How Exterview processes and protects Customer Personal Data
This Data Processing Agreement forms part of the agreement between Customer (the Controller) and Exterview AI (the Processor) for the provision of the Services. The DPA governs how Personal Data is processed while delivering the Services and is designed to support compliance with applicable privacy and data protection laws, including the EU General Data Protection Regulation (GDPR). This agreement applies whenever Exterview processes Personal Data on behalf of the Customer as part of delivering the Services. If there is any conflict between this DPA and the underlying Agreement regarding the processing of Personal Data, the terms of this DPA will prevail.
Unless otherwise defined in this Agreement, capitalized terms have the meanings given under the GDPR or the governing Agreement.
| Term | Definition |
|---|---|
| Controller | The organization that determines the purposes and means of processing Personal Data. |
| Processor | Exterview AI, acting on behalf of the Controller to process Personal Data in connection with the Services. |
| Sub-processor | A third party engaged by Exterview AI to process Personal Data while delivering the Services. |
| Personal Data | Any information relating to an identified or identifiable individual as defined under applicable data protection laws. |
| Data Transfer | Any transfer of Personal Data between the Controller, Processor, or an approved Sub-processor, including international transfers. |
| EU GDPR | Regulation (EU) 2016/679 (General Data Protection Regulation). |
| Standard Contractual Clauses (SCCs) | The European Commission's approved contractual clauses used to safeguard international transfers of Personal Data where required. |
The Controller authorizes Exterview AI to process Personal Data only as necessary to provide the Services. Data Subjects: Personal Data may relate to:
Customer administrators and authorized users
Candidates and interview participants
Individuals whose information is submitted through the Exterview platform
Categories of Personal Data: Depending on the Services used, Personal Data may include:
Name and contact information, user account information, and employment and education details
Interview recordings (audio and video), and voice and facial imagery
Assessment reports, AI-generated scores and rankings, and technical and system usage information. The detailed categories of Personal Data processed are described in Annex I of this Agreement.
Exterview AI will process Personal Data for the duration of the Agreement unless otherwise instructed in writing by the Controller or required by applicable law.
Exterview AI processes Personal Data solely to deliver the Services described in the Agreement, including:
Conducting interviews and processing candidate assessments
Generating evaluation reports and supporting recruitment workflows
Maintaining and securing the platform, and providing customer support
Meeting applicable legal and contractual obligations
Personal Data is processed only on documented instructions from the Controller and for the purposes authorized under the Agreement.
Controller Responsibilities: The Controller remains responsible for determining the purpose and legal basis for processing Personal Data. The Controller agrees to:
Ensure it has a lawful basis for processing Personal Data
Obtain any required consents from Data Subjects, and provide appropriate privacy notices
Maintain records of consent where required, and notify Exterview AI if consent is withdrawn or processing instructions change
Request deletion or return of Personal Data where appropriate
Promptly inform Exterview AI of Data Subject requests to access, correct, or delete Personal Data; privacy complaints or alleged violations; regulatory investigations or legal requests; or any other circumstance requiring Processor assistance
Throughout the provision of the Services, Exterview AI is committed to processing Personal Data in accordance with the following principles:
Process Personal Data lawfully, fairly, and transparently
Process data only for specified and legitimate purposes
Limit processing to the minimum information necessary
Maintain appropriate accuracy and integrity of Personal Data
Protect Personal Data through appropriate technical and organizational security measures
Support the Controller in meeting applicable privacy and regulatory obligations
Exterview AI processes Personal Data only on documented instructions received from the Controller. As Processor, Exterview AI will:
Process Personal Data only for the purposes defined in the Agreement, and comply with documented instructions provided by the Controller
Notify the Controller if any instruction appears to violate applicable data protection laws
Provide reasonable assistance in responding to Data Subject requests, and assist with Data Protection Impact Assessments (DPIAs) where required
Support compliance with applicable GDPR obligations, and ensure any international transfer of Personal Data is protected using appropriate contractual safeguards
Use only authorized personnel and approved Sub-processors, and maintain appropriate technical and organizational safeguards throughout the processing lifecycle
Exterview AI implements appropriate technical and organizational measures to protect the confidentiality, integrity, and availability of Personal Data processed on behalf of the Controller.
All personnel with access to Personal Data are authorized to access it only where required for their role, bound by confidentiality obligations, regularly trained on data privacy, information security, and secure handling of Personal Data, and required to follow Exterview AI's internal security and privacy policies.
| Security Area | Key Controls |
|---|---|
| Security Governance | ISO/IEC 27001:2022 aligned Information Security Management System; regular independent risk assessments and security reviews; annual policy reviews; vendor risk management; formal vulnerability management and penetration testing. |
| Personnel Security | Confidentiality agreements for all personnel; background verification where permitted by law; security awareness and privacy training; role-based authorization; ongoing compliance training. |
| Identity & Access Management | Multi-factor authentication (MFA); Microsoft Entra ID Single Sign-On; Privileged Identity Management (PIM); role-based access controls; least-privilege access; periodic access reviews; comprehensive audit logging. |
| Infrastructure Security | Microsoft Azure cloud infrastructure; multi-region deployment; multiple Availability Zones; secure backup and disaster recovery; operating system hardening; continuous vulnerability scanning; patch management. |
| Data Protection | Encryption in transit (TLS/HTTPS) and at rest; secure key management; logical separation of customer environments; secure data destruction procedures. |
| Monitoring & Incident Response | Continuous infrastructure and security monitoring; centralized logging through Microsoft Sentinel; incident detection and response procedures; root cause analysis; corrective and preventive actions. |
Access to Personal Data is limited to authorized personnel on a least-privilege and need-to-know basis.
Exterview AI maintains a comprehensive Information Security Management System designed to safeguard Customer Personal Data throughout its lifecycle. These controls are further detailed in Annex II of this Agreement.
Upon reasonable written request, Exterview AI will provide information necessary to demonstrate compliance with this Data Processing Agreement and applicable data protection laws
Where reasonably required, the Controller may conduct an audit or appoint an independent representative to verify Processor compliance
At least 15 days' prior written notice is required before an audit, and audits must be conducted during normal business hours
Exterview AI will provide reasonable cooperation and access to relevant information
The Controller is responsible for the costs associated with its audit
Where Personal Data is transferred outside the European Economic Area (EEA) or another jurisdiction requiring transfer safeguards, Exterview AI ensures that appropriate legal mechanisms are in place before any transfer occurs
Where required, transfers are protected through Standard Contractual Clauses (SCCs)
Transfers may also be protected through applicable adequacy decisions
Or other lawful transfer mechanisms recognized under applicable privacy laws
International transfers are performed only to support the delivery of the Services and are subject to contractual and technical safeguards that maintain an equivalent level of protection for Personal Data.
To deliver the Services, Exterview AI may engage carefully selected Sub-processors that provide infrastructure, security, communications, and operational services.
Before engaging any Sub-processor, Exterview AI ensures that appropriate contractual obligations are in place requiring protection of Personal Data consistent with this Agreement
Exterview AI remains responsible for the performance of its Sub-processors and their compliance with applicable data protection obligations
The Controller will be notified at least 30 calendar days before any material changes to approved Sub-processors
If the Controller reasonably believes that a proposed Sub-processor creates a material data protection risk, both Parties will work together in good faith to resolve the concern.
A complete list of approved Sub-processors is provided below (Annex III of this Agreement).
Approved Sub-processors:
| Sub-processor | Purpose | Region |
|---|---|---|
| Microsoft Azure | Cloud infrastructure, hosting, AI processing, storage | United States, Europe, India |
| Microsoft Entra ID | Identity management, MFA, Single Sign-On | United States |
| Microsoft Intune | Endpoint and device management | United States |
| Microsoft Purview | Data governance and data loss prevention | United States |
| Microsoft Sentinel | Security monitoring and SIEM | United States |
| Google Workspace | Business email and collaboration | United States |
| GitHub Enterprise | Source code management and CI/CD | India |
| Notion | Internal documentation and knowledge management | United States |
| Linear | Project management | India |
| Scrut Automation | Governance, Risk & Compliance | India |
| Slack | Internal collaboration | United States |
| Twilio | SMS and voice communications | United States |
| Exotel | Cloud telephony services | India |
| VideoSDK | Interview video infrastructure and recording | United States |
| Tavus | AI Avatar video generation | United States |
| Zoho (People & Books) | HR and finance operations | India |
Exterview AI maintains documented procedures for identifying, investigating, managing, and responding to Personal Data Breaches. If Exterview AI becomes aware of a Personal Data Breach affecting Customer Personal Data, it will notify the Controller without undue delay, unless the incident is unlikely to result in a risk to the rights and freedoms of individuals
Where applicable, Exterview AI will provide reasonable assistance to help the Controller assess the impact of the incident and meet regulatory notification obligations
Exterview AI will also help notify affected individuals where required, and investigate the root cause of the incident
Exterview AI will help implement appropriate remediation measures to reduce future risk. A breach notification or incident response provided by Exterview AI does not constitute an admission of fault or liability
Upon termination of the Agreement or cessation of the Services, Exterview AI will, based on the Controller's instructions, return Customer Personal Data in a commonly used format, or securely delete Customer Personal Data from its systems
Unless otherwise required by applicable law, this process will begin within 30 days of termination or the end of the Services
Where legally required to retain certain information, Exterview AI will continue to protect that data in accordance with this Agreement until lawful deletion is permitted
Following completion of the retention period, Personal Data and all reasonably accessible copies will be securely deleted using industry-standard data destruction practices
Exterview AI is committed to maintaining a secure, transparent, and compliant processing environment that enables Customers to meet their obligations under applicable privacy and data protection laws while protecting the confidentiality, integrity, and availability of Personal Data throughout the processing lifecycle.
This Schedule forms part of the Data Processing Agreement and provides additional information about the parties involved, the categories of Personal Data processed, international data transfers, security controls, and approved Sub-processors supporting the delivery of the Services. Where the Controller is established within the European Economic Area, the competent supervisory authority shall be determined in accordance with applicable GDPR requirements and the Standard Contractual Clauses. Personal Data is retained only for the period necessary to deliver the Services or as otherwise specified in the Agreement and applicable law, and processing occurs on a continuous basis throughout the Customer's use of the Services.
| Role | Organization | Details |
|---|---|---|
| Data Exporter (Controller) | Customer (as identified in the applicable Agreement or Order Form) | Recipient of the Services provided by Exterview AI. Address & contact as specified in the applicable Agreement or Order Form. |
| Data Importer (Processor) | Exterview AI — 16192 Coastal Highway, Lewes, Delaware 19958, USA | Processing Personal Data solely to deliver the Services under the Agreement. Privacy Contact: Anusha Surapaneni, CISO (Interim DPO) — anusha@exterview.ai |
Exterview AI processes Personal Data to:
Collect interview information, and host and store customer data
Conduct AI-assisted interview analysis, and generate assessment reports
Deliver recruitment workflows, and provide platform administration and support
Secure and improve the Services, and delete or return Personal Data when required
Some Services process sensitive Personal Data, including biometric information (voice and facial imagery) and AI-generated candidate assessments. Where applicable, such processing is carried out under the Controller's instructions using appropriate safeguards, including:
Purpose limitation, and access controls
Encryption, and audit logging
Restricted onward transfers, and appropriate consent where required by law
Depending on the Services used, Exterview AI may process:
Name and contact information, user identifiers, and employment and education details
Candidate profile information
Audio and video interview recordings, voice recordings, and facial imagery
AI-generated assessment reports, and candidate scores and rankings
Technical and system usage information
Personal Data processed through the Services may relate to:
Customer administrators and authorized users
Recruiters and hiring managers
Job applicants and interview participants
Individuals whose Personal Data is submitted through the platform
If you have questions regarding this Data Processing Agreement or Exterview AI's data processing practices, please contact our privacy team.
Email: privacy@exterview.ai
Company: Exterview Solutions Private Limited
Privacy Team: Information Security & Privacy Office
Interim Data Protection Officer: Anusha Surapaneni, Chief Information Security Officer (CISO)
Security Contact: anusha@exterview.ai
Registered Address: 16192 Coastal Highway, Lewes, Delaware 19958, USA
We are committed to maintaining the highest standards of privacy, security, and regulatory compliance and welcome any questions regarding our data processing practices.