Data Processing Agreement
See also our Terms of Service and Privacy Policy.
This Data Processing Agreement ("DPA") is entered into between Metaview Global Ltd., a company incorporated in England and Wales under company number 11313397, with registered office at Floor 3 Norton Folgate, 16 Blossom Street, London, United Kingdom, E1 6PL ("Processor") and the individual or legal entity that accepts this DPA electronically or is otherwise bound by it under the Main Agreement ("Customer" or "Controller").
1. Definitions
For the purposes of this DPA, the following terms have the meanings set out below:
"Main Agreement" means the master service agreement, terms of service, or other primary agreement between the parties under which Processor provides Services to Customer.
"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"); for purposes of this DPA, Personal Data includes equivalent terms such as "personal information" as defined under applicable Data Protection Laws.
"Personal Data Breach" means any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Processor or its Sub-processors.
"Processing" (and "Process") means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, use, disclosure, transmission, or deletion.
"Controller" means the entity that determines the purposes and means of the Processing of Personal Data. "Processor" means the entity that Processes Personal Data on behalf of the Controller. (For purposes of the CCPA, Customer is the "Business" and Processor is the "Service Provider.")
"Services" means the services provided by Processor to Customer as described in the Main Agreement.
"Data Protection Laws" means all applicable laws and regulations relating to privacy, data protection, data security, or personal information, as amended or superseded from time to time. This includes, without limitation, the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"); the GDPR as incorporated into United Kingdom law by the UK Data Protection Act 2018 and associated regulations ("UK GDPR"); the California Consumer Privacy Act of 2018 and California Privacy Rights Act of 2020 (collectively, "CCPA"); and any other similar privacy or data protection laws in jurisdictions relevant to the Personal Data processed under this DPA.
"Standard Contractual Clauses" (or "SCCs") means the standard contractual clauses for the transfer of personal data to third countries as approved by the European Commission (including Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller-to-Processor), as may be amended or replaced from time to time). For clarity, references to SCCs include any optional provisions selected and any relevant appendices or annexes, and include the UK International Data Transfer Addendum if applicable.
"UK Addendum" and "International Data Transfer Agreement" (or "IDTA") refer to the standard data transfer addendum or the standalone international data transfer agreement (as applicable) issued by the UK Information Commissioner's Office, which may be used to facilitate transfers of Personal Data from the UK to jurisdictions not deemed adequate under UK Data Protection Laws.
"Technical and Organizational Measures" (or "TOMs") means the security measures and other organizational controls designed to protect Personal Data, as further described in Annex 2 of this DPA.
"Sub-processor" means any third party (including any affiliate of Processor) engaged by Processor to Process Personal Data on behalf of Customer in connection with the Services.
Note: Terms used but not defined in this DPA (e.g., "Main Agreement") shall have the meanings given in the Main Agreement. Capitalized terms not defined in this DPA that are defined in the GDPR or other applicable Data Protection Laws shall be interpreted consistent with those laws.
2. Scope and Precedence
2.1 Purpose and Scope: This DPA applies to all Processing of Personal Data by Processor on behalf of Customer in connection with the Services provided under the Main Agreement. It is part of, and subject to, the Main Agreement.
2.2 Precedence: In the event of any conflict between this DPA and the Main Agreement with respect to the parties' rights and obligations regarding Personal Data, the terms of this DPA shall prevail. If Customer and Processor have executed a signed version of this DPA, that signed version shall take precedence; otherwise, this click-through version applies. Except as specifically modified by this DPA, the terms of the Main Agreement remain unchanged and in full force.
2.3 Liability: All limitations on liability and exclusions of damages set forth in the Main Agreement apply to this DPA, except where expressly modified in the Main Agreement. In no event shall either party's aggregate liability to the other party under this DPA exceed the liability cap or limitations that apply under the Main Agreement. Nothing in this Section 2.3 limits or affects the liability of either party to Data Subjects or supervisory authorities under applicable Data Protection Laws; this Section governs liability only as between the contracting parties.
2.4 Governing Law: This DPA shall be governed by and construed in accordance with the governing law and dispute resolution provisions in the Main Agreement, unless otherwise required by applicable Data Protection Laws.
3. Term
This DPA takes effect on the Effective Date and will remain in force so long as Processor Processes any Personal Data on behalf of Customer under the Main Agreement. Termination or expiration of the Main Agreement shall automatically terminate this DPA. However, Processor's obligations regarding the protection of Personal Data (and its obligation to return or delete all Personal Data per Section 10) shall survive termination of this DPA until all Personal Data is deleted or returned to Customer.
4. Roles and Responsibilities
4.1 Relationship of the Parties: As between the parties, Customer is the Controller and Processor is the Processor with respect to Personal Data Processed under this DPA. The parties acknowledge that Customer alone determines the purposes and means of the Processing of Personal Data. Processor will Process Personal Data only as a service provider/processor on behalf of Customer. Each party will comply with its respective obligations under applicable Data Protection Laws in relation to Personal Data.
4.2 Customer's Compliance Obligations: Customer shall ensure that it has obtained and maintains all necessary rights and lawful bases under applicable Data Protection Laws for Processor to Process Personal Data as contemplated by the Main Agreement and this DPA. This includes, where required, providing appropriate notices to Data Subjects and determining the lawful basis for Processing. Customer acknowledges that Processor does not determine the purposes or means of Processing, and Processor shall rely on Customer's instructions and representations regarding the lawfulness of Processing. Customer shall not instruct Processor to Process Personal Data in a manner that violates applicable Data Protection Laws.
4.3 Processor's Compliance and Instructions: Processor shall Process Personal Data only for the limited and specified purposes described in the Main Agreement, this DPA, and Annex 1 (Details of Processing), and strictly in accordance with Customer's documented instructions. Customer's instructions to Processor are (i) to Process Personal Data to provide the Services in accordance with the Main Agreement (including any Processing described in Annex 1); and (ii) to perform any other activities expressly authorized by the Customer in writing (each a documented instruction). Processor will immediately inform Customer if, in Processor's opinion, an instruction from Customer violates applicable Data Protection Laws. Processor will not Process Personal Data for any purpose or in any manner not expressly permitted by Customer's instructions or this DPA. Personal Data processed through AI-powered features of the Services shall remain subject to this DPA.
4.4 Required Processing by Law: If Processor is ever required by a law or regulation to Process Personal Data in a manner contrary to Customer's instructions (for example, if Processor receives a binding court order or subpoena), Processor shall (to the extent not prohibited by law) inform Customer of that legal requirement before Processing and provide reasonable cooperation within Processor's capabilities to limit or challenge the requirement if reasonably requested by Customer.
4.5 Details of Processing: The subject matter, nature, purpose, and duration of the Processing, the types of Personal Data, and categories of Data Subjects involved are described in Annex 1 to this DPA. The parties acknowledge that Annex 1 is intended to fulfill the requirements of Article 28(3) of the GDPR and corresponding provisions of other Data Protection Laws, as well as to serve as Annex I (Description of Processing) of the SCCs where applicable.
4.6 Contact Points for Privacy Issues: Customer may contact Processor regarding privacy or data protection matters at privacy@metaview.ai. Processor may contact Customer using the contact details of Customer's designated data protection or privacy contact.
5. Security and Confidentiality
5.1 Confidentiality of Personnel: Processor shall ensure that all persons whom it authorizes to Process Personal Data (including its employees, agents, and subcontractors) are subject to appropriate confidentiality obligations (whether through written contract or by operation of law) and committed to maintaining the confidentiality and security of Personal Data only as necessary for the authorized purposes.
5.2 Security Measures: Processor shall implement and maintain the Technical and Organizational Measures described in Annex 2 to protect Personal Data, as required by Article 32 GDPR and other applicable Data Protection Laws. Processor shall regularly assess and evaluate the effectiveness of its TOMs and make necessary improvements to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services.
5.3 Compliance Certifications: Upon Customer's written request, Processor will provide documentation or summaries of certifications, audit reports, or other relevant documentation demonstrating Processor's implementation of the TOMs and its compliance with this DPA (for example, SOC 2 Type II reports, or similar evidence, if available). All such documentation shall be considered Processor's confidential information.
6. Sub-processors
6.1 General Authorization: Customer provides a general authorization for Processor to engage third-party Sub-processors in connection with the provision of the Services. Processor shall:
- maintain an up-to-date list of Sub-processors engaged to Process Personal Data;
- impose on each Sub-processor data protection obligations that are at least as protective of Personal Data as those set out in this DPA, through a written agreement or other legal act; and
- remain liable to Customer for the performance of its Sub-processors' obligations under this DPA.
6.2 Sub-processor Changes: Processor will provide Customer with prior notice of any intended changes concerning the addition or replacement of Sub-processors. Notification will be provided at least fourteen (14) days before the Sub-processor begins Processing Personal Data.
Customer may object to such changes only where Customer has a reasonable, good-faith basis relating to data protection. Any objection must be notified to Processor in writing within seven (7) days of the notice. The parties will discuss such objection in good faith with the aim of reaching a mutually agreeable resolution.
If no resolution is reached, Customer's sole and exclusive remedy shall be to terminate the portion of the Services that cannot reasonably be provided without the use of the objected-to Sub-processor, and Processor will refund any prepaid fees covering the remainder of the term of the terminated Services.
If Customer does not object within the notice period, the Sub-processor shall be deemed approved.
6.3 Emergency Replacement: Customer acknowledges that in some cases, Processor may need to replace a Sub-processor on an urgent basis (e.g. if a Sub-processor ceases operations unexpectedly). In such cases, Processor will inform Customer as soon as practicable of the replacement and the reason for the change, and Section 6.2 will otherwise apply.
7. Data Subject Rights
7.1 Handling Data Subject Requests: Processor shall, to the extent permitted by law, promptly notify Customer if Processor receives any request or communication from a Data Subject regarding the Processing of their Personal Data by Processor ("Data Subject Request"). This includes, without limitation, requests to access, correct, delete, or restrict Personal Data, or objections to Processing, or requests for data portability. Processor will not respond to any Data Subject Request on behalf of Customer unless (a) instructed to do so by Customer in writing or (b) required by applicable law (in which case Processor shall inform Customer of that requirement before responding, unless prohibited by law).
7.2 Assistance with Requests: Taking into account the nature of the Processing and the information available to Processor, Processor shall assist Customer in fulfilling Customer's obligations to respond to Data Subject Requests under applicable Data Protection Laws within one (1) month of Customer's request. This assistance may include providing Customer with the ability to correct, delete, or retrieve Personal Data, or other technical measures appropriate for the Services.
8. Assistance, Impact Assessments, and Audits
8.1 Privacy Impact Assessments: Upon Customer's request, Processor will provide reasonable cooperation and assistance needed for Customer to fulfill its obligation (if any) to carry out a data protection impact assessment ("DPIA") and/or consult with the relevant supervisory authority under applicable Data Protection Laws. Such assistance shall be limited to information in Processor's possession, and to the extent Customer does not otherwise have access to the relevant information. This assistance may be provided through existing documentation made available by Processor (such as audit reports, certifications, or responses to reasonable security/privacy questionnaires). Processor shall not be required to disclose information that would compromise its security, that of its other customers, or confidential business information.
8.2 Demonstrating Compliance: Processor shall make available to Customer all information reasonably necessary to demonstrate Processor's compliance with its obligations under this DPA and under Article 28 of the GDPR (and equivalent provisions of other Data Protection Laws). Without prejudice to the generality of the foregoing, at Customer's written request Processor will answer a reasonable data protection questionnaire or provide an existing report or certification to confirm the effectiveness of Processor's security measures and compliance program.
8.3 Audits: The Processor shall make available to the Customer all information reasonably necessary to demonstrate compliance with its obligations under this Agreement and applicable Data Protection Laws. The Processor may satisfy its audit obligations by providing recent third-party certifications, audit reports (e.g. SOC 2 Type II or comparable), or responses to reasonable security/privacy questionnaires. Where such existing documentation does not reasonably satisfy Customer's audit requirements, the Processor shall allow for and contribute to reasonable audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, provided that:
- such audits are limited to once annually and are limited to data protection and security matters (unless otherwise required by a competent supervisory authority or following a material Personal Data Breach);
- the Customer provides at least sixty (60) days' advance written notice;
- audits are conducted during normal business hours, do not exceed two (2) consecutive business days, and are conducted in a manner that minimizes disruption to the Processor's business operations;
- the Customer and any appointed auditor are bound by Processor's standard confidentiality terms;
- the Processor may postpone audits during critical business periods with reasonable advance notice to Customer;
- the Customer shall be responsible for all costs and fees related to such audits, including the Processor's reasonable costs incurred in assisting with the audit.
8.4 Changes in Law: If any change in applicable Data Protection Laws or new interpretation by authorities necessitates an amendment to this DPA or requires additional safeguards in the Processing of Personal Data, the parties will work together in good faith to promptly implement such changes or safeguards. Processor may propose supplemental terms to address such legal changes, and the parties shall negotiate in good faith with the aim of modifying this DPA as needed to ensure compliance.
9. Data Breach Notification
9.1 Notification: Processor shall notify Customer without undue delay (and in any case within 48 hours) after becoming aware of a Personal Data Breach.
9.2 Contents of Notice: Processor's notification of a Personal Data Breach, to the extent known at the time, shall describe: the nature of the breach, the categories and approximate volume of Personal Data and individuals affected, the likely consequences of the breach, and the measures taken or proposed by Processor to address the breach (including measures to mitigate its possible adverse effects). If complete information is not available within the initial 48-hour window, Processor will provide an initial notice with the information then available and supplement the notice as promptly as possible as further details are obtained.
9.3 Mitigation and Cooperation: Processor shall promptly take reasonable steps to contain, investigate, and mitigate any Personal Data Breach. Processor will cooperate with Customer's reasonable requests in Customer's efforts to notify affected Data Subjects or relevant supervisory authorities of a Personal Data Breach, as required by applicable Data Protection Laws. Notification of or response to a Personal Data Breach under this Section 9 shall not be construed as an acknowledgment by Processor of any fault or liability with respect to the breach.
10. Return or Deletion of Data
10.1 Deletion or Return upon Termination: Upon termination or expiration of the Main Agreement, or at any time upon Customer's written request, Processor shall promptly and securely delete or, at Customer's choice, return to Customer all Personal Data (including any copies of Personal Data) in Processor's possession or control. This requirement shall not apply to Personal Data that has been archived on back-up systems, which Processor shall securely isolate and protect from any further Processing except as required by law until secure deletion is possible.
10.2 Retention Required by Law: If applicable law or a valid court or regulatory order prohibits Processor from returning or destroying all or part of the Personal Data, Processor warrants that it will continue to protect the confidentiality of such Personal Data and will not actively Process such Personal Data after the termination of the Main Agreement except to the extent required by law. Processor shall notify Customer of any such legal requirement that prevents full deletion, unless the law also prohibits such notice.
10.3 Certification: Upon Customer's reasonable request, Processor will provide a written certification confirming that Processor has fully complied with this Section 10 with respect to Personal Data.
11. International Data Transfers
11.1 General: Personal Data may not be transferred outside its originating jurisdiction unless such transfer complies with applicable Data Protection Laws. Approved mechanisms may include: (a) adequacy decisions; (b) EU Standard Contractual Clauses ("SCCs"); (c) the UK IDTA or Addendum; (d) Swiss adaptations of the SCCs; or (e) any other valid mechanism recognized by law.
11.2 EEA (EU GDPR): For transfers of Personal Data subject to the EU GDPR from the EEA to non-adequate countries, the SCCs (Module Two: Controller→Processor) are incorporated by reference.
- Clause 7: Docking clause excluded.
- Clause 9: Option 2 (general authorization); notice per Section 6.2.
- Clause 17: Option 1; governed by Irish law.
- Clause 18(b): Disputes in Irish courts.
- Annexes: Annex I, II, III completed via Annexes 1 and 2 of this DPA.
- Precedence: SCCs prevail over conflicting DPA terms.
- Updates: New or amended SCCs automatically replace these upon adoption.
11.3 UK (UK GDPR): For transfers of Personal Data subject to UK Data Protection Laws to countries not deemed adequate, the UK Addendum (as incorporated in Annex 3) applies. Annexes 1 and 2 of this DPA complete the relevant tables of the UK Addendum. In the event of any conflict, the UK Addendum prevails for UK transfers.
11.4 Switzerland (FADP): For transfers of Personal Data subject to the Swiss Federal Act on Data Protection ("FADP" or "Bundesgesetz über den Datenschutz"):
- The EU SCCs (Module Two) apply with the following adaptations:
  - "GDPR" includes the FADP.
  - "Supervisory authority" includes the FDPIC.
  - "Member State" includes Switzerland.
  - Disputes resolved before Swiss courts.
- Where both EU GDPR and FADP apply, SCCs protect under both regimes simultaneously.
11.5 Other Jurisdictions: For transfers of Personal Data subject to data protection laws that impose mandatory transfer mechanisms, the parties will cooperate in good faith to implement such mechanisms, which may be documented in additional annexes if required.
11.6 Government Access Requests (Schrems II):
11.6.1 Objection Policy: The Processor's policy is to object to any third-party request, including from law enforcement or government authorities, for access to Personal Data that is not legally binding. The Processor will object to such requests where legally permissible, and will ensure that any legally binding request is reviewed by legal counsel prior to compliance.
11.6.2 Notification: If the Processor receives a legally binding request to disclose Personal Data, it will (i) promptly notify the Customer before complying, unless prohibited by law or legal process; (ii) provide only the minimum information required; and (iii) provide reasonable cooperation where legally permitted to allow Customer to challenge the request.
11.6.3 Transparency: The Processor may, in its discretion, publish a periodic transparency report, summarizing the number and type of legally binding disclosure requests received (if any) and how such requests were handled, and may indicate where no such requests have been received.
11.6.4 Data Minimization: The Processor limits access to Personal Data to what is strictly necessary to provide the Services, thereby reducing the risk of unauthorized government access, and will, where legally appropriate and feasible, direct requests to be addressed to the relevant EU/UK/Swiss authority rather than Processor.
11.7 Supplementary Measures: The Processor implements supplementary measures in accordance with Schrems II and applicable guidance. These consist of:
- the contractual commitments in this Section 11 (including Processor's policy on government access requests, notification and transparency obligations, and data minimization practices); and
- the Technical and Organizational Measures described in Annex 2.
Together, these contractual, technical, and organizational safeguards constitute the supplementary measures adopted by Processor to ensure that transfers of Personal Data are subject to a level of protection essentially equivalent to that required under applicable Data Protection Laws.
12. California and Other U.S. State Privacy Laws
12.1 Roles under CCPA: With respect to Personal Data that is subject to the California Consumer Privacy Act (as amended by the CPRA) ("CCPA"), Customer is a "Business" and Processor is a "Service Provider." Processor is processing such Personal Data on behalf of Customer for the purpose of providing the Services, which constitutes a business purpose.
12.2 Service Provider Restrictions: Processor certifies that it understands the rules, and agrees to comply with the limitations, imposed by the CCPA on Service Providers. Specifically, Processor shall not:
- Sell or Share (as those terms are defined in the CCPA) any Personal Data processed under this DPA;
- retain, use, or disclose Personal Data for any purpose other than as necessary to perform the Services for Customer as described in the Main Agreement (including retaining, using, or disclosing the data for a commercial purpose other than providing the Services); or
- retain, use, or disclose the Personal Data outside of the direct business relationship between Processor and Customer.
Processor will not "share" Personal Data for cross-context behavioral advertising or combine Personal Data received from Customer with personal information received from other sources (except as permitted under CCPA for Service Providers).
12.3 Subprocessors as Service Providers: Customer hereby directs and authorizes Processor to disclose Personal Data to Processor's Sub-processors as needed to deliver the Services. Processor will ensure that each Sub-processor that processes Personal Data subject to CCPA qualifies as a "Service Provider" under CCPA and is contractually bound to the same restrictions and obligations regarding Personal Data as are imposed on Processor under this Section 12.
12.4 Consumer Requests and Cooperation: Processor shall promptly notify Customer if it receives any request from a California consumer to exercise CCPA rights (e.g., access or deletion of their Personal Data) relating to the Services, and will not respond except as directed by Customer. Processor shall provide reasonable assistance to Customer in responding to verifiable consumer requests, as required by CCPA, through standard technical measures and capabilities available within the Services, implementing measures similar to those described in Sections 7 and 8 of this DPA (Data Subject rights and cooperation).
12.5 No Sale or Contracted Assessment: The parties acknowledge and agree that the exchange of Personal Data between the parties is done solely for the purpose of rendering the Services and not for any other purpose. The parties do not intend for any disclosures of Personal Data between them to be considered a sale of Personal Data. Nothing in the Main Agreement or this DPA shall be construed as providing Processor with monetary or other valuable consideration for Personal Data, other than the business services described. If either party is required by the CCPA to conduct assessments (such as data protection impact assessments for certain high-risk processing or sharing activities), Processor will provide relevant information and cooperation as described in Section 8.1 of this DPA.
12.6 Other U.S. State Privacy Laws: To the extent Personal Data is subject to other U.S. state privacy laws that impose obligations on "processors" or "service providers" (including, without limitation, the Colorado Privacy Act, Virginia Consumer Data Protection Act, Connecticut Data Privacy Act, and Utah Consumer Privacy Act), Processor will act in the capacity of a "processor" or "service provider" (as applicable), and shall not use or disclose Personal Data other than as permitted under this DPA and the Main Agreement. The restrictions, obligations, and cooperation commitments in this Section 12 apply, mutatis mutandis, to such other state laws.
Execution
By clicking "Accept" (or an equivalent measure) to agree to this DPA, or by electronically accepting this DPA as part of the online Service signup process, each party agrees to be bound by the terms of this DPA. The person accepting this DPA on behalf of Customer represents and warrants that they have the authority to bind Customer to the terms of this DPA. Upon Customer's electronic acceptance of this DPA, it will be legally binding and effective between Customer and Processor as of that date.
Annex 1 – Details of Processing
This Annex 1 comprises the following product-specific annexes, each setting out the processing details for the relevant Processor's service: Annex 1a (Notetaker), Annex 1b (Sourcing), Annex 1c (Application Review).
Annex 1a – Details of Processing (Notetaker)
This Annex 1a applies to Customers who have purchased the Notetaker. This Annex sets out the details of the Processing of Personal Data by Processor on behalf of Customer, as required by Article 28(3) GDPR and equivalent provisions of other applicable Data Protection Laws. It also serves as Annex I of the SCCs (where applicable).
Categories of Data Subjects
Employees and contractors of the Customer (whether registered end-users or other participants), and external individuals such as job applicants, candidates, and agency recruiters who take part in conversations processed by the Services.
Types of Personal Data
Processor may process the following categories of Personal Data on behalf of Customer in connection with the Services:
- Identification and contact data (e.g., names, email addresses, phone numbers, job titles, company/organization details);
- Audio and video recordings (e.g., interviews, meetings, or calls, and associated metadata);
- Transcripts, AI-generated summaries, and user-provided notes or annotations;
- User-generated content submitted through the Services (including prompts, inputs, and other free-text fields);
- Customer support and interaction data (e.g., communications with support teams); and
- Any other Personal Data that Customer or its users choose to provide, upload, or transmit via the Services.
Special Categories of Data
The processing of special categories of Personal Data (as defined in Article 9 GDPR) is not intended or required for the provision of the Services. Processor does not solicit or encourage the disclosure of such information. However, given the nature of unstructured conversations, such data may be incidentally captured if voluntarily disclosed by participants. Any such processing is limited to providing the Services (e.g., transcription, summarization, or playback) and no biometric analysis is performed. Responsibility for ensuring a lawful basis for any processing of special categories of Personal Data rests with the Customer as Controller.
Nature and Purpose of Processing
Processor processes Personal Data solely for the purpose of delivering the Services to Customer in accordance with the Main Agreement and Customer's documented instructions. The processing comprises:
- Recording and storing audio and video of recruitment- and talent-related conversations.
- Generating transcripts, AI-powered summaries, and structured notes from recorded conversations.
- Providing playback access to recordings and transcripts to Customer's authorised users.
- Processing user-provided notes, annotations, and prompts submitted through the Services.
Duration of Processing
Processor will Process Personal Data for the term of the Main Agreement and any renewal periods, and thereafter only as necessary to comply with Customer's instructions, legal obligations, or to complete secure deletion or return of data. Any Personal Data retained by Processor post-termination will remain subject to the protections of this DPA and will be deleted as soon as reasonably practicable.
Frequency of Transfer
Personal Data may be transferred to and Processed by Processor on a continuous or ongoing basis for the duration of the Main Agreement. Such transfers occur whenever Customer or its authorized users input, submit, or generate Personal Data through the Services, and whenever the Services process, store, or host such data as part of their normal operation.
Locations of Processing
Processor will primarily Process Personal Data in the following countries: the United Kingdom, the United States, and Germany. Data may be transferred and stored in any country worldwide where Processor or its Sub-processors maintain facilities, provided that such transfers are made in compliance with Section 11 of this DPA (International Data Transfers).
List of Approved Sub-Processors
The full list of approved sub-processors is set out in Annex 4 (Schedule of Sub-Processors) to this DPA.
Annex 1b – Details of Processing (Sourcing)
This Annex 1b applies to Customers who have purchased the AI Sourcing module. This Annex sets out the details of the Processing of Personal Data by Processor on behalf of Customer, as required by Article 28(3) GDPR and equivalent provisions of other applicable Data Protection Laws. It also serves as Annex I of the SCCs (where applicable).
This Annex distinguishes between two categories of processing: (i) Metaview's independent operation of its candidate database and execution of candidate searches, including the determination of ranking and matching logic, for which Metaview acts as an independent data controller; and (ii) Customer-directed processing – such as saving candidates, adding notes, and initiating outreach sequences – for which Metaview acts as data processor on Customer's behalf and Customer is the controller. This Annex sets out Metaview's processor obligations in respect of category (ii) only.
Categories of Data Subjects
- Employees and contractors of the Customer.
- Individuals identified, researched or contacted by Customer through AI Sourcing.
- Individuals imported by the Customer into the platform.
Types of Personal Data
- Identity and professional data: name, job title, employer, professional and education history, social media profile URL, skills.
- Contact data: email address, telephone number.
- Platform interaction data: candidate status, outreach history, notes added by Customer.
Special Categories of Personal Data
Metaview does not intentionally process special categories of personal data as part of the Sourcing module.
Nature and Purpose of Processing
Processor processes Personal Data solely for the purpose of delivering Services to Customer in accordance with the Main Agreement and Customer's documented instructions. The processing comprises:
- Storing and managing candidate records that Customer has actively saved or imported into the platform.
- Processing outreach sequences to candidates on Customer's instruction.
- Processing contact enrichment requests and export requests on Customer's instruction.
Duration of Processing
Processor will Process Personal Data for the term of the Main Agreement and any renewal periods, and thereafter only as necessary to comply with Customer's instructions, legal obligations, or to complete secure deletion or return of data.
Frequency of Transfer
Personal Data may be transferred to and Processed by Processor on a continuous or ongoing basis for the duration of the Main Agreement. Such transfers occur whenever Customer or its authorized users input, submit, or generate Personal Data through the Services, and whenever the Services process, store, or host such data as part of their normal operation.
Locations of Processing
Processor will primarily Process Personal Data in the following countries: the United Kingdom, the United States, and Germany. Data may be transferred and stored in any country worldwide where Processor or its Sub-processors maintain facilities, provided that such transfers are made in compliance with Section 11 of this DPA (International Data Transfers).
List of Approved Sub-Processors
The full list of approved sub-processors is set out in Annex 4 (Schedule of Sub-Processors) to this DPA.
Annex 1c – Details of Processing (Application Review)
This Annex 1c applies to Customers who have purchased Application Review. This Annex sets out the details of the Processing of Personal Data by Processor on behalf of Customer, as required by Article 28(3) GDPR and equivalent provisions of other applicable Data Protection Laws. It also serves as Annex I of the SCCs (where applicable). Under applicable data protection frameworks, Metaview operates as a data processor in connection with Application Review.
Categories of Data Subjects
- Employees and contractors of the Customer (e.g., recruiters and hiring managers who access or operate Application Review).
- Job applicants and candidates whose applications are ingested from Customer's ATS and processed by Application Review.
Types of Personal Data
Processor may process the following categories of Personal Data on behalf of Customer:
- Identification and contact data;
- Application materials and the professional and educational history, skills, qualifications, and certifications contained within them;
- AI-generated outputs, including classifications, field extractions, and summaries;
- Customer inputs, including feedback, decisions, and field configurations;
- Customer support and interaction data; and
- Any other Personal Data that Customer or its users choose to provide or transmit via Application Review.
Special Categories of Data
The processing of special categories of Personal Data (as defined in Article 9 GDPR) is not intended or required for the provision of Application Review. Processor does not solicit or encourage the disclosure of such information. However, given the nature of application materials, special category data may be incidentally present if included in candidate-submitted documents. Any such processing is limited to the activities described in the Nature and Purpose of Processing section of this Annex. Responsibility for ensuring a lawful basis for any processing of special categories of Personal Data rests with the Customer as Controller.
Nature and Purpose of Processing
Processor processes Personal Data solely for the purpose of delivering Services to Customer in accordance with the Main Agreement and Customer's documented instructions. The processing comprises:
- Syncing candidate application data and Customer decisions with Customer's Applicant Tracking System.
- Classifying application data against Customer-defined criteria.
- Extracting and categorising data points.
- Generating application summaries.
- Storing application data and enabling Customer to sort, filter, and search applications.
Duration of Processing
Processor will Process Personal Data for the term of the Main Agreement and any renewal periods, and thereafter only as necessary to comply with Customer's instructions, legal obligations, or to complete secure deletion or return of data. Any Personal Data retained by Processor post-termination will remain subject to the protections of this DPA and will be deleted as soon as reasonably practicable.
Frequency of Transfer
Personal Data may be transferred to and Processed by Processor on a continuous or ongoing basis for the duration of the Main Agreement. Transfers occur whenever Customer's ATS transmits application data to Application Review, whenever Customer or its authorised users interact with the service, and whenever accept or reject decisions are synced back to the ATS.
Locations of Processing
Processor will primarily Process Personal Data in the following countries: the United Kingdom, the United States, and Germany. Data may be transferred and stored in any country worldwide where Processor or its Sub-processors maintain facilities, provided that such transfers are made in compliance with Section 11 of this DPA (International Data Transfers).
List of Approved Sub-Processors
The full list of approved sub-processors is set out in Annex 4 (Schedule of Sub-Processors) to this DPA.
Annex 2 – Technical and Organizational Security Measures
This Annex 2 describes the key Technical and Organizational Measures implemented by Processor to ensure a level of security appropriate to the risk of the Personal Data Processing. This Annex also corresponds to Annex II of the SCCs (where applicable). Processor may adjust or enhance these measures from time to time, provided that such changes do not materially reduce the overall security of the Personal Data.
Security Program
- Processor maintains an information security program designed to protect Personal Data against unauthorized access, loss, alteration, or disclosure, consistent with industry standards (e.g. SOC 2 Type II) and applicable data protection laws. The program is reviewed at least annually and updated as necessary.
Encryption
- Processor encrypts Personal Data in transit and at rest using industry-standard technologies (e.g. TLS 1.3 or higher, AES-256-GCM or equivalent authenticated encryption).
Pseudonymization and Anonymization
- Processor may apply measures such as pseudonymisation, anonymisation, or aggregation of Personal Data, both to enhance security and to enable the use of resulting non-Personal Data for legitimate business purposes.
Access Controls
- Processor enforces least-privilege access, unique user IDs, and multi-factor authentication for administrative access. Access rights are reviewed periodically.
- Processor restricts access to customer data within the product to authenticated users, with role-based authorization controls.
Personnel Security
- Processor ensures employees and contractors with access to Personal Data are subject to confidentiality obligations and receive mandatory security and privacy training upon onboarding and annually thereafter.
- Processor applies endpoint protection and data loss prevention measures on employee devices, including anti-malware, full-disk encryption, and controls to prevent unauthorized transfer of customer data.
Physical and Environmental Security
- Processor hosts customer data exclusively in secure cloud environments provided by vendors with audited physical and environmental security controls (e.g., SOC 2).
Network Security
- Processor implements firewalls, network segmentation, intrusion detection/prevention, and redundancy measures to ensure service availability.
Secure Development
- Processor maintains a secure software development lifecycle, including code review, automated security testing, and vulnerability scanning.
Monitoring and Incident Response
- Processor maintains audit logs, monitors systems for anomalies, and operates a documented incident response plan.
- Processor notifies Customer without undue delay, and no later than 48 hours, upon becoming aware of a Personal Data Breach and provides information reasonably necessary for Customer to meet its legal obligations.
Vulnerability Management
- Processor conducts regular vulnerability scans, remediates critical findings promptly, and engages independent penetration testing at least annually.
Business Continuity
- Processor maintains backup and recovery processes, performs routine backups in secure locations, and tests disaster recovery procedures at least annually.
Independent Audits and Certifications
- Processor engages independent external experts to conduct annual audits of its security controls.
- Processor maintains certifications or attestations against recognized industry standards (such as SOC 2 Type II) and makes summaries available to Customer upon request.
Data Minimization and Retention
- Processor collects and processes only the Personal Data necessary to provide the Services.
- Processor retains Personal Data only for the period specified in the DPA or as otherwise instructed by the Customer. Upon termination of services or at Customer's request, Personal Data will be securely deleted or returned.
Audit Trails
- Processor maintains audit trails for key activities within its systems.
Data Subject Rights Support
- Processor assists Customer in responding to Data Subject rights requests under applicable laws (access, rectification, erasure, restriction, portability, objection).
Sub-processor Management
- Processor ensures that Sub-processors are subject to written agreements imposing data protection obligations substantially equivalent to those in this DPA.
AI/ML Security
- Processor ensures that Personal Data processed through AI/ML systems is used solely to provide the Services and not to train underlying third-party models with Personal Data.
- Processor assesses AI components for security, privacy, and bias risks and maintains guardrails to mitigate such risks.
Annex 3 – UK International Data Transfer Addendum / Agreement
Where Personal Data is transferred from the United Kingdom to a country not deemed adequate under UK Data Protection Laws, the parties agree that the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0, issued by the UK ICO and in force 21 March 2022) ("UK Addendum") is incorporated into this DPA by reference.
The UK Addendum is completed as follows:
- Table 1 (Parties): as identified in the DPA and Main Agreement
- Table 2 (Selected SCCs): the SCCs (Module Two) incorporated at Section 11.2 of this DPA
- Table 3 (Appendices): Annex 1 and Annex 2 of this DPA
- Table 4: neither party may end the UK Addendum under section 19
Customer's acceptance of this DPA constitutes execution of the UK Addendum.
Annex 4 – Schedule of Sub-Processors
This Schedule sets out the sub-processors engaged by Metaview to process personal data on behalf of Customer. Metaview shall provide notice of any intended changes in accordance with Section 6.2 of the DPA. The most current version of this Schedule is maintained at Metaview's Trust Center: https://trust.metaview.ai.