Data Processing Agreement
This Data Processing Agreement (“DPA”) governs Talentwise’s processing of personal data on behalf of the customer and constitutes an integral part of the agreement regarding the use of Talentwise’s services.
1. Parties and applicability
1.1 This Data Processing Agreement (“DPA”) constitutes a schedule to and an integral part of the agreement governing the Customer’s use of Talentwise’s services (the “Main Agreement”). This DPA applies to the processing of personal information where Talentwise acts on behalf of the Customer as a data processor, service provider, or equivalent role under applicable data protection and privacy laws, including the Australian Privacy Act 1988 (including the Australian Privacy Principles, APP) and other applicable privacy laws. Talentwise applies a data protection framework aligned with internationally recognized standards, including principles reflected in the GDPR.
- Data Controller / Business (the “Customer”) refers to the legal entity that has entered into the Main Agreement and determines the purposes and means of the processing of personal information.
- Data Processor / Service Provider (“Talentwise”) refers to Talentwise AB, Swedish reg. no. 556956-0351, acting on documented instructions from the Customer.
1.2 The Parties acknowledge that, under certain applicable privacy laws, including the Australian Privacy Act 1988, Talentwise may have independent obligations in relation to personal information. Nothing in this DPA limits such obligations.
2. Nature, purpose, and scope of the processing
2.1 Talentwise processes personal information in order to provide the services ordered by the Customer under the Main Agreement and the applicable Service Agreement(s).
2.2 The processing may include storage, structuring, access control, technical provision, support, and other necessary operational activities.
2.3 The categories of personal information and data subjects are set out in the applicable Service Agreement(s) or in the Customer’s instructions.
2.4 The processing shall be carried out for the duration of the Agreement and for the retention periods specified in the applicable Service Agreement(s) or in the Customer’s instructions.
2.5 Detailed processing instructions for each service are set out in Schedule 2.1 to this DPA.
3. Processor obligations
3.1 Talentwise shall process personal information only in accordance with this DPA, the Main Agreement, and the Customer’s documented instructions. To the extent required under applicable law, Talentwise may independently assess and respond to obligations relating to personal information, including obligations that cannot be fulfilled solely on the basis of the Customer’s instructions.
3.2 Talentwise shall ensure that only authorised personnel have access to personal information and that such personnel are subject to confidentiality obligations pursuant to employment agreements, internal instructions, or other binding confidentiality undertakings.
3.3 Talentwise and its personnel shall not unlawfully disclose or otherwise use personal information processed under this DPA. An exception applies where disclosure is required by law or by a decision of a competent authority.
3.4 To the extent possible, Talentwise shall assist the Customer by providing information and support necessary for the Customer to comply with its obligations under applicable data protection laws, including obligations relating to security measures, handling of data subject rights, impact assessments, and cooperation with supervisory authorities, as well as to demonstrate compliance with this DPA and enable and contribute to audits.
3.5 Talentwise shall, without undue delay, rectify, erase, or restrict the processing of personal information at the Customer’s request or in accordance with the Customer’s instructions, to the extent permitted by applicable law and subject to technical limitations. Upon completion of the processing, erasure and any return of personal information shall be carried out in accordance with Section 9.
3.6 Talentwise shall notify the Customer without undue delay, and in any event no later than forty-eight (48) hours after becoming aware of a personal information breach or an attempt at unauthorised access. Such notification shall contain the information required to enable the Customer to fulfil its obligations under applicable data protection laws, including a description of the nature of the incident, the likely consequences thereof, and the measures taken or proposed to address the incident.
4. Sub-processors and external service providers
4.1 Talentwise may engage sub-processors in order to fulfil its obligations under this DPA.
4.2 Each sub-processor shall, by way of a written agreement, be subject to the same data protection obligations as those imposed on Talentwise under this DPA, where the sub-processor processes personal information on behalf of the Customer in a processor or equivalent service provider role.
4.3 Information about sub-processors used in the provision of the Service is available at www.refapp.com/legal-au/data-processing/subprocessors/app and may be updated from time to time.
4.4 Where changes to sub-processors are expected to materially affect the processing of personal information, Talentwise shall provide reasonable notice to the Customer.
5. Location of processing and transfers to third countries
5.1 Personal information shall be processed within the operating environment selected by the Customer in the applicable Service Agreement.
5.2 Depending on the configuration of the Service and the sub-processors engaged, personal information may be processed or accessed in other jurisdictions where Talentwise or its sub-processors maintain operations, as described in the information available at www.refapp.com/legal-au.
5.3 Certain limited processing activities may be carried out by Talentwise or its sub-processors located outside the Customer’s country, including within the European Economic Area, for purposes such as communication services, support, and system operations.
5.4 Talentwise shall ensure that any cross-border processing or transfers of personal information are subject to appropriate technical, organisational, and contractual safeguards in accordance with applicable data protection laws (including the Australian Privacy Act), designed to ensure that personal information is handled in a manner consistent with such laws.
5.5 The Customer hereby authorises Talentwise to engage sub-processors located in jurisdictions outside the Customer’s country, provided that such safeguards are in place.
6. Customer obligations
6.1 The Customer is responsible for ensuring that:
(i) there is a valid legal basis or other lawful authority for all processing of personal information under applicable data protection laws;
(ii) data subjects are provided with clear and sufficient information regarding the processing of their personal information, in accordance with applicable data protection laws;
(iii) any instructions provided to Talentwise are lawful, clear, and up to date;
(iv) the Customer’s own processing and storage of personal information comply with applicable data protection laws; and
(v) the Customer does not instruct Talentwise to carry out any processing that would be unlawful under applicable data protection laws.
6.2 The Customer acknowledges and agrees that Talentwise relies on the Customer’s instructions and representations when processing personal information. The Customer shall be solely responsible for any claims, fines, penalties, or damages arising from the Customer’s failure to comply with applicable data protection laws, unlawful instructions, or misuse of the Service, except to the extent caused by Talentwise’s breach of this DPA.
7. Rights of individuals and data subjects
7.1 The Customer is responsible for communication with data subjects and for deciding whether measures shall be taken. If Talentwise receives a request directly from a data subject, Talentwise shall notify the Customer without undue delay and, unless legally required to act otherwise, not respond directly except on the Customer’s documented instructions. The Parties acknowledge that, under applicable law, individuals may exercise their rights directly against either Party, and the Parties shall cooperate in good faith to ensure that such requests are handled appropriately.
7.2 Talentwise shall assist the Customer in handling requests from data subjects by:
(i) providing relevant information;
(ii) upon request, carrying out measures that fall within Talentwise’s control; and
(iii) otherwise assisting the Customer to the extent required by the Australian data protection laws and principles, or other applicable data protection laws.
8. Security
8.1 Talentwise applies appropriate technical and organisational security measures in accordance with generally accepted industry standards and applicable data protection laws in order to protect personal information against unauthorised access, loss, alteration, or unlawful disclosure. Such security measures include, inter alia:
- Encryption: all identifying information is stored in encrypted form using modern encryption technology (e.g. AES-based encryption), and communications are protected using TLS.
- Access control: role-based and permission-based access control, multi-factor authentication (MFA) for administrative access, and logging of access events.
- Logging: system logs and security logs are maintained and monitored in order to detect anomalous behaviour.
- Backup and recovery: backups are performed on a regular basis and retained for a limited period to enable recovery in the event of an incident.
- Redundancy: the operating environment uses redundant components (including network, power supply, and cooling) to ensure high availability.
- Incident management: established processes are in place to detect, manage, and report security incidents.
- Training: personnel receive regular training in information security and data protection.
- Data migrations: where necessary, Talentwise may create temporary encrypted copies of production data in connection with database migrations. Such copies shall be retained only for the duration required to complete the migration (maximum thirty (30) days) and shall thereafter be deleted.
9. Audit
9.1 The Customer shall be entitled, through an independent auditor and upon at least thirty (30) days’ prior written notice, to conduct an audit of Talentwise’s compliance with this DPA. Such audit may be carried out once per calendar year, or more frequently where there is a justified suspicion of non-compliance.
9.2 The audit shall be conducted during normal business hours, shall not unreasonably interfere with Talentwise’s operations, shall not disclose data relating to other customers or Talentwise’s trade secrets, and shall be limited to the systems and processes covered by this DPA.
9.3 Talentwise may provide third-party audit reports or certifications (e.g. ISAE, SOC, ISO) as an alternative to such audit.
10. Retention and deletion
10.1 Talentwise shall erase or, where appropriate and possible, anonymise personal information in accordance with this DPA and the related schedules. Detailed retention and deletion principles are set out in the applicable Service Agreement(s) and in Schedule 2.1 to this DPA.
10.2 Erasure or anonymisation shall be carried out without undue delay after the applicable retention period has expired, unless longer retention is required by law or by a decision of a competent authority.
11. Term and termination
11.1 This DPA shall apply for as long as Talentwise processes personal information on behalf of the Customer in accordance with applicable data protection laws and shall constitute an integral part of the Main Agreement. This DPA may not be terminated separately and shall follow the term of the Main Agreement. Upon termination or expiry of the Main Agreement, the processing shall cease in accordance with this DPA, except for processing required for backups and logs in accordance with ordinary retention routines.
11.2 The Customer shall be entitled to terminate this DPA with immediate effect if Talentwise commits a material breach of this DPA and fails to remedy such breach within thirty (30) days following a written request to do so.
11.3 If the Customer does not accept amendments to this DPA, the Customer shall be entitled to terminate the Main Agreement before such amendment enters into force, subject to the rules regarding prepaid periods set out in the Main Agreement.
11.4 Upon termination of the processing, Talentwise shall, at the Customer’s choice, erase or return all personal information, unless continued storage is required by law or by a decision of a competent authority.
12. Governing law and disputes
12.1 In the event of any conflict between this DPA and the General Terms and Conditions, this DPA shall prevail with respect to matters relating to the processing of personal information.
12.2 Provisions regarding governing law and dispute resolution shall be governed by and follow the Main Agreement.
Version history
| Version | Date | Change / Comment |
|---|---|---|
| 2026.01 | 2026-04-16 | Revised structure to accommodate Talentwise’s provision of multiple services, adaptations for Background Checks, and various clarifications, including with respect to the processing of personal information. |