Data Processing Agreement

Last Updated: 25.11.17

Version: 1.0

This Data Processing Addendum (“Addendum”) forms an integral part of, and is subject to, the terms and conditions of the applicable agreement governing the provision of the Services between the parties (the “Main Agreement”).

For the purposes of this Addendum, the Main Agreement shall mean, as applicable:
(a) the TeamFill Terms of Service, available at https://teamfill.net/terms-of-service, as accepted by the Client through registration for or use of the Services; or
(b) a separate written or electronic Service Agreement entered into between TeamFill, UAB, a company incorporated under the laws of the Republic of Lithuania, having its principal place of business at Partizanų g. 61-806, Kaunas (“TeamFill” or the “Processor”), and the relevant client entity (“Client” or the “Controller”).

This Addendum reflects the parties’ agreement with respect to the processing of personal data by TeamFill on behalf of the Client in connection with the services provided under the Main Agreement.

This Addendum is effective as of the date the Client first enters into the Main Agreement or otherwise uses the Services (“Effective Date”).

For the purpose of this Agreement, TeamFill and Client shall be collectively referred to as “parties” and individually as a “party”.


BACKGROUND:
A. This Addendum forms part of the Main Agreement between TeamFill, UAB (“TeamFill” or the “Processor”) and the Client (“Client” or the “Controller”), under which TeamFill provides certain services that may involve the processing of personal data on behalf of the Client.

B. This Agreement ensures that any processing of personal information by TeamFill on behalf of the Client complies with applicable data protection laws, including:

  1. the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR and the UK Data Protection Act 2018 (“EU Privacy Laws”); and

  2. the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CPRA”), and similar U.S. state privacy laws in Colorado, Connecticut, Virginia, and Utah (“US Privacy Laws”).

C. The Client acts as the organization that determines the purposes and means of the processing of Personal Information, and TeamFill only processes such data under the Client's instructions and on its behalf. This Agreement sets out the obligations of both parties regarding privacy, confidentiality, security, and the lawful handling of Personal Information processed through the TeamFill platform.

E. The parties acknowledge that this Agreement will control in the event of any conflict between its terms and those of the Main Agreement, but only to the extent such conflict relates to the processing of Personal Information.


1. DEFINITIONS

Unless otherwise defined elsewhere in this Agreement, the following definitions shall apply throughout this Agreement:

Personal Information: Information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR and §1798.140(v) of the CPRA.

Special Categories of Data / Sensitive PI: Personal Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data, biometric data for unique identification, data concerning health, or data concerning an individual's sex life or sexual orientation, as defined by Article 9 GDPR and Sensitive Personal Information as defined under §1798.121 CPRA.

Controller / Processor: Controller means the entity determining the purposes and means of processing Personal Information. Processor means the entity processing Personal Information on behalf of the Controller, as per GDPR Article 4(7) and (8). For the purpose of this Agreement, Client shall be Controller and TeamFill shall be Processor.

Business / Service Provider: Business means the entity determining the purposes and means of processing Personal Information. Service Provider means the entity processing Personal Information on behalf of the Business, as defined in CPRA §1798.140(d) and §1798.140(ag). For the purpose of this Agreement, Client shall be Business and TeamFill shall be Service Provider.

Data Subject: Any identified or identifiable natural person whose Personal Information is Processed by the Processor on behalf of the Controller, including but not limited to Applicants and Client-authorized users. Also referred to as a “consumer” under applicable U.S. Privacy Laws. For the purpose of this Agreement “Data Subject” shall also include “Applicant”.

Subprocessor: A third-party Processor and Service Provider engaged by the Processor and Service Provider to process Personal Information on behalf of the Controller/Business.

Applicant: Any job applicant or individual utilizing the Platform provided by the Processor as part of recruitment or interview processes.

Sell / Share: Defined under CPRA §1798.140(ad) and (ah) as the exchange or disclosure of Personal Information for monetary or other valuable consideration or for cross-context behavioral advertising purposes.

Instructions: Documented directions issued by the Controller/Business to the Processor and Service Provider detailing the manner, purpose, and limits of processing activities.

Standard Contractual Clauses (SCCs): The Standard Contractual Clauses set forth by the European Commission Implementing Decision (EU) 2021/914 dated 4 June 2021 (Modules 2 and 3).

UK Addendum: The International Data Transfer Addendum issued by the UK Information Commissioner’s Office (ICO) in accordance with the UK GDPR.

Privacy Laws: Collectively, US Privacy Laws and EU Privacy Laws.

Security Incident: As defined by GDPR Article 4(12) and CPRA §1798.150, any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information processed by Processor.

Platform: The TeamFill software platform located at https://app.teamfill.net (US server) and https://app-eu.teamfill.net/ (EEA/UK server located in the EU).



2. DETAILS OF PROCESSING

2.1. The subject matter, nature, scope, purpose, categories of Personal Information and Data Subjects, as well as the duration and frequency of processing activities, are described in Annex I (Details of Processing), which forms an integral part of this DPA.

2.2. Processor shall process Personal Information solely for the business purposes defined in the Main Agreement and this DPA, and only to the extent necessary for the provision of the services, in accordance with the Client’s Instructions and all Applicable Privacy Laws.

2.3. Instructions may include any configuration or operational actions initiated by the Client via the Platform, including the creation of job posts, question sets, evaluation criteria, or any direct or indirect submission of Applicant data.

2.4. The Parties acknowledge that the Platform is configured without automated scoring for processing Applicants located in the EEA/UK for EU-hosted Client tenants. 

2.5. Processor operates separate environments for EEA/UK and US tenants. Applicant data is processed and stored in the tenant’s region. Sub-processors are configured in-region. Cross-region processing is blocked except for a documented emergency failover with Controller notice and appropriate transfer safeguards.


3. ROLES OF THE PARTIES

3.1. The parties acknowledge and agree that:

  1. The Client is the “Controller” under EU and UK Privacy Laws and the “Business” under U.S. state privacy laws;

  2. TeamFill is the “Processor” and “Service Provider” respectively.

3.2. Processor and Service Provider certifies that it understands the restrictions and obligations under Privacy Laws and agrees to:

  1. Process Personal Information only on Instructions from the Client and Business;

  2. Not retain, use, disclose, sell, or share Personal Information for any purpose other than providing the services defined in the Agreement;

  3. Not combine Personal Information with other data except as permitted under Privacy Laws (e.g., for security, debugging, or legal compliance);

  4. Not engage in any cross-context behavioral advertising or profiling of individuals.

3.3. The Client and Business remains responsible for determining the lawful basis for processing, fulfilling transparency and consent obligations, and responding to rights requests, unless otherwise delegated in writing.


4. PROCESSOR OBLIGATIONS

4.1. Processor and Service Provider shall not retain Personal Information longer than reasonably necessary to fulfil the purposes of processing. Processor and Service Provider shall:

  1. Process Personal Information strictly in accordance with the Instructions from Controller/Business and not for any other purpose unless required by law.

  2. Ensure all staff processing Personal Information are bound by strict confidentiality agreements or statutory obligations of confidentiality.

  3. Implement technical and organizational measures as detailed in Annex II, to safeguard Personal Information from unauthorized access, alteration, disclosure, or destruction.

  4. Ensure all subprocessors engaged have contractual obligations that meet or exceed the obligations set forth herein, including data protection, security, and confidentiality commitments.

  5. Assist Controller/Business with fulfilling Data-Subject Requests (access, rectification, deletion, etc.) without undue delay and, at most, within five (5) business days upon receiving such a request from Controller/Business.

  6. Assist Controller/Business in conducting Data Protection Impact Assessments (DPIA) and consulting supervisory authorities when required under Privacy Laws.

  7. Upon termination of this Agreement, delete or return all Personal Information to Controller/Business at Controller/Business's election within thirty (30) days, and provide Controller/Business with certification confirming such deletion or return.

  8. Allow Controller/Business or its designated auditor to perform audits or inspections upon reasonable request to confirm compliance with this Agreement and applicable laws, and provide necessary information to demonstrate such compliance.

  9. Not combine Personal Information received from Controller/Business with Personal Information received from other sources, except as required for security purposes or upon explicit instruction from Controller/Business.

  10. Not sell, share, or otherwise disclose Personal Information for monetary or other valuable consideration or for cross-context behavioral advertising.

4.2. The Processor and Service Provider shall process Personal Information only on the Instructions of the Controller/Business. For the purposes of this Agreement, Instructions include:

  1. Main Agreement;

  2. configuration settings within the Platform made by Controller/Business (including through its employees, contractors or vendors authorized to use the Platform);

  3. instructions issued through support tickets, email, or secure internal messaging channels; and

  4. interview criteria, question templates, workflows, or Applicant evaluation parameters set by the Controller/Business via the Platform (including through its employees, contractors or vendors authorized to use the Platform).

4.3. The Processor and Service Provider will not interpret silence or lack of instruction as authorization to process beyond the scope of this Agreement.

4.4. Processor and Service Provider is entitled to refuse processing where Instructions are against Privacy Laws.


5. CONTROLLER RESPONSIBILITIES

5.1. The Controller/Business acknowledges and agrees that it is responsible for complying with all obligations applicable to a Controller or Business under Privacy Laws. In particular, the Controller/Business shall:

  1. Establish and maintain a valid legal basis for the processing of Personal Information, including Special Categories of Data where applicable, and communicate such basis to the Processor and Service Provider upon request.

  2. Provide accurate and up-to-date privacy notices to Data Subjects (Applicants, Users) in compliance with applicable Privacy Laws, clearly describing the nature, purpose, and legal basis of the processing, and disclosing any use of automated decision-making technologies.

  3. Obtain all consents required by law for recording and transcription; where AI Evaluation is enabled outside the EEA and UK, ensure the notice expressly describes AI-generated advisory outputs and state gating.

  4. Provide the Processor and Service Provider with documented, lawful, and clear instructions for all processing activities conducted under the Agreement.

  5. Act as the primary contact point for all inquiries and requests from Data Subjects or Consumers regarding their rights under applicable Privacy Laws and promptly respond to such requests in accordance with applicable statutory deadlines.

  6. The Controller/Business shall ensure that data subjects are informed of their right not to be subject to a decision based solely on automated processing, including profiling, where applicable.

  7. Promptly notify the Processor and Service Provider of any changes to data processing requirements, consents, or notices that may affect the services under this Agreement.


6. SUBPROCESSORS

6.1. The Processor and Service Provider may engage third-party subprocessors to assist with providing the Services, as listed in Annex III.

6.2. Before appointing a new subprocessor or replacing an existing one, the Processor and Service Provider shall notify the Controller/Business in writing at least thirty (30) calendar days in advance. This notice will include the name, location, and function of the proposed subprocessor. The Controller/Business may object to the use of the proposed subprocessor on reasonable data protection grounds within the notice period. If no objection is received within that time, the Processor may proceed with the appointment.

6.3. The Processor and Service Provider shall enter into a binding written agreement with each subprocessor imposing data protection, confidentiality, and security obligations that are no less protective than those set forth in this Agreement, including obligations under applicable Privacy Laws.

6.4. Where required by Privacy Laws, the Processor and Service Provider shall execute the Standard Contractual Clauses (SCCs), UK Addendum or other legally valid transfer mechanisms with each subprocessor, ensuring equivalent safeguards for international transfers. If a subprocessor located in the United States is self-certified under the EU–U.S. Data Privacy Framework (DPF), the Processor and Service Provider shall identify this certification in Annex III, and rely on it as the primary transfer mechanism, while retaining the SCCs as fallback.


7. RETENTION OF DATA

7.1. The Processor and Service Provider shall retain Personal Information only for as long as necessary to fulfill the agreed purposes of processing, unless a longer retention period is required by applicable law or agreed in writing by the Controller/Business. The following retention periods shall apply unless the Controller/Business instructs otherwise:

Data Type | Default Retention Period | Deletion Method

Interview recordings (audio and video) | 30 days from the date of collection | Cryptographic deletion and S3 lifecycle logging

Applicant profile data (e.g., resume, role applied for) | 3 months post-application, unless extended by valid consent | Automatic flagging and deletion script

System backups | 7–60 days, per rolling backup lifecycle | Automated data pruning

Technical logs | 24 months | Managed per internal log retention policies

Vendor artifacts | OpenAI retains transient processing artifacts up to 30 days in the same region as the tenant (EU or US) |


8. AUDIT AND INSPECTIONS

8.1. The Controller/Business shall have the right, no more than once per calendar year, and upon providing at least thirty (30) days’ prior written notice, to conduct a reasonable remote audit or review available third-party audit reports to confirm Processor and Service Provider’s compliance with this Agreement and applicable Privacy Laws.

8.2. The Controller/Business may additionally request an on-site audit, subject to the same notice period. Unless a material breach of this Agreement is identified, the costs of any audit, whether remote or on-site, shall be borne by the Controller/Business, including costs incurred by the Processor and Service Provider to support or accommodate such audit.

8.3. If the Controller/Business seeks to perform more than one audit in a twelve-month period, such additional audits may be subject to reasonable fees to be agreed upon in advance, unless

  1. required by applicable law, or

  2. triggered by a Security Incident or material breach.

9. LIABILITY

9.1. The parties agree that each party’s aggregate liability arising from or relating to this Agreement, whether in contract, tort, or under any other theory of liability, shall not exceed the greater of (i) €100 or (ii) the total amount of fees paid by the Controller/Business to the Processor and Service Provider during the twelve (12) months immediately preceding the event giving rise to the claim, except in cases involving breaches of confidentiality, data security obligations, intentional misconduct or any administrative fines imposed directly on that party by a competent supervisory authority for that party’s breach of Privacy Laws. Nothing in this clause limits either party’s liability to Data Subjects under Article 82 GDPR.

9.2. The Controller/Business agrees to cooperate in good faith with the Processor and Service Provider to evaluate and respond to any Security Incident, including providing relevant contextual information and coordinating notification efforts, where appropriate.

10. GOVERNING LAW


This Agreement shall be governed by and interpreted in accordance with the laws of Lithuania, and the courts of Lithuania (Vilnius) shall have exclusive jurisdiction.


11. TERM AND TERMINATION

This Agreement shall become effective as of the Effective Date, upon signature by both parties, and shall remain in effect for the duration of the Processor and Service Provider’s processing of Personal Information under the Main Agreement.

12. MISCELLANEOUS 

12.1. If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

12.2. Neither party may assign or transfer any rights or obligations under this Agreement without the prior written consent of the other party, except in connection with a merger, acquisition, or sale of all or substantially all assets.

12.3. This Agreement may be amended only by written agreement duly signed by authorized representatives of both parties.

12.4. In case of conflict between this DPA and the Standard Contractual Clauses, the SCCs prevail; in case of conflict between this DPA and the Main Agreement, this DPA prevails with respect to Personal Data.


IN WITNESS WHEREOF, the Parties have executed this Agreement by their duly authorized representatives on the dates written below:


For the Controller/Business (Client):


Name: ____________________________________

Title: _____________________________________

Entity Name: _______________________________

Date: _____________________________________

Signature: _________________________________


For the Processor and Service Provider (TeamFill):


Name: ____________________________________

Title: _____________________________________

Entity Name: _______________________________

Date: _____________________________________

Signature: _________________________________


Annex I – Details of Processing 

  1. EU and UK Processing

Subject-matter: Provision of TeamFill’s SaaS video-interview and recruitment support platform.

Nature of the processing: Collection, recording, storage, transcription (speech-to-text), retrieval, consultation, transmission to Client, and deletion.

Purpose(s): (i) Hosting and streaming interview sessions; (ii) transcribing audio to text to support human review; (iii) enabling Client review, communication and selection workflows; (iv) security, troubleshooting, and analytics.

Duration: For the term of the Agreement and any post-termination retention period specified in §10 of this Agreement.

Categories of Data Subjects: Applicants; Client/Business administrators and authorised users.

Types of Personal Information:

  1. Identifiers: name, email, IP, device ID

  2. Professional data: résumé/CV, qualifications, role applied for

  3. Interview media: video & audio recordings

  4. Transcripts of interview answers

  5. Usage & log data; cookies and analytics events

Special Categories of Data: None intentionally processed. Any special-category elements appearing in interview answers are incidental and processed only under the Applicant’s explicit consent obtained by Controller/Business. If Applicants voluntarily disclose special-category data in answers, Controller/Business confirms explicit consent is collected; Processor and Service Provider processes only on that basis.

Frequency of transfers: Continuous, as determined by Controller/Business’s use of the Platform.

Hosting/Vendors:

  1. DigitalOcean (Frankfurt/AMS) - application and MySQL;

  2. AWS S3 (eu-central-1) - media;

  3. OpenAI (EU region) - transcription only. No automated scoring. No third-country transfer when OpenAI EU is used.

Where the Controller/Business configures Platform settings (including job roles, evaluation criteria, interview questions), such use shall be deemed an instruction under Article 28(3) GDPR and equivalent U.S. Service Provider obligations.


  2. Non-UK/EU processing

Subject-matter: Provision of TeamFill’s SaaS video-interview and recruitment support platform with optional AI Evaluation (advisory outputs).

Nature of the processing: Collection, recording, storage, transcription, automated analytical processing (AI Evaluation) generating advisory outputs, retrieval, consultation, transmission, and deletion.

Purpose(s): (i) Hosting and streaming; (ii) transcription; (iii) generating advisory summaries and scores against Client-defined criteria (outside restricted jurisdictions); (iv) Client review and communications; (v) security, troubleshooting, analytics.

Types of Personal Information:

  1. Identifiers: name, email, IP, device ID

  2. Professional data: résumé/CV, qualifications, role applied for

  3. Interview media: video & audio recordings

  4. Transcripts of interview answers

  5. Usage & log data; cookies and analytics events

  6. AI-generated inferences and outputs (advisory)

Automated decision making: Outputs are advisory only; Clients make final decisions and must comply with local law.

Hosting/Vendors:

  1. DigitalOcean - application and MySQL;

  2. AWS - media;

  3. OpenAI, Inc. (US region) - transcription & AI Evaluation (advisory).

Annex II – Technical & Organisational Measures ("TOMs")


The Processor and Service Provider implements appropriate technical and organisational measures to ensure the security of Personal Information in accordance with applicable data protection laws. These measures are designed to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, and include, at minimum, the following controls:

  1. Data Encryption and Transmission Security. All Personal Information is encrypted in transit using TLS 1.2 or higher. Data at rest, including files stored in AWS S3 or other designated storage environments, is encrypted using industry-standard encryption such as AES‑256. Secure protocols are applied to all data transfers.

  2. Access and Authentication Controls. Access to Personal Information is limited to authorised personnel with a business need. Access is controlled through role-based permissions. Administrative interfaces and sensitive environments are protected by authentication safeguards including multi-factor authentication for high-privilege accounts.

  3. System and Network Security. The platform operates in a segregated cloud infrastructure environment with firewall rules and access restrictions. Internal communications between services are secured using HTTPS or other secure transport methods.

  4. Monitoring and Logging. Security logs are maintained for relevant infrastructure and application events. Logs are retained for no less than twenty-four (24) months in secure storage and monitored for anomalies. Operational monitoring tools are in place to detect service errors and potential threats.

  5. Backups and Disaster Recovery. Regular backups are maintained for key systems. Recovery procedures are tested periodically to ensure data restoration can be achieved within reasonable timeframes. Backup data is stored securely and subject to encryption and access control.

  6. Patch and Vulnerability Management. Security updates and software patches are applied in a timely manner, with prioritisation of critical vulnerabilities. Processor monitors its systems and dependencies for known security risks using standard industry tools.

  7. Incident Response. A formal incident response process is in place. In the event of a Security Incident involving Personal Information, the Processor shall notify the Controller without undue delay and no later than twenty-four (24) hours after becoming aware of the incident, in accordance with this Agreement.

  8. Personnel and Confidentiality. All employees and personnel with access to Personal Information are subject to confidentiality obligations. Security awareness training is provided during onboarding and regularly thereafter.

  9. Vendor and Subprocessor Oversight. Processor conducts due diligence before engaging any subprocessor and ensures that all subprocessors are contractually bound to equivalent technical and organisational safeguards.

  10. Compliance Planning. The Processor is pursuing certification under industry frameworks (such as SOC 2 Type II or ISO/IEC 27001) to validate its data protection and security practices.


Annex III – Approved Sub‑processors


  1. EEA/UK approved processors. Applies when the Controller’s tenant is provisioned in the EU/UK. Data is processed in-region; no automated scoring in EU/UK:

Sub-processor | Service and Purpose | Processing region

DigitalOcean LLC (Frankfurt/AMS) | Application & MySQL hosting | EU (DE/NL)

Amazon Web Services – S3 (eu-central-1) | Object storage for media (video/audio) | EU (DE)

OpenAI (EU region) | Transcription (speech-to-text) only | EU

SendGrid, Inc. (if enabled) | Transactional email delivery (notifications, scheduling) | US

Intercom (if enabled) | Support / in-app messaging | EU or US (per config)

Google Analytics 4 (if enabled) | Product analytics (usage, performance) | EU collection with IP-masking; further processing by Google

Microsoft Clarity (if enabled) | Session diagnostics (UX) | EU collection where available


  2. US approved processors. Applies when the Controller’s tenant is provisioned in the United States. Data is processed in-region; AI Evaluation (automated advisory scoring) may be enabled where legally permitted:

Sub-processor | Service / Purpose | Processing region

DigitalOcean Holdings, Inc. (NYC3) | Application & MySQL hosting | US

Amazon Web Services – S3 (us-east-1) | Object storage for media (video/audio) | US

OpenAI, Inc. (US region) | Transcription (STT) & AI Evaluation (advisory outputs) | US

SendGrid, Inc. (if enabled) | Transactional email delivery (notifications, scheduling) | US

Intercom, Inc. (if enabled) | Support / in-app messaging | US

Google Analytics 4 (if enabled) | Product analytics (usage, performance) | US/EU processing by Google

Microsoft Clarity (if enabled) | Session diagnostics (UX) | US/EU processing by Microsoft



  3. The Controller/Business grants a general authorisation for these sub-processors. Processor and Service Provider shall provide thirty (30) calendar days’ prior notice of any intended changes and will allow Controller/Business to object on reasonable data-protection grounds.