FINPLOY TECHNOLOGIES PTE. LTD.
Contents
1. Introduction and parties
2. Definitions
3. Scope and nature of processing
4. Data controller obligations
5. Data intermediary obligations
6. Security measures
7. Sub-processors
8. Data breach notification
9. Data subject rights assistance
10. Data return and deletion
11. Audit rights
12. Liability
13. Duration and termination
14. Governing law
This Data Processing Agreement ("DPA") forms part of the subscription agreement between Finploy Technologies Pte. Ltd. (UEN 202548778H), a company incorporated in Singapore and the operator of the TalentZora platform ("TalentZora", "we", "us"), and the subscribing organisation that has accepted TalentZora's Terms of Use ("Subscribing Organisation", "you").
This DPA governs TalentZora's processing of personal data on behalf of the Subscribing Organisation in connection with the TalentZora platform and supplements our Privacy Policy and PDPA Policy. In the event of any conflict between this DPA and those policies in respect of data processing obligations, this DPA prevails.
1. Introduction and Parties
TalentZora is a self-service B2B SaaS platform providing AI-assisted candidate matching, private CV vault, and recruiter productivity tools. In delivering the platform:
- The Subscribing Organisation is the data controller — it determines the purposes and means of processing candidate personal data that it uploads into TalentZora.
- Finploy Technologies Pte. Ltd. (TalentZora) is the data intermediary — it processes that personal data only on the instructions of the Subscribing Organisation and in accordance with this DPA.
This DPA applies to all personal data uploaded, processed, stored, or generated within the Subscribing Organisation's TalentZora workspace in the course of using the platform's services.
2. Definitions
- "Personal Data" — data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which TalentZora has or is likely to have access, as defined under Singapore's PDPA.
- "PDPA" — Singapore's Personal Data Protection Act 2012 (No. 26 of 2012) and all subsequent amendments, including the Personal Data Protection (Amendment) Act 2020.
- "PDPC" — the Personal Data Protection Commission of Singapore.
- "Processing" — any operation performed on personal data, including collection, storage, use, disclosure, transmission, and deletion.
- "Candidate Data" — personal data relating to individuals whose CVs, profiles, or contact details are uploaded into the Subscribing Organisation's TalentZora workspace by the Subscribing Organisation or its authorised users.
- "Workspace" — the private, isolated data environment assigned to the Subscribing Organisation within TalentZora, in which all uploaded candidate CVs, job descriptions, match results, and search history are stored.
- "DEK" — the unique AES-256 data encryption key assigned to the Subscribing Organisation's workspace.
- "Sub-processor" — a third-party service provider engaged by TalentZora to process personal data on its behalf in delivering the platform.
- "Data Breach" — any accidental or unauthorised access, collection, use, disclosure, copying, modification, disposal, or loss of personal data held by TalentZora on behalf of the Subscribing Organisation.
3. Scope and Nature of Processing
TalentZora processes personal data on behalf of the Subscribing Organisation for the following purposes and no others:
- Storing, organising, and indexing candidate CVs and job descriptions uploaded by the Subscribing Organisation.
- Parsing CV and JD content to extract structured fields (name, contact details, work history, skills, education, and similar recruitment-relevant information).
- Generating AI-assisted matching outputs between candidate profiles and job descriptions.
- Enabling private vault search, shortlist creation, and candidate filtering within the Subscribing Organisation's workspace.
- Generating and storing match scores, fit summaries, AI reasoning outputs, and smart search history within the workspace.
- Maintaining secure encrypted storage of all personal data fields associated with the Subscribing Organisation's workspace.
- Providing platform administration, access controls, billing, and support functions incidental to the above purposes.
TalentZora will not process personal data for any purpose beyond those listed above, except where required by Singapore law or a competent regulatory authority, or where expressly instructed in writing by the Subscribing Organisation.
All personal data processed under this DPA is scoped exclusively to the Subscribing Organisation's workspace. Data uploaded by one Subscribing Organisation is not made accessible to, used for, or shared with any other Subscribing Organisation or third party, except as set out in Section 7 (Sub-processors).
4. Data Controller Obligations
The Subscribing Organisation, as data controller, warrants and undertakes that:
- It has a valid legal basis under the PDPA for collecting and uploading candidate personal data into TalentZora, including obtaining any required consent from individual candidates before their data is uploaded.
- The personal data it uploads is accurate, relevant, and not excessive for the recruitment purposes for which it is uploaded.
- It will comply with all applicable PDPA obligations in its capacity as data controller for candidate data, including the Consent Obligation, Purpose Limitation Obligation, Accuracy Obligation, and Transfer Limitation Obligation in respect of any transfers it initiates.
- It will ensure that only authorised personnel use the TalentZora platform and that account credentials are kept secure and not shared.
- It will notify TalentZora promptly if it becomes aware of any suspected unauthorised access to its workspace or any misuse of platform credentials.
- It will comply with PDPC advisory guidelines, including the PDPC's Advisory Guidelines on the NRIC, in determining which personal identifiers may be uploaded to TalentZora.
5. Data Intermediary Obligations
TalentZora, as data intermediary, undertakes to:
- Process personal data only on the documented instructions of the Subscribing Organisation (as expressed through use of the platform and any written instructions communicated to TalentZora).
- Ensure that TalentZora staff who access personal data are bound by appropriate confidentiality obligations and are granted access only on a need-to-know basis.
- Implement and maintain the technical and organisational security measures described in Section 6 of this DPA.
- Assist the Subscribing Organisation in responding to data subject rights requests in accordance with Section 9.
- Notify the Subscribing Organisation of data breaches in accordance with Section 8.
- Delete or return personal data upon termination of the subscription in accordance with Section 10.
- Not engage sub-processors beyond those listed in Section 7 without giving the Subscribing Organisation prior notice.
- Promptly inform the Subscribing Organisation if, in TalentZora's reasonable opinion, an instruction from the Subscribing Organisation would cause TalentZora to be in breach of any applicable law or regulation.
6. Security Measures
TalentZora implements the following technical and organisational security measures to protect personal data processed under this DPA:
- Encryption at rest: All personal data fields (including candidate names, contact details, CV text, job description content, match results, and search history) are encrypted using AES-256-CBC encryption before storage in TalentZora's database. Each Subscribing Organisation's data is encrypted under a unique Data Encryption Key (DEK) specific to that organisation, providing cryptographic tenant isolation.
- Encryption in transit: All data transmitted between users and TalentZora's servers, and all data transmitted to sub-processors for processing, is encrypted using Transport Layer Security (TLS). No personal data is transmitted in plaintext over unencrypted channels.
- Access controls: Access to TalentZora's production systems is restricted to authorised personnel only, via multi-factor authentication. Access follows the principle of least privilege. Administrative access to production infrastructure is logged.
- Tenant isolation: Each Subscribing Organisation's workspace is logically isolated. The unique per-organisation DEK architecture ensures that, even at the database level, one organisation's encrypted data cannot be decrypted using another organisation's key.
- Staff access restrictions: TalentZora staff do not have routine operational access to decrypted Candidate Data. The limited circumstances under which TalentZora may access encrypted data (with notification to the Subscribing Organisation) are set out in our PDPA Policy.
- Incident logging: All non-routine access to encrypted data and all security incidents are logged internally and reviewed by authorised personnel.
- Backup security: Automated production backups are retained on a rotating cycle and are themselves encrypted. Backup data is not actively restored following a DEK deletion instruction.
7. Sub-processors
TalentZora engages the following categories of sub-processors in delivering the platform. Each sub-processor is engaged under data processing terms that require them to maintain appropriate data protection standards:
- Amazon Web Services (AWS), ap-south-1 (Mumbai, India): Cloud infrastructure, database hosting, and file storage. All personal data fields are encrypted at the application level before storage on AWS. Singapore-region deployment (ap-southeast-1) is available on request.
- Google — AI processing services: CV and JD content is transmitted to Google's AI services for parsing and matching output generation. All transmissions are made over encrypted HTTPS connections. Google processes this content solely to generate the outputs requested by TalentZora on behalf of the Subscribing Organisation.
- Stripe — Payment processing: Subscription billing and payment card processing. Full card details are processed and stored by Stripe only; they are not transmitted to TalentZora's own systems. Stripe is PCI DSS Level 1 compliant.
- Email delivery provider — Transactional email: Used for OTP delivery, account notifications, and support correspondence. Email content may include name and email address of the recipient.
TalentZora will provide the Subscribing Organisation with at least 14 days' prior notice of any material change to its sub-processor arrangements that affects how Candidate Data is processed. If the Subscribing Organisation reasonably objects to a change on grounds relating to data protection, it may notify TalentZora in writing within the notice period and the parties will seek to resolve the matter in good faith.
8. Data Breach Notification
TalentZora will notify the Subscribing Organisation without undue delay — and in any event within 72 hours of becoming aware of a confirmed data breach affecting Candidate Data held on behalf of that Subscribing Organisation. The notification will include, to the extent available at the time of notification:
- A description of the nature of the breach, including (where possible) the categories and approximate number of individuals and records affected.
- The name and contact details of the Data Protection Officer or designated point of contact.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach, including (where appropriate) measures to mitigate its possible adverse effects.
The Subscribing Organisation, as data controller, is responsible for assessing whether the breach is notifiable to the PDPC and/or to affected individuals under the PDPA's Data Breach Notification Obligation (i.e., whether it is likely to cause significant harm to affected individuals, or affects 500 or more individuals). TalentZora will provide reasonable assistance to the Subscribing Organisation in meeting these notification obligations.
Notification by TalentZora to the Subscribing Organisation does not constitute an admission of liability by TalentZora.
9. Data Subject Rights Assistance
TalentZora will provide reasonable assistance to the Subscribing Organisation in responding to requests from individual data subjects (i.e., candidates whose data is stored in the workspace) to exercise their rights under the PDPA, including rights of access, correction, and withdrawal of consent.
The Subscribing Organisation, as data controller, is the primary responsible party for responding to data subject rights requests in respect of Candidate Data. Individuals should direct such requests to the Subscribing Organisation, not to TalentZora directly. TalentZora will redirect any data subject requests it receives to the appropriate Subscribing Organisation where the identity of that organisation is ascertainable.
TalentZora's technical assistance may include providing the Subscribing Organisation with access to export tools, data lookup functions, and information about the fields and categories of data stored in the workspace. Any permanent deletion of Candidate Data at the request of a data subject is carried out by the Subscribing Organisation (or, upon written instruction, by TalentZora).
10. Data Return and Deletion
Upon termination or expiry of the subscription agreement, or upon written request from the Subscribing Organisation at any time:
- TalentZora will, at the Subscribing Organisation's election, either return all Candidate Data to the Subscribing Organisation in a machine-readable export format, or securely delete it by deleting the Subscribing Organisation's DEK.
- DEK deletion renders all associated encrypted personal data in active storage permanently inaccessible without possibility of decryption by any party, including TalentZora. This constitutes secure destruction of the data for purposes of the PDPA.
- Encrypted backup snapshots containing residual data will be purged automatically as part of TalentZora's standard backup rotation cycle. TalentZora does not actively restore backup data following a DEK deletion instruction.
- TalentZora will confirm in writing when deletion (or data return) has been completed.
The Subscribing Organisation is responsible for exporting any Candidate Data it wishes to retain before requesting deletion or before subscription termination takes effect. TalentZora is not liable for the loss of data that the Subscribing Organisation did not export prior to deletion.
Where specific records are subject to an active legal hold, regulatory investigation, or a competent authority instruction to preserve evidence, deletion of those records may be deferred. TalentZora will notify the Subscribing Organisation if a legal hold prevents full deletion. Deletion will be completed as soon as the hold is lifted.
11. Audit Rights
The Subscribing Organisation may request, no more than once per calendar year and upon reasonable prior written notice (minimum 14 days), written information from TalentZora relating to TalentZora's data protection practices and security controls as they apply to the Subscribing Organisation's Candidate Data.
TalentZora will respond in good faith to reasonable information requests relating to its security controls, data handling procedures, sub-processor arrangements, and breach history affecting the Subscribing Organisation. Requests for information are subject to TalentZora's reasonable confidentiality obligations with respect to its own systems and third parties.
Where a Subscribing Organisation requires more extensive audit or assessment rights — for example, for the purposes of its own regulatory compliance programme — the parties may agree in writing to expanded audit arrangements, including provision of documentation under NDA or completion of a vendor security questionnaire.
12. Liability
Each party's liability to the other under or in connection with this DPA is subject to the limitations and exclusions set out in the TalentZora Terms of Use. Nothing in this DPA limits or excludes liability that cannot be excluded by law.
TalentZora's liability in respect of any claim arising from this DPA is limited to direct losses and does not extend to indirect, consequential, special, incidental, or punitive losses, loss of profit, loss of revenue, or loss of data beyond the value of the personal data affected.
Where a data breach arises from the Subscribing Organisation's failure to comply with its own obligations under this DPA or the PDPA — including failure to secure account credentials, failure to obtain candidate consent before upload, or misuse of platform features — TalentZora shall not be liable for losses arising from that breach.
13. Duration and Termination
This DPA is effective for the duration of the Subscribing Organisation's active subscription to TalentZora and terminates automatically upon expiry or termination of that subscription.
Termination of the subscription does not affect any obligations under this DPA that by their nature should survive termination, including obligations relating to data return and deletion (Section 10), confidentiality, and liability.
Either party may propose an amendment to this DPA in writing. TalentZora will provide the Subscribing Organisation with at least 30 days' written notice of any material amendment to this DPA. Continued use of the platform after the effective date of an amendment constitutes acceptance of the revised DPA.
14. Governing Law
This DPA is governed by and construed in accordance with the laws of the Republic of Singapore. Any dispute arising out of or in connection with this DPA, including any question regarding its existence, validity, or termination, shall be subject to the non-exclusive jurisdiction of the Singapore courts.
For any questions about this DPA, to request a countersigned hard-copy version, or to discuss custom data processing terms, contact us at support@talentzora.com with the subject line "Data Processing Agreement".