HYREMYND INC.

DATA PROCESSING ADDENDUM

Last Updated: January 2025

1. INTRODUCTION

This Data Processing Addendum ("DPA") forms part of and is incorporated into the Master Service Agreement ("MSA") and Terms and Conditions ("Terms") between **HyreMynd Inc.** ("HyreMynd," "Processor," or "we") and the customer ("Customer," "Controller," or "you") for the provision of the HyreMynd platform and services (the **"Service"**).

This DPA sets forth the parties' obligations with respect to the Processing of Personal Data and ensures compliance with applicable Data Protection Laws, including **PIPEDA**, **GDPR** (where applicable), and other relevant privacy legislation.

In the event of any conflict between this DPA and the MSA or Terms, **this DPA governs with respect to data protection matters**.

2. DEFINITIONS

Capitalized terms not defined herein have the meanings set forth in the MSA and Terms.

  • **Affiliate** – Any entity under common control with a party
  • **Candidate** – Any individual assessed through the Service
  • **Candidate Data** – Personal Data relating to Candidates, including assessments and scores
  • **Controller** – Entity determining purposes and means of Processing
  • **Customer Data** – Personal Data submitted to or generated by Customer
  • **Data Protection Laws** – PIPEDA, provincial laws, GDPR (if applicable), and successors
  • **Data Subject** – Identifiable natural person
  • **Non-Identifiable Data** – Aggregated or anonymized data
  • **Personal Data** – Any information relating to an identifiable individual
  • **Processing** – Any operation performed on Personal Data
  • **Processor** – Entity Processing Personal Data on behalf of Controller
  • **Security Incident** – Unauthorized access, disclosure, loss, or breach
  • **Sensitive Personal Data** – Special category data (health, biometrics, etc.)
  • **Sub-processor** – Third party Processing Personal Data on behalf of HyreMynd

3. ROLES AND RESPONSIBILITIES

3.1 Controller and Processor Roles

  • Customer is Controller for Customer Data
  • HyreMynd is Processor for Customer Data
  • HyreMynd is Controller for Candidate Data prior to hiring
  • Upon hiring, identifiable Candidate Data transfers to Customer
  • Upon termination, data reverts to HyreMynd unless deleted

3.2 Customer Responsibilities

Customer shall:

  • Ensure lawful data collection and transfer
  • Obtain required notices and consents
  • Provide lawful Processing instructions
  • Secure Customer-controlled systems
  • Respond to Data Subject requests

3.3 HyreMynd Responsibilities

HyreMynd shall:

  • Process data per documented instructions
  • Ensure confidentiality of personnel
  • Maintain security safeguards
  • Assist with Data Subject and regulator requests
  • Notify of Security Incidents
  • Delete or return data upon termination

4. SCOPE OF PROCESSING

4.1 Purpose

Processing for psychometric assessment, scoring, ranking, profiling, analytics, and recruitment support.

4.2 Categories of Data Subjects

  • Candidates
  • Customer employees and Authorized Users
  • Other individuals submitted by Customer

4.3 Types of Personal Data

  • Identification data
  • Professional data
  • Assessment data
  • Technical data
  • Other submitted Personal Data

4.4 Sensitive Personal Data

Processed only with explicit consent, lawful basis, or legal authorization. Customer bears responsibility for legal basis.

4.5 Duration

Processing lasts for the MSA term and post-termination retention.

5. PROCESSING INSTRUCTIONS

  • Processing only per documented instructions
  • MSA + Terms + DPA constitute final instructions
  • Additional Processing requires agreement
  • Unlawful instructions may be suspended

6. CANDIDATE CONSENT

6.1 Consent Mechanism

Consent clearly discloses controller identity, purposes, data categories, recipients, retention, rights, and withdrawal rights.

6.2 Consent Records

HyreMynd maintains auditable consent records.

6.3 Withdrawal

Upon withdrawal:

  • Processing ceases
  • Identifiable data deleted within 30 days
  • Customer notified if applicable

7. DATA SUBJECT RIGHTS

7.1 Assistance

HyreMynd assists with access, rectification, erasure, restriction, portability, objection, and automated decision-making rights.

7.2 Timeframes

Assistance provided within **10 business days**.

7.3 Direct Requests

HyreMynd redirects requests to Customer unless legally required.

7.4 Automated Decision-Making

AI outputs are decision-support only; humans make final decisions.

8. SUB-PROCESSORS

8.1 Authorization

General authorization granted.

8.2 Sub-processor List

Maintained at **[URL]**.

8.3 Changes

30 days' advance notice for new Sub-processors.

8.4 Objections

Customer may object within 15 days; unresolved objections permit termination of affected Service.

8.5 Obligations

  • Written agreements required
  • HyreMynd remains liable
  • Security measures enforced

9. SECURITY INCIDENTS

9.1 Notification

Notification within **72 hours** of awareness.

9.2 Incident Details

Includes scope, impact, mitigation, and contact details.

9.3 Cooperation

Ongoing updates and remediation support.

9.4 Regulatory Notices

Customer determines notification obligations.

9.5 No Admission

No admission of fault implied.

10. SECURITY MEASURES

10.1 Measures

Encryption, access controls, MFA, network security, audits, secure development, training, physical security, logging, and continuity plans.

10.2 Standards

Aligned with:

  • ISO/IEC 27001
  • SOC 2 Type II
  • NIST Cybersecurity Framework

10.3 Documentation

Provided upon reasonable request.

11. DATA RETENTION AND DELETION

11.1 Event-Based Retention

Triggered by assessment completion, hiring decisions, consent withdrawal, termination, or deletion requests.

11.2 Ownership Lifecycle

The following table shows data ownership at different stages:

| Event | Identifiable Data | Non-Identifiable Data |
|---|---|---|
| Assessment completed | HyreMynd | HyreMynd |
| Candidate hired | Customer | HyreMynd |
| Termination | HyreMynd* | HyreMynd |
| Deletion request | Deleted | HyreMynd |

* Unless deletion requested.

11.3 Termination of MSA

  • Export available for 30 days
  • Deletion within 30 days upon request
  • Non-identifiable data retained indefinitely

11.4 Legal Retention

Data retained as required by law.

12. INTERNATIONAL DATA TRANSFERS

12.1 Safeguards

Adequacy decisions, SCCs, BCRs, certifications, or lawful mechanisms.

12.2 GDPR Transfers

EU SCCs (Module Two) incorporated by reference.

12.3 PIPEDA

Comparable protection ensured.

13. AUDIT RIGHTS

  • Compliance information available
  • One audit per year with notice
  • SOC 2 accepted in lieu of audit

14. REGULATORY COOPERATION

HyreMynd assists with regulator inquiries, remediation, and DPIAs.

15. LIABILITY

Liability and indemnification governed by the MSA.

16. TERM AND TERMINATION

Effective for MSA duration; survival provisions apply.

17. GENERAL PROVISIONS

  • Governing law: Ontario, Canada
  • Amendments with notice
  • Severability
  • Entire agreement
  • Order of precedence: DPA controls

18. CONTACT INFORMATION

HyreMynd Inc.

Data Protection Officer

HYREMYND AI INC.

559 Sammon Ave East York, ON, Canada, M4C 2E1

GST Number: 76433 8836 RT0001

📧 [email protected]

SCHEDULE A — DETAILS OF PROCESSING

  • **Subject Matter:** Psychometric assessment and recruitment analytics
  • **Duration:** MSA term + retention
  • **Nature:** Collection, analysis, scoring, reporting, deletion
  • **Purpose:** Recruitment support
  • **Data Subjects:** Candidates, employees, Authorized Users
  • **Personal Data:** Identification, professional, assessment, technical
  • **Sensitive Data:** With consent and lawful basis
  • **Retention:** Event-based (Section 11)