Data Processing Agreement

This Data Processing Agreement ("DPA") forms an integral part of the Terms of Sales accepted by the Client (the Data Controller) when using the services provided by WhyEva / ENSIFERA (the Data Processor). This DPA ensures compliance with the EU General Data Protection Regulation (GDPR) and applies globally to our processing of candidate data.

1. Purpose

This DPA defines the conditions under which WhyEva undertakes to perform personal data processing operations on behalf of the Client, specifically related to the automated video screening of job candidates.

2. Description of Processing

Nature and Purpose: Collection, hosting, AI-driven transcription, and semantic analysis of asynchronous video interviews to assist the Client's recruitment process.
Categories of Data Subjects: Job candidates applying for the Client's vacancies.
Types of Personal Data: Identification data (name, email), professional background (CVs), images and voice (video recordings), and AI-generated lexical and behavioral analysis data.

3. Obligations of the Processor (WhyEva)

WhyEva agrees to:

Process personal data only on documented instructions from the Controller.
Ensure that persons authorized to process the data have committed themselves to confidentiality.
Implement appropriate technical and organizational security measures (as per GDPR Art. 32) to protect candidate videos and data against unauthorized access or breaches.
Assist the Client, through appropriate technical measures, in fulfilling their obligation to respond to candidates' requests exercising their privacy rights (e.g., video deletion requests).

4. International Transfers

If the Client is located outside the European Economic Area (EEA), or if processing requires transferring data outside the EEA, the parties agree that the relevant Standard Contractual Clauses (SCCs) as approved by the European Commission shall apply and are hereby incorporated by reference to legitimize such transfers.

5. Sub-processors

The Client authorizes WhyEva to engage sub-processors (e.g., cloud hosting providers, LLM-ready semantic API providers). WhyEva ensures that any sub-processor is bound by data protection obligations no less protective than those in this DPA.

6. Deletion of Data

Upon completion of the recruitment campaign, expiration of the job credit, or upon explicit request from the Client, WhyEva shall delete all candidate videos and associated data from its servers, unless European or Member State law requires storage of the personal data.

7. Audits

WhyEva shall make available to the Client all information necessary to demonstrate compliance with these obligations and allow for and contribute to audits conducted by the Client or a designated auditor.