    Appendix 2 – Data Processing Agreement

    Last changed: May 19, 2026

    This Appendix 2 (Data Processing Agreement) including Sub-appendix 1 (Instructions for the Processing of Personal Data) and Sub-appendix 2 (List of Approved Sub-processors) (this "DPA") constitutes an appendix to and forms an integral part of the Agreement entered into between Talentium and the Customer, which applies when Talentium (the "Data Processor") processes personal data on behalf of the business Customer (the "Data Controller") when providing the Services to the Data Controller.

    1. Background

    1.1. This DPA governs the rights and obligations of the Data Controller and the Data Processor when the Data Processor processes personal data on behalf of the Data Controller, pursuant to the Agreement.

    1.2. If the information stipulated in the Agreement conflicts with this DPA, this DPA shall take precedence in relation to rights and obligations related to the processing of personal data. In the event of any contradictions between this document and the Data Controller's documented instruction, this document shall take precedence, unless otherwise specifically stipulated or clearly indicated by the circumstances.

    1.3. This DPA aims to meet the current requirements for a DPA in accordance with Applicable Data Protection Legislation.

    1.4. This DPA shall remain in force for as long as the Data Processor processes personal data on the Data Controller's behalf. This DPA applies to and covers any changes, additions, or amendments to the Agreement unless the Parties enter into a new data processing agreement. If the Agreement is terminated and a new contract with a similar scope and purpose to the Agreement is entered into between the Parties, while a new data processing agreement is not entered into, this DPA shall apply to the new Agreement. This also applies if an explicit reference is made to this DPA in a contract between the Data Controller and the Data Processor.

    2. Definitions

    The terms in this DPA shall have the same definition attributed to them as in the Agreement if not expressly defined where the terms are used, in the definition list below or defined in Appendix 1 (Terms and Conditions) to the Agreement. In addition, the terms in this DPA shall be interpreted in accordance with the GDPR (as defined in Appendix 1), unless otherwise specified.

    • "Agreement" means Talentium's Master Service Agreement including its appendices, entered into between the Parties.
    • "Applicable Data Protection Legislation" means all privacy, data protection and personal data laws of the European Union or a member state of the European Union applicable to the personal data processing that is carried out under this DPA.
    • "Data Controller" has the meaning set forth in the recitals.
    • "Data Processor" has the meaning set forth in the recitals.
    • "DPA" has the meaning set forth in the recitals.
    • "Party" and "Parties" have the meaning set forth in the recitals of the Agreement.
    • "Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to data processors established in third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, implemented by the European Commission decision (EU) 2021/914 of 4 June 2021.
    • "Sub-processor" means the legal person who is engaged by the Data Processor to carry out specific processing activities on behalf of the Data Controller.
    • "Sub-processor Notice" has the meaning set forth in Clause 8.2.

    3. Obligations of the Data Controller

    3.1. The Data Controller undertakes to ensure that there is a legal basis for the processing and for compiling correct instructions with regard to the nature of the processing so that the Data Processor and any Sub-processor can fulfil their obligations according to this DPA and the Agreement, where applicable.

    3.2. The Data Controller shall, without undue delay, inform the Data Processor of changes in the processing which affect the Data Processor's obligations pursuant to Applicable Data Protection Legislation.

    3.3. The Data Controller is responsible for informing data subjects, whose personal data is subject to processing under this DPA, about the processing and for safeguarding the rights of data subjects in accordance with Applicable Data Protection Legislation, as well as for taking every other measure required of the Data Controller pursuant to Applicable Data Protection Legislation.

    4. Processing of Personal Data

    4.1. The Data Processor shall ensure compliance with Applicable Data Protection Legislation as well as its obligations under this DPA when processing personal data on behalf of the Data Controller.

    4.2. The Data Processor may only process personal data on behalf of the Data Controller in accordance with the Data Controller's documented instructions, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by the laws of the European Union or a member state of the European Union to which the Data Processor is subject, in which case the Data Processor shall inform the Data Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

    4.3. The Data Controller's initial instructions are set out in this DPA and Sub-appendix 1 (Instructions for the Processing of Personal Data). Subsequent instructions may also be given by the Data Controller throughout the duration of the processing of personal data. These instructions shall always be documented. The Data Processor shall, if a subsequent instruction involves a certain change and the instruction does not result from obligations under Applicable Data Protection Legislation, be given a reasonable time to implement such an update.

    4.4. In the event of an update of the instruction that goes beyond the obligations arising from Applicable Data Protection Legislation, the Data Processor shall be entitled to compensation for documented additional costs.

    4.5. The Data Processor has the right to terminate the Agreement, including this DPA, according to Clause 14.3 if an update of the instruction goes beyond the obligations arising from Applicable Data Protection Legislation and the Data Processor is unable to carry out/implement the requested update or if it would involve a significant change or additional cost. The aforementioned only applies if the Data Controller does not choose to recall an update of the instruction.

    4.6. The Data Processor shall immediately inform the Data Controller if, in its opinion, the Data Processor has not received sufficient instructions to process personal data in accordance with its obligations pursuant to the Agreement or if, in the Data Processor's opinion, an instruction infringes Applicable Data Protection Legislation, and defer the processing until further instructions from the Data Controller are provided.

    4.7. If the Data Controller persists with an instruction which, in the Data Processor's opinion, infringes Applicable Data Protection Legislation pursuant to Clause 4.4, the Data Processor shall have the right to terminate the Agreement, including this DPA, according to Clause 14.3.

    4.8. The Data Processor shall, without undue delay, inform the Data Controller about technical, organisational, or financial changes, including changes in the ownership, which are likely to affect the Data Processor's capability of complying with its obligations in accordance with this DPA.

    5. The Data Processor's Obligations to Assist the Data Controller

    5.1. The Data Processor shall assist the Data Controller in fulfilling its obligations in accordance with Applicable Data Protection Legislation per the Data Controller's request. This means that the Data Processor shall:

    a) through appropriate technical and organisational measures, to the extent possible and with due regard to the nature of the processing, assist the Data Controller in fulfilling the Data Controller's obligations to respond to requests for exercising the data subjects' rights laid down in Chapter III of the GDPR (such as rectification, deletion, restriction, data portability and request of access);

    b) assist the Data Controller in fulfilling the Data Controller's obligations to take appropriate security measures for the processing of personal data under this DPA to ensure a level of security appropriate considering the level of risk which the processing of personal data in question entails in accordance with Article 32 of the GDPR;

    c) assist the Data Controller by providing the information, assistance and resources that are reasonably necessary for fulfilling the Data Controller's obligation to report personal data breaches to the competent supervisory authority in accordance with Article 33 of the GDPR;

    d) assist the Data Controller with the information, assistance and resources that may reasonably be required to fulfil the Data Controller's obligation to inform the data subject, within the framework of this DPA, in the event of a data breach that is likely to result in a high risk to the rights and freedoms of natural persons in accordance with Article 34 of the GDPR;

    e) assist the Data Controller in fulfilling the Data Controller's obligation to carry out data protection impact assessments for processing under this DPA, which is likely to result in a high risk to the rights and freedoms of individuals in accordance with Article 35 of the GDPR; and

    f) assist the Data Controller by providing the Data Controller with the information, assistance and resources that may reasonably be required to fulfil the Data Controller's obligation to provide information and documentation to the supervisory authority for prior consultation, and when necessary, and to a reasonable extent, attend meetings with the supervisory authority in accordance with Article 36 of the GDPR.

    5.2. When the Data Processor assists the Data Controller in fulfilling the Data Controller's obligations under Applicable Data Protection Legislation in accordance with Clauses 5.1 b) – f) above, consideration shall be given to the type of processing it refers to, and the information available to the Data Processor. In order to avoid any misunderstandings, nothing in this clause shall be interpreted as indicating that the Data Processor may act on behalf of the Data Controller. The Data Processor may only act to fulfil its obligations vis-à-vis the Data Controller.

    6. Security and Confidentiality

    6.1. The Parties' obligations to observe confidentiality are regulated in Appendix 1 (Terms and Conditions) to the Agreement. The Data Processor shall ensure that any Sub-processors that are engaged by the Data Processor are subject to a confidentiality undertaking corresponding to the provisions under the Agreement.

    6.2. The Data Processor undertakes to take all appropriate technical and organisational measures to protect the personal data being processed under this DPA in accordance with Applicable Data Protection Legislation and in particular Article 32 of the GDPR. The Data Processor shall ensure that its service fulfils the requirements of the principles of privacy by design and privacy by default in line with Applicable Data Protection Legislation as set out in the Agreement and this DPA.

    6.3. The Data Processor has implemented the technical and organisational measures set out in the instructions from the Data Controller and undertakes not to substantially change these or otherwise change the security measures in a way that results in a lower level of security than the one intended in Clause 6.2 and the Data Controller's instructions.

    6.4. The Data Processor is obliged to immediately inform the Data Controller if the Data Processor considers that the implemented security measures no longer comply with the requirements set out in the Applicable Data Protection Legislation and wait for further instructions from the Data Controller.

    6.5. The Data Processor shall ensure that only the personnel who must have access to the personal data in order to fulfil the Data Processor's obligations under this DPA will have access to such personal data. The Data Processor shall ensure that all such personnel are bound by appropriate confidentiality obligations, either by law or by agreement. The Data Processor shall also ensure that the personnel understand what the confidentiality obligation entails.

    7. Personal Data Breaches

    7.1. The Data Processor shall, without undue delay after having become aware of a personal data breach, notify the Data Controller.

    7.2. A notification pursuant to Clause 7.1 shall include all information which may reasonably be required by the Data Controller to fulfil its obligations under Applicable Data Protection Legislation. Such information includes e.g. a description of:

    a) the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and personal data records concerned;

    b) the details of a contact point where more information concerning the personal data breach can be obtained;

    c) likely consequences as a result of the data breach; and

    d) the measures taken or proposed to be taken to rectify the personal data breach, including, where appropriate, measures to mitigate its potential adverse effects.

    7.3. Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information available and further information shall, as it becomes available, subsequently be provided without undue delay.

    7.4. The Data Controller shall compensate the Data Processor for any direct costs that the Data Processor incurs if the measures taken under this Clause 7 are due to the Data Controller's non-compliance with Applicable Data Protection Legislation.

    7.5. The Data Processor is not entitled to inform any third parties, including data subjects, of the personal data breach without the Data Controller's prior written consent, unless required to do so by the laws of the European Union or a member state of the European Union to which the Data Processor is subject.

    8. Sub-processors

    8.1. The Data Processor is aware that it must comply with the requirements specified in Article 28(2) and (4) of the GDPR in order to engage a Sub-processor.

    8.2. The Data Processor has the Data Controller's general written authorisation for the engagement of Sub-processors. The Data Processor shall inform the Data Controller in writing of any intended changes concerning the addition or replacement of Sub-processors ("Sub-processor Notice") fourteen (14) days in advance, thereby giving the Data Controller the opportunity to object to such changes prior to the engagement of the concerned Sub-processor(s). A Sub-processor Notice to the Data Controller to engage or replace a Sub-processor shall be in writing and as a minimum include the following information:

    • (i) company name;
    • (ii) company registration number (or equivalent);
    • (iii) address and country;
    • (iv) a description of the sub-processing; and
    • (v) where the personal data will be processed.

    8.3. A list of approved Sub-processors at the time of entering into this DPA is set forth in Sub-appendix 2 (List of Approved Sub-processors). The Data Processor shall, from time to time, maintain an updated list of the Sub-processors who have been approved by the Data Controller, as well as the countries in which these Sub-processors perform their activities. At the Data Controller's request, the Data Processor shall submit a copy of the list to the Data Controller.

    8.4. Where the Data Processor engages a Sub-processor for carrying out specific processing activities on behalf of the Data Controller, the Data Processor shall enter into an agreement with the Sub-processor which imposes corresponding obligations as are applicable to the Data Processor in accordance with this DPA, and under which the Sub-processor also provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this DPA and Applicable Data Protection Legislation. The Data Processor shall therefore be responsible for requiring that the Sub-processor at least complies with the obligations to which the Data Processor is subject pursuant to this DPA and Applicable Data Protection Legislation.

    8.5. If the Sub-processor does not fulfil his data protection obligations, the Data Processor shall remain fully liable to the Data Controller as regards the fulfilment of the obligations of the Sub-processor.

    9. Transfer of Personal Data to a Third Country

    9.1. The Data Processor may transfer personal data on behalf of the Data Controller to a country outside of the EU/EEA (i.e., third country), provided such transfers meet the requirements and undertakings which follow from Applicable Data Protection Legislation and the Data Controller's instructions.

    9.2. The Data Processor undertakes to enter into the relevant module of the Standard Contractual Clauses with its Sub-processors which process personal data outside the EU/EEA, unless another applicable transfer mechanism applies or if the transfer is based on an adequacy decision, and to take all reasonable measures to control that the engaged Sub-processors ensure the lawfulness of any further transfers of personal data that the Sub-processors' sub-processors may undertake.

    9.3. The Data Processor shall inform the Data Controller, without undue delay, if an adequate level of protection can no longer be guaranteed for the transfer of personal data to, or access from, a country outside the EU/EEA, or if the transfer or processing can, in any other way, be considered contrary to the Applicable Data Protection Legislation. Furthermore, in such instances, the Data Processor shall immediately take steps to ensure that personal data can continue to be processed in accordance with Applicable Data Protection Legislation and inform the Data Controller of the measures taken.

    10. Request for Information and Disclosure of Personal Data

    10.1. In cases where a data subject or other third party requests information from the Data Processor in respect of processing of personal data which belongs to the Data Controller, the Data Processor shall refer such data subject or third party to the Data Controller.

    10.2. In the event a public authority requests the type of data as set forth in Clause 10.1 above, the Data Processor shall immediately inform the Data Controller of the request, unless prevented by law, and the Data Processor and the Data Controller shall, in consultation, agree on a suitable course of action.

    10.3. The Data Processor shall not disclose or make any personal data which belongs to the Data Controller available unless the Data Processor is under legal obligation deriving from laws of a member state of the European Union or European Union law, or court or public authorities' order to disclose the information (provided that such court or public authority is located within the European Union).

    10.4. If an obligation to disclose information as stipulated in Clause 10.3 above emerges, the Data Processor shall immediately inform the Data Controller of such situation if not prohibited by law.

    11. Audit and Documentation

    11.1. The Data Processor shall make available to the Data Controller all information necessary to demonstrate that the Data Processor has fulfilled its obligations in accordance with this DPA and Applicable Data Protection Legislation. At the Data Controller's request, the Data Processor shall also permit and contribute to audits of the processing activities covered by this DPA, at reasonable intervals or if there are indications of non-compliance. The Data Controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the Data Processor. The Data Controller shall ensure that such independent third party is subject to confidentiality.

    11.2. The Data Processor shall, at all times, be entitled to reasonable notice in the event the Data Controller wishes to exercise its right to conduct an audit.

    11.3. If an audit pursuant to this Clause 11 indicates that the Data Processor has breached its obligations under this DPA or Applicable Data Protection Legislation, the Data Processor shall, without undue delay, remedy such deficiency.

    12. Liability

    12.1. Subject to the limitation of liability set out in Appendix 1 (Terms and Conditions) to the Agreement, if the Data Processor processes personal data in violation of this DPA or Applicable Data Protection Legislation, the Data Processor shall compensate the Data Controller for the damage caused by the Data Processor due to the incorrect processing.

    12.2. In the event of compensation for damages in connection with wrongful processing of personal data, which, through an established judgment or settlement, shall be payable to the data subject due to a breach of the provisions in this DPA, the Data Controller's instructions and/or Applicable Data Protection Legislation, Article 82 of the GDPR shall apply.

    12.3. The Parties' liability for compensation in accordance with this Clause 12 will apply even if the DPA is terminated or otherwise ceases to apply.

    13. Contract Period

    With the exception of Clauses 6 and 12, the provisions of this DPA shall apply for as long as the Data Processor processes personal data on the Data Controller's behalf.

    14. Early Termination

    14.1. The Data Processor shall immediately inform the Data Controller if the Data Processor, for whatever reason, is unable to fulfill its obligations under this DPA.

    14.2. If the Data Processor is not able to remedy and fulfil its obligations under this DPA prior to thirty (30) days after having informed the Data Controller pursuant to Clause 14.1, the Data Controller shall have the right to terminate the Agreement and this DPA.

    14.3. For termination of this DPA pursuant to Clause 4.5 of this DPA, Clause 5 of the Master Service Agreement shall apply.

    15. Measures in Connection with the Termination

    15.1. When this DPA expires, the Data Processor shall, at the Data Controller's request and per the Data Controller's instructions, permanently delete, or return in a format that the Data Controller chooses, all personal data processed in accordance with this DPA to the Data Controller and delete all existing copies, unless the Data Processor is required by European Union law or laws of a member state of the European Union to save a copy of the personal data.

    15.2. In this context, deletion means that the personal data is deleted in accordance with the industry standard in force at any given time in order to make it impossible for the data to be recreated using technology or method known at the time of deletion. This shall also apply to personal data that has been processed for logging and security purposes.

    16. Amendments

    16.1. If Applicable Data Protection Legislation changes during the term of this DPA, or if a competent supervisory authority issues guidelines, decisions or regulations concerning the application of Applicable Data Protection Legislation that result in this DPA no longer meeting the requirements for a data processing agreement, this DPA shall be changed in order to meet such new or additional requirements.

    16.2. What is stipulated in the Agreement regarding changes shall apply to this DPA in addition to Clause 16.1 above.

    17. Governing Law and Dispute Resolution

    What is stipulated in the Agreement regarding governing law and dispute resolution also applies to this DPA.

    Sub-appendix 1 — Instructions for the Processing of Personal Data

    The following document is the Data Controller's instructions to the Data Processor.

    Definitions used in this instruction shall have the same meaning as in the DPA, unless circumstances clearly indicate otherwise.

    1. Processing of Personal Data

    1.1. Purpose of processing.

    The Data Processor's purpose of the processing is to provide specific functionality within the Services to the Data Controller. The Data Controller's purposes are the following:

    • Receiving and managing applications: To receive qualitative applications, as well as to process and communicate regarding job applications in order to be able to fill a possible position.
    • Identifying and matching candidates: To identify, contact and communicate with potential candidates for recruitment purposes, including streamlining recruitment processes by efficiently matching candidates to the Data Controller's needs/jobs and evaluating them effectively.
    • Optimising recruitment: To optimize employees' work and internal recruitment processes and to generate texts.
    • Networking processes: To enhance networking by maintaining and developing business relationships with potential candidates and other contacts.

    1.2. Subject-matter of the processing.

    The subject-matter of the processing is the provision of the Data Processor's Services.

    1.3. Categories of personal data.

    The Data Processor shall collect and process the following categories of personal data: Name, contact details, employer and job title, language and current city of residence, job history, education and other personal data included in a potential candidate's CV and cover letter, as well as personal data included in the Data Controller's email, calendar and correspondence, etc.

    1.4. Categories of data subjects.

    • Potential job candidates.
    • Reference person.
    • Business contacts.
    • The Data Controller's personnel, consultants or other parties or individuals who are authorised by the Data Controller to use the Services.

    1.5. Processing activities (nature of the processing).

    The use of the Services includes functionalities such as:

    collection, structuring, storage, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction.

    1.6. Transfer to third countries.

    The locations/countries listed in Sub-Appendix 2 (List of approved Sub-processors) or as shown in the list of the Sub-processors in accordance with Clause 8.3 of the DPA.

    1.7. Duration.

    Measures to ensure that personal data is deleted during and after the contract period when the processing is no longer necessary for the original purpose.

    The Data Processor undertakes to process personal data as follows:

    • Personal data may not be stored for a longer period of time than is necessary for the purposes for which the personal data is processed.
    • The Data Processor deletes personal data at the Data Controller's request (if applicable in the specific Services). The Data Controller also has the option to delete data manually in the Services.

    After the Agreement has ceased to apply: see Clause 15 of the DPA.

    2. Technical and Organisational Security Measures

    Introduction

    This document details the technical and organizational security measures adopted by Talentium to ensure the confidentiality, integrity, and availability of our data and information systems. By leveraging a Cloud Service Provider (CSP), a Database Management System (DBMS), and OAuth for secure authentication, we are committed to protecting our systems and data against unauthorized access, disclosure, alteration, and destruction.

    A. (Our cloud service provider — CSP)

    1. Physical Security

    • Data Centers: CSP data centers are fortified with physical security measures such as biometric verification and environmental controls, designed to withstand natural disasters.

    2. Data Encryption

    • Encryption Protocols: CSP automatically encrypts all data before it is stored and protects data in transit with HTTPS and other secure communication protocols.

    3. Access Control

    • IAM System: Implementation of CSP's Identity and Access Management (IAM) to define precise access controls and policies, reinforcing the principle of least privilege. Integration of multi-factor authentication and OAuth protocols ensures secure access.
    • OAuth & Auth0 Integration: Utilization of OAuth for secure delegation of access rights and Auth0 for streamlined identity management across applications. This combination enhances security and user experience by providing a single sign-on (SSO) capability across our cloud-based services.

    4. Network Security

    • Secure Network Infrastructure: Utilization of CSP's secure network features, including firewalls, DDoS protection, and VPCs for workload isolation.

    5. Incident Response

    • Monitoring and Response: Continuous monitoring with CSP's incident response team, prepared to swiftly address and mitigate any security incidents.

    B. DBMS

    1. Encryption at Rest and In Transit

    • Encryption Mechanisms: Utilization of WiredTiger storage engine and TLS/SSL for securing data at rest and in transit, respectively.

    2. Access Control

    • RBAC Implementation: Implementation of DBMS's role-based access control (RBAC) to ensure that access to data and operations is restricted to authorized users only. Enhanced with OAuth protocols for secure access delegation and integrated with Auth0 for efficient identity management, ensuring secure and convenient access controls.

    3. Auditing

    • Comprehensive Auditing: DBMS's auditing capabilities enable tracking of all access and modifications, supporting our commitment to data integrity and compliance.

    4. Network Isolation

    • Isolated Environments: Configuration of DBMS within isolated network environments to minimize unauthorized access risks.

    5. Regular Updates

    • Security Updates: Adherence to a strict policy of regular updates to DBMS, ensuring protection against known vulnerabilities.

    C. Best Practices

    1. Regular Security Assessments

    • Assessment and Penetration Testing: Ongoing security assessments to identify vulnerabilities, with OAuth implementations regularly reviewed for security best practices.

    2. Compliance Certifications

    • Regulatory Adherence: Ensuring that our use of CSP, DBMS, and OAuth aligns with GDPR, HIPAA, SOC 2, and other relevant standards.

    3. Data Backup and Recovery

    • Robust Backup Strategies: Comprehensive data backup and recovery measures to guarantee business continuity.

    4. Security Training

    • Ongoing Training: Continuous security training for our team, with a focus on the secure implementation and management of OAuth alongside our core technologies.

    5. Secure Authentication and Authorization Practices

    • OAuth: Adoption of OAuth, an open-standard authorization protocol, to allow secure authorization workflows. This is crucial for applications that require access to user data without exposing user passwords, providing a secure and efficient method of granting access rights.
    • Auth0 Integration: Leveraging Auth0 for advanced identity management solutions, including secure authentication and authorization services. Auth0 offers a robust platform for implementing SSO, multi-factor authentication, and user management, significantly enhancing security and user experience across our digital assets.

    Conclusion

    Talentium is committed to maintaining a secure and resilient environment for our data and systems. Through the strategic implementation of CSP and DBMS's security features, coupled with adherence to best practices and the advanced authentication and authorization mechanisms provided by OAuth and Auth0, we strive to protect our assets against evolving threats and ensure the privacy and security of our customers' data.

    Sub-appendix 2 — List of Approved Sub-processors

    The Data Processor is entitled to engage the following Sub-processors for the processing of personal data within the scope of this DPA.

    Definitions used in this list of approved Sub-processors shall have the same meaning as in the DPA, unless circumstances clearly indicate otherwise.

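    OpenAI OpCo, LLC

    • Name of Sub-processor and address: OpenAI OpCo, LLC, 3180 18th St., San Francisco, CA 95110, USA
    • Description of the sub-processing: OpenAI's LLMs are integrated in the Data Processor's Services.
    • Location for the processing of personal data (country): USA
    • Safeguards for transferring personal data to third country: Data processing agreement including European Commission's standard contractual clauses for international transfers.

    Google Cloud Platform, Google Ireland Limited

    • Name of Sub-processor and address: Google Cloud Platform, Google Ireland Limited, 70 Sir John Rogerson's Quay, Dublin, Ireland
    • Description of the sub-processing: Cloud provider, data storage and data pipeline. Google's Gemini AI services are integrated in the Data Processor's Services.
    • Location for the processing of personal data (country): Warsaw, Finland, Madrid, Belgium, London, Frankfurt, Netherlands, Zurich, Milan, Paris and Turin
    • Safeguards for transferring personal data to third country: No additional safeguards needed as data is processed within the EEA jurisdiction under GDPR compliance.

    MongoDB Ireland

    • Name of Sub-processor and address: MongoDB Ireland, Building 2, Number 1 Ballsbridge Shellbourne Road Ballsbridge, D04 Y3X9 Dublin, Ireland
    • Description of the sub-processing: MongoDB's environment is integrated in the Data Processor's Services.
    • Location for the processing of personal data (country): Warsaw, Finland, Madrid, Belgium, Berlin, Turin
    • Safeguards for transferring personal data to third country: No additional safeguards needed as data is processed within the EEA jurisdiction under GDPR compliance.

    MongoDB, UK

    • Name of Sub-processor and address: MongoDB, UK, 12th Floor 240 Blackfriars Rd London SE1 8NW
    • Description of the sub-processing: MongoDB's environment is integrated in the Data Processor's Services.
    • Location for the processing of personal data (country): London
    • Safeguards for transferring personal data to third country: European Commission's UK adequacy decision. No additional safeguards needed as data is processed under UK-GDPR compliance.

    Amazon Web Services, Inc.

    • Name of Sub-processor and address: Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109-5210, USA
    • Description of the sub-processing: AWS Bedrock LLMs are integrated in the Data Processor's Services.
    • Location for the processing of personal data (country): EU (Stockholm)
    • Safeguards for transferring personal data to third country: No additional safeguards needed as data is processed within the EEA jurisdiction under GDPR compliance.

    Cloudflare, Inc.

    • Name of Sub-processor and address: Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA
    • Description of the sub-processing: CDN and security provider. Cloudflare services are integrated in the Data Processor's Services to enable content delivery and platform security.
    • Location for the processing of personal data (country): EU (Finland)
    • Safeguards for transferring personal data to third country: No additional safeguards needed as data is processed within the EEA jurisdiction under GDPR compliance.

    Intercom Inc.

    • Name of Sub-processor and address: Intercom Inc., 55 2nd Street, 4th Floor, San Francisco, CA 94105, USA
    • Description of the sub-processing: Customer communication and support platform. Intercom is integrated in the Data Processor's Services to enable messaging, support, and customer interaction.
    • Location for the processing of personal data (country): EU (Dublin)
    • Safeguards for transferring personal data to third country: No additional safeguards needed as data is processed within the EEA jurisdiction under GDPR compliance.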