Data Processing Agreement

AI-Powered Recruitment Platform Services

Effective Date: November 2, 2025
NetConnect Private Limited

Operating as Welocity™
CIN: U32202KA1997PTC021881

INTRODUCTION

This Data Processing Agreement ("DPA" or "Agreement") forms an integral part of the Terms of Service and governs the Processing of Personal Data by NetConnect Private Limited, operating as Welocity™ ("Processor", "Service Provider", "Welocity", "we", "us", "our") on behalf of any entity using the Welocity platform ("Controller", "Customer", "Client", "you", "your").

By accessing or using the Welocity platform, you acknowledge and agree to be bound by the terms of this Agreement. This Agreement applies automatically to all Customers without requiring separate execution.

ARTICLE 1: DEFINITIONS AND INTERPRETATION

1.1 Definitions

  1. "Applicable Law" means any applicable law, statute, regulation, rule, order, decree, judgment, or other legally binding requirement in the relevant jurisdiction.

  2. "Data Protection Laws" means all applicable laws, regulations, and statutory instruments relating to privacy, data protection, and data security in force from time to time.

  3. "Data Subject" means an identified or identifiable natural person to whom Personal Data relates, including but not limited to job candidates, employees, contractors, and authorized users.

  4. "Personal Data" means any information relating to an identified or identifiable natural person.

  5. "Platform" means the Welocity AI-powered recruitment platform, including all associated services, features, and functionalities.

  6. "Platform Data" means aggregated, anonymized, or de-identified data derived from Processing activities that cannot be attributed to any specific Data Subject or Controller.

  7. "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means.

  8. "Security Incident" means any confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Datathat materially compromises the confidentiality, integrity, or availability of the Controller's Personal Data..

  9. "Services" means the AI-powered recruitment and talent assessment services provided through the Platform.

  10. "Sub-processor" means any third party engaged by the Processor to Process Personal Data.

1.2 Interpretation

In this Agreement:

(a) references to statutory provisions include amendments and re-enactments;

(b) headings are for convenience only; (c) "including" means "including without limitation";

(d) references to singular include plural and vice versa;

(e) in case of conflict between this Agreement and the Terms of Service regarding data processing matters, this Agreement shall prevail.

ARTICLE 2: SCOPE AND PURPOSE OF PROCESSING

2.1 Subject Matter and Duration

The subject matter of Processing under this Agreement is the provision of AI-powered recruitment services through the Platform, including automated candidate assessment, video interview analysis, skills evaluation, talent matching, and duplicate detection services. The duration of Processing shall continue for as long as the Controller uses the Services.

2.2 Nature and Purpose

The nature of Processing includes: 

(a) collection via API integration and web interfaces; 

(b) storage in encrypted cloud infrastructure; 

(c) analysis using proprietary machine learning algorithms; 

(d) duplicate detection within job requisitions; 

(e) transmission to authorized recipients; 

(f) retention for platform optimization , subject to explicit, freely-given and documented Data Subject consent obtained via the Platform, for cross-client talent pool management; 

(g) Controller access, usage, and retention for a maximum of sixty (60) days for a specific job (the "Controller Usage Window"); and 

(h) deletion upon Controller instruction or at the end of  the applicable retention period . The purpose includes providing recruitment services and continuously improving platform capabilities.

2.3 Categories of Data Subjects

  1. Job candidates and applicants

  2. Current employees subject to internal mobility

  3. Contractors and temporary workers

  4. Authorized users (recruiters, hiring managers)

  5. Reference providers

2.4 Categories of Personal Data

  1. Identification Data: name, email, phone, address

  2. Professional Data: CV/resume, work history, education, certifications, skills

  3. Assessment Data: interview recordings, responses, evaluation scores

  4. Technical Data: IP addresses, device identifiers, browser information

  5. Special Categories (only where lawfully processed with explicit consent)

ARTICLE 3: DATA RIGHTS AND PLATFORM OPERATIONS

3.1 Welocity's Data Rights

By using the Platform, Controller acknowledges and agrees to the following data handling practices:

3.1.1. Controller's Data Usage Window:.The Controller’s right to access, use, process and retain identifiable Personal Data obtained via the Platform for a particular job requisition is limited to the active recruitment period for that requisition and, in any event, shall not exceed sixty (60) days from the date the candidate is first submitted to that job requisition (the “Controller Usage Window”). The Controller shall securely delete all copies of such candidate Personal Data in its possession at the end of the Controller Usage Window and shall certify the deletion to Welocity upon request...   

3.1.2. Multiple Client Access. Where candidates have expressly consented through the Platform or relevant privacy notice, Welocity may make their profiles available to multiple clients. Different Controllers may submit the same CV without restriction, provided lawful consent exists for such cross-client consideration

3.1.3. Duplicate Detection Scope: Duplicate checking applies ONLY within the context of a specific job requisition (Job ID unless the candidate has provided consent to cross-requisition or cross-client duplicate detection. Welocity shall document the scope of such consent.

3.1.4.Platform Intelligence:Platform Intelligence and Use of Anonymized Data. Welocity may analyze submitted data for pattern recognition, improve AI algorithms, create industry insights and benchmarks, develop predictive models, and build talent pools. Welocity may retain identifiable Personal Data beyond the Controller Usage Window only where explicit, documented candidate consent has been obtained through the Platform and only for the purposes specified at the time of consent. Welocity may retain anonymized or aggregated Platform Data indefinitely provided it cannot be used to re-identify Data Subjects; 

3.1.5.No Exclusivity:Controllers acknowledge that: (a) no exclusive rights to any candidate are granted solely through submission to the Platform; (b) candidates may be considered by other clients if the candidate has consented or another lawful basis exists; and (c) Welocity may proactively match candidates to opportunities across its client base in compliance with Data Protection Laws and any candidate consents obtained. 

3.2 Proprietary Rights

Welocity retains all rights, title, and interest in: (a) the Platform and underlying technology; (b) all algorithms, models, and AI systems; (c) Platform Data and derived insights; (d) candidate pools and talent databases after the 60-day usage  period; (e) all improvements and enhancements to the Platform; (f) aggregated and anonymized data. : Welocity retains rights in Platform technology, algorithms, models, and in anonymized, aggregated and de-identified data derived from Processing. Welocity does not claim ownership of identifiable Personal Data; any retention of identifiable Personal Data beyond the Controller Usage Window is subject to documented candidate consent or other lawful basis.

3.3 Controller's Rights

Controller's rights are limited to: (a) accessing candidate data for specific job requisitions for a maximum of 60 ( sixty) days ; (b) receiving assessment reports for submitted candidates; (c) making hiring decisions based on provided information; (d) requesting data export in accordance with the Terms of Service.Controllers shall have no exclusive rights to any candidate submitted through the Platform. However, Controllers may request deletion or export of candidate data prior to the 60-day usage window expiration...   Controller may request an export of candidate data during the Controller Usage Window in a commonly used machine-readable format. Controller may instruct Welocity to delete Controller Personal Data at any time during the Controller Usage Window and Welocity will comply unless it has a lawful obligation to retain such data

ARTICLE 4: PROCESSING OBLIGATIONS

4.1 Processor's Obligations

Welocity shall use commercially reasonable efforts to:

  1. Process Personal Data in accordance with Controller's instructions submitted through the Platform, subject to Welocity's rights under Article 3;

  2. Ensure personnel handling Personal Data are subject to confidentiality obligations;

  3. Implementappropriate technical and organizational security measures consistent with industry standards and the obligations of this Agreement and applicable Data Protection Laws .measures;

  4. Notify Controller of confirmed Security Incidents affecting Controller's data;

  5. Provide reasonable assistance for data subject requests, subject to additional fees.

4.2 Processor's Discretion

Welocity retains sole discretion regarding: 

(a) technical implementation methods; 

(b) choice of Sub-processors and vendors;

 (c) data center locations and infrastructure; 

(d) security measures and protocols; 

(e) platform features and functionality; 

(f) data retention periods beyond minimum requirements; 

(g) service improvements and updates. 

provided that such discretion does not materially reduce the level of data protection required under this Agreement or applicable law. Welocity shall implement changes in a manner consistent with the protections described herein.

4.3 Controller's Obligations

Controller shall:

a) Ensure lawful basis for Processing Personal Data;

b) Provide accurate instructions through the Platform;

c) Obtain necessary consents from Data Subjects;

d) Comply with applicable Data Protection Laws;

e) Not use the Platform for unlawful purposes.

ARTICLE 6: SECURITY MEASURES

6.1 Technical and Organizational Measures

Welocity implements commercially reasonable security measures appropriate to the risk, including:

(a) Encryption of data at rest and in transit

(b)Access controls and authentication mechanisms

( c)Regular security assessments and updates

(d) Network security and monitoring

( e) Incident response procedures

1.In the event of a confirmed Security Incident affecting Controller’s Personal Data, Welocity shall notify the Controller without undue delay and, where feasible, within seventy-two (72) hours of confirmation, providing details of the nature, scope, and mitigation steps taken. Welocity shall cooperate with the Controller and provide reasonable assistance in any regulatory notifications, mitigation, and remediation.6.2 Service Availability

THE PLATFORM IS PROVIDED ON  AN "AS AVAILABLE" BASIS. . WELOCITY DOES NOT GUARANTEE UNINTERRUPTED SERVICE, ERROR-FREE OPERATION, OR ABSOLUTE SECURITY. NO SYSTEM IS COMPLETELY SECURE, AND CONTROLLERS ACKNOWLEDGE THIS INHERENT RISK.

ARTICLE 7: DATA SUBJECT RIGHTS

7.1 Controller Responsibility

7.1.1. Controller Primary Responsibility: Controller remains solely responsible for responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection) under applicable Data Protection Laws. Welocity may provide assistance where technically feasible, subject to additional fees.

7.1.2. Processor Assistance : Welocity shall, to the extent legally permitted and technically feasible, promptly assist the Controller by implementing technical and organizational measures for fulfilling Controller’s obligations to respond to Data Subject requests. Welocity shall notify the Controller if it receives a Data Subject request related to Controller data and shall not respond to such request except on Controller’s documented instructions, or as required by Applicable Law (in which case Welocity will notify Controller where permitted). Reasonable assistance shall be provided at no additional charge; extraordinary requests (e.g., disproportionate burden) may be subject to reasonable fees.

7.2 Limitations

Data Subject rights do not apply to to anonymized or aggregated data that cannot reasonably be re-identified: For identifiable Personal Data, Welocity shall assist the Controller in responding to Data Subject requests as set out in Article 7.1. Where Welocity is required by Applicable Law to respond directly to a Data Subject request, Welocity shall promptly notify the Controller unless prohibited by law. .

ARTICLE 8: SECURITY INCIDENTS

8.1 Incident Notification

Welocity shall notify affected Controllers of confirmed Security Incidents materially affecting their data without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the incident. Notifications will be provided via email or Platform notification and will contain, to the extent reasonably available, the information set out in Article 6.1 above. 

8.2 Incident Response

Welocity will take reasonable steps to investigate and mitigate Security Incidents. Controllers are responsible for their own incident response obligations, including regulatory notifications.

ARTICLE 9: LIABILITY AND INDEMNIFICATION

9.1 Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW:

(a) WELOCITY'S TOTAL LIABILITY SHALL NOT EXCEED THE FEES PAID BY CONTROLLER IN THE THREE (3) MONTHS PRECEDING THE EVENT;

(b) WELOCITY SHALL NOT BE LIABLE FOR INDIRECT, CONSEQUENTIAL, SPECIAL, INCIDENTAL, OR PUNITIVE DAMAGES;

( c) WELOCITY SHALL NOT BE LIABLE FOR REGULATORY FINES OR PENALTIES IMPOSED ON CONTROLLER;

(d) THESE LIMITATIONS APPLY REGARDLESS OF THE THEORY OF LIABILITY.

9.2 Controller Indemnification

Controller shall defend, indemnify, and hold harmless Welocity from all third-party claims, damages, losses, and expenses (including reasonable attorneys' fees) arising from: (a) Controller's use of the Platform; (b) Controller's violation of laws; (c) Controller's breach of this Agreement; (d) claims by Data Subjects; (e) Controller's instructions.

9.3 Risk Acknowledgment

The limitations of liability reflect the risk allocation between the parties and are a fundamental element of the basis of the bargain. Welocity would not provide the Services without these limitations.

ARTICLE 10: AUDIT AND COMPLIANCE

10.1 Compliance Documentation

Welocity may provide standard security documentation or certifications upon request, subject to confidentiality agreements. .. Welocity shall make available, upon written request, relevant documentation or third-party audit reports (e.g., SOC 2, ISO 27001) to demonstrate compliance with this Agreement. On-site audits shall not be permitted; however, Welocity shall make available a remote document-based review under appropriate confidentiality terms. Any extraordinary compliance assistance beyond standard documentation may be subject to Welocity’s professional services fees.

10.2 Compliance Costs

Any compliance assistance beyond standard documentation shall be subject to Welocity's professional services fees.

ARTICLE 11: DATA RETENTION AND DELETION

11.1 Retention Periods

(a) Active recruitment data: Duration of recruitment process (b) Candidate profiles: . : Identifiable candidate Personal Data shall be retained by Welocity beyond the Controller Usage Window only if explicit candidate consent has been obtained for such retention and processing for specific purposes. Where such consent is obtained, Welocity shall retain identifiable candidate Personal Data only for the period specified in the candidate’s consent or as required/permitted by Applicable Law (whichever is shorter). In absence of valid consent, Welocity shall either delete or irreversibly anonymize candidate Personal Data at the end of the Controller Usage Window.( c) Platform optimization data: Anonymized or aggregated data derived from Personal Data may be retained indefinitely provided it cannot be used to re-identify Data Subjects.

(d) Audit logs: Retained for a minimum of 24 months or as required by Applicable Law.

11.2 Termination Effects

 Upon termination of Services: 

 (a) Controller’s access ceases immediately; 

(b) identifiable Controller Personal Data shall be returned or deleted in accordance with Controller instructions and applicable law; 

(c) anonymized Platform Data may be retained by Welocity in accordance with Article 11.1(c); 

(d) .Controller may request a data export prior to deletion; Welocity will provide such export in a commonly used machine-readable format. The Controller must, within fifteen (15) days of the expiration of the Controller Usage Window, certify deletion of candidate Personal Data from its systems.

ARTICLE 12: CROSS-BORDER TRANSFERS

12.1 Transfer Mechanisms

Controller acknowledges that data may be transferred globally for Processing. Welocity implements appropriate safeguards for international data transfers, including contractual protections with Sub-processors.

12.2 Controller Consent

By using the Platform, Controller consents to cross-border data transfers necessary for service provision.

ARTICLE 13: GENERAL PROVISIONS

13.1 Governing Law

This Agreement is governed by the laws of India. Any disputes shall be subject to the exclusive jurisdiction of the courts in Bangalore, Karnataka, India.

13.2 Amendments

Welocity may amend this Agreement from time to time by providing at least fifteen (15) days’ prior notice to Controllers through the Platform or email. Continued use of the Services after the effective date of such amendment shall constitute acceptance of the updated terms. Material changes that impact Controller rights under applicable Data Protection Laws shall be subject to reasonable notice and, where required, Controller consent.. 

13.3 Severability

If any provision is held invalid or unenforceable, the remaining provisions shall continue in full force and effect.

13.4 Entire Agreement

This Agreement, together with the Terms of Service and Privacy Policy, constitutes the entire agreement regarding data processing.

13.5 No Third-Party Beneficiaries

This Agreement does not create any third-party beneficiary rights.

13.6 Force Majeure

Neither party shall be liable for failures or delays due to causes beyond their reasonable control.

13.7 Survival

Provisions relating to data rights, liability, confidentiality, and any other provisions that by their nature should survive, shall survive termination of this Agreement.

ARTICLE 14: CONTACT INFORMATION

14.1 Data Protection Inquiries

For questions about this Agreement or data protection practices:

Email: privacy@welocity.ai

Address: NetConnect Private Limited

Bangalore, Karnataka, India

14.2 Legal Notices

Legal notices should be sent to: legal@welocity.ai

ACCEPTANCE OF TERMS

By using the Welocity platform, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement.

This Agreement is effective immediately upon your use of the Platform and supersedes any previous versions

If you do not agree to these terms, you must not use the Welocity platform.

SCHEDULE A: TECHNICAL MEASURES

Security Controls

a) Encryption: AES-256 for data at rest, TLS 1.3 for data in transit

b) Access Management: Multi-factor authentication, role-based access control

c) Network Security: Firewalls, intrusion detection, DDoS protection

d) Monitoring: 24/7 security monitoring, automated threat detection

e) Physical Security: Secure data centers with restricted access

f) Backup: Regular automated backups with geographic redundancy

g) Incident Response: Documented procedures, regular drills

Note: Security measures are subject to change as technology evolves. Welocity maintains the right to modify security controls to ensure appropriate protection.

SCHEDULE B: DATA PROCESSING DETAILS

Processing Activities

a) Collection via web forms, APIs, and file uploads

b) Storage in cloud infrastructure

c)AI-powered analysis and scoring

d) Duplicate detection per job requisition

e) Video interview processing

f) Cross-client talent matching (post 60-day conversion)

g) Analytics and reporting

h) Platform improvement and optimization

Data Flow

  1. Candidate submits application → Platform processing → Client review

  2. 60 days post-submission → → If candidate consented, candidate identifiable data may be retained in accordance with consent ; otherwise data is deleted or anonymized. Talent pool building and cross-client opportunities may proceed only with candidate consent or other lawful basis.[ 

END OF DOCUMENT

This Data Processing Agreement was last updated on November 2, 2025

© 2025 NetConnect Private Limited. All rights reserved.

Welocity™ is a trademark of NetConnect Private Limited