Data Processing Agreement
This Data Processing Agreement ("DPA") governs Talentwise's processing of personal data on behalf of the customer and constitutes an integral part of the agreement regarding the use of Talentwise's services.
1. Parties and applicability
This Data Processing Agreement (“DPA”) constitutes a schedule to and an integral part of the agreement governing the Customer’s use of Talentwise’s services (the “Main Agreement”). This Data Processing Agreement (“DPA”) applies to the processing of personal information where Talentwise acts on behalf of the Customer as a data processor, service provider, or equivalent role under applicable data protection and privacy laws, including, where applicable, the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws. Talentwise applies a data protection framework aligned with internationally recognized data protection principles, including those reflected in the GDPR.
- Data Controller / Business (the “Customer”) refers to the legal entity that has entered into the Main Agreement and determines the purposes and means of the processing of personal information.
- Data Processor / Service Provider (“Talentwise”) refers to Talentwise AB, Swedish reg. no. 556956-0351, acting on documented instructions from the Customer.
Processing carried out by Talentwise in the capacity of an independent data controller is not governed by this DPA and is instead regulated by the applicable Service Agreement(s) and Talentwise’s privacy notices.
2. Nature, purpose, and scope of the processing
2.1 Talentwise processes personal information in order to provide the services ordered by the Customer under the Main Agreement and the applicable Service Agreement(s).
2.2. The processing may include storage, structuring, access control, technical provision, support, and other necessary operational activities.
2.3 The categories of personal information and individuals are set out in the applicable Service Agreement(s) or in the Customer’s instructions.
2.4 The processing shall be carried out for the duration of the Agreement and for the retention periods specified in the applicable Service Agreement(s) or in the Customer’s instructions.
2.5. Detailed processing instructions for each service are set out in Schedule 2.1 to this DPA.
3. Processor obligations
3.1. Talentwise shall process personal information only in accordance with this DPA, the Main Agreement, and the Customer’s documented instructions.
3.2. Talentwise shall ensure that only authorized personnel have access to personal information and that such personnel are subject to confidentiality obligations pursuant to employment agreements, internal instructions, or other binding confidentiality undertakings.
3.3 Talentwise and its personnel shall not unlawfully disclose or otherwise use personal information processed under this DPA. An exception applies where disclosure is required by law or by a decision of a competent authority.
3.4. To the extent possible, Talentwise shall assist the Customer by providing information and support necessary for the Customer to comply with its obligations under applicable data protection laws, including obligations relating to:
- the security of personal information,
- handling of requests from individuals,
- assessing and mitigating risks relating to the processing, and
- cooperation with supervisory authorities.
3.5. Talentwise shall, without undue delay, rectify, erase, or restrict the processing of personal information at the Customer’s request or in accordance with the Customer’s instructions, to the extent permitted by applicable law and subject to technical limitations. Upon completion of the processing, erasure and any return of personal information shall be carried out in accordance with Section 9.
3.6. Talentwise shall notify the Customer without undue delay, and in any event no later than forty-eight (48) hours after becoming aware of a personal information breach or an attempt at unauthorized access. Such notification shall contain the information necessary to enable the Customer to fulfil its obligations under applicable data protection laws, including a description of the nature of the incident, the likely consequences, and the measures taken or proposed to address it.
4. Sub-processors and external service providers
4.1 The Customer hereby grants a general written authorization for Talentwise to engage sub-processors in order to fulfil its obligations under this DPA.
4.2 Each sub-processor shall, by way of a written agreement, be subject to the same data protection obligations as those imposed on Talentwise under this DPA, where the sub-processor processes personal information on behalf of the Customer in a processor or equivalent service provider role.
4.3 A list of sub-processors in force from time to time is available at refapp.com/legal-se/data-processing/subprocessors/app. The list of sub-processors applicable at the time of entering into the Main Agreement is set out below in Schedule 2.2c
4.4 Talentwise shall notify the Customer in writing at least thirty (30) days before engaging a new sub-processor or replacing an existing sub-processor. The Customer shall have the right to object to such change where there are objectively reasonable grounds relating to data protection or information security. If the Parties are unable to agree on appropriate measures, the Customer shall be entitled to terminate the Main Agreement before the change enters into force, subject to the rules regarding prepaid periods set out in the Main Agreement.
4.5 Upon the Customer’s request, Talentwise shall provide information regarding the identity of sub-processors, the location of the processing, and a description of the nature of the services, to the extent such disclosure does not reveal commercially sensitive information.
5. Location of processing and cross-border transfers
5.1. Personal information shall be processed within the operating environment selected by the Customer in the applicable Service Agreement.
5.2. Depending on the configuration of the Service and the sub-processors engaged, personal information may be processed or accessed in other jurisdictions where Talentwise or its sub-processors maintain operations, as described in the information available at www.refapp.com/legal.
5.3. Certain limited processing activities may be carried out by Talentwise or its sub-processors located outside the Customer’s country, including within the European Economic Area, for purposes such as communication services, support, and system operations.
5.4. Talentwise shall ensure that any cross-border processing or transfer of personal information is subject to appropriate technical, organisational, and contractual safeguards in accordance with applicable data protection laws, including ensuring a level of protection comparable to that required under such laws.
5.5. The Customer hereby authorizes Talentwise to engage sub-processors located in jurisdictions outside the Customer’s country, provided that such safeguards are in place.
6. Customer obligations
6.1. The Customer is responsible for ensuring that:
(i) there is a valid legal basis or other lawful authority for all processing of personal information under applicable data protection laws;
(ii) individuals are provided with clear and sufficient information regarding the processing of their personal information;
(iii) any instructions provided to Talentwise are lawful, clear, and up to date;
(iv) the Customer’s own processing and storage of personal information comply with applicable data protection laws; and
(v) the Customer does not instruct Talentwise to carry out any processing that would be unlawful under applicable data protection laws.
6.2. The Customer acknowledges and agrees that Talentwise relies on the Customer’s instructions and representations when processing personal information. The Customer shall be solely responsible for any claims, fines, penalties, or damages arising from the Customer’s failure to comply with applicable data protection laws, unlawful instructions, or misuse of the Service, except to the extent caused by Talentwise’s breach of this DPA.
7. Individual rights
7.1. Talentwise shall assist the Customer in handling requests from individuals by:
(i) providing relevant information;
(ii) upon request, carrying out measures that fall within Talentwise’s control; and
(iii) otherwise assisting the Customer to the extent required by the PIPEDA or other applicable data protection laws.
7.2. The Customer is responsible for communication with individuals and for deciding whether and how requests relating to personal information shall be handled. Talentwise shall not respond directly to individuals unless expressly instructed to do so by the Customer.
8. Security
8.1 Talentwise applies appropriate technical and organisational measures designed to protect personal information against unauthorized access, loss, alteration, or unlawful disclosure, in accordance with applicable data protection laws and generally accepted industry standards. Such security measures include, inter alia:
- Encryption: all identifying information is stored in encrypted form using modern encryption technology (e.g. AES-based encryption), and communications are protected using TLS.
- Access control: role-based and permission-based access control, multi-factor authentication (MFA) for administrative access, and logging of access events.
- Logging: system logs and security logs are maintained and monitored in order to detect anomalous behaviour.
- Backup and recovery: backups are performed on a regular basis and retained for a limited period to enable recovery in the event of an incident.
- Redundancy: the operating environment uses redundant components (including network, power supply, and cooling) to ensure high availability.
- Incident management: established processes are in place to detect, manage, and report security incidents.
- Training: personnel receive regular training in information security and data protection.
- Data migrations: where necessary, Talentwise may create temporary encrypted copies of production data in connection with database migrations. Such copies shall be retained only for the duration required to complete the migration (maximum thirty (30) days) and shall thereafter be deleted.
9. Audit
9.1. The Customer shall be entitled, through an independent auditor and upon at least thirty (30) days’ prior written notice, to conduct an audit of Talentwise’s compliance with this DPA. Such audit may be carried out once per calendar year, or more frequently where there is a justified suspicion of non-compliance.
9.2. The audit shall be conducted during normal business hours, shall not unreasonably interfere with Talentwise’s operations, shall not disclose data relating to other customers or Talentwise’s trade secrets, and shall be limited to the systems and processes covered by this DPA.
9.3. Talentwise may provide third-party audit reports or certifications (e.g. ISAE, SOC, ISO) as an alternative to such audit.
10. Retention and deletion
10.1. Talentwise shall erase or, where appropriate and possible, anonymise personal information in accordance with this DPA and the related schedules. Detailed retention and deletion principles are set out in the applicable Service Agreement(s) and in Schedule 2.1 to this DPA.
10.2. Erasure or anonymisation shall be carried out without undue delay after the applicable retention period has expired, unless longer retention is required by law or by a decision of a competent authority.
11. Term and termination
11.1. This DPA shall apply for as long as Talentwise processes personal information on behalf of the Customer and shall constitute an integral part of the Main Agreement. This DPA may not be terminated separately and shall follow the term of the Main Agreement. Upon termination or expiry of the Main Agreement, the processing shall cease in accordance with this DPA, except for processing required for backups and logs in accordance with ordinary retention routines.
11.2. The Customer shall be entitled to terminate this DPA with immediate effect if Talentwise commits a material breach of this DPA and fails to remedy such breach within thirty (30) days following a written request to do so.
11.3. If the Customer does not accept amendments to this DPA or changes to sub-processors in accordance with Section 4, the Customer shall be entitled to terminate the Main Agreement before such amendment enters into force, subject to the rules regarding prepaid periods set out in the Main Agreement.
11.4. Upon termination of the processing, Talentwise shall, at the Customer’s choice, erase or return all personal information, unless continued storage is required by law or by a decision of a competent authority.
12. Governing law and disputes
12.1. In the event of any conflict between this DPA and the General Terms and Conditions, this DPA shall prevail with respect to matters relating to the processing of personal information.
12.2. Provisions regarding governing law and dispute resolution shall be governed by and follow the Main Agreement.
Version history
| Version | Date | Change / Comment |
|---|---|---|
| 2025.02 | 2025-12-01 | Revised structure to accommodate Talentwise’s provision of multiple services, adaptations for Background Checks, and various clarifications, including with respect to the processing of personal information |