shall notify the Client without undue delay (and in no event later than 72 hours) after becoming aware of the breach.

5. Data Subject Rights, Deletion & Sub-Processing

• 5.1 Right to Erasure: Taleva shall assist the Client in fulfilling requests for data deletion.

• 5.2 Termination: Upon termination of the Agreement, Taleva shall delete all cached Personal Data within 30 days.

• 5.3 Disconnection: If the Client disconnects an integration, the associated cache for that specific system will be purged.

• 5.4 Sub-processing: The Client provides a general authorization for Taleva to engage third-party sub-processors (e.g., cloud infrastructure providers) to support the Integration Service. Taleva shall ensure that any sub-processor is bound by data protection obligations at least as restrictive as those in this DPA. A list of current sub-processors is available upon request.

ANNEX 1: Details of Processing

A. PURPOSE OF PROCESSING (The "Matching Logic") The processing is strictly limited to the following technical functions:

1. Deduplication: Comparing newly discovered leads against the Client’s existing cache to identify and flag duplicate records.

2. Network Filtering: Allowing the Client to exclude or include candidates in search results based on their presence in the Client's integrated database.

3. Cross-Referencing: Validating if a candidate found on public sources already exists within the Client’s private recruitment pipeline.

B. CATEGORIES OF PERSONAL DATA Taleva caches the minimum identifiers necessary for matching:

• Full Name

• Email Address

• LinkedIn Profile URL

• Current Employer/Company

C. DATA SUBJECTS Individuals whose professional profiles are currently stored in the Client’s internal recruitment systems (ATS/CRM).