Data Processing Agreement

This Data Processing Agreement ("DPA") governs Talentwise's processing of personal data on behalf of the customer and constitutes an integral part of the agreement regarding the use of Talentwise's services.

1. Parties and applicability

This Data Processing Agreement (“DPA”) constitutes a schedule to and an integral part of the agreement governing the Customer’s use of Talentwise’s services (the “Main Agreement”). This DPA applies solely to the processing of personal data where Talentwise acts as a data processor in accordance with Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”). 

Data Controller (the “Customer”) refers to the legal entity that has entered into the Main Agreement.
Data Processor (“Talentwise”) refers to Talentwise AB, reg. no. 556956-0351.

Processing carried out by Talentwise in the capacity of an independent data controller is not governed by this DPA.

2. Nature, purpose, and scope of the processing

2.1. Talentwise processes personal data in order to provide the services ordered by the Customer under the Main Agreement and the applicable Service Agreement(s).

2.2. The processing may include storage, structuring, access control, technical provision, support, and other necessary operational activities.

2.3. The categories of personal data and data subjects are set out in the applicable Service Agreement(s) or in the Customer’s instructions.

2.4. The processing shall be carried out for the duration of the Agreement and for the retention periods specified in the applicable Service Agreement(s) or in the Customer’s instructions.

2.5. Detailed processing instructions for each service are set out in Schedule 2.1 to this DPA.

3. Processor obligations

3.1. Talentwise shall process personal data only in accordance with this DPA, the Main Agreement, and the Customer’s documented instructions.

3.2. Talentwise shall ensure that only authorized personnel have access to personal data and that such personnel are subject to confidentiality obligations pursuant to employment agreements, internal instructions, or other binding confidentiality undertakings.

3.3. Talentwise and its personnel shall not unlawfully disclose or otherwise use personal data processed under this DPA. An exception applies where disclosure is required by law or by a decision of a competent authority.

3.4. To the extent possible, Talentwise shall assist the Customer by providing information necessary for the Customer to comply with its obligations under Articles 32–36 of the GDPR, demonstrate compliance with this DPA, and enable and contribute to any necessary audits.

3.5. Talentwise shall, without undue delay, rectify, erase, or restrict the processing of personal data at the Customer’s request or in accordance with the Customer’s instructions, to the extent permitted by applicable law and subject to technical limitations. Upon completion of the processing, erasure and any return of personal data shall be carried out in accordance with Section 9.

3.6. Talentwise shall notify the Customer without undue delay, and in any event no later than forty-eight (48) hours after becoming aware of a personal data breach or an attempt at unauthorized access, in accordance with Article 33 of the GDPR.

3.7. Such notification shall contain the information required to enable the Customer to fulfil its obligations under the GDPR, including a description of the nature of the incident, the likely consequences thereof, and the measures taken or proposed to address the incident.

4. Sub-processors and external service providers

4.1. The Customer hereby grants a general written authorization for Talentwise to engage sub-processors in order to fulfil its obligations under this DPA.

4.2. Each sub-processor shall, by way of a written agreement, be subject to the same data protection obligations as those imposed on Talentwise under this DPA, where the sub-processor processes personal data as a data processor.

4.3. A list of sub-processors in force from time to time is available at www.refapp.se/dataskydd. The list of sub-processors applicable at the time of entering into the Main Agreement is set out in version 2025.02.

4.4. Talentwise shall notify the Customer in writing at least thirty (30) days before engaging a new sub-processor or replacing an existing sub-processor. The Customer shall have the right to object to such change where there are objectively reasonable grounds relating to data protection or information security. If the Parties are unable to agree on appropriate measures, the Customer shall be entitled to terminate the Main Agreement before the change enters into force, subject to the rules regarding prepaid periods set out in the Main Agreement.

4.5. Upon the Customer’s request, Talentwise shall provide information regarding the identity of sub-processors, the location of the processing, and a description of the nature of the services, to the extent such disclosure does not reveal commercially sensitive information.

5. Location of processing and transfers to third countries

5.1. Personal data shall be processed within the operating environment selected by the Customer in the applicable Service Agreement.

5.2. Talentwise may transfer personal data outside the EU/EEA only to the extent that such transfer is carried out in accordance with Chapter V of the GDPR and the Customer’s instructions.

5.3. The Customer approves that Talentwise may use sub-processors located in third countries, provided that appropriate safeguards in accordance with Article 46 of the GDPR have been implemented.

6. Customer obligations

6.1. The Customer is responsible for ensuring that: (i) there is a valid legal basis for all processing of personal data; (ii) data subjects are informed in accordance with Articles 13–14 of the GDPR; (iii) instructions provided to Talentwise are lawful, clear, and up to date; (iv) the Customer’s own processing and storage of personal data comply with the GDPR; and (v) the Customer does not instruct Talentwise to carry out any unlawful processing.

7. Data subject rights

7.1. Talentwise shall assist the Customer in handling requests from data subjects by: (i) providing relevant information; (ii) upon request, carrying out measures that fall within Talentwise’s control; and (iii) otherwise assisting the Customer to the extent required by the GDPR.

7.2. The Customer is responsible for communication with data subjects and for deciding whether measures shall be taken. Talentwise shall not respond directly to data subjects unless expressly instructed to do so by the Customer.

8. Security

8.1. Talentwise applies appropriate technical and organisational security measures in accordance with Article 32 of the GDPR in order to protect personal data against unauthorised access, loss, alteration, or unlawful disclosure. Such security measures include, inter alia:

  • Encryption: all identifying information is stored in encrypted form using modern encryption technology (e.g. AES-based encryption), and communications are protected using TLS.
  • Access control: role-based and permission-based access control, multi-factor authentication (MFA) for administrative access, and logging of access events.
  • Logging: system logs and security logs are maintained and monitored in order to detect anomalous behaviour.
  • Backup and recovery: backups are performed on a regular basis and retained for a limited period to enable recovery in the event of an incident.
  • Redundancy: the operating environment uses redundant components (including network, power supply, and cooling) to ensure high availability.
  • Incident management: established processes are in place to detect, manage, and report security incidents.
  • Training: personnel receive regular training in information security and data protection.
  • Data migrations: where necessary, Talentwise may create temporary encrypted copies of production data in connection with database migrations. Such copies shall be retained only for the duration required to complete the migration (maximum thirty (30) days) and shall thereafter be deleted.

9. Audit

9.1. The Customer shall be entitled, through an independent auditor and upon at least thirty (30) days’ prior written notice, to conduct an audit of Talentwise’s compliance with this DPA. Such audit may be carried out once per calendar year, or more frequently where there is a justified suspicion of non-compliance.

9.2. The audit shall be conducted during normal business hours, shall not unreasonably interfere with Talentwise’s operations, shall not disclose data relating to other customers or Talentwise’s trade secrets, and shall be limited to the systems and processes covered by this DPA.

9.3. Talentwise may provide third-party audit reports or certifications (e.g. ISAE, SOC, ISO) as an alternative to such audit.

10. Retention and deletion

10.1. Talentwise shall erase or, where appropriate and possible, anonymise personal data in accordance with this DPA and the related schedules. Detailed retention and deletion principles are set out in the applicable Service Agreement(s) and in Schedule 2.1 to this DPA.

10.2. Erasure or anonymisation shall be carried out without undue delay after the applicable retention period has expired, unless longer retention is required by law or by a decision of a competent authority.

11. Term and termination

11.1. This DPA shall apply for as long as Talentwise processes personal data on behalf of the Customer in accordance with the GDPR and shall constitute an integral part of the Main Agreement. This DPA may not be terminated separately and shall follow the term of the Main Agreement. Upon termination or expiry of the Main Agreement, the processing shall cease in accordance with this DPA, except for processing required for backups and logs in accordance with ordinary retention routines.

11.2. The Customer shall be entitled to terminate this DPA with immediate effect if Talentwise commits a material breach of this DPA and fails to remedy such breach within thirty (30) days following a written request to do so.

11.3. If the Customer does not accept amendments to this DPA or changes to sub-processors in accordance with Section 4, the Customer shall be entitled to terminate the Main Agreement before such amendment enters into force, subject to the rules regarding prepaid periods set out in the Main Agreement.

11.4. Upon termination of the processing, Talentwise shall, at the Customer’s choice, erase or return all personal data, unless continued storage is required by law or by a decision of a competent authority.

12. Governing law and disputes

12.1. In the event of any conflict between this DPA and the General Terms and Conditions, this DPA shall prevail with respect to matters relating to the processing of personal data.

12.2. Provisions regarding governing law and dispute resolution shall be governed by and follow the Main Agreement.

Version history

Version | Date | Change / Comment
2025.02 | 2025-12-01 | Revised structure to accommodate Talentwise’s provision of multiple services, adaptations for Background Checks, and various clarifications, including with respect to the processing of personal data.