Data Processing

Updated 19/11/2025

1. Introduction & Scope

1.1 This Data Processing Addendum (“DPA”) forms part of, and is subject to, the agreement between Hyaa AI Pty Ltd (“Hyaa AI”) and the customer that governs the customer’s use of the Hyaa AI platform and related services (“Agreement”).

1.2 This DPA applies only to the extent that Hyaa AI processes Personal Data on behalf of the customer in connection with the provision of the services. The parties agree to comply with the terms of this DPA in their respective capacities as Processor (Hyaa AI) and Controller (the customer), or as otherwise defined under Applicable Data Protection Laws.

1.3 In the event of any conflict between the terms of this DPA and the Agreement, the terms of this DPA shall control to the extent of the conflict with respect to the processing of Personal Data.

1.4 This DPA reflects the parties’ obligations under Applicable Data Protection Laws, including but not limited to the EU General Data Protection Regulation (“GDPR”), the UK GDPR, the Australian Privacy Act 1988 (Cth), the California Consumer Privacy Act (“CCPA”/“CPRA”), and any other laws that govern the processing of Personal Data as part of the services.

1.5 Capitalised terms used but not defined in this DPA have the meanings given in the Agreement or in Section 2 of this DPA.

2. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalised terms not defined in this Section shall have the meaning given in the Agreement.

2.1 “Agreement” means the agreement between the customer and Hyaa AI governing the provision of the Services, into which this DPA is incorporated.

2.2 “Applicable Data Protection Laws” means all laws, regulations, and rules relating to the protection of Personal Data applicable to the processing under this DPA, including the GDPR, UK GDPR, the Australian Privacy Act 1988 (Cth), the CCPA/CPRA, and any other applicable data protection or privacy legislation.

2.3 “Controller” means the entity that determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, the customer is the Controller of Customer Data.

2.4 “Processor” means the entity that processes Personal Data on behalf of the Controller. For the purposes of this DPA, Hyaa AI acts as a Processor of Customer Data.

2.5 “Customer Data” means any Personal Data submitted to, stored within, transmitted through, or otherwise processed via the Services by or on behalf of the customer, including Personal Data relating to candidates, employees, or other individuals associated with the customer.

2.6 “Data Subject” means an identified or identifiable natural person to whom the Personal Data relates.

2.7 “Personal Data” means any information relating to a Data Subject that is protected as “personal data”, “personal information”, or similar under Applicable Data Protection Laws and that is processed by Hyaa AI on behalf of the customer.

2.8 “Processing” or “Process” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, storage, analysis, alteration, retrieval, disclosure, transmission, or deletion.

2.9 “Services” means the Hyaa AI platform and related products, technologies, and services provided by Hyaa AI to the customer under the Agreement.

2.10 “Subprocessor” means any third party appointed by Hyaa AI to process Personal Data on Hyaa AI’s behalf for the purpose of providing the Services.

2.11 “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data processed by Hyaa AI.

2.12 “Standard Contractual Clauses” or “SCCs” means the applicable model contractual clauses adopted by the European Commission or equivalent UK transfer mechanisms for the lawful transfer of Personal Data outside the EEA or UK.

3. Roles of the Parties

3.1 Customer as Controller.
For the purposes of this DPA, the customer is the Controller of Customer Data. The customer determines the purposes and means of processing Customer Data, including Personal Data relating to candidates, users, and other individuals associated with the customer.

3.2 Hyaa AI as Processor.
Hyaa AI acts as a Processor of Customer Data and will process such data only on behalf of the customer and in accordance with the customer’s documented instructions, the Agreement, and this DPA, unless otherwise required by Applicable Data Protection Laws.

3.3 Hyaa AI as Controller for Limited Activities.
For certain processing activities, such as account administration, billing, security monitoring, or compliance with legal obligations, Hyaa AI may act as an independent Controller. These activities are outside the scope of this DPA and are governed by the Hyaa AI Product Privacy Notice.

3.4 Customer Responsibilities.
The customer is solely responsible for:
a. determining the lawfulness of processing Customer Data under Applicable Data Protection Laws;
b. providing all necessary notices and obtaining all necessary consents from Data Subjects;
c. ensuring Customer Data is accurate, complete, and lawful;
d. managing and restricting access to Customer Data within its organization; and
e. complying with all applicable laws in relation to its use of the Services.

3.5 Compliance with Law.
Each party shall comply with Applicable Data Protection Laws in the performance of its obligations under this DPA and the Agreement.

4. Customer Instructions

4.1 Documented Instructions.
Hyaa AI will process Customer Data only on the basis of the customer’s documented instructions, which consist of:
a. the Agreement;
b. this DPA;
c. configurations and actions taken by the customer within the Services; and
d. any additional written instructions provided by the customer and acknowledged in writing by Hyaa AI.

4.2 Scope of Instructions.
The customer’s instructions for the processing of Customer Data are limited to those necessary to provide the Services, including hosting, storage, transcription, summarization, scoring, workflow automation, and related operational functions.

4.3 Prohibited Instructions.
Hyaa AI shall promptly inform the customer if, in its opinion, an instruction violates Applicable Data Protection Laws. Hyaa AI is not required to follow instructions that are unlawful or technically infeasible.

4.4 Additional Instructions.
Any instruction outside the scope of the Services or this DPA may require:
a. a separate written agreement;
b. the payment of additional fees; or
c. technical validation by Hyaa AI.

4.5 Customer Responsibility for Instructions.
The customer is responsible for ensuring that its instructions comply with Applicable Data Protection Laws and do not cause Hyaa AI to violate any legal or contractual obligations.

5. Types of Data & Data Subjects

5.1 Categories of Data Subjects.
Customer Data processed under this DPA may relate to the following categories of Data Subjects:
a. candidates who participate in interviews or submit application materials through the Services;
b. employees, contractors, or authorized users of the customer who access or administer the Services;
c. individuals whose information appears in resumes, documents, or other materials submitted by candidates or the customer.

5.2 Categories of Personal Data.
The categories of Personal Data processed by Hyaa AI on behalf of the customer may include, without limitation:
a. identification and contact information, such as names and email addresses;
b. audio data, including interview recordings and per-question audio files;
c. transcripts and textual data, including automated transcriptions of audio content;
d. summaries, classifications, insights, and scoring generated by AI models;
e. resume data, including documents uploaded by candidates and structured fields extracted from those documents;
f. application-related information, including job preferences, role information, and employer notes or tags;
g. technical and device information, including IP address, browser type, operating system, region, timestamps, and usage metadata;
h. workflow and activity logs, including actions taken by users within the Services.

5.3 Special Categories of Data.
The Services are not designed to intentionally collect Special Categories of Data (sensitive information as defined under GDPR or equivalent laws). If such information is provided by the customer or a candidate, the customer remains solely responsible for ensuring the lawful collection and processing of that information.

5.4 Nature and Purpose of Processing.
Hyaa AI will process Personal Data for the purposes of:
a. providing, operating, and supporting the Services;
b. hosting, storing, transmitting, and retrieving Customer Data;
c. generating transcripts, summaries, insights, and scoring;
d. enabling customer workflows, AI processing, and interview functions;
e. providing customer support, troubleshooting, and maintenance;
f. ensuring the security, integrity, and availability of the Services;
g. complying with legal obligations and customer instructions.

5.5 Duration of Processing.
Hyaa AI will process Personal Data for the duration of the Agreement and, with respect to candidate data, for the fixed retention period of twelve (12) months, unless a longer retention period is required by law or explicitly agreed in writing. Following that period, Personal Data will be deleted or anonymised in accordance with Section 12 of this DPA.

6. Hyaa AI’s Obligations as Processor

6.1 Compliance.
Hyaa AI shall process Customer Data in compliance with Applicable Data Protection Laws and shall implement appropriate technical and organisational measures to protect Personal Data as described in this DPA.

6.2 Confidentiality.
Hyaa AI shall ensure that all personnel authorised to process Customer Data:
a. are bound by appropriate confidentiality obligations; and
b. process Customer Data only as necessary to provide the Services.

6.3 Security Measures.
Hyaa AI shall implement and maintain the security measures described in Annex B (Technical and Organisational Measures). These measures are designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

6.4 Assistance with Data Subject Requests.
Taking into account the nature of the processing, Hyaa AI shall provide reasonable assistance to the customer in responding to Data Subject requests under Applicable Data Protection Laws.
If such a request is received directly by Hyaa AI, Hyaa AI shall promptly forward the request to the customer unless prohibited by law.

6.5 Assistance with Compliance Obligations.
Hyaa AI shall, upon reasonable request:
a. assist the customer in conducting data protection impact assessments;
b. assist in consultations with relevant supervisory authorities; and
c. provide information necessary to demonstrate compliance with this DPA.

6.6 Compliance Documentation.
Upon reasonable request, Hyaa AI shall make available to the customer documentation describing its security measures and data protection practices, which may include policies, whitepapers, third-party reports, or other relevant materials.

6.7 Access Controls.
Hyaa AI shall limit access to Customer Data to personnel who require such access to perform the Services, and such access shall be revoked when no longer required.

6.8 Prohibited Processing.
Hyaa AI shall not:
a. sell Customer Data;
b. retain, use, or disclose Customer Data for any purpose other than providing the Services; or
c. use Customer Data for targeted advertising or profiling unrelated to the Services.

6.9 Use of Aggregated or Anonymised Data.
Nothing in this DPA prevents Hyaa AI from using aggregated or anonymised data that does not identify any individual for analytics, improvement of the Services, or other legitimate business purposes.

7. Security Measures

7.1 Implementation of Security Measures.
Hyaa AI shall implement and maintain the technical and organisational security measures set out in Annex B to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

7.2 Appropriateness of Measures.
The security measures described in Annex B are designed to:
a. ensure the ongoing confidentiality, integrity, availability, and resilience of the Services;
b. protect Customer Data against foreseeable internal or external threats; and
c. align with industry standards appropriate to the nature and sensitivity of the Personal Data processed.

7.3 Updates to Security Measures.
Hyaa AI may update or modify the security measures in Annex B from time to time, provided that any such updates:
a. do not materially reduce the overall level of protection for Customer Data; and
b. maintain a level of security consistent with Applicable Data Protection Laws and industry practices.

7.4 Customer Responsibilities.
The customer is responsible for:
a. implementing appropriate security controls within its own systems and environment;
b. managing user access, permissions, and authentication within the Services; and
c. ensuring secure handling of any Personal Data exported, downloaded, or otherwise processed outside the Services.

8. Subprocessors

8.1 Authorised Subprocessors.
The customer acknowledges and agrees that Hyaa AI may engage Subprocessors to process Customer Data on its behalf in connection with providing the Services. A current list of Subprocessors, including their roles and locations, is maintained by Hyaa AI and made available on the Subprocessors Page referenced in Annex C.

8.2 Requirements for Subprocessors.
Hyaa AI shall:
a. enter into a written agreement with each Subprocessor imposing data protection obligations that provide a level of protection substantially similar to those set out in this DPA; and
b. remain responsible for the performance of such Subprocessors to the extent required by Applicable Data Protection Laws.

8.3 Changes to Subprocessors.
Hyaa AI may update its list of Subprocessors from time to time. In the event of any new Subprocessor that materially affects the processing of Customer Data, Hyaa AI shall provide notice to the customer via the Subprocessors Page or other reasonable means.

8.4 Right to Object.
If the customer has a reasonable basis to object to the use of a new Subprocessor on data protection grounds, the customer must notify Hyaa AI in writing within ten (10) days of receiving notice. Hyaa AI will work in good faith with the customer to address the objection.
If the parties cannot reach a mutually acceptable resolution, the customer may terminate the affected portion of the Services with a pro-rata refund for any prepaid fees.

8.5 Emergency Engagement.
Hyaa AI may engage a new Subprocessor on an emergency basis (such as to maintain service continuity or security). In such cases, Hyaa AI shall provide notice as soon as reasonably practicable.

9. International Data Transfers

9.1 General.
In providing the Services, Hyaa AI may transfer and process Customer Data in countries outside the jurisdiction where the customer or Data Subjects are located. This includes transfers to regions where Hyaa AI and its Subprocessors maintain infrastructure or operations.

9.2 Adequate Protection.
Hyaa AI shall ensure that any transfer of Customer Data outside the European Economic Area (“EEA”), the United Kingdom (“UK”), or other applicable jurisdictions is performed in compliance with Applicable Data Protection Laws and is subject to appropriate safeguards.

9.3 Standard Contractual Clauses (SCCs).
For transfers of Customer Data from the EEA to countries that are not deemed to provide an adequate level of protection under Applicable Data Protection Laws, the parties agree that the SCCs form part of this DPA as further described in Annex C.

9.4 UK Addendum or IDTA.
For transfers of Customer Data from the UK to countries without an adequacy decision, the International Data Transfer Addendum (“Addendum”) to the SCCs or the UK International Data Transfer Agreement (“IDTA”), as applicable, shall apply and is incorporated by reference.

9.5 Other Transfer Mechanisms.
Where appropriate, Hyaa AI may rely on:
a. adequacy decisions;
b. certified frameworks recognised under Applicable Data Protection Laws; or
c. other lawful transfer mechanisms approved by relevant supervisory authorities.

9.6 Subprocessor Transfers.
Hyaa AI shall ensure that any Subprocessor that processes Customer Data outside the customer’s jurisdiction does so under:
a. a valid data transfer mechanism; and
b. contractual obligations consistent with this DPA.

9.7 Customer Authorization.
By entering into this DPA, the customer authorizes Hyaa AI to transfer Customer Data internationally as required to provide the Services in accordance with the Agreement, this DPA, and Applicable Data Protection Laws.

10. Assistance to Customer

10.1 Data Subject Requests.
Taking into account the nature of the processing and the information available to Hyaa AI, Hyaa AI shall provide reasonable assistance to the customer, at the customer’s request, to enable the customer to fulfil its obligations to respond to requests from Data Subjects under Applicable Data Protection Laws.
If Hyaa AI receives a Data Subject request directly, Hyaa AI shall promptly notify the customer and shall not respond except as directed by the customer or as required by law.

10.2 Security and Compliance Assistance.
Hyaa AI shall provide reasonable assistance to the customer with respect to:
a. obligations relating to the security of processing;
b. notification of Personal Data breaches to supervisory authorities or Data Subjects; and
c. consultations with supervisory authorities, where such consultations relate to the Services.

10.3 Data Protection Impact Assessments.
Taking into account the nature of the processing and information reasonably available to Hyaa AI, Hyaa AI shall provide assistance to the customer as necessary for the customer to meet its obligations to conduct data protection impact assessments (“DPIAs”) and prior consultations with supervisory authorities.

10.4 Customer Costs.
Any assistance provided by Hyaa AI under this Section that goes beyond reasonable routine support may be subject to:
a. mutually agreed fees; and
b. a written request that clearly describes the assistance required.

10.5 Limitations.
Hyaa AI is not responsible for:
a. performing DPIAs on behalf of the customer;
b. ensuring that the customer meets its independent legal obligations; or
c. providing legal advice to the customer.

11. Security Incidents

11.1 Notification.
Hyaa AI shall notify the customer without undue delay after becoming aware of a Security Incident affecting Customer Data. Such notification shall describe, to the extent known at the time:
a. the nature of the Security Incident;
b. the categories and approximate number of affected Data Subjects;
c. the categories and approximate volume of affected Personal Data;
d. the likely consequences of the Security Incident; and
e. the measures taken or proposed to address or mitigate the Security Incident.

11.2 Ongoing Updates.
Hyaa AI shall provide the customer with updates regarding the Security Incident as more information becomes available, to the extent permitted by law and insofar as such updates are necessary for the customer to meet its obligations.

11.3 Cooperation.
Hyaa AI shall take all reasonable steps to contain, investigate, and remediate the Security Incident and shall provide reasonable cooperation to the customer in fulfilling the customer’s obligations under Applicable Data Protection Laws, including any notifications to supervisory authorities or affected Data Subjects.

11.4 No Admission of Fault.
Notification of a Security Incident by Hyaa AI shall not be construed as an admission of fault or liability by Hyaa AI.

11.5 Customer Responsibilities.
The customer is responsible for:
a. ensuring that its own systems and credentials are protected;
b. providing accurate and up-to-date contact information for incident notification; and
c. taking any measures reasonably required by law or regulatory guidance in connection with a Security Incident.

12. Return or Deletion of Data

12.1 Deletion at End of Processing.
Upon termination or expiration of the Agreement, or upon written request from the customer, Hyaa AI shall, to the extent technically feasible, delete or return all Customer Data processed on behalf of the customer, unless Hyaa AI is required to retain such data under Applicable Data Protection Laws.

12.2 Customer Exports.
Before the termination or expiration of the Agreement, the customer is responsible for exporting or retrieving any Customer Data it wishes to retain. Hyaa AI shall make Customer Data available for export for a reasonable period following termination, after which Hyaa AI may permanently delete such data.

12.3 Standard Retention Period for Candidate Data.
Notwithstanding Section 12.1, Hyaa AI will retain candidate-related Personal Data (including audio recordings, transcripts, summaries, scoring, resume data, and metadata) for a fixed period of twelve (12) months from the date of collection, after which such data will be securely deleted or anonymised unless a longer period is required by law.

12.4 Deletion of Backups.
Customer Data stored in routine backups will be deleted in accordance with Hyaa AI’s standard backup rotation and deletion schedules. During this period, such data remains protected in accordance with this DPA.

12.5 Aggregated or Anonymised Data.
Hyaa AI may retain and use aggregated or anonymised information that does not identify individuals after deletion of Customer Data. Such information is not considered Personal Data under Applicable Data Protection Laws.

12.6 Certification of Deletion.
Upon written request, Hyaa AI shall provide confirmation that Customer Data has been deleted in accordance with this Section, to the extent reasonably possible.

13. Audit Rights

13.1 Customer Audit Rights.
Upon reasonable written request, Hyaa AI shall make available to the customer information necessary to demonstrate compliance with its obligations under this DPA. Such information may include policies, technical documentation, third-party certifications, or other materials that reasonably substantiate Hyaa AI’s data protection practices.

13.2 Third-Party Reports.
Where available, Hyaa AI may satisfy its audit obligations by providing the customer with copies of independent third-party audit reports, certifications, or compliance attestations (such as SOC 2, ISO 27001, or equivalent), or by providing summaries thereof.

13.3 On-Site or Direct Audits.
If the information provided under Sections 13.1 or 13.2 is insufficient, the customer may request an on-site or direct audit. Any such audit shall:
a. be conducted no more than once per twelve (12) months, unless required by supervisory authorities or following a confirmed Security Incident;
b. be conducted by an independent auditor mutually agreed upon by the parties;
c. be limited to facilities, systems, and processes relevant to the processing of Customer Data;
d. be subject to reasonable advance notice (at least thirty (30) days); and
e. not unreasonably interfere with Hyaa AI’s normal business operations.

13.4 Confidentiality and Scope.
All audit activities shall be subject to confidentiality obligations and may not involve access to:
a. information relating to other customers;
b. proprietary or confidential business information not relevant to the audit; or
c. systems or infrastructure unrelated to the Services.

13.5 Costs.
The customer shall bear all costs associated with audits requested by the customer, except where the audit reveals a material breach of this DPA by Hyaa AI, in which case Hyaa AI shall bear the reasonable costs of the audit.

13.6 Alternative Controls.
Hyaa AI may, at its discretion, satisfy audit obligations by providing other reasonable attestations of compliance, responding to security questionnaires, or permitting a remote assessment where appropriate and sufficiently protective of Hyaa AI’s confidentiality and security obligations.

14. Liability

14.1 General.
The liability of each party under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement. Nothing in this DPA is intended to increase, expand, or modify the liability of either party beyond the limits agreed in the Agreement.

14.2 Data Protection Liability.
Each party shall be liable for damages arising from breaches of its respective obligations under this DPA and Applicable Data Protection Laws, subject always to the limitations set out in the Agreement.

14.3 Processor Limitation.
Hyaa AI shall not be responsible for:
a. the customer’s collection or handling of Personal Data outside the Services;
b. decisions made by the customer based on data processed through the Services;
c. the customer’s failure to comply with its obligations as a Controller; or
d. any processing undertaken by the customer or its third parties beyond Hyaa AI’s control.

14.4 No Liability for Customer Instructions.
Hyaa AI shall not be liable for any claim arising from:
a. processing undertaken in accordance with the customer’s instructions;
b. processing resulting from configurations, workflows, or integrations implemented by the customer; or
c. the customer’s failure to obtain appropriate rights, permissions, or consents from Data Subjects.

14.5 Exclusion of Punitive Damages.
To the maximum extent permitted by law, neither party shall be liable to the other for indirect, incidental, punitive, special, or consequential damages arising from or related to this DPA, consistent with the Agreement.

15. Terms & Termination

15.1 Term.
This DPA shall remain in effect for as long as Hyaa AI processes Customer Data on behalf of the customer under the Agreement.

15.2 Termination of the DPA.
This DPA shall automatically terminate upon termination or expiration of the Agreement, except that Sections which, by their nature or legal requirement, must survive termination shall continue to apply.

15.3 Effect of Termination.
Upon termination of the Agreement, Hyaa AI shall process Customer Data in accordance with Section 12 (Return or Deletion of Data). All obligations relating to the protection, security, and lawful handling of Customer Data shall remain in effect until such deletion is complete.

15.4 Survival.
The following obligations shall survive termination of this DPA and the Agreement:
a. confidentiality obligations;
b. obligations related to deletion and return of Customer Data;
c. limitations of liability;
d. audit rights (as applicable to completed processing);
e. any obligations required to comply with Applicable Data Protection Laws.

15.5 Continuation of Safeguards.
Hyaa AI shall maintain appropriate technical and organisational measures to protect Customer Data retained as required by law during the post-termination period described in Section 12.

Annex A - Description of Processing

This Annex forms part of the Data Processing Addendum and describes the subject matter, nature, purpose, duration, and categories of Personal Data processed by Hyaa AI on behalf of the customer.

A1. Subject Matter and Purpose of Processing
Hyaa AI processes Personal Data for the purpose of providing the Hyaa AI platform and related services to the customer, including:
a. conducting audio-based job interviews;
b. generating transcripts, summaries, and AI-derived insights;
c. performing resume extraction and structured data processing;
d. enabling scoring, classification, and ranking functionality;
e. hosting, storing, transmitting, and retrieving Customer Data;
f. supporting workflows, automation, and messaging;
g. providing troubleshooting, support, and maintenance;
h. securing and monitoring the platform; and
i. complying with the customer’s documented instructions and Applicable Data Protection Laws.

A2. Duration of Processing
Hyaa AI processes Customer Data for the duration of the Agreement.
Candidate-related Personal Data is retained for a fixed period of twelve (12) months from collection, after which it is deleted or anonymised unless a longer retention period is required by law.
Other Customer Data may be retained as necessary for legal, security, billing, or operational requirements.

A3. Nature of Processing
Processing activities may include:
  • collection
  • recording
  • storage
  • organisation
  • formatting
  • structuring
  • transcription
  • analysis
  • summarisation
  • scoring and classification
  • retrieval
  • transmission
  • restricted disclosure
  • deletion or anonymisation
  • workflow automation

All processing is performed in accordance with the customer’s instructions.

A4. Categories of Data Subjects
Processing may involve the following categories of Data Subjects:
a. job candidates participating in interviews or submitting application materials;
b. employees, contractors, administrators, and authorised users of the customer;
c. individuals referenced in resumes, documents, or other materials provided by candidates.

A5. Categories of Personal Data

The Personal Data processed may include, without limitation:

A5.1 Identification and Account Data

  • names
  • email addresses
  • authentication details
  • organisation-level profile information

A5.2 Candidate-Submitted Data

  • audio interview recordings
  • per-question audio files
  • resume documents
  • job application materials

A5.3 AI-Generated and Derived Data

  • transcripts
  • summaries
  • structured insights
  • scoring and ranking outputs
  • extracted skills and classifications

A5.4 Metadata and Technical Data

  • IP address
  • device type, browser, operating system
  • location (approximate region)
  • timestamps, logs, interaction data
  • workflow activity records
  • status and delivery metadata for messages

A5.5 Employer-Generated Data

  • notes, tags, labels
  • status updates and pipeline classifications
  • internal evaluations or comments

Hyaa AI does not intentionally process special categories of data, but such information may be included if provided by the candidate or the customer.

A6. Categories of Recipients
Personal Data may be disclosed to:
a. authorised users within the customer’s organisation;
b. Hyaa AI personnel with a legitimate need to access the data;
c. approved Subprocessors engaged to support the Services;
d. third-party systems integrated by the customer (upon customer instruction);
e. competent authorities where required by law.

A7. Cross-Border Transfers
Personal Data may be transferred internationally as described in Section 9 of the DPA. Transfers outside the EEA or UK are subject to SCCs, the UK Addendum, or other lawful mechanisms.

Annex B - Technical and Organisational Measures

This Annex describes the technical and organisational measures implemented by Hyaa AI to protect Personal Data processed on behalf of the customer. These measures are designed to ensure a level of security appropriate to the risks presented by the processing.

B1. Information Security Management

B1.1 Hyaa AI maintains policies and procedures addressing data protection, access control, secure development, incident response, and operational security.
B1.2 Access to systems handling Personal Data is limited to authorised personnel with a legitimate business need and is regularly reviewed.

B2. Access Control and Authentication

B2.1 Access to production systems requires secure authentication, including password complexity requirements and restricted administrative permissions.
B2.2 Role-based access control (RBAC) is enforced within the Services to ensure users within the customer’s organisation only access appropriate data.
B2.3 Access rights for Hyaa AI personnel are granted based on least-privilege principles and revoked promptly when no longer required.

B3. Physical Security

  • B3.1 Hyaa AI uses reputable cloud hosting providers (such as Supabase and Vercel) that maintain robust physical and environmental controls at their data centre facilities.

  • B3.2 Hyaa AI personnel do not have physical access to the data centres where Customer Data is stored.

B4. Data Encryption

  • B4.1 Personal Data is encrypted in transit using industry-standard protocols (such as TLS).

  • B4.2 Personal Data stored within the Services is encrypted at rest using technologies supported by Hyaa AI’s hosting providers.

B5. System and Network Security

  • B5.1 Firewalls, security groups, or equivalent controls are used to restrict network access to authorised endpoints.

  • B5.2 Infrastructure providers maintain continuous monitoring, threat detection, DDoS protection, and anti-abuse systems.

  • B5.3 Hyaa AI maintains application-level safeguards against common security vulnerabilities.

B6. Secure Development Practices

  • B6.1 Hyaa AI follows secure coding and deployment practices, including code review and controlled deployment workflows.

  • B6.2 Dependencies and libraries are monitored and updated as needed to address security issues.

  • B6.3 Development and testing environments are logically separated from production environments.

B7. Logging and Monitoring

  • B7.1 Hyaa AI maintains logging for relevant system activities, authentication events, and operational behaviour.

  • B7.2 Logs are monitored to identify anomalous activity or security-related events.

  • B7.3 Access to logs is restricted to authorised personnel.

B8. Data Backup and Recovery

  • B8.1 Customer Data stored within Supabase or related hosting systems is backed up in accordance with the provider’s backup and recovery policies.

  • B8.2 Backup data is protected using the same or equivalent safeguards as production data.

B9. Data Minimisation and Retention Controls

  • B9.1 Candidate data is retained for a fixed period of twelve (12) months unless otherwise legally required.

  • B9.2 Upon expiration of the retention period, data is securely deleted or anonymised.

  • B9.3 Exported data becomes the customer’s responsibility outside the platform environment.

B10. Personnel Security

  • B10.1 All Hyaa AI personnel with access to Personal Data are subject to confidentiality obligations.

  • B10.2 Personnel receive training on data protection, security awareness, and safe handling of Personal Data.

B11. Incident Management

  • B11.1 Hyaa AI maintains procedures to detect, assess, and respond to Security Incidents.

  • B11.2 In the event of a Security Incident affecting Customer Data, Hyaa AI will notify the customer in accordance with Section 11 of the DPA and provide reasonable cooperation.

B12. Vendor and Subprocessor Management

  • B12.1 Hyaa AI conducts due diligence on Subprocessors to verify they maintain adequate technical and organisational safeguards.

  • B12.2 Subprocessors are bound by contractual obligations that provide a level of protection substantially similar to this DPA.

  • B12.3 Hyaa AI maintains a publicly accessible list of approved Subprocessors.

B13. Customer Responsibilities

  • B13.1 The customer is responsible for securing its own systems, managing user access, and ensuring secure handling of Personal Data outside the Services.

  • B13.2 The customer must implement appropriate safeguards when transferring or exporting data from the platform.

Annex C - Subprocessors & International Transfer Mechanisms

C1. Approved Subprocessors

Hyaa AI engages certain third parties (“Subprocessors”) to support the provision of the Services. These Subprocessors may process Personal Data on behalf of the customer.

A current and up-to-date list of all approved Subprocessors, including their roles and processing locations, is maintained by Hyaa AI at the following location:

https://hyaa.ai/policies/subprocessors

The customer is responsible for reviewing this list periodically.
Changes to Subprocessors are notified in accordance with Section 8 of the DPA.

C2. International Transfer Mechanisms

For transfers of Personal Data from the European Economic Area (EEA), the United Kingdom (UK), or other regions with data transfer restrictions, the following mechanisms apply:

C2.1 European Economic Area

Transfers of Personal Data from the EEA to countries not deemed to provide an adequate level of protection shall be governed by the EU Standard Contractual Clauses (SCCs), incorporated by reference into this DPA.

Where applicable, the SCCs shall be applied:

  • with the customer as the data exporter,

  • with Hyaa AI as the data importer, and

  • with the relevant modules selected based on the Controller–Processor relationship.

C2.2 United Kingdom

Transfers of Personal Data from the UK to non-adequate countries shall be governed by:

  • the UK Addendum to the EU Standard Contractual Clauses (IDTA Addendum), or

  • the International Data Transfer Agreement (IDTA),

as required by UK law. The Addendum or IDTA is incorporated into this DPA by reference.

C2.3 Other Jurisdictions

Where required by other Applicable Data Protection Laws, Hyaa AI will implement:

  • adequacy decisions,

  • approved contractual clauses,

  • binding frameworks, or

  • other legally recognised safeguards.

C2.4 Customer Authorization

By entering into this DPA, the customer authorizes:

  • the use of Subprocessors;

  • the international transfer of Personal Data to Subprocessors; and

  • the application of the SCCs, UK Addendum, or equivalent measures as necessary to lawfully provide the Services.

Updated 19/11/2025

1. Introduction & Scope

1.1 This Data Processing Addendum (“DPA”) forms part of, and is subject to, the agreement between Hyaa AI Pty Ltd (“Hyaa AI”) and the customer that governs the customer’s use of the Hyaa AI platform and related services (“Agreement”).

1.2 This DPA applies only to the extent that Hyaa AI processes Personal Data on behalf of the customer in connection with the provision of the services. The parties agree to comply with the terms of this DPA in their respective capacities as Processor (Hyaa AI) and Controller (the customer), or as otherwise defined under Applicable Data Protection Laws.

1.3 In the event of any conflict between the terms of this DPA and the Agreement, the terms of this DPA shall control to the extent of the conflict with respect to the processing of Personal Data.

1.4 This DPA reflects the parties’ obligations under Applicable Data Protection Laws, including but not limited to the EU General Data Protection Regulation (“GDPR”), the UK GDPR, the Australian Privacy Act 1988 (Cth), the California Consumer Privacy Act (“CCPA”/“CPRA”), and any other laws that govern the processing of Personal Data as part of the services.

1.5 Capitalised terms used but not defined in this DPA have the meanings given in the Agreement or in Section 2 of this DPA.

2. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalised terms not defined in this Section shall have the meaning given in the Agreement.

2.1 “Agreement” means the agreement between the customer and Hyaa AI governing the provision of the Services, into which this DPA is incorporated.

2.2 “Applicable Data Protection Laws” means all laws, regulations, and rules relating to the protection of Personal Data applicable to the processing under this DPA, including the GDPR, UK GDPR, the Australian Privacy Act 1988 (Cth), the CCPA/CPRA, and any other applicable data protection or privacy legislation.

2.3 “Controller” means the entity that determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, the customer is the Controller of Customer Data.

2.4 “Processor” means the entity that processes Personal Data on behalf of the Controller. For the purposes of this DPA, Hyaa AI acts as a Processor of Customer Data.

2.5 “Customer Data” means any Personal Data submitted to, stored within, transmitted through, or otherwise processed via the Services by or on behalf of the customer, including Personal Data relating to candidates, employees, or other individuals associated with the customer.

2.6 “Data Subject” means an identified or identifiable natural person to whom the Personal Data relates.

2.7 “Personal Data” means any information relating to a Data Subject that is protected as “personal data”, “personal information”, or similar under Applicable Data Protection Laws and that is processed by Hyaa AI on behalf of the customer.

2.8 “Processing” or “Process” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, storage, analysis, alteration, retrieval, disclosure, transmission, or deletion.

2.9 “Services” means the Hyaa AI platform and related products, technologies, and services provided by Hyaa AI to the customer under the Agreement.

2.10 “Subprocessor” means any third party appointed by Hyaa AI to process Personal Data on Hyaa AI’s behalf for the purpose of providing the Services.

2.11 “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by Hyaa AI.

2.12 “Standard Contractual Clauses” or “SCCs” means the applicable model contractual clauses adopted by the European Commission or equivalent UK transfer mechanisms for the lawful transfer of Personal Data outside the EEA or UK.

3. Roles of the Parties

3.1 Customer as Controller.
For the purposes of this DPA, the customer is the Controller of Customer Data. The customer determines the purposes and means of processing Customer Data, including Personal Data relating to candidates, users, and other individuals associated with the customer.

3.2 Hyaa AI as Processor.
Hyaa AI acts as a Processor of Customer Data and will process such data only on behalf of the customer and in accordance with the customer’s documented instructions, the Agreement, and this DPA, unless otherwise required by Applicable Data Protection Laws.

3.3 Hyaa AI as Controller for Limited Activities.
For certain processing activities such as account administration, billing, security monitoring, or compliance with legal obligations Hyaa AI may act as an independent Controller. These activities are outside the scope of this DPA and are governed by the Hyaa AI Product Privacy Notice.

3.4 Customer Responsibilities.
The customer is solely responsible for:
a. determining the lawfulness of processing Customer Data under Applicable Data Protection Laws;
b. providing all necessary notices and obtaining all necessary consents from Data Subjects;
c. ensuring Customer Data is accurate, complete, and lawful;
d. managing and restricting access to Customer Data within its organization; and
e. complying with all applicable laws in relation to its use of the Services.

3.5 Compliance with Law.
Each party shall comply with Applicable Data Protection Laws in the performance of its obligations under this DPA and the Agreement.

4. Customer Instructions

4.1 Documented Instructions.
Hyaa AI will process Customer Data only on the basis of the customer’s documented instructions, which consist of:
a. the Agreement;
b. this DPA;
c. configurations and actions taken by the customer within the Services; and
d. any additional written instructions provided by the customer and acknowledged in writing by Hyaa AI.

4.2 Scope of Instructions.
The customer’s instructions for the processing of Customer Data are limited to those necessary to provide the Services, including hosting, storage, transcription, summarization, scoring, workflow automation, and related operational functions.

4.3 Prohibited Instructions.
Hyaa AI shall promptly inform the customer if, in its opinion, an instruction violates Applicable Data Protection Laws. Hyaa AI is not required to follow instructions that are unlawful or technically infeasible.

4.4 Additional Instructions.
Any instruction outside the scope of the Services or this DPA may require:
a. a separate written agreement;
b. the payment of additional fees; or
c. technical validation by Hyaa AI.

4.5 Customer Responsibility for Instructions.
The customer is responsible for ensuring that its instructions comply with Applicable Data Protection Laws and do not cause Hyaa AI to violate any legal or contractual obligations.

5. Types of Data & Data Subjects

5.1 Categories of Data Subjects.
Customer Data processed under this DPA may relate to the following categories of Data Subjects:
a. candidates who participate in interviews or submit application materials through the Services;
b. employees, contractors, or authorized users of the customer who access or administer the Services;
c. individuals whose information appears in resumes, documents, or other materials submitted by candidates or the customer.

5.2 Categories of Personal Data.
The categories of Personal Data processed by Hyaa AI on behalf of the customer may include, without limitation:
a. identification and contact information, such as names and email addresses;
b. audio data, including interview recordings and per-question audio files;
c. transcripts and textual data, including automated transcriptions of audio content;
d. summaries, classifications, insights, and scoring generated by AI models;
e. resume data, including documents uploaded by candidates and structured fields extracted from those documents;
f. application-related information, including job preferences, role information, and employer notes or tags;
g. technical and device information, including IP address, browser type, operating system, region, timestamps, and usage metadata;
h. workflow and activity logs, including actions taken by users within the Services.

5.3 Special Categories of Data.
The Services are not designed to intentionally collect Special Categories of Data (sensitive information as defined under GDPR or equivalent laws). If such information is provided by the customer or a candidate, the customer remains solely responsible for ensuring the lawful collection and processing of that information.

5.4 Nature and Purpose of Processing.
Hyaa AI will process Personal Data for the purposes of:
a. providing, operating, and supporting the Services;
b. hosting, storing, transmitting, and retrieving Customer Data;
c. generating transcripts, summaries, insights, and scoring;
d. enabling customer workflows, AI processing, and interview functions;
e. providing customer support, troubleshooting, and maintenance;
f. ensuring the security, integrity, and availability of the Services;
g. complying with legal obligations and customer instructions.

5.5 Duration of Processing.
Hyaa AI will process Personal Data for the duration of the Agreement and, with respect to candidate data, for the fixed retention period of twelve (12) months, unless a longer retention period is required by law or explicitly agreed in writing. Following such a period, Personal Data will be deleted or anonymised in accordance with Section 12 of this DPA.

6. Hyaa AI’s Obligations as Processor

6.1 Compliance.
Hyaa AI shall process Customer Data in compliance with Applicable Data Protection Laws and shall implement appropriate technical and organisational measures to protect Personal Data as described in this DPA.

6.2 Confidentiality.
Hyaa AI shall ensure that all personnel authorised to process Customer Data:
a. are bound by appropriate confidentiality obligations; and
b. process Customer Data only as necessary to provide the Services.

6.3 Security Measures.
Hyaa AI shall implement and maintain the security measures described in Annex B (Technical and Organisational Measures). These measures are designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

6.4 Assistance with Data Subject Requests.
Taking into account the nature of the processing, Hyaa AI shall provide reasonable assistance to the customer in responding to Data Subject requests under Applicable Data Protection Laws.
If such a request is received directly by Hyaa AI, Hyaa AI shall promptly forward the request to the customer unless prohibited by law.

6.5 Assistance with Compliance Obligations.
Hyaa AI shall, upon reasonable request:
a. assist the customer in conducting data protection impact assessments;
b. assist in consultations with relevant supervisory authorities; and
c. provide information necessary to demonstrate compliance with this DPA.

6.6 Compliance Documentation.
Upon reasonable request, Hyaa AI shall make available to the customer documentation describing its security measures and data protection practices, which may include policies, whitepapers, third-party reports, or other relevant materials.

6.7 Access Controls.
Hyaa AI shall limit access to Customer Data to personnel who require such access to perform the Services, and such access shall be revoked when no longer required.

6.8 Prohibited Processing.
Hyaa AI shall not:
a. sell Customer Data;
b. retain, use, or disclose Customer Data for any purpose other than providing the Services; or
c. use Customer Data for targeted advertising or profiling unrelated to the Services.

6.9 Use of Aggregated or Anonymised Data.
Nothing in this DPA prevents Hyaa AI from using aggregated or anonymised data that does not identify any individual for analytics, improvement of the Services, or other legitimate business purposes.

7. Security Measures

7.1 Implementation of Security Measures.
Hyaa AI shall implement and maintain the technical and organisational security measures set out in Annex B to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

7.2 Appropriateness of Measures.
The security measures described in Annex B are designed to:
a. ensure the ongoing confidentiality, integrity, availability, and resilience of the Services;
b. protect Customer Data against foreseeable internal or external threats; and
c. align with industry standards appropriate to the nature and sensitivity of the Personal Data processed.

7.3 Updates to Security Measures.
Hyaa AI may update or modify the security measures in Annex B from time to time, provided that any such updates:
a. do not materially reduce the overall level of protection for Customer Data; and
b. maintain a level of security consistent with Applicable Data Protection Laws and industry practices.

7.4 Customer Responsibilities.
The customer is responsible for:
a. implementing appropriate security controls within its own systems and environment;
b. managing user access, permissions, and authentication within the Services; and
c. ensuring secure handling of any Personal Data exported, downloaded, or otherwise processed outside the Services.

8. Subprocessors

8.1 Authorised Subprocessors.
The customer acknowledges and agrees that Hyaa AI may engage Subprocessors to process Customer Data on its behalf in connection with providing the Services. A current list of Subprocessors, including their roles and locations, is maintained by Hyaa AI and made available on the Subprocessors Page referenced in Annex C.

8.2 Requirements for Subprocessors.
Hyaa AI shall:
a. enter into a written agreement with each Subprocessor imposing data protection obligations that provide a level of protection substantially similar to those set out in this DPA; and
b. remain responsible for the performance of such Subprocessors to the extent required by Applicable Data Protection Laws.

8.3 Changes to Subprocessors.
Hyaa AI may update its list of Subprocessors from time to time. In the event of any new Subprocessor that materially affects the processing of Customer Data, Hyaa AI shall provide notice to the customer via the Subprocessors Page or other reasonable means.

8.4 Right to Object.
If the customer has a reasonable basis to object to the use of a new Subprocessor on data protection grounds, the customer must notify Hyaa AI in writing within ten (10) days of receiving notice. Hyaa AI will work in good faith with the customer to address the objection.
If the parties cannot reach a mutually acceptable resolution, the customer may terminate the affected portion of the Services with a pro-rata refund for any prepaid fees.

8.5 Emergency Engagement.
Hyaa AI may engage a new Subprocessor on an emergency basis (such as to maintain service continuity or security). In such cases, Hyaa AI shall provide notice as soon as reasonably practicable.

9. International Data Transfers

9.1 General.
In providing the Services, Hyaa AI may transfer and process Customer Data in countries outside the jurisdiction where the customer or Data Subjects are located. This includes transfers to regions where Hyaa AI and its Subprocessors maintain infrastructure or operations.

9.2 Adequate Protection.
Hyaa AI shall ensure that any transfer of Customer Data outside the European Economic Area (“EEA”), the United Kingdom (“UK”), or other applicable jurisdictions is performed in compliance with Applicable Data Protection Laws and is subject to appropriate safeguards.

9.3 Standard Contractual Clauses (SCCs).
For transfers of Customer Data from the EEA to countries that are not deemed to provide an adequate level of protection under Applicable Data Protection Laws, the parties agree that the SCCs form part of this DPA as further described in Annex C.

9.4 UK Addendum or IDTA.
For transfers of Customer Data from the UK to countries without an adequacy decision, the International Data Transfer Addendum (“Addendum”) to the SCCs or the UK International Data Transfer Agreement (“IDTA”), as applicable, shall apply and is incorporated by reference.

9.5 Other Transfer Mechanisms.
Where appropriate, Hyaa AI may rely on:
a. adequacy decisions;
b. certified frameworks recognised under Applicable Data Protection Laws; or
c. other lawful transfer mechanisms approved by relevant supervisory authorities.

9.6 Subprocessor Transfers.
Hyaa AI shall ensure that any Subprocessor that processes Customer Data outside the customer’s jurisdiction does so under:
a. a valid data transfer mechanism; and
b. contractual obligations consistent with this DPA.

9.7 Customer Authorization.
By entering into this DPA, the customer authorizes Hyaa AI to transfer Customer Data internationally as required to provide the Services in accordance with the Agreement, this DPA, and Applicable Data Protection Laws.

10. Assistance to Customer

10.1 Data Subject Requests.
Taking into account the nature of the processing and the information available to Hyaa AI, Hyaa AI shall provide reasonable assistance to the customer, at the customer’s request, to enable the customer to fulfil its obligations to respond to requests from Data Subjects under Applicable Data Protection Laws.
If Hyaa AI receives a Data Subject request directly, Hyaa AI shall promptly notify the customer and shall not respond except as directed by the customer or as required by law.

10.2 Security and Compliance Assistance.
Hyaa AI shall provide reasonable assistance to the customer with respect to:
a. obligations relating to the security of processing;
b. notification of Personal Data breaches to supervisory authorities or Data Subjects; and
c. consultations with supervisory authorities, where such consultations relate to the Services.

10.3 Data Protection Impact Assessments.
Taking into account the nature of the processing and information reasonably available to Hyaa AI, Hyaa AI shall provide assistance to the customer as necessary for the customer to meet its obligations to conduct data protection impact assessments (“DPIAs”) and prior consultations with supervisory authorities.

10.4 Customer Costs.
Any assistance provided by Hyaa AI under this Section that goes beyond reasonable routine support may be subject to:
a. mutually agreed fees; and
b. a written request that clearly describes the assistance required.

10.5 Limitations.
Hyaa AI is not responsible for:
a. performing DPIAs on behalf of the customer;
b. ensuring that the customer meets its independent legal obligations; or
c. providing legal advice to the customer.

11. Security Incidents

11.1 Notification.
Hyaa AI shall notify the customer without undue delay after becoming aware of a Security Incident affecting Customer Data. Such notification shall describe, to the extent known at the time:
a. the nature of the Security Incident;
b. the categories and approximate number of affected Data Subjects;
c. the categories and approximate volume of affected Personal Data;
d. the likely consequences of the Security Incident; and
e. the measures taken or proposed to address or mitigate the Security Incident.

11.2 Ongoing Updates.
Hyaa AI shall provide the customer with updates regarding the Security Incident as more information becomes available, to the extent permitted by law and insofar as such updates are necessary for the customer to meet its obligations.

11.3 Cooperation.
Hyaa AI shall take all reasonable steps to contain, investigate, and remediate the Security Incident and shall provide reasonable cooperation to the customer in fulfilling the customer’s obligations under Applicable Data Protection Laws, including any notifications to supervisory authorities or affected Data Subjects.

11.4 No Admission of Fault.
Notification of a Security Incident by Hyaa AI shall not be construed as an admission of fault or liability by Hyaa AI.

11.5 Customer Responsibilities.
The customer is responsible for:
a. ensuring that its own systems and credentials are protected;
b. providing accurate and up-to-date contact information for incident notification; and
c. taking any measures reasonably required by law or regulatory guidance in connection with a Security Incident.

12. Return or Deletion of Data

12.1 Deletion at End of Processing.
Upon termination or expiration of the Agreement, or upon written request from the customer, Hyaa AI shall, to the extent technically feasible, delete or return all Customer Data processed on behalf of the customer, unless Hyaa AI is required to retain such data under Applicable Data Protection Laws.

12.2 Customer Exports.
Before the termination or expiration of the Agreement, the customer is responsible for exporting or retrieving any Customer Data it wishes to retain. Hyaa AI shall make Customer Data available for export for a reasonable period following termination, after which Hyaa AI may permanently delete such data.

12.3 Standard Retention Period for Candidate Data.
Notwithstanding Section 12.1, Hyaa AI will retain candidate-related Personal Data (including audio recordings, transcripts, summaries, scoring, resume data, and metadata) for a fixed period of twelve (12) months from the date of collection, after which such data will be securely deleted or anonymised unless a longer period is required by law.

12.4 Deletion of Backups.
Customer Data stored in routine backups will be deleted in accordance with Hyaa AI’s standard backup rotation and deletion schedules. During this period, such data remains protected in accordance with this DPA.

12.5 Aggregated or Anonymised Data.
Hyaa AI may retain and use aggregated or anonymised information that does not identify individuals after deletion of Customer Data. Such information is not considered Personal Data under Applicable Data Protection Laws.

12.6 Certification of Deletion.
Upon written request, Hyaa AI shall provide confirmation that Customer Data has been deleted in accordance with this Section, to the extent reasonably possible.

13. Audit Rights

13.1 Customer Audit Rights.
Upon reasonable written request, Hyaa AI shall make available to the customer information necessary to demonstrate compliance with its obligations under this DPA. Such information may include policies, technical documentation, third-party certifications, or other materials that reasonably substantiate Hyaa AI’s data protection practices.

13.2 Third-Party Reports.
Where available, Hyaa AI may satisfy its audit obligations by providing the customer with copies of independent third-party audit reports, certifications, or compliance attestations (such as SOC 2, ISO 27001, or equivalent), or by providing summaries thereof.

13.3 On-Site or Direct Audits.
If the information provided under Sections 13.1 or 13.2 is insufficient, the customer may request an on-site or direct audit. Any such audit shall:
a. be conducted no more than once per twelve (12) months, unless required by supervisory authorities or following a confirmed Security Incident;
b. be conducted by an independent auditor mutually agreed upon by the parties;
c. be limited to facilities, systems, and processes relevant to the processing of Customer Data;
d. be subject to reasonable advance notice (at least thirty (30) days); and
e. not unreasonably interfere with Hyaa AI’s normal business operations.

13.4 Confidentiality and Scope.
All audit activities shall be subject to confidentiality obligations and may not involve access to:
a. information relating to other customers;
b. proprietary or confidential business information not relevant to the audit; or
c. systems or infrastructure unrelated to the Services.

13.5 Costs.
The customer shall bear all costs associated with audits requested by the customer, except where the audit reveals a material breach of this DPA by Hyaa AI, in which case Hyaa AI shall bear the reasonable costs of the audit.

13.6 Alternative Controls.
Hyaa AI may, at its discretion, satisfy audit obligations by providing other reasonable attestations of compliance, responding to security questionnaires, or permitting a remote assessment where appropriate and sufficiently protective of Hyaa AI’s confidentiality and security obligations.

14. Liability

14.1 General.
The liability of each party under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement. Nothing in this DPA is intended to increase, expand, or modify the liability of either party beyond the limits agreed in the Agreement.

14.2 Data Protection Liability.
Each party shall be liable for damages arising from breaches of its respective obligations under this DPA and Applicable Data Protection Laws, subject always to the limitations set out in the Agreement.

14.3 Processor Limitation.
Hyaa AI shall not be responsible for:
a. the customer’s collection or handling of Personal Data outside the Services;
b. decisions made by the customer based on data processed through the Services;
c. the customer’s failure to comply with its obligations as a Controller; or
d. any processing undertaken by the customer or its third parties beyond Hyaa AI’s control.

14.4 No Liability for Customer Instructions.
Hyaa AI shall not be liable for any claim arising from:
a. processing undertaken in accordance with the customer’s instructions;
b. processing resulting from configurations, workflows, or integrations implemented by the customer; or
c. the customer’s failure to obtain appropriate rights, permissions, or consents from Data Subjects.

14.5 Exclusion of Punitive Damages.
To the maximum extent permitted by law, neither party shall be liable to the other for indirect, incidental, punitive, special, or consequential damages arising from or related to this DPA, consistent with the Agreement.

15. Terms & Termination

15.1 Term.
This DPA shall remain in effect for as long as Hyaa AI processes Customer Data on behalf of the customer under the Agreement.

15.2 Termination of the DPA.
This DPA shall automatically terminate upon termination or expiration of the Agreement, except that Sections which, by their nature or legal requirement, must survive termination shall continue to apply.

15.3 Effect of Termination.
Upon termination of the Agreement, Hyaa AI shall process Customer Data in accordance with Section 12 (Return or Deletion of Data). All obligations relating to the protection, security, and lawful handling of Customer Data shall remain in effect until such deletion is complete.

15.4 Survival.
The following obligations shall survive termination of this DPA and the Agreement:
a. confidentiality obligations;
b. obligations related to deletion and return of Customer Data;
c. limitations of liability;
d. audit rights (as applicable to completed processing); and
e. any obligations required to comply with Applicable Data Protection Laws.

15.5 Continuation of Safeguards.
Hyaa AI shall maintain appropriate technical and organisational measures to protect Customer Data retained as required by law during the post-termination period described in Section 12.

Annex A - Description of Processing

This Annex forms part of the Data Processing Addendum and describes the subject matter, nature, purpose, duration, and categories of Personal Data processed by Hyaa AI on behalf of the customer.

A1. Subject Matter and Purpose of Processing
Hyaa AI processes Personal Data for the purpose of providing the Hyaa AI platform and related services to the customer, including:
a. conducting audio-based job interviews;
b. generating transcripts, summaries, and AI-derived insights;
c. performing resume extraction and structured data processing;
d. enabling scoring, classification, and ranking functionality;
e. hosting, storing, transmitting, and retrieving Customer Data;
f. supporting workflows, automation, and messaging;
g. providing troubleshooting, support, and maintenance;
h. securing and monitoring the platform; and
i. complying with the customer’s documented instructions and Applicable Data Protection Laws.

A2. Duration of Processing
Hyaa AI processes Customer Data for the duration of the Agreement.
Candidate-related Personal Data is retained for a fixed period of twelve (12) months from collection, after which it is deleted or anonymised unless a longer retention period is required by law.
Other Customer Data may be retained as necessary for legal, security, billing, or operational requirements.

A3. Nature of Processing
Processing activities may include:

  • collection

  • recording

  • storage

  • organisation

  • formatting

  • structuring

  • transcription

  • analysis

  • summarisation

  • scoring and classification

  • retrieval

  • transmission

  • restricted disclosure

  • deletion or anonymisation

  • workflow automation

All processing is performed in accordance with the customer’s instructions.

A4. Categories of Data Subjects
Processing may involve the following categories of Data Subjects:
a. job candidates participating in interviews or submitting application materials;
b. employees, contractors, administrators, and authorised users of the customer; and
c. individuals referenced in resumes, documents, or other materials provided by candidates.

A5. Categories of Personal Data

The Personal Data processed may include, without limitation:

A5.1 Identification and Account Data

  • names

  • email addresses

  • authentication details

  • organization-level profile information

A5.2 Candidate-Submitted Data

  • audio interview recordings

  • per-question audio files

  • resume documents

  • job application materials

A5.3 AI-Generated and Derived Data

  • transcripts

  • summaries

  • structured insights

  • scoring and ranking outputs

  • extracted skills and classifications

A5.4 Metadata and Technical Data

  • IP address

  • device type, browser, operating system

  • location (approximate region)

  • timestamps, logs, interaction data

  • workflow activity records

  • status and delivery metadata for messages

A5.5 Employer-Generated Data

  • notes, tags, labels

  • status updates and pipeline classifications

  • internal evaluations or comments

Hyaa AI does not intentionally process special categories of data, but such information may be included if provided by the candidate or the customer.

A6. Categories of Recipients
Personal Data may be disclosed to:
a. authorised users within the customer’s organisation;
b. Hyaa AI personnel with a legitimate need to access the data;
c. approved Subprocessors engaged to support the Services;
d. third-party systems integrated by the customer (upon customer instruction); and
e. competent authorities where required by law.

A7. Cross-Border Transfers
Personal Data may be transferred internationally as described in Section 9 of the DPA. Transfers outside the EEA or UK are subject to SCCs, the UK Addendum, or other lawful mechanisms.

Annex B - Technical and Organisational Measures

This Annex describes the technical and organisational measures implemented by Hyaa AI to protect Personal Data processed on behalf of the customer. These measures are designed to ensure a level of security appropriate to the risks presented by the processing.

B1. Information Security Management

  • B1.1 Hyaa AI maintains policies and procedures addressing data protection, access control, secure development, incident response, and operational security.

  • B1.2 Access to systems handling Personal Data is limited to authorised personnel with a legitimate business need and is regularly reviewed.

B2. Access Control and Authentication

  • B2.1 Access to production systems requires secure authentication, including password complexity requirements and restricted administrative permissions.

  • B2.2 Role-based access control (RBAC) is enforced within the Services to ensure users within the customer’s organisation only access appropriate data.

  • B2.3 Access rights for Hyaa AI personnel are granted based on least-privilege principles and revoked promptly when no longer required.

B3. Physical Security

  • B3.1 Hyaa AI uses reputable cloud hosting providers (such as Supabase and Vercel) that maintain robust physical and environmental controls at their data centre facilities.

  • B3.2 Hyaa AI personnel do not have physical access to the data centres where Customer Data is stored.

B4. Data Encryption

  • B4.1 Personal Data is encrypted in transit using industry-standard protocols (such as TLS).

  • B4.2 Personal Data stored within the Services is encrypted at rest using technologies supported by Hyaa AI’s hosting providers.

B5. System and Network Security

  • B5.1 Firewalls, security groups, or equivalent controls are used to restrict network access to authorised endpoints.

  • B5.2 Infrastructure providers maintain continuous monitoring, threat detection, DDoS protection, and anti-abuse systems.

  • B5.3 Hyaa AI maintains application-level safeguards against common security vulnerabilities.

B6. Secure Development Practices

  • B6.1 Hyaa AI follows secure coding and deployment practices, including code review and controlled deployment workflows.

  • B6.2 Dependencies and libraries are monitored and updated as needed to address security issues.

  • B6.3 Development and testing environments are logically separated from production environments.

B7. Logging and Monitoring

  • B7.1 Hyaa AI maintains logging for relevant system activities, authentication events, and operational behaviour.

  • B7.2 Logs are monitored to identify anomalous activity or security-related events.

  • B7.3 Access to logs is restricted to authorised personnel.

B8. Data Backup and Recovery

  • B8.1 Customer Data stored within Supabase or related hosting systems is backed up in accordance with the provider’s backup and recovery policies.

  • B8.2 Backup data is protected using the same or equivalent safeguards as production data.

B9. Data Minimisation and Retention Controls

  • B9.1 Candidate data is retained for a fixed period of twelve (12) months unless otherwise legally required.

  • B9.2 Upon expiration of the retention period, data is securely deleted or anonymised.

  • B9.3 Exported data becomes the customer’s responsibility outside the platform environment.

B10. Personnel Security

  • B10.1 All Hyaa AI personnel with access to Personal Data are subject to confidentiality obligations.

  • B10.2 Personnel receive training on data protection, security awareness, and safe handling of Personal Data.

B11. Incident Management

  • B11.1 Hyaa AI maintains procedures to detect, assess, and respond to Security Incidents.

  • B11.2 In the event of a Security Incident affecting Customer Data, Hyaa AI will notify the customer in accordance with Section 11 of the DPA and provide reasonable cooperation.

B12. Vendor and Subprocessor Management

  • B12.1 Hyaa AI conducts due diligence on Subprocessors to verify they maintain adequate technical and organisational safeguards.

  • B12.2 Subprocessors are bound by contractual obligations that provide a level of protection substantially similar to this DPA.

  • B12.3 Hyaa AI maintains a publicly accessible list of approved Subprocessors.

B13. Customer Responsibilities

  • B13.1 The customer is responsible for securing its own systems, managing user access, and ensuring secure handling of Personal Data outside the Services.

  • B13.2 The customer must implement appropriate safeguards when transferring or exporting data from the platform.

Annex C - Subprocessors & International Transfer Mechanisms

C1. Approved Subprocessors

Hyaa AI engages certain third parties (“Subprocessors”) to support the provision of the Services. These Subprocessors may process Personal Data on behalf of the customer.

A current and up-to-date list of all approved Subprocessors, including their roles and processing locations, is maintained by Hyaa AI at the following location:

https://hyaa.ai/policies/subprocessors

The customer is responsible for reviewing this list periodically.
Changes to Subprocessors are notified in accordance with Section 8 of the DPA.

C2. International Transfer Mechanisms

For transfers of Personal Data from the European Economic Area (EEA), the United Kingdom (UK), or other regions with data transfer restrictions, the following mechanisms apply:

C2.1 European Economic Area

Transfers of Personal Data from the EEA to countries not deemed to provide an adequate level of protection shall be governed by the EU Standard Contractual Clauses (SCCs), incorporated by reference into this DPA.

Where applicable, the SCCs shall be applied:

  • with the customer as the data exporter,

  • with Hyaa AI as the data importer, and

  • with the relevant modules selected based on the Controller–Processor relationship.

C2.2 United Kingdom

Transfers of Personal Data from the UK to non-adequate countries shall be governed by:

  • the UK Addendum to the EU Standard Contractual Clauses (IDTA Addendum), or

  • the International Data Transfer Agreement (IDTA),

as required by UK law.

The Addendum or IDTA is incorporated into this DPA by reference.

C2.3 Other Jurisdictions

Where required by other Applicable Data Protection Laws, Hyaa AI will implement:

  • adequacy decisions,

  • approved contractual clauses,

  • binding frameworks, or

  • other legally recognised safeguards.

C2.4 Customer Authorization

By entering into this DPA, the customer authorizes:

  • the use of Subprocessors;

  • the international transfer of Personal Data to Subprocessors; and

  • the application of the SCCs, UK Addendum, or equivalent measures,

as necessary to lawfully provide the Services.

b. be conducted by an independent auditor mutually agreed upon by the parties;
c. be limited to facilities, systems, and processes relevant to the processing of Customer Data;
d. be subject to reasonable advance notice (at least thirty (30) days); and
e. not unreasonably interfere with Hyaa AI’s normal business operations.

13.4 Confidentiality and Scope.
All audit activities shall be subject to confidentiality obligations and may not involve access to:
a. information relating to other customers;
b. proprietary or confidential business information not relevant to the audit; or
c. systems or infrastructure unrelated to the Services.

13.5 Costs.
The customer shall bear all costs associated with audits requested by the customer, except where the audit reveals a material breach of this DPA by Hyaa AI, in which case Hyaa AI shall bear the reasonable costs of the audit.

13.6 Alternative Controls.
Hyaa AI may, at its discretion, satisfy audit obligations by providing other reasonable attestations of compliance, responding to security questionnaires, or permitting a remote assessment where appropriate and sufficiently protective of Hyaa AI’s confidentiality and security obligations.

14. Liability

14.1 General.
The liability of each party under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement. Nothing in this DPA is intended to increase, expand, or modify the liability of either party beyond the limits agreed in the Agreement.

14.2 Data Protection Liability.
Each party shall be liable for damages arising from breaches of its respective obligations under this DPA and Applicable Data Protection Laws, subject always to the limitations set out in the Agreement.

14.3 Processor Limitation.
Hyaa AI shall not be responsible for:
a. the customer’s collection or handling of Personal Data outside the Services;
b. decisions made by the customer based on data processed through the Services;
c. the customer’s failure to comply with its obligations as a Controller; or
d. any processing undertaken by the customer or its third parties beyond Hyaa AI’s control.

14.4 No Liability for Customer Instructions.
Hyaa AI shall not be liable for any claim arising from:
a. processing undertaken in accordance with the customer’s instructions;
b. processing resulting from configurations, workflows, or integrations implemented by the customer; or
c. the customer’s failure to obtain appropriate rights, permissions, or consents from Data Subjects.

14.5 Exclusion of Punitive Damages.
To the maximum extent permitted by law, neither party shall be liable to the other for indirect, incidental, punitive, special, or consequential damages arising from or related to this DPA, consistent with the Agreement.

15. Terms & Termination

15.1 Term.
This DPA shall remain in effect for as long as Hyaa AI processes Customer Data on behalf of the customer under the Agreement.

15.2 Termination of the DPA.
This DPA shall automatically terminate upon termination or expiration of the Agreement, except that Sections which, by their nature or legal requirement, must survive termination shall continue to apply.

15.3 Effect of Termination.
Upon termination of the Agreement, Hyaa AI shall process Customer Data in accordance with Section 12 (Return or Deletion of Data). All obligations relating to the protection, security, and lawful handling of Customer Data shall remain in effect until such deletion is complete.

15.4 Survival.
The following obligations shall survive termination of this DPA and the Agreement:
a. confidentiality obligations;
b. obligations related to deletion and return of Customer Data;
c. limitations of liability;
d. audit rights (as applicable to completed processing); and
e. any obligations required to comply with Applicable Data Protection Laws.

15.5 Continuation of Safeguards.
Hyaa AI shall maintain appropriate technical and organisational measures to protect Customer Data retained as required by law during the post-termination period described in Section 12.

Annex A - Description of Processing

This Annex forms part of the Data Processing Addendum and describes the subject matter, nature, purpose, duration, and categories of Personal Data processed by Hyaa AI on behalf of the customer.

A1. Subject Matter and Purpose of Processing
Hyaa AI processes Personal Data for the purpose of providing the Hyaa AI platform and related services to the customer, including:
a. conducting audio-based job interviews;
b. generating transcripts, summaries, and AI-derived insights;
c. performing resume extraction and structured data processing;
d. enabling scoring, classification, and ranking functionality;
e. hosting, storing, transmitting, and retrieving Customer Data;
f. supporting workflows, automation, and messaging;
g. providing troubleshooting, support, and maintenance;
h. securing and monitoring the platform; and
i. complying with the customer’s documented instructions and Applicable Data Protection Laws.

A2. Duration of Processing
Hyaa AI processes Customer Data for the duration of the Agreement.
Candidate-related Personal Data is retained for a fixed period of twelve (12) months from collection, after which it is deleted or anonymised unless a longer retention period is required by law.
Other Customer Data may be retained as necessary for legal, security, billing, or operational requirements.

A3. Nature of Processing
Processing activities may include:

  • collection

  • recording

  • storage

  • organisation

  • formatting

  • structuring

  • transcription

  • analysis

  • summarisation

  • scoring and classification

  • retrieval

  • transmission

  • restricted disclosure

  • deletion or anonymisation

  • workflow automation

All processing is performed in accordance with the customer’s instructions.

A4. Categories of Data Subjects
Processing may involve the following categories of Data Subjects:
a. job candidates participating in interviews or submitting application materials;
b. employees, contractors, administrators, and authorised users of the customer;
c. individuals referenced in resumes, documents, or other materials provided by candidates.

A5. Categories of Personal Data

The Personal Data processed may include, without limitation:

A5.1 Identification and Account Data

  • names

  • email addresses

  • authentication details

  • organisation-level profile information

A5.2 Candidate-Submitted Data

  • audio interview recordings

  • per-question audio files

  • resume documents

  • job application materials

A5.3 AI-Generated and Derived Data

  • transcripts

  • summaries

  • structured insights

  • scoring and ranking outputs

  • extracted skills and classifications

A5.4 Metadata and Technical Data

  • IP address

  • device type, browser, operating system

  • location (approximate region)

  • timestamps, logs, interaction data

  • workflow activity records

  • status and delivery metadata for messages

A5.5 Employer-Generated Data

  • notes, tags, labels

  • status updates and pipeline classifications

  • internal evaluations or comments

Hyaa AI does not intentionally process special categories of data, but such information may be included if provided by the candidate or the customer.

A6. Categories of Recipients
Personal Data may be disclosed to:
a. authorised users within the customer’s organisation;
b. Hyaa AI personnel with a legitimate need to access the data;
c. approved Subprocessors engaged to support the Services;
d. third-party systems integrated by the customer (upon customer instruction); and
e. competent authorities where required by law.

A7. Cross-Border Transfers
Personal Data may be transferred internationally as described in Section 9 of the DPA. Transfers outside the EEA or UK are subject to SCCs, the UK Addendum, or other lawful mechanisms.

Annex B - Technical and Organisational Measures

This Annex describes the technical and organisational measures implemented by Hyaa AI to protect Personal Data processed on behalf of the customer. These measures are designed to ensure a level of security appropriate to the risks presented by the processing.

B1. Information Security Management

  • B1.1 Hyaa AI maintains policies and procedures addressing data protection, access control, secure development, incident response, and operational security.

  • B1.2 Access to systems handling Personal Data is limited to authorised personnel with a legitimate business need and is regularly reviewed.

B2. Access Control and Authentication

  • B2.1 Access to production systems requires secure authentication, including password complexity requirements and restricted administrative permissions.

  • B2.2 Role-based access control (RBAC) is enforced within the Services to ensure users within the customer’s organisation only access appropriate data.

  • B2.3 Access rights for Hyaa AI personnel are granted based on least-privilege principles and revoked promptly when no longer required.

B3. Physical Security

  • B3.1 Hyaa AI uses reputable cloud hosting providers (such as Supabase and Vercel) that maintain robust physical and environmental controls at their data centre facilities.

  • B3.2 Hyaa AI personnel do not have physical access to the data centres where Customer Data is stored.

B4. Data Encryption

  • B4.1 Personal Data is encrypted in transit using industry-standard protocols (such as TLS).

  • B4.2 Personal Data stored within the Services is encrypted at rest using technologies supported by Hyaa AI’s hosting providers.

B5. System and Network Security

  • B5.1 Firewalls, security groups, or equivalent controls are used to restrict network access to authorised endpoints.

  • B5.2 Infrastructure providers maintain continuous monitoring, threat detection, DDoS protection, and anti-abuse systems.

  • B5.3 Hyaa AI maintains application-level safeguards against common security vulnerabilities.

B6. Secure Development Practices

  • B6.1 Hyaa AI follows secure coding and deployment practices, including code review and controlled deployment workflows.

  • B6.2 Dependencies and libraries are monitored and updated as needed to address security issues.

  • B6.3 Development and testing environments are logically separated from production environments.

B7. Logging and Monitoring

  • B7.1 Hyaa AI maintains logging for relevant system activities, authentication events, and operational behaviour.

  • B7.2 Logs are monitored to identify anomalous activity or security-related events.

  • B7.3 Access to logs is restricted to authorised personnel.

B8. Data Backup and Recovery

  • B8.1 Customer Data stored within Supabase or related hosting systems is backed up in accordance with the provider’s backup and recovery policies.

  • B8.2 Backup data is protected using the same or equivalent safeguards as production data.

B9. Data Minimisation and Retention Controls

  • B9.1 Candidate data is retained for a fixed period of twelve (12) months unless otherwise legally required.

  • B9.2 Upon expiration of the retention period, data is securely deleted or anonymised.

  • B9.3 Exported data becomes the customer’s responsibility outside the platform environment.

B10. Personnel Security

  • B10.1 All Hyaa AI personnel with access to Personal Data are subject to confidentiality obligations.

  • B10.2 Personnel receive training on data protection, security awareness, and safe handling of Personal Data.

B11. Incident Management

  • B11.1 Hyaa AI maintains procedures to detect, assess, and respond to Security Incidents.

  • B11.2 In the event of a Security Incident affecting Customer Data, Hyaa AI will notify the customer in accordance with Section 11 of the DPA and provide reasonable cooperation.

B12. Vendor and Subprocessor Management

  • B12.1 Hyaa AI conducts due diligence on Subprocessors to verify they maintain adequate technical and organisational safeguards.

  • B12.2 Subprocessors are bound by contractual obligations that provide a level of protection substantially similar to this DPA.

  • B12.3 Hyaa AI maintains a publicly accessible list of approved Subprocessors.

B13. Customer Responsibilities

  • B13.1 The customer is responsible for securing its own systems, managing user access, and ensuring secure handling of Personal Data outside the Services.

  • B13.2 The customer must implement appropriate safeguards when transferring or exporting data from the platform.

Annex C - Subprocessors & International Transfer Mechanisms

C1. Approved Subprocessors

Hyaa AI engages certain third parties (“Subprocessors”) to support the provision of the Services. These Subprocessors may process Personal Data on behalf of the customer.

A current and up-to-date list of all approved Subprocessors, including their roles and processing locations, is maintained by Hyaa AI at the following location:

https://hyaa.ai/policies/subprocessors

The customer is responsible for reviewing this list periodically.
Changes to Subprocessors are notified in accordance with Section 8 of the DPA.

C2. International Transfer Mechanisms

For transfers of Personal Data from the European Economic Area (EEA), the United Kingdom (UK), or other regions with data transfer restrictions, the following mechanisms apply:

C2.1 European Economic Area

Transfers of Personal Data from the EEA to countries not deemed to provide an adequate level of protection shall be governed by the EU Standard Contractual Clauses (SCCs), incorporated by reference into this DPA.

Where applicable, the SCCs shall be applied:

  • with the customer as the data exporter,

  • with Hyaa AI as the data importer, and

  • with the relevant modules selected based on the Controller–Processor relationship.

C2.2 United Kingdom

Transfers of Personal Data from the UK to non-adequate countries shall be governed by:

  • the UK Addendum to the EU Standard Contractual Clauses (IDTA Addendum), or

  • the International Data Transfer Agreement (IDTA), as required by UK law.

The Addendum or IDTA is incorporated into this DPA by reference.

C2.3 Other Jurisdictions

Where required by other Applicable Data Protection Laws, Hyaa AI will implement:

  • adequacy decisions,

  • approved contractual clauses,

  • binding frameworks, or

  • other legally recognised safeguards.

C2.4 Customer Authorisation

By entering into this DPA, the customer authorises:

  • the use of Subprocessors;

  • the international transfer of Personal Data to Subprocessors; and

  • the application of the SCCs, UK Addendum, or equivalent measures, as necessary to lawfully provide the Services.
