Data Processing Agreement
Version 1.0 — Effective May 28, 2026 · NEXTCORE AI LLC / TalentLane
Contents
- Definitions
- Roles and Relationship
- Subject Matter & Nature of Processing
- Processor Obligations (TalentLane)
- Controller Obligations (Customer)
- Authorized Subprocessors
- Data Subject Rights
- Security Measures
- Data Breach Notification
- Return and Deletion of Data
- International Data Transfers
- Audit Rights
- Term and Termination
- Order of Precedence
- Contact and Execution
1 Definitions
- "Agreement" means the TalentLane Terms of Service or any other written agreement between the parties governing use of the Service.
- "Controller" means the Customer (employer or recruiter account holder) who determines the purposes and means of processing Personal Data through the Service.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed in connection with the Service.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council, and, where applicable, the UK GDPR and the Swiss Federal Act on Data Protection (FADP).
- "Personal Data" means any information relating to an identified or identifiable natural person processed through the Service, as further described in Section 3.
- "Processing" has the meaning given to it in the GDPR, and includes any operation or set of operations performed on Personal Data.
- "Processor" means TalentLane / NEXTCORE AI LLC, a West Virginia limited liability company, which processes Personal Data on behalf of the Controller in connection with providing the Service.
- "Service" means the TalentLane job platform available at talentlane.biz and all related APIs and features.
- "Standard Contractual Clauses (SCCs)" means the EU Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission under Decision 2021/914/EU.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller in connection with the Service.
2 Roles and Relationship
The parties agree that with respect to Personal Data uploaded to or processed through the Service by the Customer:
- The Customer is the Controller and NEXTCORE AI LLC is the Processor, within the meaning of applicable data protection law.
- NEXTCORE AI LLC processes Personal Data only on documented instructions from the Controller, unless required by applicable law (in which case TalentLane will, to the extent permitted by law, inform the Controller).
- The Controller is responsible for ensuring it has a lawful basis for processing under applicable data protection law, and for providing required privacy notices to Data Subjects.
- This DPA forms part of the Agreement between the parties and prevails over the Agreement in the event of any conflict relating to data protection matters (see Section 14).
3 Subject Matter, Duration, and Nature of Processing
| Subject matter | Operation of the TalentLane job platform for the Customer's use |
| Duration | For the term of the Agreement, plus any applicable retention period specified in Section 10 |
| Nature of processing | Collection, storage, retrieval, transmission, AI analysis (where applicable), and deletion of Personal Data |
| Purpose | Facilitating job postings, candidate applications, employer-seeker matching, and AI-assisted hiring tools on behalf of the Controller |
| Categories of Personal Data | Job seeker name, email address, resume and work history, professional skills; application data and cover letters; in-platform message content; account identifiers |
| Categories of Data Subjects | Job seekers who apply to the Customer's job postings; candidates whose profiles the Customer reviews or accesses through the Service |
4 Data Processor Obligations (TalentLane)
TalentLane shall:
- Process Personal Data only on documented instructions from the Controller, except where required by applicable law;
- Ensure that personnel authorized to access Personal Data are bound by written confidentiality obligations;
- Implement and maintain appropriate technical and organizational security measures as described in Section 8;
- Assist the Controller in responding to Data Subject rights requests to the extent technically feasible (see Section 7);
- Make available all information reasonably necessary to demonstrate compliance with this DPA, and cooperate with audits as provided in Section 12;
- Notify the Controller without undue delay upon becoming aware of a Personal Data breach (see Section 9);
- Not engage new Sub-processors without prior written authorization from the Controller (general authorization is granted for the Sub-processors listed in Section 6); and
- Delete or return Personal Data upon termination of the Agreement in accordance with Section 10.
5 Data Controller Obligations (Customer)
The Controller shall:
- Ensure it has a valid lawful basis under applicable data protection law for all Personal Data submitted to or processed through the Service;
- Provide appropriate and timely privacy notices to Data Subjects regarding processing carried out through the Service;
- Ensure it has the legal authority to instruct TalentLane as Processor with respect to all Personal Data submitted;
- Comply with all applicable data protection law in its use of the Service, including obligations under GDPR, CCPA/CPRA, and any other applicable national or state law; and
- Not submit special category data (as defined in GDPR Article 9, including health data, racial or ethnic origin, religious beliefs, sexual orientation) through the Service unless expressly agreed in writing by TalentLane.
6 Authorized Subprocessors
By executing this DPA, the Controller provides general written authorization for TalentLane to use the following Sub-processors to process Personal Data in connection with the Service:
| Sub-processor | Location | Processing Activity |
|---|---|---|
| Auth0 (Okta) | United States | User authentication and identity verification |
| Amazon Web Services | United States (us-east-2) | Application hosting (EC2); file storage (S3); transactional email delivery (SES/SNS) |
| Stripe | United States | Payment and subscription processing — billing metadata only; no candidate or job seeker data is shared with Stripe |
| Anthropic (Claude API) | United States | AI analysis of resume text and job descriptions — only when AI features are explicitly triggered by the Customer; not used for ongoing background processing |
TalentLane will notify the Controller at least 14 days in advance of adding or replacing Sub-processors. If the Controller objects on reasonable data protection grounds, it may terminate the Agreement with 30 days' written notice to TalentLane.
7 Data Subject Rights
TalentLane will assist the Controller in fulfilling its obligations to respond to Data Subject rights requests (including rights of access, rectification, erasure, restriction, portability, and objection) to the extent technically feasible, taking into account the nature of the processing.
Data Subjects may exercise certain rights (including access and deletion) directly through the TalentLane platform or by contacting privacy@talentlane.biz. Where TalentLane receives a Data Subject request that relates to Personal Data for which the Controller is the appropriate responding party, TalentLane will promptly forward the request to the Controller.
8 Security Measures
TalentLane implements and maintains the following technical and organizational measures to protect Personal Data:
- Encryption in transit: TLS 1.2+ for all data transmitted between users and the platform; all inter-service communication within AWS uses encrypted channels.
- Encryption at rest: All files stored in Amazon S3 use Server-Side Encryption (SSE-S3).
- Access control: Role-based access control enforced at every route; principle of least privilege applied to internal system access; all authentication managed by Auth0 (Okta).
- Database security: All database queries use parameterized placeholders — no dynamic SQL; PostgreSQL operates within an AWS VPC not exposed to the public internet.
- Application security: Jinja2 template auto-escaping for XSS prevention; HttpOnly, Secure, and SameSite=Lax session cookies; file uploads validated and stored to S3 without server execution.
- Personnel controls: Access to production systems is limited to authorized personnel and governed by confidentiality obligations.
- Incident response: A documented breach response process is maintained targeting 72-hour notification (see Section 9).
A full description of current security measures is available at talentlane.biz/security.
9 Data Breach Notification
In the event of a Personal Data breach, TalentLane will:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach;
- Provide, to the extent known at the time of notification: the nature of the breach; the categories and approximate number of Data Subjects and Personal Data records affected; the likely consequences of the breach; and the measures taken or proposed to address the breach and mitigate its effects;
- Cooperate fully with the Controller's investigation and assist in fulfilling any breach notification obligations to supervisory authorities and Data Subjects as required by applicable law; and
- Maintain written records of all Personal Data breaches, including those that do not require notification to Data Subjects or supervisory authorities.
Breach notifications will be sent to the Controller's account email address and, if a separate security contact has been designated by the Controller, to that contact as well.
10 Return and Deletion of Personal Data
Upon termination or expiration of the Agreement, TalentLane will, at the Controller's written election:
- Return all Personal Data processed on behalf of the Controller in a machine-readable format within 30 days of written request; or
- Securely delete or destroy all such Personal Data within 30 days and, upon written request, certify such deletion to the Controller.
TalentLane may retain Personal Data beyond this period only where required by applicable law (for example, financial and billing records may be retained for 7 years in compliance with US law). In any such case, TalentLane will continue to apply the security measures described in Section 8 to such retained data and will not process it for any other purpose.
11 International Data Transfers
TalentLane operates from and stores data in the United States. Where Personal Data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States, such transfers are governed by the Standard Contractual Clauses (Module 2: Controller to Processor) adopted by the European Commission under Decision 2021/914/EU, which are incorporated by reference into this DPA.
TalentLane agrees to execute the SCCs with any Controller subject to GDPR upon written request. For UK transfers, TalentLane will rely on the UK Addendum to the EU SCCs as approved by the UK Information Commissioner's Office.
12 Audit Rights
TalentLane will make available all information reasonably necessary to demonstrate compliance with this DPA. The Controller may conduct or commission audits of TalentLane's data processing activities relevant to this DPA, subject to the following conditions:
- At least 30 days' advance written notice to TalentLane;
- Reasonable written confidentiality obligations on any third-party auditor;
- A frequency limit of once per calendar year unless a Personal Data breach has occurred; and
- Audit costs are borne by the Controller, unless non-compliance with this DPA is found, in which case costs are borne by TalentLane.
TalentLane may satisfy an audit request by providing a copy of a relevant third-party audit report (such as a SOC 2 report, once available) in lieu of an on-site audit, provided such report is reasonably sufficient to address the audit scope requested.
13 Term and Termination
This DPA is effective as of the date both parties have executed it (or, if earlier, the date the Customer accepted the TalentLane Terms of Service) and continues in force until the Agreement expires or is terminated by either party.
The following sections survive termination or expiration of this DPA: Section 4(b) (confidentiality), Section 8 (security measures, for retained data), Section 9 (breach notification, for incidents occurring prior to termination), Section 10 (return and deletion), and Section 11 (international transfers).
14 Order of Precedence
In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA controls with respect to data protection and data processing matters. In the event of any conflict between this DPA and the Standard Contractual Clauses incorporated pursuant to Section 11, the SCCs control.
15 Contact and Execution
To request a countersigned copy of this DPA for your organization:
Email: legal@talentlane.biz
Subject line: "DPA Execution Request — [Your Company Name]"
Please include: your company's legal name; the full name and title of your authorized signatory; the email address to which the countersigned copy should be returned; and any deadline or procurement reference number.
The parties below agree to the terms of this Data Processing Agreement as of the effective date indicated.
Controller (Customer)
Processor (NEXTCORE AI LLC / TalentLane)
Countersigned copies are provided by TalentLane upon receipt and review of the execution request. Allow up to 3 business days for countersignature.