Data Processing Addendum
This Data Processing Addendum (“Addendum”) is entered into between ManaVritti Solutions Private Limited, operating the product Intervuebox (“Intervuebox”, “Processor” or “Service Provider”), and the Customer (as defined in the Agreement). This Addendum forms part of and is incorporated into the Intervuebox Terms of Service, Master Services Agreement, or any other written or electronic agreement governing Customer’s access to and use of the Services (the “Agreement”).
This Addendum applies where Intervuebox Processes Personal Data on behalf of Customer and is effective as of the effective date of the Agreement.
Definitions
Capitalized terms not otherwise defined in this Addendum shall have the meanings given to them in the Agreement or under applicable Data Protection Laws.
- Affiliate: Any entity that directly or indirectly controls, is controlled by, or is under common control with a Party.
- Audit Report: A third-party independent audit or certification report demonstrating compliance with recognized security and privacy standards, including but not limited to SOC 2 Type I or Type II, ISO/IEC 27001, ISO/IEC 27701, or equivalent frameworks.
- Applicable Security Standards: Industry-recognized information security and privacy standards reasonably appropriate to the nature of the Services and the risk profile of the Processing, including ISO/IEC 27001, SOC 2, and applicable guidance issued by regulators.
- Confidential Information: All non-public information disclosed by one Party to the other in connection with this Addendum or the Agreement, including Customer Personal Data, security documentation, Audit Reports, business, technical, and financial information, whether disclosed orally, electronically, or in writing.
- Customer Personal Data: Any Personal Data provided by or made available by Customer to Intervuebox or collected by Intervuebox on behalf of Customer in connection with the Services.
- Controller, Processor, Data Subject, Personal Data, Processing, Personal Data Breach, Sub-processor: As defined under applicable Data Protection Laws.
- Data Protection Laws: All applicable data protection, privacy, and security laws, including but not limited to:
  - Regulation (EU) 2016/679 (GDPR).
  - UK GDPR.
  - Swiss Federal Data Protection Act.
  - India Digital Personal Data Protection Act, 2023 (DPDP Act).
  - Any successor or related laws.
- Security Incident: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
- EU Area: The European Union, European Economic Area, United Kingdom, and Switzerland.
- Standard Contractual Clauses (SCCs): The Controller-to-Processor standard contractual clauses adopted by the European Commission on 4 June 2021, together with the UK International Data Transfer Addendum and Swiss equivalents.
Scope and Applicability
This Addendum applies to Intervuebox’s Processing of Customer Personal Data under the Agreement to the extent such Processing is subject to Data Protection Laws. This Addendum shall be governed by the governing law of the Agreement unless otherwise required by applicable Data Protection Laws.
Roles of the Parties
- Customer acts as a Controller (or Business).
- Intervuebox acts as a Processor (or Service Provider).
Intervuebox shall Process Customer Personal Data solely on behalf of and in accordance with the documented instructions of Customer and shall not act as an independent Controller with respect to Customer Personal Data, except to the extent required by applicable law.
Customer is solely responsible for:
- Lawful collection of Personal Data.
- Providing appropriate notices and obtaining valid consents from Data Subjects.
- Ensuring instructions provided to Intervuebox comply with Data Protection Laws.
Description and Purpose of Processing
The subject matter, nature, purpose, and duration of Processing, categories of Personal Data, and categories of Data Subjects are described in Annex 1.
Intervuebox Processes Customer Personal Data solely for:
- Providing AI-based interview, assessment, and recruitment services.
- Operating, maintaining, securing, and improving the Services.
- Complying with legal obligations.
Data Processing Obligations
Intervuebox maintains a comprehensive information security program aligned with Applicable Security Standards, including ISO/IEC 27001, SOC 2 Type II, or equivalent frameworks. Such program includes, where appropriate:
- Periodic risk assessments and security reviews.
- Vulnerability management and remediation processes.
- Independent penetration testing conducted at reasonable intervals.
- Ongoing security awareness and data protection training for employees with access to Customer Personal Data.
Intervuebox shall:
- Process Customer Personal Data only on documented instructions of Customer and in accordance with this Addendum and the Agreement.
- Not sell, rent, or share Customer Personal Data for advertising or unrelated commercial purposes.
- Inform Customer if Intervuebox believes an instruction violates Data Protection Laws.
- Ensure persons authorized to process Customer Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures in accordance with Article 32 GDPR, including:
  - Encryption of data in transit and at rest.
  - Access controls and least-privilege access.
  - Logging and monitoring.
  - Backup and disaster recovery measures.
- Maintain records of Processing activities as required by applicable law.
Sub-processing
Customer authorizes Intervuebox to engage Sub-processors.
Intervuebox shall:
- Maintain an up-to-date list of Sub-processors available proactively via a publicly accessible trust or security page.
- Notify Customer at least 14 days in advance of any intended material changes to Sub-processors.
- Not replace or materially change critical Sub-processors involved in core infrastructure, AI processing, or data storage without prior notice to Customer.
- Impose data protection obligations on Sub-processors equivalent to this Addendum.
- Remain fully liable for Sub-processors’ compliance.
Customers may object on reasonable data protection grounds within 14 days of receiving notice. If no reasonable alternative exists, either Party may terminate the affected Services without penalty.
Security Incidents and Breach Notification
Upon becoming aware of a Personal Data Breach, Intervuebox shall:
- Notify Customer without undue delay and in any event within seventy-two (72) hours of confirmation of the breach, unless a shorter timeline is required by applicable law.
- Provide Customer with available information reasonably required to meet regulatory, contractual, and notification obligations, including the nature of the breach, affected data categories, and mitigation steps.
- Take reasonable steps to contain, investigate, mitigate, and remediate the incident.
- Cooperate in good faith with Customer and relevant authorities, including providing reasonable assistance with forensic investigations, audits, and incident response activities, subject to applicable law.
Notification shall not constitute an admission of fault or liability.
Data Subject Rights Assistance
Taking into account the nature of the Processing, Intervuebox shall reasonably assist Customer in responding to Data Subject requests including access, rectification, erasure, restriction, portability, and objection, within five (5) to ten (10) business days of receiving a valid request from Customer.
Intervuebox shall not respond directly to any Data Subject request unless expressly instructed by Customer or required by applicable law, in which case Intervuebox shall, to the extent legally permitted, promptly inform Customer of such request.
Intervuebox may charge reasonable fees for extensive, repetitive, or manifestly unfounded assistance where permitted by law.
Data Retention and Deletion
Intervuebox shall retain Customer Personal Data according to the following retention periods unless otherwise specified in the client contract:
| Type of Data | Retention Period |
| --- | --- |
| Application and related database – Client Personal Data (Client Master setup) | As long as the client contract continues or three (3) months from contract termination |
| Application and related database – Client end-user or employee data | As long as the client contract continues or three (3) months from contract termination |
| Application – Client Files and media within cloud | As long as the client contract continues or three (3) months from contract termination |
| Backup of Database | As long as the client contract continues or three (3) months from contract termination |
| Trial Customer Data | Delete within one (1) month after end of trial |
| User Desktops/Laptops | Deleted when user exits the company |
| Employee-owned devices | Out of scope; employees are encouraged not to store data |
| Personal Drives | Not permitted |
| Corporate Drives/Archives (e.g., Dropbox, OneDrive) | Retention period determined by data type |
| Client Data – Hard Copies | Within 30 days or as per contractual/regulatory requirements |
| Offline Payroll Processing – Excel input files | As per regulatory requirements |
| Offline Payroll – Output files sent to clients | Retain for 7 years or one (1) year from contract termination, whichever is earlier |
| Marketing CRM | Retain until opt-out; dormant contacts inactive >2 years deleted; opt-out list retained indefinitely |
| Client Communication | Not retained – API call |
| Finance – Invoices | As per statutory limits |
| Finance – Client Master Data | Retain as long as client contracts continue |
| Website – Cookie Data | Retain 180–365 days |
Upon termination or expiry of the Agreement, Intervuebox shall, at Customer’s option, return or delete Customer Personal Data and retain data only where required by applicable law, subject to confidentiality obligations.
Audits and Compliance
Intervuebox shall make available information reasonably necessary to demonstrate compliance with this Addendum.
Customers agree that, where available, current Audit Reports (including SOC 2 Type II, ISO/IEC 27001, or equivalent certifications) provided by Intervuebox shall be deemed sufficient to verify compliance with this Addendum.
On-site or remote audits may be conducted only where:
- Applicable law requires such audit, or
- Customer reasonably determines that the provided Audit Reports are insufficient to address a material compliance concern.
Any audit shall:
- Be limited to once per year unless legally required.
- Be conducted with reasonable prior written notice.
- Occur during normal business hours.
- Be scoped to Customer Personal Data and relevant systems only.
- Avoid unreasonable disruption to Intervuebox’s business and security.
Customer shall bear reasonable audit-related costs, unless the audit reveals a material non-compliance with this Addendum.
Cross-Border Data Transfers
Where Customer Personal Data is transferred outside the EU Area:
- SCCs are deemed incorporated by reference.
- Module Two (Controller-to-Processor) applies.
- Governing law: Ireland (EU), United Kingdom (UK Addendum), Switzerland (Swiss DPA).
Intervuebox shall conduct and maintain Transfer Impact Assessments (TIAs) where required under applicable Data Protection Laws and shall implement supplementary technical and organizational measures appropriate to the transfer risk.
Intervuebox commits to challenge any unlawful or disproportionate government or law enforcement access request for Customer Personal Data, to the extent permitted by law, and to notify Customer of such requests unless legally prohibited.
Intervuebox shall implement supplementary safeguards where required.
AI Processing
Intervuebox uses AI and machine learning technologies solely to deliver the Services in accordance with Customer instructions and applicable Data Protection Laws.
Intervuebox shall ensure that:
- Customer Personal Data is logically isolated from other customers’ data and processed within tenant-specific or access-controlled environments.
- Customer Personal Data is not used to train or improve global or shared AI models by default. Free/Trial and SMB plan customers are opted in by default with the option to opt out, whereas Enterprise customers are opted out by default and may opt in only if agreed during negotiation.
- Any use of Customer Personal Data for model training, evaluation, or service improvement shall occur only where explicitly enabled or instructed by Customer.
- AI Processing does not involve automated decision-making producing legal or similarly significant effects on Data Subjects unless explicitly configured by Customer.
Where applicable, Intervuebox shall implement human-in-the-loop safeguards, audit logs, and reasonable explainability measures to support transparency, oversight, and regulatory compliance.
Customer controls whether interview data is used for training, evaluation, or service improvement.
Warranties
Each Party warrants compliance with its respective obligations under applicable Data Protection Laws.
Indemnity
To the extent permitted by law, Customer shall indemnify and hold harmless Intervuebox from claims arising from Customer’s breach of this Addendum or applicable Data Protection Laws.
Precedence
Order of precedence:
- Standard Contractual Clauses / Transfer Mechanisms.
- This Addendum.
- The Agreement.
Severability
If any provision of this Addendum is held unenforceable, the remainder shall remain in full force and effect.
Contact – Data Protection Officer
Data Protection Officer (DPO)
Intervuebox (ManaVritti Solutions Private Limited)
Email: [email protected]
ANNEX 1 – Description of Processing
| Purpose of Processing | Categories of Personal Data | Categories of Data Subjects | Legal Basis |
| --- | --- | --- | --- |
| AI-based interview and assessment services | Name, email, phone, resume, employment details, interview audio/video, transcripts, AI insights | Candidates, Recruiters, Interviewers | Performance of contract, legitimate interest |
| Recruitment workflow enablement | Usage logs, access metadata | Authorized users of the Services | Legitimate interest |
| Security, debugging, analytics, and service improvement | System logs, usage data, performance metrics | All Data Subjects | Legitimate interest |
Sensitive Personal Data
- Not intentionally processed.
Frequency of Processing
- Continuous.
Retention Periods
- Retention periods are as described in Section 9 of this Addendum.
ANNEX 2 – Sub-Processors
A current list of Intervuebox Sub-processors is available upon request or via the Intervuebox Trust & Security page.