GDPR-compliant data processing terms for organizations using TalentScreen to process candidate data.
This Data Processing Agreement (DPA) outlines responsibilities when TalentScreen processes personal data on your behalf. It ensures GDPR and privacy law compliance for candidate assessment data.
You (Customer) are the Data Controller, determining purposes and means of processing candidate data. TalentScreen is the Data Processor, processing data according to your instructions. We process only as directed and do not use data for our own purposes beyond service delivery.
This DPA is automatically incorporated into your Terms of Service. No separate signature is required for standard accounts.
Processing Scope: Assessment responses, candidate profiles, scoring data, and related metadata. Processing Purpose: Skills assessment, report generation, and talent evaluation. Processing Duration: Active account period plus 30 days unless deletion is requested.
Sub-processors: We use Cloudflare (hosting), Supabase (database), and email providers (notifications) as sub-processors. An updated list is available at ${SITE.domain}/legal/sub-processors. We notify you 30 days before adding new sub-processors.
We implement: encryption in transit (TLS 1.3) and at rest (AES-256), role-based access controls, regular security audits, automated backups with encryption, incident response procedures, and employee confidentiality agreements.
We assist you in responding to data subject requests (access, deletion, portability, rectification). We provide tools to export or delete candidate data. Response time: 48 hours for deletion, 5 business days for access requests. You remain responsible for verifying data subject identity.
We notify you within 24 hours of discovering any data breach affecting personal data. Notification includes breach nature, affected data categories, estimated impact, and remediation steps. You remain responsible for notifying supervisory authorities and affected individuals as required by law.
We undergo annual SOC 2 audits and provide reports upon request. You may audit our processing activities with 30 days' notice. We provide documentation demonstrating compliance with data protection obligations. For custom DPA terms, contact ${SITE.email.support}.