Data Processing Agreement

Last updated: February 28, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between TalentLens and the User.

1. Definitions

"Controller" means the User of TalentLens who determines the purposes and means of processing candidate personal data.

"Processor" means TalentLens, which processes candidate personal data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person ("data subject") that the Controller uploads, inputs, or otherwise processes through the Service.

"Processing" means any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.

"Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.

2. Scope and Purpose

This DPA applies to all processing of personal data by TalentLens on behalf of the User in connection with the Service. The purpose of processing is to provide the recruiting intelligence features of TalentLens, including candidate profile storage, AI-powered evaluation and matching, outreach generation, and analytics.

3. Types of Personal Data Processed

The categories of personal data processed through the Service include:

Identity data: Full name, professional headline.
Contact data: Email address, phone number, city, country.
Professional data: Employment history, education records, skills, publications, portfolio and professional profile URLs.
Recruitment data: Resume/CV content, salary expectations, availability, visa status, relocation preferences.
Evaluation data: AI-generated assessments, match scores, interview questions and answers.

Data subjects: Candidates for employment whose data is uploaded by the User.

4. Obligations of the Processor (TalentLens)

TalentLens shall:

a) Process personal data only on documented instructions from the Controller (the User), including with respect to transfers to third countries, unless required by applicable law;

b) Ensure that persons authorized to process personal data have committed themselves to confidentiality;

c) Implement appropriate technical and organizational security measures, including encryption at rest and in transit, access controls, and regular security testing;

d) Not engage another processor (sub-processor) without prior written authorization from the Controller. A list of current sub-processors is provided in Section 6;

e) Assist the Controller in fulfilling data subject requests by providing tools for data access, rectification, and deletion;

f) Assist the Controller in ensuring compliance with security, breach notification, data protection impact assessment, and prior consultation obligations;

g) At the choice of the Controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless required by law;

h) Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits and inspections.

5. Obligations of the Controller (User)

The User shall:

a) Ensure they have a lawful basis for all personal data uploaded to the Service;

b) Provide clear processing instructions to TalentLens through their use of the Service;

c) Inform data subjects about the processing of their data as required by applicable law;

d) Respond to data subject requests within the timeframes required by applicable law;

e) Implement appropriate data retention practices and regularly review stored data for continued necessity;

f) Notify TalentLens promptly if they become aware of any data breach or security incident affecting personal data processed through the Service.

6. Sub-processors

The Controller authorizes the use of the following sub-processors:

Supabase, Inc. — Database hosting, authentication, and storage. Location: United States (AWS infrastructure).
Anthropic, PBC — AI processing for candidate evaluations. Location: United States. Data is processed in real-time and not retained beyond the API request.
Vercel, Inc. — Application hosting and content delivery. Location: United States and global edge network.

TalentLens will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. If the Controller objects and TalentLens cannot reasonably accommodate the objection, either party may terminate the agreement.

7. International Transfers

Where personal data is transferred outside the EEA, TalentLens ensures appropriate safeguards are in place, including: Standard Contractual Clauses (SCCs) as approved by the European Commission; reliance on adequacy decisions where applicable; and supplementary measures such as encryption and access controls.

8. Security Measures

TalentLens implements the following technical and organizational measures:

Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest.
Access control: Role-based access; unique authentication per user; hashed passwords.
Infrastructure: Hosted on enterprise-grade cloud infrastructure with physical security, redundancy, and monitoring.
Incident response: Documented procedures for security incident detection, response, and notification.
Data isolation: Each User's data is logically separated and accessible only through authenticated access to their account.

9. Data Breach Notification

In the event of a personal data breach, TalentLens will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of the breach. The notification will include: the nature of the breach; categories and approximate number of data subjects affected; likely consequences; and measures taken or proposed to address the breach.

10. Duration and Termination

This DPA is effective for the duration of the Controller's use of the Service. Upon termination, TalentLens will delete all personal data within 30 days unless retention is required by applicable law. The Controller may request data export prior to termination.

11. Governing Law

This DPA shall be governed by the same law that governs the Terms of Service. To the extent that GDPR applies, the provisions of this DPA shall be interpreted in accordance with the GDPR.

12. Contact

For questions about this DPA, please contact: dpo@talentlens.app