- 1. Parties and Scope
- 2. Definitions
- 3. Processing Details
- 4. Processor Obligations
- 5. Sub-processor Provisions
- 6. International Data Transfers
- 7. CCPA Service Provider Addendum
- 8. India DPDP Act Addendum
- 9. Technical and Organizational Measures (Annex II)
- 10. Term, Termination, and Data Disposition
- 11. General Provisions
- Annex I — Processing Details
- Annex II — Technical and Organizational Measures
Data Processing Agreement
Effective Date: April 11, 2026
Last Updated: April 11, 2026
This Data Processing Agreement ("DPA") is entered into between the entity identified as "Customer" in the applicable Service agreement ("Controller") and Sentient AI Inc., a Delaware corporation doing business as NexxaScreen, with its registered address at 8 The Green STE R, Dover, DE 19901 ("Processor," "NexxaScreen," "we," or "us").
This DPA supplements and forms an integral part of the Terms of Service available at https://nexxascreen.com/terms and any enterprise agreement between the parties (collectively, the "Agreement"). In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to matters relating to the processing and protection of Personal Data.
1. Parties and Scope
1.1 Roles
The Customer acts as the Data Controller (or "Data Fiduciary" under the DPDP Act) who determines the purposes and means of processing Personal Data. NexxaScreen acts as the Processor (the "Data Processor" under the DPDP Act) who processes Personal Data on behalf of and under the documented instructions of the Controller, solely in connection with the provision of NexxaScreen's AI-powered interview assessment services (the "Services").
1.2 Applicability
This DPA applies whenever NexxaScreen processes Personal Data on behalf of the Controller in connection with the Services, regardless of whether such processing occurs within or outside the European Economic Area ("EEA"), the United Kingdom ("UK"), the United States, India, or any other jurisdiction.
1.3 Supplementary Nature
This DPA supplements the Agreement and does not replace or modify it except as expressly stated herein. All terms not defined in this DPA shall have the meanings given to them in the Agreement.
1.4 Order of Precedence
In the event of a conflict between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail to the extent that such conflict relates to the processing or protection of Personal Data. In the event of a conflict between the main body of this DPA and any Annex, the main body shall prevail unless the Annex expressly states otherwise.
2. Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below. Terms not defined herein shall have the meanings ascribed to them in the GDPR, the Agreement, or as otherwise contextually appropriate.
2.1 "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including but not limited to: (a) the GDPR; (b) the UK GDPR and the UK Data Protection Act 2018; (c) the CCPA; (d) the DPDP Act; and (e) any other applicable national, state, or regional data protection legislation, each as amended, replaced, or superseded from time to time.
2.2 "Biometric Data" means Personal Data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allows or confirms the unique identification of that natural person. For the purposes of this DPA, voice characteristics processed during communication assessment are treated as Biometric Data.
2.3 "CCPA" means the California Consumer Privacy Act of 2018, Cal. Civ. Code Section 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 ("CPRA"), and all implementing regulations thereunder.
2.4 "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, as defined in GDPR Article 4(7). For the purposes of this DPA, the Controller is the Customer.
2.5 "Data Principal" means an individual whose Personal Data is processed, as defined under the DPDP Act. This term is equivalent to "Data Subject" under the GDPR.
2.6 "Data Subject" means an identified or identifiable natural person to whom Personal Data relates, as defined in GDPR Article 4(1).
2.7 "DPDP Act" means the Digital Personal Data Protection Act, 2023 of India, together with any rules, regulations, and notifications issued thereunder, as amended from time to time.
2.8 "EEA" means the European Economic Area, comprising the member states of the European Union together with Iceland, Liechtenstein, and Norway.
2.9 "GDPR" means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as amended, replaced, or superseded from time to time.
2.10 "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") as defined in GDPR Article 4(1), and includes "personal information" as defined under the CCPA and "personal data" as defined under the DPDP Act, in each case to the extent processed by the Processor on behalf of the Controller in connection with the Services.
2.11 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed, as defined in GDPR Article 4(12).
2.12 "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction, as defined in GDPR Article 4(2).
2.13 "Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller, as defined in GDPR Article 4(8). For the purposes of this DPA, the Processor is NexxaScreen.
2.14 "Service Provider" has the meaning given in CCPA Section 1798.140(ag), and for the purposes of Section 7 of this DPA, NexxaScreen acts as a Service Provider with respect to Personal Data of California consumers.
2.15 "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission pursuant to Implementing Decision (EU) 2021/914 of 4 June 2021, as amended, replaced, or superseded from time to time.
2.16 "Sub-processor" means any third party (excluding employees of the Processor) engaged by the Processor or by any subsequent Sub-processor to process Personal Data on behalf of the Controller in connection with the Services.
2.17 "Supervisory Authority" means an independent public authority which is established by an EU Member State pursuant to GDPR Article 51, or equivalent regulatory authority in other jurisdictions.
2.18 "Technical and Organizational Measures" or "TOMs" means the security measures described in Annex II of this DPA, implemented by the Processor to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, or disclosure.
2.19 "UK GDPR" means the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
3. Processing Details
This Section 3 serves as Annex I to this DPA and to the Standard Contractual Clauses where applicable.
3.1 Subject Matter of Processing
The subject matter of the Processing is the Personal Data processed by NexxaScreen in connection with the provision of AI-powered interview assessment, communication scoring, and candidate evaluation services as described in the Agreement.
3.2 Duration of Processing
The Processing shall continue for the term of the Agreement between the Controller and the Processor, plus an additional period of thirty (30) days for data return or deletion as described in Section 10.
3.3 Nature and Purpose of Processing
| Purpose | Description |
|---|---|
| Interview Recording | Recording video and/or audio of interviews conducted through the NexxaScreen platform |
| Transcription | Converting audio recordings to text transcripts using speech-to-text technology |
| AI Analysis and Scoring | Analyzing interview content using artificial intelligence to generate candidate assessments, scores, and recommendations |
| Communication Assessment | Evaluating candidate communication skills including voice characteristics, fluency, pronunciation, and speech patterns |
| Storage and Retrieval | Storing interview recordings, transcripts, assessments, and associated metadata for Controller access |
| Reporting | Generating interview reports, scorecards, and analytics for the Controller |
| Notifications | Sending email, SMS, WhatsApp, and/or phone communications to candidates and recruiters related to the interview process |
| Platform Operations | User authentication, access control, audit logging, and platform administration |
3.4 Categories of Data Subjects
| Category | Description |
|---|---|
| Candidates | Individuals who participate in interviews conducted through the NexxaScreen platform, including job applicants and mock interview participants |
| Customer Personnel | Employees, contractors, and authorized representatives of the Controller who use the NexxaScreen platform as recruiters, hiring managers, or administrators |
3.5 Types of Personal Data Processed
| Data Category | Examples |
|---|---|
| Identity Data | Full name, email address, phone number |
| Contact Data | Mailing address, WhatsApp number, preferred communication channel |
| Interview Content | Video recordings, audio recordings, interview transcripts |
| AI-Generated Assessments | Interview scores, competency ratings, candidate evaluations, communication assessment results, AI-generated summaries and recommendations |
| Biometric-Adjacent Data | Voice characteristics processed during communication assessment (pitch, pace, clarity, fluency, filler word frequency) |
| Employment Data | Resume/CV data, job title, job description, employment history (as provided by Controller or candidate) |
| Device and Connection Data | IP address, user agent string, browser type and version, operating system, screen resolution |
| Authentication Data | Hashed passwords, session tokens, OAuth tokens, multi-factor authentication identifiers |
| Usage Data | Platform interaction logs, feature usage, interview scheduling data |
3.6 Special Categories of Data
Voice characteristics processed during communication assessment are treated as sensitive data and Biometric Data for the purposes of compliance with Applicable Data Protection Law. NexxaScreen applies enhanced safeguards to the processing of such data, including purpose limitation (used solely for communication scoring), minimization (processed only when the communication assessment feature is enabled by the Controller), and encryption at rest and in transit.
No other special categories of data (as defined in GDPR Article 9) are intentionally processed. The Controller shall not submit special category data to NexxaScreen unless expressly agreed in writing.
4. Processor Obligations
4.1 Processing on Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data to a third country or an international organization, unless required to do so by European Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest (GDPR Article 28(3)(a)).
4.2 Confidentiality
The Processor shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (GDPR Article 28(3)(b)). This obligation shall survive the termination of this DPA and any individual's employment or engagement with the Processor.
4.3 Security Measures
The Processor shall implement and maintain appropriate Technical and Organizational Measures as described in Annex II (Section 9) of this DPA, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons (GDPR Article 32). The Processor shall regularly test, assess, and evaluate the effectiveness of these measures.
4.4 Sub-processor Engagement
The Processor shall comply with the conditions set out in Section 5 of this DPA for engaging Sub-processors (GDPR Article 28(2) and 28(4)).
4.5 Data Subject Rights Assistance
The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR, the CCPA, and the DPDP Act (GDPR Article 28(3)(e)). Such assistance shall include:
- (a) Promptly notifying the Controller if the Processor receives a request directly from a Data Subject, unless otherwise instructed by the Controller;
- (b) Providing the Controller with the ability to access, rectify, erase, or export Personal Data through the Services where technically feasible;
- (c) Responding to Controller's requests for assistance with Data Subject requests within five (5) business days of receipt;
- (d) Not responding to Data Subject requests directly unless authorized by the Controller or required by Applicable Data Protection Law.
4.6 Security, Breach Notification, and Impact Assessments
The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36, taking into account the nature of processing and the information available to the Processor (GDPR Article 28(3)(f)), including:
- (a) Data Protection Impact Assessments (DPIAs): Providing the Controller with reasonable assistance, upon request, in conducting DPIAs related to the Services, including providing relevant information about the Processing activities, TOMs, and Sub-processors;
- (b) Prior Consultation: Assisting the Controller, upon request, in consultations with Supervisory Authorities pursuant to GDPR Article 36;
- (c) Breach Notification: Complying with the breach notification obligations set out in Section 4.8 of this DPA.
4.7 Data Return and Deletion
At the choice of the Controller, the Processor shall delete or return all Personal Data to the Controller after the end of the provision of Services relating to processing, and shall delete existing copies unless European Union or Member State law requires storage of the Personal Data (GDPR Article 28(3)(g)). The specific procedures are set out in Section 10 of this DPA.
4.8 Personal Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller. Such notification shall include, to the extent available:
- (a) A description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
- (b) The name and contact details of the Processor's data protection contact from whom more information can be obtained;
- (c) A description of the likely consequences of the Personal Data Breach;
- (d) A description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;
- (e) Where it is not possible to provide all information at the same time, information may be provided in phases without undue further delay.
The Processor shall cooperate with and assist the Controller in investigating, remediating, and mitigating the effects of the Personal Data Breach, and in complying with the Controller's notification obligations under Applicable Data Protection Law.
4.9 Audit and Compliance
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (GDPR Article 28(3)(h)):
- (a) Annual Audit Report: The Processor shall, at no additional charge to the Controller, provide an annual SOC 2 Type II audit report (or equivalent independent third-party audit report) upon written request. Such report shall be treated as Confidential Information of the Processor.
- (b) On-Site Audits: The Controller may conduct on-site audits of the Processor's facilities and systems, subject to the following conditions:
  - (i) The Controller shall provide at least thirty (30) days' prior written notice of any on-site audit;
  - (ii) Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's business operations;
  - (iii) The Controller shall bear all costs and expenses of such on-site audit;
  - (iv) The Controller shall not conduct more than one (1) on-site audit per calendar year, unless an additional audit is required by a Supervisory Authority or is reasonably necessary following a Personal Data Breach;
  - (v) The Controller's auditors shall be bound by confidentiality obligations no less restrictive than those set out in the Agreement.
- (c) Regulatory Audits: The limitations in subsection (b) shall not apply to audits required by a Supervisory Authority or other competent regulatory authority.
- (d) Remediation: If an audit reveals any non-compliance with this DPA, the Processor shall promptly remediate such non-compliance at its own cost and provide evidence of remediation to the Controller.
5. Sub-processor Provisions
5.1 Authorized Sub-processors
The Controller grants the Processor a general written authorization to engage Sub-processors for the processing of Personal Data in connection with the Services, subject to the conditions set out in this Section 5.
5.2 Sub-processor Register
The Processor maintains a current list of authorized Sub-processors at:
5.3 Named AI Sub-processors
Given the sensitivity of AI-based processing of Personal Data, the following Sub-processors are specifically identified:
| Sub-processor | Service | Data Processed |
|---|---|---|
| Anthropic (Claude) | AI analysis, scoring, assessment generation | Interview transcripts, candidate responses |
| Deepgram | Speech-to-text transcription | Audio recordings |
| Amazon Web Services (AWS) | Infrastructure hosting (EC2, S3), AI services (Bedrock), text-to-speech (Polly), email delivery (SES) | All Personal Data categories as hosted infrastructure provider |
| Tavus | AI-generated video avatars for interactive interviews | Interview session data (transient — real-time generation, not stored) |
5.4 Notification of New Sub-processors
The Processor shall notify the Controller at least ten (10) days before engaging any new Sub-processor or replacing an existing Sub-processor. Notification shall be sent to the email address registered by the Controller for DPA notifications, or if none is registered, to the Controller's primary account email address.
5.5 Controller's Right to Object
- (a) The Controller may object to the engagement of a new Sub-processor by providing written notice to the Processor, with reasonable grounds for the objection, within ten (10) days of receiving the notification under Section 5.4.
- (b) If the Controller objects, the parties shall discuss the objection in good faith with a view to achieving a commercially reasonable resolution, which may include: (i) the Processor making available a reasonable change in the Services to avoid processing by the objected-to Sub-processor; or (ii) the Processor recommending a commercially reasonable alternative Sub-processor.
- (c) If the parties are unable to resolve the objection within thirty (30) days of the Controller's objection notice, the Controller may, as its sole and exclusive remedy, terminate the affected portion of the Services by providing written notice to the Processor, without penalty.
5.6 Sub-processor Obligations
The Processor shall:
- (a) Ensure that each Sub-processor is bound by a written agreement imposing data protection obligations no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate Technical and Organizational Measures (GDPR Article 28(4));
- (b) Conduct a security and data protection assessment of each Sub-processor before engagement;
- (c) Conduct an annual compliance review of each Sub-processor.
5.7 Processor Liability
The Processor shall remain fully liable to the Controller for the performance of each Sub-processor's obligations under the sub-processing agreement. Where a Sub-processor fails to fulfill its data protection obligations, the Processor shall remain liable to the Controller for the performance of that Sub-processor's obligations (GDPR Article 28(4)).
6. International Data Transfers
6.1 Transfer Mechanisms
Where Personal Data is transferred from the EEA, the UK, or Switzerland to a country that has not been deemed to provide an adequate level of data protection by the relevant authority, the Processor shall ensure that appropriate safeguards are in place in accordance with Applicable Data Protection Law.
6.2 Standard Contractual Clauses (EEA Transfers)
For transfers of Personal Data from the EEA to the United States or other countries without an adequacy decision, the Standard Contractual Clauses adopted by the European Commission pursuant to Implementing Decision (EU) 2021/914 are hereby incorporated by reference into this DPA:
- (a) Module 2 (Controller to Processor) shall apply;
- (b) For Clause 7, the optional docking clause is included, allowing additional parties to accede to the SCCs;
- (c) For Clause 9(a), Option 2 (general written authorization) is selected, with a notification period of ten (10) days as set out in Section 5.4;
- (d) For Clause 11, the optional language regarding independent dispute resolution is not included;
- (e) For Clause 17, Option 1 (governing law of an EU Member State that allows third-party beneficiary rights) is selected; the governing law shall be that of Ireland;
- (f) For Clause 18(b), disputes shall be resolved before the courts of Ireland;
- (g) Annex I of the SCCs is completed by Section 3 (Processing Details) of this DPA;
- (h) Annex II of the SCCs is completed by Section 9 (Technical and Organizational Measures) of this DPA;
- (i) The competent Supervisory Authority shall be the supervisory authority of the EU Member State in which the Controller is established, or where the Controller is not established in the EEA, the Irish Data Protection Commission.
6.3 UK International Data Transfer Addendum
For transfers of Personal Data from the United Kingdom, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses ("UK IDTA"), issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018, is hereby incorporated by reference into this DPA. The UK IDTA shall apply in addition to the SCCs for UK transfers, with the modifications and supplementary terms as set out therein.
6.4 EU-US Data Privacy Framework
Where applicable, NexxaScreen participates in or relies upon the EU-US Data Privacy Framework ("DPF"), the UK Extension to the DPF, and/or the Swiss-US Data Privacy Framework as supplementary safeguards for transatlantic data transfers. The DPF shall serve as a supplementary transfer mechanism and does not replace the SCCs.
6.5 Transfer Impact Assessment
The Processor shall, upon request, provide the Controller with a Transfer Impact Assessment ("TIA") evaluating the laws and practices of the destination country relevant to the specific transfer, including government access to data, in order to assist the Controller in assessing whether supplementary measures are necessary.
6.6 Data Storage Locations
Personal Data is primarily stored in the following locations:
| Provider | Location | Purpose |
|---|---|---|
| Amazon Web Services (AWS) | United States (us-east-1, N. Virginia) | Primary infrastructure, compute, storage, AI services |
| Hetzner Online GmbH | Germany (EU) | EU-based hosting and storage |
The Processor shall not transfer Personal Data to a new country without first notifying the Controller and ensuring appropriate transfer mechanisms are in place.
7. CCPA Service Provider Addendum
This Section 7 applies to the extent that NexxaScreen processes Personal Data that constitutes "personal information" of California consumers as defined by the CCPA.
7.1 Service Provider Status
NexxaScreen acts as a "Service Provider" as defined under CCPA Section 1798.140(ag) with respect to personal information received from or on behalf of the Controller.
7.2 Purpose Limitation
NexxaScreen shall not:
- (a) Sell or share (as those terms are defined in CCPA Section 1798.140(ad) and 1798.140(ah)) personal information received from or on behalf of the Controller;
- (b) Retain, use, or disclose personal information for any purpose other than for the specific purpose of performing the Services specified in the Agreement, including retaining, using, or disclosing personal information for a commercial purpose other than providing the Services;
- (c) Retain, use, or disclose personal information outside of the direct business relationship between NexxaScreen and the Controller;
- (d) Combine personal information received from or on behalf of the Controller with personal information received from other sources, except as expressly permitted by the CCPA.
7.3 CCPA Certification
NexxaScreen hereby certifies that it understands and will comply with the restrictions set out in Section 7.2 and that it does not sell or share (as defined by the CCPA) personal information received from or on behalf of the Controller.
7.4 Consumer Rights Assistance
NexxaScreen shall cooperate with and assist the Controller in responding to verifiable consumer requests under the CCPA, including the right to know, the right to delete, the right to correct, and the right to opt-out of sale/sharing. NexxaScreen shall respond to the Controller's requests for assistance within five (5) business days.
7.5 Compliance Notification
NexxaScreen shall notify the Controller if it determines that it can no longer meet its obligations under the CCPA as a Service Provider.
7.6 Controller Remedies
The Controller shall have the right to take reasonable and appropriate steps to help ensure that NexxaScreen uses personal information in a manner consistent with the Controller's obligations under the CCPA, including ongoing manual reviews and automated scans, and regular assessments. Upon notice of non-compliance under Section 7.5, the Controller may take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
8. India DPDP Act Addendum
This Section 8 applies to the extent that NexxaScreen processes personal data of Data Principals located in India, subject to the Digital Personal Data Protection Act, 2023.
8.1 Lawful Basis
Processing of Data Principals' personal data under this DPA is consent-based in accordance with the DPDP Act. The Controller, as the Data Fiduciary, is responsible for obtaining valid consent from Data Principals prior to submitting their personal data to the Services. NexxaScreen acknowledges that the DPDP Act does not recognize legitimate interest as a lawful basis for processing.
8.2 Data Principal Rights Assistance
NexxaScreen shall assist the Controller (as Data Fiduciary) in facilitating the exercise of Data Principal rights under the DPDP Act, including:
- (a) Right to access information about processing;
- (b) Right to correction and erasure of personal data;
- (c) Right to grievance redressal;
- (d) Right to nominate another individual to exercise rights in case of death or incapacity.
8.3 Grievance Officer
NexxaScreen designates the following Grievance Officer for the purposes of the DPDP Act:
Name: Vinay Jain
Email: [email protected]
Response Time: Within thirty (30) days of receipt of a grievance, in accordance with the DPDP Rules
8.4 Security Safeguards
NexxaScreen shall implement reasonable security safeguards to protect personal data of Data Principals as required under Section 8 of the DPDP Act. The Technical and Organizational Measures set out in Annex II (Section 9) of this DPA satisfy this requirement.
8.5 Cross-Border Transfers
The Controller confirms that the transfer of personal data of Data Principals to NexxaScreen's processing locations (as described in Section 6.6) is not restricted by any notification issued by the Central Government of India under Section 16 of the DPDP Act. Should the Central Government issue a notification restricting such transfers, the parties shall cooperate in good faith to implement alternative arrangements.
8.6 Consent Manager Readiness
NexxaScreen shall support integration with certified Consent Managers (as defined under the DPDP Act and DPDP Rules) by November 2026, in accordance with the timeline prescribed under the DPDP Rules. Such integration will enable Data Principals to manage, review, and withdraw consent through a certified Consent Manager platform.
8.7 Breach Notification under DPDP Act
In the event of a personal data breach affecting Data Principals in India, NexxaScreen shall, in addition to the obligations under Section 4.8, assist the Controller in notifying the Data Protection Board of India as required under Section 8(6) of the DPDP Act.
9. Technical and Organizational Measures (Annex II)
This Section 9 serves as Annex II to this DPA and to the Standard Contractual Clauses where applicable. The Processor implements and maintains the following Technical and Organizational Measures to protect Personal Data.
9.1 Encryption
| Measure | Implementation |
|---|---|
| Data in transit | TLS 1.2 or higher for all connections to and from the NexxaScreen platform, APIs, and internal services |
| Data at rest | AES-256 encryption for all stored Personal Data, including interview recordings, transcripts, and assessments |
| Database encryption | Encryption enabled at the database engine level for all production databases |
| Key management | Encryption keys managed through AWS Key Management Service (KMS) with automatic rotation |
| Backup encryption | All backup data encrypted with AES-256 before storage |
9.2 Access Control
| Measure | Implementation |
|---|---|
| Role-Based Access Control (RBAC) | Principle of least privilege applied; access granted only to the minimum scope necessary for each role |
| Multi-Factor Authentication (MFA) | Required for all administrative accounts and all employees with access to Personal Data |
| Unique credentials | Each authorized person is assigned unique credentials; no shared accounts permitted |
| Password policy | Minimum 12 characters, complexity requirements enforced, passwords hashed with bcrypt |
| Session management | Automatic session timeout after period of inactivity; secure session token handling |
| Access reviews | Quarterly reviews of all access permissions; prompt revocation upon role change or termination |
| Privileged access management | Administrative access logged, monitored, and subject to approval workflows |
9.3 Infrastructure Security
| Measure | Implementation |
|---|---|
| Cloud infrastructure | AWS infrastructure; AWS maintains SOC 2 Type II attestation and ISO/IEC 27001 certification for the underlying services |
| EU hosting | Hetzner Online GmbH with ISO 27001 certified data centers (Germany) |
| Network segmentation | Production, staging, and development environments separated; firewall rules restrict inter-segment traffic |
| DDoS protection | Distributed denial-of-service protection and mitigation at the infrastructure layer |
| Vulnerability scanning | Automated vulnerability scanning of all production systems on a regular schedule |
| Patch management | Security patches applied promptly; critical patches within 48 hours of availability |
| Secure development | Secure development lifecycle (SDLC) practices, including code review and static analysis |
9.4 Monitoring and Logging
| Measure | Implementation |
|---|---|
| Audit logging | Comprehensive logging of all data access, modifications, and administrative actions |
| Log integrity | Logs stored in append-only format with tamper detection |
| Log retention | Audit logs retained for seven (7) years |
| Anomaly detection | Automated alerting for suspicious access patterns and potential security incidents |
| Log review | Regular review of security logs by authorized personnel |
| Log access | Access to audit logs restricted to authorized security personnel only |
9.5 Incident Response
| Measure | Implementation |
|---|---|
| Incident response plan | Documented incident response plan covering identification, containment, eradication, recovery, and lessons learned |
| Incident response team | Designated incident response team with defined roles and responsibilities |
| Breach notification | 72-hour breach notification capability as described in Section 4.8 |
| Communication protocols | Pre-established communication channels and escalation procedures |
| Post-incident review | Mandatory post-incident review and remediation following every security incident |
| Incident response testing | Annual tabletop exercises and simulated incident response drills |
| Evidence preservation | Procedures for forensic evidence collection and preservation |
9.6 Business Continuity and Disaster Recovery
| Measure | Implementation |
|---|---|
| Backup frequency | Automated backups of all production data at least daily |
| Backup storage | Geographically separated backup storage in a different availability zone or region |
| Backup testing | Regular testing of backup restoration procedures |
| Disaster recovery plan | Documented and tested disaster recovery procedures |
| Recovery Time Objective (RTO) | Four (4) hours |
| Recovery Point Objective (RPO) | One (1) hour |
| Redundancy | Redundant systems and failover mechanisms for critical services |
9.7 Employee Security
| Measure | Implementation |
|---|---|
| Background checks | Background checks conducted for all employees with access to Personal Data, to the extent permitted by applicable law |
| Security training | Annual security awareness training covering data protection, phishing, social engineering, and incident reporting |
| Confidentiality agreements | All employees and contractors bound by written confidentiality and non-disclosure agreements |
| Acceptable use policies | Documented acceptable use policies for company systems and data |
| Secure offboarding | Prompt revocation of all access upon termination; return of company devices and data; exit procedures documented |
9.8 Vendor and Sub-processor Security
| Measure | Implementation |
|---|---|
| Pre-engagement assessment | Security and data protection assessment of all Sub-processors before engagement |
| Contractual requirements | Written data protection agreements with all Sub-processors imposing obligations no less protective than this DPA |
| Annual review | Annual compliance and security review of all active Sub-processors |
| Risk classification | Sub-processors classified by risk level based on the nature and volume of Personal Data processed |
| Termination rights | Contractual right to terminate Sub-processor agreements in the event of material non-compliance |
9.9 Physical Security
| Measure | Implementation |
|---|---|
| Data center security | All data centers (AWS, Hetzner) maintain physical access controls including biometric access, CCTV surveillance, and 24/7 security personnel |
| Visitor management | Data center access restricted to authorized personnel; visitor logs maintained |
| Environmental controls | Fire suppression, climate control, and uninterruptible power supply (UPS) systems at all data center locations |
10. Term, Termination, and Data Disposition
10.1 Term
This DPA shall become effective on the Effective Date stated above and shall remain in force for the duration of the Agreement between the Controller and the Processor. This DPA shall automatically terminate upon termination or expiry of the Agreement, subject to the obligations in Sections 10.2 through 10.5 which shall survive.
10.2 Data Return
Upon termination or expiry of the Agreement, the Controller may, by written request submitted within thirty (30) days of termination, instruct the Processor to return all Personal Data in a standard, machine-readable format (CSV or JSON for structured data, at the Controller's election; interview recordings in their original media format). The Processor shall comply with such request within thirty (30) days of receipt.
10.3 Data Deletion
If the Controller does not request the return of Personal Data within the thirty (30) day period specified in Section 10.2, or upon completion of the data return, the Processor shall permanently delete all Personal Data from its systems within thirty (30) days, including all copies, replicas, and backups, unless retention is required by Applicable Data Protection Law.
10.4 Certification of Deletion
Upon the Controller's written request, the Processor shall provide a written certification confirming that all Personal Data has been permanently deleted in accordance with this Section 10, signed by an authorized representative of the Processor.
10.5 Survival
The following provisions shall survive the termination or expiry of this DPA:
- (a) Section 4.2 (Confidentiality);
- (b) Section 4.8 (Personal Data Breach Notification), to the extent a breach is discovered after termination relating to data processed during the term;
- (c) Section 4.9 (Audit and Compliance), for a period of twelve (12) months following termination;
- (d) Section 10 (Term, Termination, and Data Disposition);
- (e) Any provision of this DPA that by its nature is intended to survive termination.
10.6 Continuing Obligations
The obligations of the Processor under this DPA shall continue for so long as the Processor processes, stores, or has access to Personal Data on behalf of the Controller, regardless of whether the Agreement has been terminated.
11. General Provisions
11.1 Governing Law
This DPA shall be governed by and construed in accordance with the laws governing the Agreement, unless otherwise required by Applicable Data Protection Law.
11.2 Entire Agreement
This DPA, together with its Annexes and the Agreement, constitutes the entire agreement between the parties with respect to the processing of Personal Data and supersedes all prior or contemporaneous agreements, representations, and understandings relating to such subject matter.
11.3 Amendments
This DPA may only be amended by a written instrument signed by both parties, except that NexxaScreen may update the Technical and Organizational Measures (Section 9) from time to time, provided that such updates do not materially decrease the overall level of protection afforded to Personal Data.
11.4 Severability
If any provision of this DPA is found to be invalid or unenforceable by a court of competent jurisdiction, such invalidity or unenforceability shall not affect the remaining provisions, which shall continue in full force and effect.
11.5 No Third-Party Beneficiaries
Except as provided in the Standard Contractual Clauses, this DPA does not create any third-party beneficiary rights.
11.6 Notices
All notices under this DPA shall be sent to:
To the Processor:
Sentient AI Inc. (dba NexxaScreen)
8 The Green STE R, Dover, DE 19901
Email: [email protected]
Privacy inquiries: [email protected]
To the Controller:
At the address and email associated with the Controller's NexxaScreen account, or as otherwise specified in the Agreement.
11.7 Counterparts
This DPA may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Electronic signatures shall be deemed original signatures for all purposes.
Annex I — Processing Details
See Section 3 of this DPA.
Annex II — Technical and Organizational Measures
See Section 9 of this DPA.
SENTIENT AI INC. (dba NexxaScreen)
For questions regarding this Data Processing Agreement, contact: [email protected]