Updated: September 29, 2025

Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") forms part of the Master Services Agreement or other written or electronic agreement (the “Agreement”) between Ribbon.ai (“Ribbon,” “we,” or “Processor”) and the customer entity that has subscribed to our Services (“Customer” or “Controller”). This DPA applies to the extent that Ribbon processes Personal Data on behalf of the Customer in the course of providing the Services.

1. Definitions

  • “Applicable Data Protection Law” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
  • “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, and “Personal Data Breach” shall have the meanings ascribed to them in the GDPR.
  • "Services" refers to the Ribbon AI-Powered Interviewing Platform and any related services provided by Ribbon to the Customer..
  • "Sub-processor" means any third-party vendor engaged by Ribbon to Process Personal Data.

2. Roles and Responsibilities

The parties agree that for the purposes of Applicable Data Protection Law, the Customer is the Data Controller and Ribbon is the Data Processor. Ribbon will only process Personal Data in accordance with the Customer's documented lawful instructions, which include the Agreement and this DPA.

3. Details of Processing

The subject matter, duration, nature, and purpose of the Processing, as well as the types of Personal Data and categories of Data Subjects, are detailed in Annex I of this DPA.

4. Processor's Obligations

Ribbon agrees to:

  • Confidentiality: Ensure that any person authorized to Process Personal Data is subject to a strict duty of confidentiality.
  • Security: Implement and maintain the appropriate technical and organizational measures detailed in Annex II to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
  • Sub-processing: Only engage Sub-processors with the Customer’s general written authorization. The currently approved list of Sub-processors is available in Annex III. We will provide at least 30 days' prior notice of any new or replacement Sub-processors, giving the Customer an opportunity to object. We will maintain a written contract with each Sub-processor that imposes data protection obligations no less protective than those in this DPA.
  • Data Subject Rights: Provide reasonable assistance to the Customer to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, in line with our "Data Subject Rights and Request Policy".
  • Personal Data Breaches: Notify the Customer without undue delay upon becoming aware of a Personal Data Breach. This notification will be supported by our formal Incident Response Policy.
  • Data Protection Impact Assessments (DPIAs): Provide reasonable assistance to the Customer with any DPIAs or consultations with supervisory authorities as required.
  • Data Deletion/Return: Upon termination of the Agreement, and at the Customer's choice, delete or return all Personal Data, as governed by our "Data Retention and Disposal Policy".
  • Audits: Upon reasonable request, make available to the Customer all information necessary to demonstrate compliance with this DPA.

5. International Data Transfers


6. Questions

For any questions regarding this DPA or our data protection practices, please contact our Data Protection Officer:

  • Name: Arsham Ghahramani
  • Email: arsham@ribbon.ai
  • Phone: +1 647 914 5611

Annex I: Details of Processing


  • Data Subjects: Job applicants ("candidates") who interact with the Ribbon platform on behalf of the Customer.
  • Categories of Personal Data:
    • Contact details, including names.
    • Video and audio recordings of interviews, along with their transcripts.
    • Any personally identifiable information contained within a candidate's interview responses.
    • For bias auditing purposes, demographic data such as gender and ethnicity may also be processed.
  • Nature and Purpose of Processing:
    • The primary purpose is to provide an automated interview screening platform that helps recruitment teams hire more efficiently and effectively.
    • Processing includes using a voice AI agent to autonomously conduct, record, and analyze video and voice interviews.
    • This involves analyzing interview performance against defined rubrics, evaluating skills and language proficiency, and generating scores and ranked shortlists for human recruiters.
  • Duration of Processing: Personal Data will be processed for the duration of the Agreement or as otherwise defined by client requirements and the company's Data Retention and Disposal Policy.

Annex II: Technical and Organizational Security Measures

Ribbon is committed to the principle of "Privacy by Design" and has implemented the following measures to mitigate risks to data subjects:

  • Security Framework: Our security framework is validated by a SOC 2 Type 1 Report. We employ strict access controls, including role-based access control with multi-factor authentication (MFA).
  • Encryption: We use robust encryption protocols, including TLS for data in transit and AES-256 for data at rest, to protect all Personal Data.
  • Bias and Fairness Mitigation: To mitigate the risk of algorithmic bias, we engage in ongoing, annual third-party Bias Audits conducted by Holistic AI. Our last audit found "No exceptions were observed" regarding adverse impact.
  • Transparency and Human Oversight: Our "Automated Decision-Making Policy" provides candidates with the right to meaningful information about the logic involved in our assessments. It also grants candidates the right to obtain human intervention and contest a decision, preventing purely automated negative outcomes.
  • Data Minimization: We adhere to data minimization principles, ensuring that only Personal Data strictly necessary for the interview analysis is collected and used solely for candidate evaluation.
  • Resilience and Incident Response: We use secure hosting with Amazon Web Services (AWS) and maintain a formal Incident Response Policy to manage any potential security breaches effectively.

Annex III: List of Approved Sub-processors

To deliver our Services, Ribbon engages the following Sub-processors:

Each entry lists the Sub-processor name, the purpose of processing, and the location of the entity.

  • OpenAI, L.L.C. (United States): Provides AI language models used to power conversation analysis, summarization, and content generation within the platform.
  • Amazon Web Services, Inc. (United States, Canada, UK): Cloud infrastructure provider used for secure data hosting, storage, and compute services supporting the platform's operations.
  • Supabase, Inc. (United States): Backend service for managing databases, authentication, and real-time data syncing across application components.
  • Slack Technologies, LLC (United States): Internal communication platform used by the team for customer support, incident notifications, and operational coordination.
  • Vercel Inc. (United States): Hosting and deployment platform used for serving the front-end web application and related static assets.
  • Linear Orbit, Inc. (United States): Project and issue tracking tool used for managing internal development tasks and product improvements.
  • GitHub, Inc. (United States): Source code management and version control platform used for code hosting, collaboration, and CI/CD pipelines.
  • Google LLC (United States): Productivity suite (Google Workspace) used for internal business operations such as email (Gmail), document storage (Drive), and collaboration (Docs, Sheets).
  • Cloudflare, Inc. (United States): Provides CDN, DNS, and security services including DDoS protection, caching, and SSL encryption for the platform.
  • Notion Labs, Inc. (United States): Internal documentation and knowledge management tool used to organize company processes and operational resources.