Data Processing Agreement

1. Definitions

1.1. Agreement means the standard terms and conditions entered into between you as the "Customer" and us as the Licensor (as defined in the Agreement).

1.2. Data Protection Legislation means all data protection and privacy legislation applying to you and/or us which is in force from time to time. This may include (to the extent applicable):

  • The EU's General Data Protection Regulation (2016/679) (GDPR)

  • The GDPR as defined in section 3(10) (as supplemented by section 205(4)) of the DPA 2018(UK GDPR)

  • The UK's Data Protection Act 2018 (DPA 2018)

  • California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations, as amended by the California Privacy Rights Act

  • Virginia Consumer Data Protection Act

  • Colorado Privacy Act

  • Illinois Biometric Information Privacy Act (BIPA)

  • Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)

  • Brazilian General Data Protection Law (LGPD)

  • Australian Privacy Act 1988 (Cth)

  • Singapore Personal Data Protection Act (PDPA)

  • Japanese Act on Protection of Personal Information (APPI)

  • Indian Digital Personal Data Protection Act

1.3. Controller, Data Subject, Personal Data, Personal Data Breach, Processor, Processing/Process/Processed and Supervisory Authority are as defined in the GDPR.

1.4. Data Transfer Provisions means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Decision (EU) 2021/914 2021 (EU SCCs) and the UK International Transfer Addendum to the EU SCCs (UK Addendum).

1.5. FADP means the Swiss Federal Act on Data Protection.

1.6. Services means the AI-powered video interview services which we provide to you under the Agreement.

1.7. Biometric Data means personal data resulting from specific technical processing relating to physical, physiological or behavioral characteristics which allow unique identification, including facial recognition data and voice patterns.

2. Description of Processing

2.1. The parties acknowledge that this Data Processing Agreement (DPA) applies only to the Personal Data we are Processing on our Customer's instructions, and in connection with such Processing:

2.1.1.Roles: We act as the Customer's Processor in our provision of the Services;

2.1.2. Categories of Personal Data: In the provision of Services to the Customer, the categories of Personal Data we process include:

  • Customer Data as defined in the Agreement (including name, phone number, email address)

  • Video recordings and audio recordings of interviews

  • Biometric Data including facial features and voice patterns

  • Interview responses and transcripts

  • Assessment scores and analytics

  • Other Personal Data provided directly by individuals applying for employment with you

  • Special categories of Personal Data (where applicable) such as Data Subjects' age, health, disability status, racial or ethnic origin (only if collected with explicit consent)

2.1.3. Categories of Data Subjects: In the provision of Services to you, the categories of Data Subjects whose Personal Data we process are employees or individuals applying for employment with you (Candidates); and

2.1.4. Nature and Purposes of Processing: The processing is carried out to enable us to provide the Services to you during the term of the Agreement, being to:

i. Conduct AI-powered video interviews with Candidates

ii. Record, store and analyze video interview sessions

iii. Process Biometric Data for identity verification and assessment purposes (where applicable and consented)

iv. Apply AI algorithms to assess communication skills, behavioral traits, and suitability

v. Generate assessment scores, reports and recommendations for hiring decisions

vi. Collect Candidates' responses to your diversity and inclusion monitoring questions (if any)

vii. Provide analytics on interview completion rates, candidate experience, and assessmentmetrics

viii. Enable accessibility accommodations for Candidates as required

2.2. During the term of the Agreement, both parties anticipate they will exchange Personal Data acting as independent controllers relating to their employees as necessary in connection with matters such as account management and technical support. Each party will process suchPersonal Data in accordance with their own privacy notice. Our privacy notice is available at: https://welocity.ai/privacy-policy/.

2.3. You hereby agree to us Processing Customer Data to de-identify it for the purposes of the Data Protection Legislation, for us to use that de-identified data (that no longer includes Personal Data) for the purposes of developing and improving our services, including:

i. Using de-identified interview data to improve our AI models and reduce bias

ii. Testing for fairness and non-discrimination in our algorithms as required by applicable AIregulations

iii. Training our AI algorithms to improve assessment accuracy

iv. Contributing to scientific research on recruitment and assessment methodologies

3. Your Obligations

3.1. You retain control of the Personal Data we are processing on your behalf and remainresponsible for your compliance obligations under the applicable Data Protection Legislation,including:

  • Providing required notices to Candidates about video recording and AI analysis

  • Obtaining explicit consent for Biometric Data collection where required

  • Ensuring compliance with employment and anti-discrimination laws

  • Providing accessibility accommodations as required

3.2. You warrant and represent that our expected use of the Personal Data as set out in this Agreement will comply with the Data Protection Legislation.

4. Our Obligations

4.1. We will only Process the Personal Data to the extent, and in such a manner, as is necessary for providing the Services in accordance with this Agreement and your instructions. We will immediately notify you if, in our opinion, your instruction would not comply with the Data Protection Legislation.

4.2. We will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless authorized by you or this Agreement, or required by applicable law.

4.3. We will reasonably assist you with meeting your compliance obligations under the Data Protection Legislation, including in relation to Data Subjects' rights, data protection impact assessments, and reporting to supervisory authorities.

4.4. We will not sell, share for cross-context behavioral advertising, or otherwise disclose Customer Data to third parties except as permitted under paragraph 8. We will not combine Customer Data with personal data from other sources unless permitted by Data Protection Legislation.

4.5. Biometric Data Specific Obligations: Where Biometric Data is processed, we will:

  • Obtain explicit consent where required by applicable laws

  • Implement enhanced security measures for Biometric Data

  • Limit retention periods as required by laws such as BIPA

  • Permanently destroy Biometric Data when no longer necessary

  • Not sell, lease, trade or profit from Biometric Data

5. Security

5.1. We will ensure that all our employees and contractors are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations.

5.2. We will always implement appropriate technical and organizational measures against unauthorized or unlawful Processing, including:

  • Encryption of Personal Data in transit and at rest

  • Pseudonymization of Personal Data where appropriate

  • Access controls and authentication mechanisms

  • Regular security assessments and penetration testing

  • Secure deletion procedures for video recordings and Biometric Data

  • Audit logging and monitoring systems

5.3. We will implement measures to ensure a level of security appropriate to the risk, including:

  • ISO 27001 or SOC 2 compliance (where applicable)

  • Regular security training for personnel

  • Incident response procedures

  • Business continuity and disaster recovery plans

  • Regular testing of security measures

6. Personal Data Breach

6.1. Without undue delay, and in any event within 24 hours, we will notify you if we become aware of any Personal Data Breach relating to Customer Data.

6.2. We will provide you with all relevant information about the breach including:

  • Nature of the breach

  • Categories and approximate number of Data Subjects affected

  • Categories and approximate number of Personal Data records concerned

  • Likely consequences of the breach

  • Measures taken or proposed to address the breach

6.3. We will cooperate with you in investigating and mitigating the breach, and coordinate on any required notifications to supervisory authorities or Data Subjects.

6.4. We will document all Personal Data Breaches, including facts, effects, and remedial action taken.

7. Cross-border Transfers of Personal Data

7.1. If an adequate protection measure for international transfer of Personal Data is required under applicable Data Protection Legislation, the Data Transfer Provisions shall be incorporated into this DPA as set out in the International Transfers Appendix.

7.2. For transfers subject to the Swiss FADP, the Data Transfer Provisions shall apply with the modifications specified for Swiss transfers.

7.3. We acknowledge that Personal Data may be transferred to and processed in:

  • United States (primary data center)

  • Cloud service provider locations globally

  • Subprocessor locations as listed

8. Subprocessors

8.1. We may only authorize a third party (subprocessor) to process the Personal Data if:

8.1.1. You are provided with reasonable notice of changes to our subprocessors, with opportunity to object within ten (10) days;

8.1.2. We enter into a written contract with the subprocessor containing equivalent dataprotection obligations;

8.1.3. We maintain control over all Personal Data entrusted to the subprocessor.

8.2. You authorize us to use the subprocessors listed at https://welocity.ai/subprocessors/ including:

  • Cloud hosting providers (AWS, Google Cloud, Azure)

  • Video streaming and storage services

  • AI/ML processing services

  • Analytics providers

  • Technical support providers

8.3. We remain fully liable for any subprocessor's performance.

9. Complaints, Data Subject Requests and Third-Party Rights

9.1. We will assist you at your cost with responding to:

  • Data Subject access requests

  • Requests to rectify, erase, or restrict processing

  • Data portability requests

  • Objections to processing

  • Rights related to automated decision-making

9.2. If we receive any Data Subject request directly, we will promptly inform you and redirect the Data Subject to contact you.

9.3. We will cooperate fully in responding to any complaints, notices, or communications from supervisory authorities.

10. Data Return and Destruction

10.1. Upon request, we will provide you with a copy of or access to Customer Personal Data in a commonly accessible electronic format.

10.2. On termination of the Services, we will promptly and securely:

  • Delete all Personal Data including video recordings

  • Permanently destroy any Biometric Data

  • Provide certification of deletion upon request

10.3. This requirement shall not apply to data we must retain for legal or regulatory compliance.

11. Records

11.1. We will keep detailed, accurate and up-to-date written records of all Processing activities carried out on your behalf.

12. Audit

12.1. No more than once per 12-month period, we will provide relevant information from our compliance audits to demonstrate compliance with this DPA.

12.2. We will make available all information reasonably necessary to demonstrate compliance with Data Protection Legislation.

12.3. You may exercise audit rights through supervisory authorities as provided by Data Protection Legislation.

International Transfers Appendix

Part A: Standard Contractual Clauses

To the extent a restricted transfer of Personal Data is made pursuant to the GDPR, this Part A applies:

(i) Module One of the Standard Contractual Clauses if you (Controller) transfer to us (Controller)

(ii) Module Two of the Standard Contractual Clauses if you (Controller) transfer to us(Processor)

13.3 TOTAL LIABILITY SHALL NOT EXCEED THE FEES PAID IN THE 12 MONTHS PRECEDING THE CLAIM.

Supplementary Clauses

Biometric Data Transfers: Special safeguards apply to international transfers of Biometric Data,including enhanced encryption and access controls.

Transfer Impact Assessment: The data exporter acknowledges that the data importer hasprovided information necessary for transfer impact assessment.

Governing Law: For EU SCCs - Laws of Ireland; For UK Addendum - Laws of England and Wales

Annex 1 - List of Parties

Data Exporter

  • Name: Customer

  • Address: As set out in the Agreement

  • Role: Controller

Data Importer

  • Name: Netconnect Global INC (d/b/a welocity.ai)

  • Address: 415 Mission Street, San Francisco, CA 94105, USA

  • Role: Processor (for services) / Controller (for de-identified data)

Description of Transfer

Categories of Data Subjects: Job applicants and employees

Categories of Personal Data:

  • Identification data (name, email, phone)

  • Video and audio recordings

  • Biometric Data (facial features, voice patterns)

  • Interview responses and assessments

  • Special categories (if provided): age, health, ethnicity

Sensitive Data: Biometric Data and any special categories voluntarily provided

Frequency: Continuous during service provision

Nature and Purpose: AI-powered video interview and assessment services

Retention Period: As specified in Agreement, with maximum 3 years for Biometric Data

Security Measures: As described in Section 5 of this DPA

Part B: UK Addendum

For UK GDPR transfers, the UK Addendum applies with:

Start Date: Effective date of Agreement

Table 1: Parties as in Annex 1

Table 2: Modules 1 and 2 of EU SCCs

Table 3: Appendix Information as in Annex 1

Table 4: Termination rights if UK Addendum changes substantially increase costs or risks

Classification: Public

Version: 1.0

Date: 01/06/2025

Version: 1.0

Netconnect Global INC

415 Mission Street

San Francisco, CA 94105

United States