Data Processing Addendum

Effective Date: December 10, 2025

This Data Processing Addendum ("DPA") is incorporated into and forms part of the Talent& Services Agreement (the "Agreement") between Solo Eleven, Inc ("Talent&" or "Processor") and the customer entity identified in the Agreement ("Customer" or "Controller").

1. Definitions

"Applicable Data Protection Laws" means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including:

  • The General Data Protection Regulation (EU) 2016/679 ("GDPR")
  • The UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR")
  • The California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA")
  • The Texas Data Privacy and Security Act ("TDPSA")
  • Other applicable U.S. state privacy laws

"Controller" means the natural or legal person that determines the purposes and means of Processing Personal Data.

"Data Subject" means an identified or identifiable natural person whose Personal Data is Processed.

"EEA" means the European Economic Area.

"Personal Data" means any information relating to an identified or identifiable natural person that is Processed by Talent& on behalf of Customer in connection with the Services.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

"Processing" (and "Process") means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.

"Processor" means a natural or legal person that Processes Personal Data on behalf of the Controller.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission.

"Subprocessor" means any Processor engaged by Talent& to Process Personal Data on behalf of Customer.

"Supervisory Authority" means an independent public authority responsible for monitoring the application of Applicable Data Protection Laws.

2. Scope and Roles

2.1 Applicability

This DPA applies to the Processing of Personal Data by Talent& on behalf of Customer in connection with the Services.

2.2 Roles of the Parties

  • Customer is the Controller of Personal Data Processed through the Services
  • Talent& is the Processor acting on behalf of Customer

2.3 Customer's Processing

Customer agrees that:

(a) It will comply with Applicable Data Protection Laws in its use of the Services;

(b) It has all necessary rights and lawful bases to provide Personal Data to Talent& for Processing;

(c) It will provide all required notices to, and obtain all required consents from, Data Subjects;

(d) Its instructions to Talent& will comply with Applicable Data Protection Laws.

3. Processing of Personal Data

3.1 Customer Instructions

Talent& will Process Personal Data only:

(a) In accordance with Customer's documented instructions;

(b) As necessary to provide the Services;

(c) As required by Applicable Data Protection Laws.

If Talent& believes an instruction violates Applicable Data Protection Laws, Talent& will promptly notify Customer.

3.2 Details of Processing

Subject Matter: Processing of workforce and organizational data to provide enterprise analytics services.

Duration: For the term of the Agreement plus any retention period specified herein.

Nature and Purpose: Talent& Processes Personal Data to:

  • Generate workforce analytics and insights
  • Provide predictive analytics (e.g., flight risk, performance trajectory)
  • Create organizational visualizations
  • Enable integrations with customer systems

Types of Personal Data:

  • Identifiers (name, employee ID, email address)
  • Employment information (title, department, tenure, reporting structure)
  • Communication metadata (timestamps, participants, frequency)
  • Calendar and meeting data
  • Organizational relationship data

Categories of Data Subjects:

  • Customer's employees
  • Customer's contractors
  • Other workforce members

3.3 No Sale of Personal Data

Talent& will not sell Personal Data or share Personal Data for cross-context behavioral advertising purposes.

3.4 No Training on Personal Data

Talent& will not use Personal Data to train, develop, or improve machine learning models or artificial intelligence systems, unless Customer explicitly opts in to such use in writing.

4. Security

4.1 Security Measures

Talent& will implement and maintain appropriate technical and organizational measures to protect Personal Data, including:

Technical Measures:

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls and authentication mechanisms
  • Network security and monitoring
  • Regular security testing and vulnerability assessments
  • Secure development practices

Organizational Measures:

  • Personnel security and background checks
  • Security awareness training
  • Access limited to authorized personnel with need-to-know
  • Incident response procedures
  • Vendor security assessments

4.2 Security Certifications

Talent& maintains or is pursuing:

  • SOC 2 Type II certification
  • Regular third-party security assessments

Upon Customer's written request (no more than once per year), Talent& will provide a copy of its most recent audit report, subject to confidentiality obligations.

4.3 Personnel

Talent& will ensure that personnel authorized to Process Personal Data:

(a) Are subject to confidentiality obligations;

(b) Have received appropriate training on data protection requirements;

(c) Process Personal Data only as necessary for their job functions.

5. Subprocessing

5.1 Authorized Subprocessors

Customer authorizes Talent& to engage the Subprocessors listed in Annex III to Process Personal Data.

5.2 Subprocessor Obligations

Before engaging a Subprocessor, Talent& will:

(a) Enter into a written agreement with the Subprocessor imposing data protection obligations no less protective than those in this DPA;

(b) Remain fully liable to Customer for the Subprocessor's performance.

5.3 Changes to Subprocessors

Talent& will provide Customer with at least thirty (30) days prior notice before adding or replacing a Subprocessor. Customer may object to a new Subprocessor by notifying Talent& in writing within fifteen (15) days of receipt of notice. If Customer objects, the Parties will work in good faith to resolve the objection. If no resolution is reached, Customer may terminate the affected Services without penalty.

5.4 Current Subprocessors

A current list of Subprocessors is set forth in Annex III.

6. Data Subject Rights

6.1 Assistance with Requests

Talent& will assist Customer in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.

6.2 Data Subject Requests to Talent&

If Talent& receives a request from a Data Subject regarding Personal Data Processed on behalf of Customer, Talent& will:

(a) Promptly notify Customer of the request;

(b) Not respond directly to the Data Subject except to acknowledge receipt and direct them to Customer;

(c) Assist Customer in responding to the request.

6.3 Costs

Customer will reimburse Talent& for reasonable costs incurred in providing assistance beyond that which is routine and ordinary.

7. Personal Data Breach

7.1 Notification

Talent& will notify Customer without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a Personal Data Breach affecting Customer's Personal Data.

7.2 Breach Information

The notification will include, to the extent known:

(a) A description of the nature of the breach, including categories and approximate number of Data Subjects and Personal Data records affected;

(b) The name and contact details of Talent&'s point of contact;

(c) A description of the likely consequences of the breach;

(d) A description of measures taken or proposed to address the breach.

7.3 Cooperation

Talent& will cooperate with Customer and take reasonable steps to assist in investigating, mitigating, and remediating the breach.

7.4 No Admission

Notification of a Personal Data Breach is not an acknowledgment of fault or liability.

8. Data Protection Impact Assessments

Upon Customer's request, Talent& will provide reasonable assistance with data protection impact assessments and prior consultations with Supervisory Authorities, to the extent required under Applicable Data Protection Laws and relating to Customer's use of the Services.

9. Audits

9.1 Audit Rights

Upon Customer's written request (no more than once per year), Talent& will:

(a) Make available information necessary to demonstrate compliance with this DPA;

(b) Allow for and contribute to audits, including inspections, conducted by Customer or a third-party auditor mandated by Customer.

9.2 Audit Procedures

Audits will be conducted:

(a) Upon at least thirty (30) days prior written notice;

(b) During regular business hours;

(c) In a manner that minimizes disruption to Talent&'s operations;

(d) Subject to confidentiality obligations.

9.3 Costs

Customer will bear the costs of any audit. If an audit reveals material non-compliance by Talent&, Talent& will bear the costs of the audit.

10. International Data Transfers

10.1 Transfers from EEA/UK/Switzerland

For transfers of Personal Data from the EEA, UK, or Switzerland to countries not recognized as providing adequate data protection:

(a) The Parties agree to the Standard Contractual Clauses set forth in Annex I;

(b) Talent& will implement supplementary measures as appropriate;

(c) Talent& will conduct transfer impact assessments upon Customer's request.

10.2 Standard Contractual Clauses

The Standard Contractual Clauses in Annex I are incorporated into this DPA. In the event of any conflict between the SCCs and this DPA, the SCCs will prevail to the extent of the conflict.

10.3 Alternative Transfer Mechanisms

If an alternative transfer mechanism becomes available that provides adequate protections (such as a new adequacy decision), the Parties may agree to rely on that mechanism.

11. Data Retention and Deletion

11.1 Retention

Talent& will retain Personal Data for the duration of the Agreement and as specified in Section 11.2.

11.2 Deletion

Upon termination of the Agreement:

(a) Customer may export Personal Data for thirty (30) days;

(b) Talent& will delete Personal Data within thirty (30) days after the export period;

(c) Talent& will provide written confirmation of deletion upon Customer's request.

11.3 Exceptions

Talent& may retain Personal Data:

(a) As required by Applicable Data Protection Laws;

(b) In anonymized or aggregated form that cannot identify Data Subjects;

(c) In backup systems for up to ninety (90) days, after which it will be deleted.

12. Liability

12.1 Allocation of Liability

Each Party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Agreement.

12.2 Indemnification

Customer will indemnify Talent& against any claims, damages, or expenses arising from Customer's breach of its obligations under Applicable Data Protection Laws or this DPA.

13. General

13.1 Precedence

In the event of any conflict between this DPA and the Agreement, this DPA will prevail with respect to the Processing of Personal Data.

13.2 Amendments

This DPA may be amended only by written agreement signed by both Parties.

13.3 Governing Law

This DPA will be governed by the same law that governs the Agreement.

Annex I: Standard Contractual Clauses

The Parties agree that the Standard Contractual Clauses approved by European Commission Decision 2021/914 (Module Two: Controller to Processor) are incorporated into this DPA by reference for transfers of Personal Data from the EEA to Talent& in the United States.

For UK Transfers: The International Data Transfer Addendum to the EU Standard Contractual Clauses (issued by the UK Information Commissioner) is incorporated for transfers from the UK.

For Swiss Transfers: The SCCs are modified as necessary to comply with Swiss data protection requirements.

Clause-Specific Elections:

  • Clause 7 (Docking Clause): Not applicable
  • Clause 9 (Use of Subprocessors): Option 2 (general authorization)
  • Clause 11 (Redress): The optional language is not included
  • Clause 17 (Governing Law): Laws of Ireland (for EEA transfers)
  • Clause 18 (Choice of Forum): Courts of Ireland (for EEA transfers)

Annexes to SCCs:

The Annexes to the SCCs are deemed completed as follows:

  • Annex I.A (List of Parties): As identified in the Agreement
  • Annex I.B (Description of Transfer): As set forth in Section 3.2 of this DPA
  • Annex I.C (Competent Supervisory Authority): Irish Data Protection Commission (for EEA)
  • Annex II (Technical and Organizational Measures): As set forth in Section 4 of this DPA
  • Annex III (List of Subprocessors): As set forth in Annex III to this DPA

Annex II: Technical and Organizational Security Measures

Talent& implements the following technical and organizational measures:

1. Access Control

  • Role-based access controls
  • Unique user identification
  • Multi-factor authentication available
  • Regular access reviews
  • Automated deprovisioning

2. Encryption

  • TLS 1.2+ for data in transit
  • AES-256 for data at rest
  • Encryption key management procedures

3. Network Security

  • Firewalls and intrusion detection
  • Network segmentation
  • DDoS protection
  • Regular vulnerability scanning

4. Application Security

  • Secure development lifecycle
  • Code reviews
  • Security testing (SAST/DAST)
  • Penetration testing

5. Data Center Security

  • Google Cloud Platform infrastructure
  • SOC 2 Type II certified
  • Physical access controls
  • Environmental controls

6. Personnel Security

  • Background checks
  • Security awareness training
  • Confidentiality agreements
  • Access limited to need-to-know

7. Incident Response

  • Incident response plan
  • 24/7 monitoring
  • Breach notification procedures
  • Post-incident review

8. Business Continuity

  • Data backup and recovery
  • Disaster recovery planning
  • Regular testing

Annex III: List of Subprocessors

Subprocessor Purpose Location Data Processed
Google Cloud Platform / Firebase Cloud infrastructure, data storage United States All Customer Content
OpenAI, LLC AI/ML processing United States Processed inputs for analytics generation
Merge.dev HRIS integration United States HRIS data
Microsoft Corporation OAuth authentication United States Authentication credentials

Updates: Talent& will maintain a current list of Subprocessors and will notify Customer of changes in accordance with Section 5.3.

Annex IV: CCPA/CPRA Addendum

For Personal Data subject to the CCPA/CPRA:

1. Roles

  • Customer is a "Business"
  • Talent& is a "Service Provider"

2. Processing Restrictions

Talent& will:

(a) Process Personal Data only for the business purposes specified in the Agreement;

(b) Not sell or share Personal Data;

(c) Not retain, use, or disclose Personal Data outside the direct business relationship;

(d) Not combine Personal Data with data from other sources except as permitted by the CCPA/CPRA.

3. Certification

Talent& certifies that it understands and will comply with the restrictions in this Annex.

4. Assistance

Talent& will assist Customer in responding to consumer requests under the CCPA/CPRA.

Annex V: TDPSA Addendum

For Personal Data subject to the Texas Data Privacy and Security Act:

1. Roles

  • Customer is a "Controller"
  • Talent& is a "Processor"

2. Processor Obligations

Talent& will:

(a) Follow Customer's instructions with respect to Personal Data;

(b) Assist Customer with consumer rights requests;

(c) Implement appropriate security measures;

(d) Engage Subprocessors only as authorized;

(e) Delete or return Personal Data upon termination.

3. Assessment Assistance

Talent& will provide information to Customer to enable data protection assessments as required by the TDPSA.

Last Updated: December 10, 2025