Effective Date: October 10, 2025

Data Processing Addendum (DPA)

This Data Processing Addendum ("Addendum") is entered into between Yupcha Softwares Pvt. Ltd. ("Processor") and the client ("Controller") and forms part of the main services agreement ("Main Agreement") between the parties. This Addendum governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Services under the Main Agreement.

1. Definitions

  • Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
  • Processor: Yupcha Softwares Pvt. Ltd., which processes Personal Data on behalf of the Controller.
  • Personal Data: Any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Services.
  • Data Subject: The identified or identifiable natural person to whom Personal Data relates.
  • Processing: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • Services: The SaaS products, AI-powered tools, and related offerings provided by Yupcha Softwares Pvt. Ltd. to the Controller under the Main Agreement.
  • Applicable Data Protection Laws: All laws and regulations applicable to the processing of Personal Data under the Main Agreement, including, but not limited to, the Indian Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, and the General Data Protection Regulation (EU) 2016/679 ("GDPR") where applicable.

2. Roles and Responsibilities

  • Controller's Role: The Controller determines the purposes and means of the Processing of Personal Data. The Controller represents and warrants that it has all necessary rights, permissions, and consents to collect and transfer the Personal Data to the Processor for processing in accordance with the Main Agreement and this Addendum.
  • Processor's Role: The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by Applicable Data Protection Laws to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

3. Details of Processing

  • Data Subject Categories: Employees, candidates, contractors, end-users, or other individuals whose Personal Data is provided by the Controller for processing within the Services.
  • Types of Personal Data: Identifiers (e.g., name, contact details), professional data (e.g., job title, company, employment history), assessment data, uploaded files (e.g., resumes, certifications), communications, and performance-related data. This also specifically includes:
    • Textual content from resumes, cover letters, and application forms (e.g., work experience, education, skills, career aspirations).
    • Transcripts of video and audio interviews (where applicable, based on client's configuration).
    • Responses to AI-driven assessments or prompts.
    • AI-inferred data points such as skill proficiencies, role compatibility scores, sentiment analysis results from communications, and summarized candidate profiles.
    • Behavioral patterns inferred from interactions with our AI tools during assessments or simulated tasks.
  • Duration of Processing: Personal Data will be processed for the term of the Main Agreement and as otherwise specified in the Controller's instructions or the Processor's Privacy Policy regarding data retention.
  • Purpose of Processing: To provide, maintain, and improve the Services as described in the Main Agreement, including the delivery of AI-powered functionalities. This encompasses processing data to train, evaluate, and enhance the underlying AI models and algorithms powering the SaaS services, strictly using anonymized or pseudonymized data where feasible and consistent with the Controller's instructions and Applicable Data Protection Laws.

4. Compliance with Applicable Data Protection Laws

Both Controller and Processor shall comply with their respective obligations under Applicable Data Protection Laws concerning the Processing of Personal Data.

5. Subprocessors

  • Authorization: The Controller authorizes the Processor to engage third-party subprocessors for the performance of specific Processing activities on behalf of the Controller.
  • List of Subprocessors: A current list of subprocessors used by the Processor is maintained and available upon reasonable request from the Controller. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of subprocessors, thereby giving the Controller the opportunity to object to such changes on reasonable grounds.
  • Subprocessor Obligations: Where the Processor engages a subprocessor, it shall ensure that the subprocessor is bound by a written contract that imposes data protection obligations equivalent to those set out in this Addendum. The Processor remains liable for the acts and omissions of its subprocessors.

6. Security Measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, including, where appropriate:

  • Encryption: Encryption of Personal Data where appropriate (e.g., in transit and at rest).
  • Access Controls: Strict access control policies and procedures to prevent unauthorized access to systems processing Personal Data.
  • Pseudonymization & Anonymization: Implementation of techniques like pseudonymization and anonymization where feasible and beneficial for data protection, particularly for AI training.
  • Regular Audits: Regular security audits, penetration testing, and vulnerability assessments.
  • Employee Training: Confidentiality obligations and regular data protection and security awareness training for personnel who have access to Personal Data.
  • Incident Management: Procedures for promptly identifying, assessing, and remediating security incidents.
  • Secure AI Development: Incorporating security best practices throughout the AI model development lifecycle, protecting training data, and ensuring the integrity of AI systems and their outputs.

7. Data Subject Rights

The Processor shall assist the Controller, by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising Data Subject rights (e.g., access, rectification, erasure, restriction, portability, objection).

  • Direct Requests: If a Data Subject directly contacts the Processor regarding their Personal Data processed under this Addendum, the Processor will, where legally permitted, promptly inform the Data Subject that their request should be submitted to the Controller.
  • Controller's Responsibility: The Controller remains solely responsible for responding to Data Subject requests.

8. Personal Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours from discovery of a Personal Data breach affecting Personal Data processed under this Addendum. The notification shall, at a minimum:

  • Describe the nature of the Personal Data breach.
  • Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained.
  • Describe the likely consequences of the Personal Data breach.
  • Describe the measures taken or proposed to be taken by the Processor to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Processor shall cooperate fully with the Controller in investigating and mitigating the breach and provide reasonable assistance as requested.

9. International Data Transfers

The Controller authorizes the Processor to transfer Personal Data outside of India or to other jurisdictions for processing in connection with the Services, provided that such transfers are conducted in compliance with Applicable Data Protection Laws. The Processor shall ensure that appropriate safeguards are in place for any such international transfers, such as Standard Contractual Clauses (SCCs) or other legally recognized mechanisms.

10. Data Retention and Deletion/Return

Upon the termination or expiry of the Main Agreement, or at the Controller's instruction, the Processor shall, at the Controller's choice, delete or return all Personal Data to the Controller, and delete existing copies unless Applicable Data Protection Laws require storage of the Personal Data. Anonymized data used for general AI model improvement may be retained by the Processor as per its Privacy Policy.

11. Audit Rights

The Controller, or an independent auditor mandated by the Controller, may, upon reasonable prior written notice (90 days) and no more than once per year, conduct an audit of the Processor's data processing facilities and procedures relevant to the Personal Data processed under this Addendum. Such audits shall be conducted during normal business hours, be non-disruptive to the Processor's business operations, and be subject to the Processor's confidentiality obligations and security policies. The Controller shall bear the costs of such audits.

12. Liability

The liability of the parties under this Addendum shall be subject to the limitations of liability set forth in the Main Agreement.

13. Contact Information

If you have any questions about this Addendum, please contact us:

Email: [email protected]

Address: 153, Banamalipur, Agartala, West Tripura - 799001, India

IN WITNESS WHEREOF, the parties have executed this Data Processing Addendum as of the Effective Date.