Data Processing Agreement
Effective Date: May 6, 2026
Version: 1.0
DRAFT — REQUIRES LEGAL REVIEW
This Data Processing Agreement is a working draft prepared for customer review. Talent Ray FZ-LLC will counter-sign only after the customer’s authorised representative has signed and returned an executed copy. For enterprise customers with their own DPA template, please contact [email protected] to negotiate.
This Data Processing Agreement (“DPA”) forms part of the agreement between Talent Ray FZ-LLC, a Free Zone Limited Liability Company licensed by the Dubai Development Authority (TECOM), with registered address at Premises No. HD49A, First Floor, in5 Tech, Dubai Internet City, Dubai, United Arab Emirates (the “Processor” or “Talent-Ray”), and the customer organisation identified in the underlying subscription or service agreement (the “Customer” or “Controller”), each a “Party” and together the “Parties”.
This DPA reflects the Parties’ agreement on the processing of Personal Data carried out by Talent-Ray on behalf of the Customer in connection with the Talent-Ray HR evaluation platform (the “Service”).
1. Definitions
Capitalised terms used but not defined in this DPA have the meaning given to them in the underlying service agreement, or in the GDPR / UAE PDPL / KVKK as applicable. For clarity:
- “Personal Data” means any information relating to an identified or identifiable natural person, processed by Talent-Ray on behalf of the Customer.
- “Data Subject” means a natural person to whom Personal Data relates — typically a job candidate, employee, or applicant of the Customer.
- “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.
- “Sub-processor” means any third party engaged by Talent-Ray to process Personal Data on its behalf.
- “Applicable Data Protection Law” means, collectively and as applicable: UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“PDPL”); the EU General Data Protection Regulation (Regulation 2016/679, “GDPR”); the UK GDPR and Data Protection Act 2018; Turkish Law No. 6698 (“KVKK”); and any other data protection law that applies to the Parties’ processing under this DPA.
2. Subject Matter, Duration, Nature and Purpose of Processing
| Item | Detail |
|---|---|
| Subject matter | Provision of the Talent-Ray HR evaluation platform and related services to the Customer |
| Duration | The term of the underlying service agreement, plus the data return/deletion period in Section 11 |
| Nature | Hosting, storage, transmission, AI-based evaluation, reporting, and ancillary processing required to operate the Service |
| Purpose | Enabling the Customer to evaluate, screen, assess and manage its candidates and applicants |
| Categories of Data Subjects | Candidates, applicants, employees, and authorised users of the Customer |
| Categories of Personal Data | Identification data (name, email, phone); CV / resume content (employment history, education, skills); test responses and AI-generated evaluation results; session metadata (IP address, browser, timestamps); cheat-detection snapshots (only if triggered); voice/audio for voice tests; account credentials |
| Special category / sensitive data | Talent-Ray does not require sensitive data. Customers must not upload special-category data (race, religion, health, etc.) unless strictly necessary and with a valid legal basis under Article 9 GDPR or equivalent. |
3. Roles of the Parties
The Customer is the Controller of Personal Data processed through the Service. Talent-Ray is the Processor acting on the Customer’s documented instructions.
For Personal Data that Talent-Ray processes for its own purposes (e.g. account administration of the Customer’s authorised users, billing, security logs, product analytics) Talent-Ray acts as an independent Controller, governed by the Talent-Ray Privacy Policy, not this DPA.
4. Customer Instructions
Talent-Ray will process Personal Data only:
- (a) as instructed in writing by the Customer (including via configuration of the Service);
- (b) as required to perform the underlying service agreement; or
- (c) as required by Applicable Data Protection Law, in which case Talent-Ray will inform the Customer of that requirement before processing, unless the law prohibits such notice.
The Customer warrants that its instructions, and the Customer’s processing of Personal Data through the Service, comply with Applicable Data Protection Law.
5. Confidentiality of Personnel
Talent-Ray will ensure that personnel authorised to process Personal Data:
- are subject to written confidentiality obligations no less protective than those in this DPA;
- have received appropriate data protection training; and
- access Personal Data only on a need-to-know basis.
6. Security of Processing
Talent-Ray will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including those described in Annex II to this DPA. At minimum, this includes:
- Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest;
- Bcrypt-hashed credentials and role-based access control;
- Audit logging of access to Personal Data;
- Network segmentation and firewalling;
- Regular vulnerability scanning and patching;
- Secure software development lifecycle and code review;
- Incident response and business continuity procedures;
- Background screening of employees with access to Personal Data;
- Documented sub-processor onboarding controls.
Talent-Ray will review and update its security measures regularly to address evolving risks.
7. Sub-processors
The Customer grants general written authorisation to Talent-Ray to engage Sub-processors, subject to the conditions in this Section.
Talent-Ray maintains a current list of Sub-processors at Sub-processors. Customers can subscribe to email notifications of changes by emailing [email protected].
When Talent-Ray adds or replaces a Sub-processor that materially affects the Service, it will:
- (a) notify the Customer at least 30 days in advance;
- (b) impose data protection obligations on the Sub-processor that are no less protective than those in this DPA; and
- (c) remain fully liable to the Customer for the acts and omissions of the Sub-processor.
The Customer may object to a new Sub-processor on reasonable, documented data protection grounds within the 30-day notice period. As the Customer’s sole remedy, Talent-Ray may either (i) propose a commercially reasonable alternative; or (ii) accept the objection and either not engage the Sub-processor or, if it cannot operate the Service without that Sub-processor, allow the Customer to terminate the affected portion of the subscription with a pro-rata refund of pre-paid fees.
8. International Transfers
Talent-Ray will only transfer Personal Data outside the Customer’s home jurisdiction subject to appropriate safeguards, including:
- the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for transfers from the EEA;
- the UK International Data Transfer Addendum for transfers from the UK;
- equivalent safeguards under UAE PDPL and KVKK; and
- supplementary technical measures (e.g. encryption) where required by Applicable Data Protection Law.
The current list of cross-border transfers is set out in the Sub-processors page.
9. Assistance with Data Subject Rights
Talent-Ray will, taking into account the nature of the processing:
- assist the Customer by appropriate technical and organisational measures to fulfil its obligation to respond to Data Subject requests for access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making; and
- promptly forward to the Customer any Data Subject request that Talent-Ray receives directly relating to the Customer’s Personal Data, without responding to it (except to acknowledge receipt and refer the Data Subject to the Customer).
Talent-Ray provides self-service tools in the administrative interface that allow the Customer to fulfil most rights requests directly (e.g. data export, account deletion).
10. Personal Data Breach Notification
Talent-Ray will notify the Customer without undue delay and in any event within 72 hours after becoming aware of a Personal Data Breach affecting the Customer’s Personal Data. The notification will include, to the extent then known:
- the nature of the breach, including categories and approximate number of Data Subjects and records concerned;
- the likely consequences of the breach;
- the measures taken or proposed to address the breach and mitigate its effects; and
- the name and contact details of Talent-Ray’s data protection contact for further information.
Talent-Ray will reasonably assist the Customer in fulfilling the Customer’s own breach notification obligations under Applicable Data Protection Law.
11. Return or Deletion of Data
Upon termination or expiry of the underlying service agreement, Talent-Ray will, at the Customer’s choice:
- return the Customer’s Personal Data in a structured, commonly used, machine-readable format; or
- delete the Customer’s Personal Data,
within 90 days of the effective date of termination, except to the extent that retention is required by Applicable Data Protection Law (in which case Talent-Ray will isolate and protect the retained data and delete it as soon as the legal retention obligation lapses).
Talent-Ray will, on written request, provide a written confirmation of deletion.
Backups containing Personal Data will be overwritten in the normal course of Talent-Ray’s backup rotation (currently within 30 days of deletion).
12. Audit Rights
Talent-Ray will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, including:
- the most recent independent third-party audit reports or certifications (if any);
- summary descriptions of the security measures in Annex II; and
- responses to a reasonable number of written security questionnaires per year.
The Customer may, on at least 30 days’ written notice and not more than once per calendar year (except where required by a supervisory authority or following a Personal Data Breach), conduct an audit through an independent, mutually agreed third-party auditor bound by confidentiality. Audits must be conducted during normal business hours, must not unreasonably disrupt Talent-Ray’s operations, and must respect the confidentiality of other customers’ data. The Customer bears the costs of the audit unless the audit reveals material non-compliance.
13. Liability
Each Party’s liability under this DPA is subject to the liability cap and exclusions set out in the underlying service agreement, except where Applicable Data Protection Law prohibits such limitation (e.g. for direct claims by Data Subjects).
14. Governing Law and Jurisdiction
This DPA is governed by the laws of the United Arab Emirates as applied in the Emirate of Dubai. Disputes are subject to the exclusive jurisdiction of the Courts of Dubai, except that for enterprise customers the Parties may agree in writing to DIFC-LCIA arbitration seated in DIFC, Dubai, in English.
For matters that mandatorily fall under GDPR, KVKK or other Applicable Data Protection Law, the relevant law and supervisory authority apply with respect to those matters only.
15. Order of Precedence
In case of conflict between this DPA and the underlying service agreement, this DPA prevails with respect to data protection matters.
16. Effective Date and Signatures
This DPA takes effect on the date the underlying service agreement takes effect (or, if later, the date the Customer signs this DPA below).
| | Customer | Talent Ray FZ-LLC |
|---|---|---|
| Signed | __________________________ | __________________________ |
| Name | __________________________ | __________________________ |
| Title | __________________________ | __________________________ |
| Date | __________________________ | __________________________ |
Annex I — Description of the Processing
(See Section 2 of the DPA above.)
Annex II — Technical and Organisational Security Measures
| Domain | Measures |
|---|---|
| Encryption | TLS 1.2+ in transit; AES-256 at rest for databases and backups |
| Access Control | Role-based access control; principle of least privilege; SSO/MFA for Talent-Ray personnel; audit logging of administrative access |
| Authentication | Bcrypt-hashed passwords; OAuth 2.0 social login; rate-limited login endpoints; CAPTCHA on suspicious activity |
| Network Security | Firewalled production environment; private networking between application and database tiers; DDoS mitigation at the hosting provider |
| Application Security | Secure SDLC; code review; dependency vulnerability scanning; OWASP Top 10 mitigations; prompt-injection defences for AI inputs |
| Logging and Monitoring | Centralised application and security logs; automated alerting for anomalous behaviour; log retention aligned with the Privacy Policy |
| Incident Response | Documented incident response plan; named on-call rotation; tabletop exercises |
| Backups | Automated daily backups; geographically-separated backup storage; backup restore testing |
| Personnel | Confidentiality undertakings; data protection training; background screening for personnel with elevated access |
| Sub-processor Management | Written DPAs with all Sub-processors; documented onboarding security review |
| Physical Security | Hosting in EU (Hetzner) data centres certified to ISO 27001; no Talent-Ray-operated data centres |
| Data Minimisation | Customer-configurable retention; automated cleanup workers for expired data; cheat-detection snapshots retained for 30 days only |
Annex III — List of Sub-processors
The current list of authorised Sub-processors is published at Sub-processors and is incorporated into this DPA by reference. The list as of the effective date of this DPA is captured at that URL.
Talent Ray FZ-LLC
Premises No. HD49A, First Floor, in5 Tech, Dubai Internet City, Dubai, United Arab Emirates
Email: [email protected]
This DPA is intended to satisfy the requirements of UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, GDPR Article 28, KVKK Article 12, and equivalent provisions in other Applicable Data Protection Laws. Final wording is subject to legal review by the Parties.