Customer Data Processing Agreement
Version v1 — August 2025
INTRODUCTION
This Data Processing Agreement (DPA) is entered into between the Customer (and, if applicable, the Customer’s Affiliates) and The People Idea Pty Ltd (ACN 602 736 836) trading as TALY Australia (“TALY”). This DPA sets out the legal terms and conditions governing TALY’s processing of Customer Personal Data through the provision of its Services.
1. SCOPE
This DPA governs TALY’s processing of End User Data, which may include personal data, provided to TALY by the Customer or generated by use of TALY’s Services.
2. DEFINITIONS
Unless otherwise defined, the following definitions apply throughout this DPA:
“Agreement” means TALY’s Terms of Use, any applicable ordering documents, service level agreements, privacy policies, and other instructions agreed between the parties.
“Customer Personal Data” means all Personal Information collected, accessed or processed by TALY in connection with the Services, including (a) client business data such as contact details, CRM, support and sales information; and (b) Candidate Data, which includes personality profiles and psychometric test data uploaded or completed by candidates; results and reports produced by TALY’s assessments; candidate communications and responses; hiring outcomes; employer notes or feedback stored in the platform; user account details; session logs; device identifiers; IP addresses; file names and content uploaded for analysis or storage; any metadata generated through the use of the TALY platform; and any other information reasonably required to provide, improve or secure the Services.
“Data Protection Laws” means all privacy, data protection, and information security laws and regulations applicable to TALY in its processing of Customer Personal Data under this DPA, including the Australian Privacy Act 1988 (Cth) as amended (including the Privacy and Other Legislation Amendment Act 2024 (Cth)), and, where applicable, the EU General Data Protection Regulation (EU GDPR), the UK General Data Protection Regulation (UK GDPR), and any other equivalent international privacy laws.
“DPA” means this Data Processing Agreement.
“Information Security Measures” means the technical and organisational measures described in TALY’s security documentation to protect personal data.
“Security Incident” means any unauthorised access to, loss, disclosure, alteration or destruction of Customer Personal Data processed by TALY that compromises the privacy, security or confidentiality of such Customer Personal Data, including but not limited to breaches of security leading to accidental or unlawful access or disclosure while data is stored, transmitted or otherwise processed.
3. RESPONSIBILITIES AS PROCESSOR OF PERSONAL DATA
3.1 TALY shall process Customer Personal Data solely on documented instructions from the Customer, including those in this DPA and the Agreement, unless required otherwise by applicable law.
3.2 TALY processes personal data as a processor as defined by applicable Data Protection Laws. The following shall apply:
· Processing Required by Law: If TALY is required by law to process Customer Personal Data, it will notify the Customer (unless legally restricted) to allow the Customer to issue further instructions.
· Compliance: TALY shall comply with applicable Data Protection Laws and make available information necessary to demonstrate compliance, under applicable Data Protection Laws where relevant.
· Data Subject Requests: TALY will assist the Customer, as reasonably practicable, to respond to data subject requests under applicable Data Protection Laws.
· Data Protection Impact Assessments: Upon written request, TALY will provide reasonable assistance with data protection impact assessments or consultations with relevant supervisory authorities.
· Authorised Personnel: TALY shall ensure personnel authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
· Sub-Processors: The Customer authorises TALY to engage sub-processors listed in Appendix 1. TALY will inform the Customer of changes to sub-processors within fifteen (90) days of such change and allow reasonable objections. TALY remains responsible for its sub-processors’ compliance.
· Cross-Border Transfers: Where TALY transfers Customer Personal Data outside Australia or other relevant jurisdictions, such transfers shall comply with applicable Data Protection Laws, including by implementing Standard Contractual Clauses where required.
· Safeguards: TALY shall maintain appropriate technical and organisational measures to secure Customer Personal Data, including measures to pseudonymise or encrypt data, ensure availability, and test security effectiveness.
· Security Incidents: In the event of a Security Incident, TALY shall promptly inform the Customer, investigate the incident, and take reasonable steps to mitigate any harm, including notifying relevant regulators as required by law.
· Incident Response Plan: TALY shall implement and maintain an incident response plan that defines procedures for detecting, responding to, and recovering from Security Incidents, including containment, investigation, notification, and remediation steps, in line with applicable Data Protection Laws.
· Audit Rights: Upon reasonable notice, TALY shall provide summaries of any third-party security certifications (e.g., ISO 27001, SOC2) to demonstrate compliance with this DPA.
· Retention and Deletion: Upon termination of the Agreement, TALY will delete or return Customer Personal Data unless otherwise required by law. Customer Personal Data no longer needed shall be securely deleted or de-identified.
4. DETAILS OF CUSTOMER PERSONAL DATA PROCESSED
4.1 Subject Matter: Processing of Customer Personal Data to deliver TALY’s psychometric and profiling Services.
4.2 Duration: For the term of the Agreement.
4.3 Purpose: The purpose of the Processing of Customer Personal Data under this DPA is to enable TALY to deliver the Services and perform its obligations under the Agreement, including providing psychometric assessments, personality profiles, team development insights, reporting and analytics, candidate experience services, and any other related features or support as requested by the Customer, or as otherwise agreed by the Parties in writing.
4.4 Nature of Processing: To provide services as described in the Agreement (including analysis, profiling, reporting, and storage), and limited transfer of Customer Personal Data as instructed by the Customer.
4.5 Categories of Data Subjects: Employees, contractors, job applicants, candidates participating in assessments, consultants, and any other individuals whose Personal Data is Processed as part of providing the Services.
4.6 Categories of Personal Data: May include identification and contact information (such as name, address, email, phone number, job title); psychometric and personality profiling data; answers and responses to assessment questions; test results and scores; session and usage data; device and connection information (such as IP addresses and device identifiers); employment details (such as department, manager, team); notes or feedback submitted by the Customer; communications between Customer and candidates; and any files, documents or additional data uploaded or provided to TALY as part of the Services.
4.7 Sensitive Data: May include sensitive personal data if explicitly submitted, such as information revealing gender, origin or health data, only to the extent necessary for Services.
4.8 Frequency: The transfer and processing of Customer Personal Data between the Customer and TALY will occur on a continuous basis as needed to provide the Services, for the duration of the Agreement, or as otherwise required to comply with TALY’s legal obligations.
5. PROCESSING OF END-USER DATA
Customer may configure the Services to collect, store and transfer Customer Personal Data and Candidate Data. Customer grants TALY the right to process such data as necessary to operate, maintain, improve and support the Services in accordance with this DPA and applicable laws.
6. COMPLIANCE WITH LAWS
Both Parties shall comply with applicable Data Protection Laws in connection with the processing of Customer Personal Data. The Customer represents that its instructions to TALY comply with such laws and that it has obtained all necessary consents and permissions.
7. PCI COMPLIANCE
TALY is not a payment processor and does not process payment card information as part of the Services. However, if TALY receives payment information incidentally, it will maintain security controls in line with industry standards and applicable PCI DSS requirements.
8. LIMITATION OF LIABILITY
This DPA does not limit or extend TALY’s liability under the Agreement. Any claims arising from or related to this DPA shall be governed by the limitations and exclusions of liability set forth in the Agreement.
9. CONFLICT OF TERMS
In the event of a conflict between this DPA and any other terms of the Agreement, the terms of this DPA shall prevail to the extent they relate to the processing of Customer Personal Data and compliance with Data Protection Laws.
APPENDIX 1 — Authorised Sub-Processors
Sub-Processor - Purpose
Amazon Web Services - Cloud infrastructure and storage
Google Workspace - Email, file storage, collaboration
Dropbox - File storage and sharing
HubSpot - CRM and email communications
Zendesk - Customer support
Sentry - Application monitoring
OpenAI (ChatGPT) - AI report generation or automated comms
Google Gemini - AI processing for reports or automation
Slack - Messaging and file sharing
Twilio - SMS and notification delivery
By using TALY’s Services, the Customer accepts this DPA.