GDPR
Last updated: January 2026

Data Processing Agreement

This DPA forms part of the agreement between Clapwork and its enterprise customers for the processing of personal data under GDPR and equivalent regulations.

1. Definitions

"Controller" means the Customer, who determines the purposes and means of the processing of Personal Data.

"Processor" means Clapwork, which processes Personal Data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person processed under this Agreement.

"Sub-processor" means any third party engaged by Clapwork to process Personal Data on behalf of the Controller.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

2. Scope of Processing

Clapwork processes Personal Data solely to provide the services described in the Master SaaS Agreement, including:

  • Candidate assessment and AI interview processing
  • Skill evaluation, scoring, and report generation
  • Interview recording, transcription, and analysis
  • Communication between clients and candidates
  • Account management and billing

Categories of Data Subjects include: candidates, freelancers, hiring managers, and organizational administrators.

3. Controller Obligations

The Controller shall:

  • Ensure that the processing of Personal Data has a lawful basis under applicable data protection laws.
  • Provide Data Subjects with required notices regarding the processing of their data through Clapwork.
  • Ensure the accuracy and completeness of Personal Data provided to Clapwork.
  • Promptly notify Clapwork of any data subject requests that require Clapwork's assistance.

4. Processor Obligations

Clapwork shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
  • Ensure that persons authorized to process Personal Data have committed to confidentiality obligations.
  • Implement appropriate technical and organizational measures to ensure security of processing.
  • Assist the Controller in responding to Data Subject rights requests.
  • Delete or return all Personal Data upon termination or expiry of the Agreement, at the Controller's election.
  • Make available all information necessary to demonstrate compliance with this DPA.

5. Security Measures

Clapwork implements and maintains the following technical and organizational measures:

  • Encryption: All data encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Access Controls: Role-based access control (RBAC), multi-factor authentication, IP allowlisting.
  • Audit Logging: Immutable audit logs for all data access and modifications.
  • Infrastructure: SOC 2 Type II certified hosting with regular penetration testing.
  • Incident Response: Documented incident response procedures with 72-hour breach notification.
  • Employee Training: Regular security awareness and data protection training.

6. Sub-processors

Clapwork maintains a current list of sub-processors. The Controller may subscribe to receive notifications of changes. Current sub-processors include infrastructure and cloud service providers used to deliver the platform.

Clapwork shall:

  • Enter into written agreements with sub-processors imposing equivalent data protection obligations.
  • Provide the Controller with prior notice of any intended addition or replacement of sub-processors.
  • Allow the Controller to object to the appointment of a new sub-processor on reasonable grounds.

7. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), Clapwork shall ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) as adopted by the European Commission.
  • Transfers to countries with an adequacy decision from the European Commission.
  • Supplementary measures where required by applicable guidance from data protection authorities.

8. Data Subject Rights

Clapwork shall assist the Controller in fulfilling its obligations to respond to Data Subject requests, including rights of access, rectification, erasure, portability, restriction of processing, and objection. Clapwork provides self-service tools in the platform dashboard for Controllers to manage data subject requests.

9. Data Breach Notification

Clapwork shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. The notification shall include the nature of the breach, categories of data and data subjects affected, likely consequences, and measures taken or proposed to address the breach.

10. Term and Termination

This DPA shall remain in effect for the duration of the Master SaaS Agreement. Upon termination, Clapwork shall, at the Controller's choice, delete or return all Personal Data and certify such deletion or return in writing, unless retention is required by applicable law.

Request a Signed DPA

Enterprise customers can request a countersigned copy of this DPA for their records.