Vesper

This Data-Processing Agreement (“DPA”) is incorporated by reference into (a) any Master Subscription Agreement or Order Form between Vesper Technologies Inc. (“Vesper,” “we,” “us,” “our”) and the customer identified therein (“Customer,” “controller”) and (b) the live privacy-and-security documents in Vesper’s Trust Center (https://askvesper.com/trust-center).

‍

Vesper may update this DPA to reflect changes in law or processing practices. If an update materially reduces Customer’s rights, Vesper will give at least thirty (30) days’ notice via the Trust Center or email. Continued use of the Services after the effective date constitutes acceptance.

‍

1. Definitions

‍

“Personal Data,” “Data Subject,” “Controller,” “Processor,” “Processing,” and “Personal-Data Breach” have the meanings in applicable legislation.

‍

Privacy Laws (or “Applicable Data-Protection Law”) means all data-protection and privacy statutes, regulations and guidance that govern either party’s processing of Personal Data, including but not limited to the EU GDPR, UK GDPR, Canada’s PIPEDA and Québec Law 25, and U.S. state privacy acts that cover employment data.

‍

“Customer Personal Data” means Personal Data processed by Vesper on Customer’s behalf under the Agreement.

‍

“SCCs” means the EU 2021 Standard Contractual Clauses and, where applicable, the UK International Data-Transfer Addendum.

All other capitalised terms follow the Agreement.

‍

2. Roles and scope

‍

2.1 Controller / Processor. Customer is the Controller of Customer Personal Data; Vesper is the Processor and will act only on documented instructions, unless required by Privacy Laws.

2.2 Independent-controller activities. For service security, integrity, de-identified analytics and legal compliance, Vesper acts as an independent Controller, as explained in the Privacy Policy and Trust Center.

2.3 Details of processing appear in Schedule 1.

‍

3. Vesper obligations

‍

Vesper shall:

process Customer Personal Data only on documented instructions;
ensure personnel are bound by confidentiality;
implement and maintain the technical and organisational measures (“TOMs”) described in the Trust Center;
assist Customer with data-subject requests, DPIAs, regulator queries and security incidents, taking into account the nature of processing;
on termination, delete or return Customer Personal Data unless law requires storage;
make available information necessary to demonstrate compliance and allow audits per Clause 8; and
notify Customer if we believe an instruction violates Privacy Laws.

4. Sub-processors

General authorisation. Customer authorises Vesper to use sub-processors; the up-to-date list is in the Trust Center.
Advance notice. Vesper will post or email notice at least ten (10) days before adding or replacing a sub-processor. Customer may object on reasonable privacy grounds.
Flow-down. Vesper imposes data-protection terms on each sub-processor that are no less protective than this DPA and remains liable for their actions.

5 International transfers

‍

Transfers outside the jurisdiction of origin follow a recognised mechanism:

EU/EEA → non-EEA: SCCs (Modules 2 & 3).
UK → non-UK: UK IDTA Addendum.
Swiss data: SCCs as adapted.

SCC appendices, TOMs and Transfer-Impact Assessments are in the Trust Center. Execution of this DPA constitutes execution of the SCCs/Addendum for relevant transfers.

‍

6 California service-provider certification

‍

For California Personal Data Vesper acts as a “service provider/contractor” under the CPRA. Vesper will not:
a) sell or share such Personal Data;
b) retain, use or disclose it for purposes other than performing the Services or as permitted by law; or
c) combine it with other data except as allowed by the CPRA.

‍

7 Security incidents

‍

Vesper will notify Customer without undue delay after confirming a Personal-Data Breach and will provide details, mitigation steps and cooperation as required by Privacy Laws.

‍

8 Audits

‍

Once per twelve-month period, or following a confirmed Personal-Data Breach, Customer may audit Vesper’s compliance. At Vesper’s option, audits may be satisfied through a current SOC 2 Type II, ISO 27001, or equivalent report, completed questionnaire, or on-site visit (30-days’ notice, business hours, confidentiality applied).

‍

9 Liability & term

‍

Liability under this DPA is capped under the Agreement’s limitation clause. This DPA lasts as long as Vesper processes Customer Personal Data under the Agreement.

‍

10 Order of precedence

‍

If this DPA conflicts with the Agreement, this DPA prevails to the extent of the conflict on data-protection matters.

‍

Schedule 1 – Details of Processing

Data Subjects. Job applicants / candidates provided by Customer.
Categories of Personal Data. Interview audio/video, transcripts, names, contact details, résumé/CV data, job IDs, scheduling metadata, AI scores & rankings, optional demographic answers.
Sensitive Data. Not intentionally collected; if supplied, handled or deleted per Privacy Laws.
Purpose. Capture and evaluate interview responses; present results to Customer; security, support, de-identified accuracy & fairness analytics; legal compliance.
Duration. For the term of the Agreement or as instructed by Customer; deletion/return on termination.
Processing locations. Primary hosting in Canada and the United States; additional locations as listed in the Trust Center.

Schedule 2 – SCC / IDTA incorporation
‍

The SCCs (Modules 2 and 3) and the UK IDTA Addendum are incorporated by reference. Annex-information references:

Annex I(A) – Parties: Customer (exporter); Vesper (importer).
Annex I(B) & (C) – See Schedule 1 and Trust Center TOMs.
Annex II – Technical and organisational measures: Trust Center.
Annex III – Sub-processor list: Trust Center.
For Clause 9(a) (sub-processor changes) the notice period is ten (10) days.
Clause 17 governing law: Ireland. Clause 18 courts: Dublin.

‍

Data-Processing Addendum (DPA)