Data Processing Agreement

Effective Date: March 22, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Future Visuals (operating as “Tlntly”, the “Processor”) and the customer (“Controller”) who has agreed to the Terms of Service. This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

This DPA applies to all processing of personal data by the Processor on behalf of the Controller through the Tlntly platform.

1. Definitions

  • “Controller” means the Tlntly customer (recruitment agency, recruiter, or employer) who determines the purposes and means of processing candidate personal data.

  • “Processor” means Future Visuals (Tlntly), which processes personal data on behalf of the Controller.

  • “Data Subject” means the natural person whose personal data is processed, primarily job candidates whose CVs and personal information are uploaded to the platform.

  • “Personal Data” means any information relating to an identified or identifiable natural person, including candidate names, contact details, employment history, education, skills, and other information contained in CVs and candidate profiles.

  • “Processing” means any operation performed on personal data, including AI processing (parsing, scoring, matching, tailoring, translation, anonymization), storage, retrieval, modification, and deletion.

2. Scope and Purpose of Processing

The Processor processes personal data solely for the purpose of providing the Tlntly recruitment platform services to the Controller, including:

  • Parsing and structuring CVs and vacancy descriptions using AI (Google Gemini API)

  • Generating candidate-vacancy compatibility scores and rationales

  • Tailoring resume content for specific vacancies

  • Generating motivation letters

  • Translating resume content

  • Anonymizing candidate profiles

  • Generating PDF exports

  • Storing and managing candidate and vacancy data

Categories of Data Subjects

Job candidates, applicants, and other individuals whose personal data is uploaded by the Controller.

Categories of Personal Data

  • Identification data: names, email addresses, phone numbers, LinkedIn URLs, profile images

  • Professional data: work experience, job titles, companies, responsibilities, skills, certifications

  • Educational data: institutions, courses, degrees, dates

  • Other CV data: languages, interests, personal summaries, location preferences

  • AI-generated data: compatibility scores, rationales, tailored content, motivation letters

3. Processor Obligations

The Processor shall:

  1. Process personal data only on documented instructions from the Controller, except where required by EU or Member State law

  2. Ensure that persons authorized to process personal data have committed to confidentiality

  3. Implement appropriate technical and organizational security measures, including encryption in transit (HTTPS/TLS) and at rest, access controls, and secure infrastructure (see Section 5)

  4. Not engage another processor without prior written authorization from the Controller (see Section 6 for approved subprocessors)

  5. Assist the Controller in responding to data subject requests (access, rectification, erasure, restriction, portability, objection)

  6. Assist the Controller with DPIA obligations and prior consultation with supervisory authorities where required

  7. Delete or return all personal data at the end of the service provision, subject to mandatory retention requirements under the EU AI Act (minimum six months for AI system logs)

  8. Make available to the Controller all information necessary to demonstrate compliance and allow for audits (see Section 8)

  9. Immediately inform the Controller if an instruction infringes the GDPR or other data protection provisions

4. Controller Obligations

The Controller shall:

  1. Ensure a valid legal basis exists for the processing of personal data uploaded to Tlntly

  2. Inform data subjects about the processing, including AI processing, in accordance with GDPR Articles 13 and 14

  3. Comply with deployer obligations under the EU AI Act, as detailed in the Terms of Service

  4. Respond to data subject requests and facilitate their rights regarding automated decision-making

  5. Not upload personal data for which the Controller does not have a lawful basis for processing

5. Security Measures

The Processor implements the following technical and organizational measures to protect personal data:

  • Encryption in transit: All data transmitted over HTTPS/TLS

  • Encryption at rest: Data stored in encrypted databases and file storage

  • Access controls: Authentication via OAuth providers (Google, LinkedIn), session management, and role-based access

  • Infrastructure security: Managed cloud infrastructure (Vercel EU, Neon Frankfurt, AWS eu-west-1) with provider-level security certifications

  • AI processing security: Content safety checks on uploads, input validation, assessment principles to prevent fabrication

  • Logging and monitoring: System-generated logs for traceability and incident investigation

  • Data isolation: Customer data is logically separated at the application level

6. Subprocessors

The Controller authorizes the Processor to engage the following subprocessors. The Processor will ensure that subprocessors are bound by data protection obligations no less protective than those in this DPA.

Subprocessor | Purpose | Location
Google (Gemini API) | AI processing (parsing, scoring, matching, tailoring, translation) | US/EU (SCCs)
Vercel | Application hosting and serverless infrastructure | EU
Neon | PostgreSQL database hosting | Frankfurt, EU
AWS (S3) | File storage | eu-west-1, EU
Stripe | Payment processing | US/EU (SCCs)
Trigger.dev | Background task processing | EU
Resend | Transactional email delivery | US (SCCs)

The Processor will notify the Controller of any intended changes to subprocessors, giving the Controller the opportunity to object. If the Controller objects and the Processor cannot accommodate the objection, either party may terminate the service.

7. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach. The notification shall include:

  • A description of the nature of the breach

  • The categories and approximate number of data subjects affected

  • The likely consequences of the breach

  • The measures taken or proposed to address the breach

The Processor shall cooperate with the Controller in investigating the breach, mitigating its effects, and fulfilling the Controller's notification obligations under GDPR Articles 33 and 34.

8. Audits and Inspections

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

Audits shall be conducted with reasonable prior notice (at least 30 days), during normal business hours, and shall not unreasonably interfere with the Processor's operations. The Controller shall bear the costs of any audit. The Processor may provide relevant compliance certifications or third-party audit reports as an alternative to on-site inspections where appropriate.

9. International Data Transfers

The Processor stores primary data within the EU (Neon Frankfurt, AWS eu-west-1, Vercel EU). Where personal data is transferred outside the EEA (primarily for AI processing via Google Gemini API), the Processor ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission

  • Supplementary technical measures (encryption, access controls, data minimization)

  • Contractual commitments from subprocessors regarding data protection

10. Data Deletion and Return

Upon termination of the service or upon request by the Controller, the Processor shall:

  • Delete all personal data processed on behalf of the Controller, subject to mandatory retention requirements

  • Retain AI system logs for the minimum period required by the EU AI Act (six months from the date of generation), after which they will be deleted

  • Provide confirmation of deletion upon request

The Controller may request data export before deletion. The Processor will comply with export requests using reasonable efforts and standard data formats.

11. Duration and Termination

This DPA shall remain in effect for the duration of the Controller's use of the Tlntly platform and shall automatically terminate when all personal data has been deleted or returned in accordance with Section 10. Obligations regarding confidentiality, data breach notification, and mandatory data retention survive termination.

12. Amendments

The Processor may update this DPA to reflect changes in applicable law (including the EU AI Act), regulatory guidance, or processing activities. Material changes will be communicated to the Controller at least 30 days before taking effect. Continued use of the service after the effective date constitutes acceptance.

Contact

For DPA-related inquiries or to request a signed copy: