Data Processing

How Exterview processes and protects Customer Personal Data

About this Agreement

This Data Processing Agreement forms part of the agreement between Customer (the Controller) and Exterview AI (the Processor) for the provision of the Services. The DPA governs how Personal Data is processed while delivering the Services and is designed to support compliance with applicable privacy and data protection laws, including the EU General Data Protection Regulation (GDPR). This agreement applies whenever Exterview processes Personal Data on behalf of the Customer as part of delivering the Services. If there is any conflict between this DPA and the underlying Agreement regarding the processing of Personal Data, the terms of this DPA will prevail.

Definitions

Unless otherwise defined in this Agreement, capitalized terms have the meanings given under the GDPR or the governing Agreement.

TermDefinition
ControllerThe organization that determines the purposes and means of processing Personal Data.
ProcessorExterview AI, acting on behalf of the Controller to process Personal Data in connection with the Services.
Sub-processorA third party engaged by Exterview AI to process Personal Data while delivering the Services.
Personal DataAny information relating to an identified or identifiable individual as defined under applicable data protection laws.
Data TransferAny transfer of Personal Data between the Controller, Processor, or an approved Sub-processor, including international transfers.
EU GDPRRegulation (EU) 2016/679 (General Data Protection Regulation).
Standard Contractual Clauses (SCCs)The European Commission's approved contractual clauses used to safeguard international transfers of Personal Data where required.

Scope of Processing

The Controller authorizes Exterview AI to process Personal Data only as necessary to provide the Services. Data Subjects: Personal Data may relate to:

Customer administrators and authorized users

Candidates and interview participants

Individuals whose information is submitted through the Exterview platform

Categories of Personal Data: Depending on the Services used, Personal Data may include:

Name and contact information, user account information, and employment and education details

Interview recordings (audio and video), and voice and facial imagery

Assessment reports, AI-generated scores and rankings, and technical and system usage information. The detailed categories of Personal Data processed are described in Annex I of this Agreement.

Duration of Processing

Exterview AI will process Personal Data for the duration of the Agreement unless otherwise instructed in writing by the Controller or required by applicable law.

Exterview AI processes Personal Data solely to deliver the Services described in the Agreement, including:

Conducting interviews and processing candidate assessments

Generating evaluation reports and supporting recruitment workflows

Maintaining and securing the platform, and providing customer support

Meeting applicable legal and contractual obligations

Personal Data is processed only on documented instructions from the Controller and for the purposes authorized under the Agreement.

Processing Principles

Throughout the provision of the Services, Exterview AI is committed to processing Personal Data in accordance with the following principles:

Process Personal Data lawfully, fairly, and transparently

Process data only for specified and legitimate purposes

Limit processing to the minimum information necessary

Maintain appropriate accuracy and integrity of Personal Data

Protect Personal Data through appropriate technical and organizational security measures

Support the Controller in meeting applicable privacy and regulatory obligations

Processor Responsibilities

Exterview AI processes Personal Data only on documented instructions received from the Controller. As Processor, Exterview AI will:

Process Personal Data only for the purposes defined in the Agreement, and comply with documented instructions provided by the Controller

Notify the Controller if any instruction appears to violate applicable data protection laws

Provide reasonable assistance in responding to Data Subject requests, and assist with Data Protection Impact Assessments (DPIAs) where required

Support compliance with applicable GDPR obligations, and ensure any international transfer of Personal Data is protected using appropriate contractual safeguards

Use only authorized personnel and approved Sub-processors, and maintain appropriate technical and organizational safeguards throughout the processing lifecycle

Security & Confidentiality

Exterview AI implements appropriate technical and organizational measures to protect the confidentiality, integrity, and availability of Personal Data processed on behalf of the Controller.

All personnel with access to Personal Data are authorized to access it only where required for their role, bound by confidentiality obligations, regularly trained on data privacy, information security, and secure handling of Personal Data, and required to follow Exterview AI's internal security and privacy policies.

Security AreaKey Controls
Security GovernanceISO/IEC 27001:2022 aligned Information Security Management System; regular independent risk assessments and security reviews; annual policy reviews; vendor risk management; formal vulnerability management and penetration testing.
Personnel SecurityConfidentiality agreements for all personnel; background verification where permitted by law; security awareness and privacy training; role-based authorization; ongoing compliance training.
Identity & Access ManagementMulti-factor authentication (MFA); Microsoft Entra ID Single Sign-On; Privileged Identity Management (PIM); role-based access controls; least-privilege access; periodic access reviews; comprehensive audit logging.
Infrastructure SecurityMicrosoft Azure cloud infrastructure; multi-region deployment; multiple Availability Zones; secure backup and disaster recovery; operating system hardening; continuous vulnerability scanning; patch management.
Data ProtectionEncryption in transit (TLS/HTTPS) and at rest; secure key management; logical separation of customer environments; secure data destruction procedures.
Monitoring & Incident ResponseContinuous infrastructure and security monitoring; centralized logging through Microsoft Sentinel; incident detection and response procedures; root cause analysis; corrective and preventive actions.

Access to Personal Data is limited to authorized personnel on a least-privilege and need-to-know basis.

Exterview AI maintains a comprehensive Information Security Management System designed to safeguard Customer Personal Data throughout its lifecycle. These controls are further detailed in Annex II of this Agreement.

Audit & Compliance

Upon reasonable written request, Exterview AI will provide information necessary to demonstrate compliance with this Data Processing Agreement and applicable data protection laws

Where reasonably required, the Controller may conduct an audit or appoint an independent representative to verify Processor compliance

At least 15 days' prior written notice is required before an audit, and audits must be conducted during normal business hours

Exterview AI will provide reasonable cooperation and access to relevant information

The Controller is responsible for the costs associated with its audit

International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA) or another jurisdiction requiring transfer safeguards, Exterview AI ensures that appropriate legal mechanisms are in place before any transfer occurs

Where required, transfers are protected through Standard Contractual Clauses (SCCs)

Transfers may also be protected through applicable adequacy decisions

Or other lawful transfer mechanisms recognized under applicable privacy laws

International transfers are performed only to support the delivery of the Services and are subject to contractual and technical safeguards that maintain an equivalent level of protection for Personal Data.

Sub-processors

To deliver the Services, Exterview AI may engage carefully selected Sub-processors that provide infrastructure, security, communications, and operational services.

Before engaging any Sub-processor, Exterview AI ensures that appropriate contractual obligations are in place requiring protection of Personal Data consistent with this Agreement

Exterview AI remains responsible for the performance of its Sub-processors and their compliance with applicable data protection obligations

The Controller will be notified at least 30 calendar days before any material changes to approved Sub-processors

If the Controller reasonably believes that a proposed Sub-processor creates a material data protection risk, both Parties will work together in good faith to resolve the concern.

A complete list of approved Sub-processors is provided below (Annex III of this Agreement).

Approved Sub-processors:

Sub-processorPurposeRegion
Microsoft AzureCloud infrastructure, hosting, AI processing, storageUnited States, Europe, India
Microsoft Entra IDIdentity management, MFA, Single Sign-OnUnited States
Microsoft IntuneEndpoint and device managementUnited States
Microsoft PurviewData governance and data loss preventionUnited States
Microsoft SentinelSecurity monitoring and SIEMUnited States
Google WorkspaceBusiness email and collaborationUnited States
GitHub EnterpriseSource code management and CI/CDIndia
NotionInternal documentation and knowledge managementUnited States
LinearProject managementIndia
Scrut AutomationGovernance, Risk & ComplianceIndia
SlackInternal collaborationUnited States
TwilioSMS and voice communicationsUnited States
ExotelCloud telephony servicesIndia
VideoSDKInterview video infrastructure and recordingUnited States
TavusAI Avatar video generationUnited States
Zoho (People & Books)HR and finance operationsIndia

Personal Data Breach

Exterview AI maintains documented procedures for identifying, investigating, managing, and responding to Personal Data Breaches. If Exterview AI becomes aware of a Personal Data Breach affecting Customer Personal Data, it will notify the Controller without undue delay, unless the incident is unlikely to result in a risk to the rights and freedoms of individuals

Where applicable, Exterview AI will provide reasonable assistance to help the Controller assess the impact of the incident and meet regulatory notification obligations

Exterview AI will also help notify affected individuals where required, and investigate the root cause of the incident

Exterview AI will help implement appropriate remediation measures to reduce future risk. A breach notification or incident response provided by Exterview AI does not constitute an admission of fault or liability

Data Retention & Deletion

Upon termination of the Agreement or cessation of the Services, Exterview AI will, based on the Controller's instructions, return Customer Personal Data in a commonly used format, or securely delete Customer Personal Data from its systems

Unless otherwise required by applicable law, this process will begin within 30 days of termination or the end of the Services

Where legally required to retain certain information, Exterview AI will continue to protect that data in accordance with this Agreement until lawful deletion is permitted

Following completion of the retention period, Personal Data and all reasonably accessible copies will be securely deleted using industry-standard data destruction practices

Our Commitment

Exterview AI is committed to maintaining a secure, transparent, and compliant processing environment that enables Customers to meet their obligations under applicable privacy and data protection laws while protecting the confidentiality, integrity, and availability of Personal Data throughout the processing lifecycle.

Parties & Data Transfer Details

This Schedule forms part of the Data Processing Agreement and provides additional information about the parties involved, the categories of Personal Data processed, international data transfers, security controls, and approved Sub-processors supporting the delivery of the Services. Where the Controller is established within the European Economic Area, the competent supervisory authority shall be determined in accordance with applicable GDPR requirements and the Standard Contractual Clauses. Personal Data is retained only for the period necessary to deliver the Services or as otherwise specified in the Agreement and applicable law, and processing occurs on a continuous basis throughout the Customer's use of the Services.

RoleOrganizationDetails
Data Exporter (Controller)Customer (as identified in the applicable Agreement or Order Form)Recipient of the Services provided by Exterview AI. Address & contact as specified in the applicable Agreement or Order Form.
Data Importer (Processor)Exterview AI — 16192 Coastal Highway, Lewes, Delaware 19958, USAProcessing Personal Data solely to deliver the Services under the Agreement. Privacy Contact: Anusha Surapaneni, CISO (Interim DPO) — anusha@exterview.ai

Processing Activities

Exterview AI processes Personal Data to:

Collect interview information, and host and store customer data

Conduct AI-assisted interview analysis, and generate assessment reports

Deliver recruitment workflows, and provide platform administration and support

Secure and improve the Services, and delete or return Personal Data when required

Special Categories of Data

Some Services process sensitive Personal Data, including biometric information (voice and facial imagery) and AI-generated candidate assessments. Where applicable, such processing is carried out under the Controller's instructions using appropriate safeguards, including:

Purpose limitation, and access controls

Encryption, and audit logging

Restricted onward transfers, and appropriate consent where required by law

Categories of Personal Data (Annex I)

Depending on the Services used, Exterview AI may process:

Name and contact information, user identifiers, and employment and education details

Candidate profile information

Audio and video interview recordings, voice recordings, and facial imagery

AI-generated assessment reports, and candidate scores and rankings

Technical and system usage information

Categories of Data Subjects (Annex I)

Personal Data processed through the Services may relate to:

Customer administrators and authorized users

Recruiters and hiring managers

Job applicants and interview participants

Individuals whose Personal Data is submitted through the platform

Contact

If you have questions regarding this Data Processing Agreement or Exterview AI's data processing practices, please contact our privacy team.

Company: Exterview Solutions Private Limited

Privacy Team: Information Security & Privacy Office

Interim Data Protection Officer: Anusha Surapaneni, Chief Information Security Officer (CISO)

Security Contact: anusha@exterview.ai

Registered Address: 16192 Coastal Highway, Lewes, Delaware 19958, USA

We are committed to maintaining the highest standards of privacy, security, and regulatory compliance and welcome any questions regarding our data processing practices.