Data Processing Agreement

This Data Processing Agreement ("DPA") governs the processing of Personal Data that talyzr SpA ("Processor") performs on behalf of the Customer ("Controller") in the course of providing the talyzr service. It forms an integral part of the Main Agreement between the parties and applies automatically to all customers using the service.

Last updated: May 14, 2026 · Version: 1.0

1. Definitions and parties

The Parties. This DPA is entered into between the Customer ("Controller"), the entity that contracts the talyzr service and determines the purposes and means of processing Personal Data; and talyzr SpA, a Chilean corporation ("Processor" or "talyzr"), which processes Personal Data exclusively on behalf of the Controller.

For the purposes of this DPA the following definitions apply:

  • Personal Data: any information relating to an identified or identifiable natural person, as defined under Chile's Law 21.719, EU GDPR 2016/679, Brazil's LGPD (Law 13.709/2018) and other applicable equivalent regulations.
  • Processing: any operation performed on Personal Data (collection, storage, organization, consultation, communication, deletion, etc.).
  • Sub-processor: a third party engaged by talyzr to process Personal Data on behalf of the Controller, listed in Annex B.
  • Data Subject: a natural person to whom the Personal Data relates (typically, the Controller's employees, candidates and managers).
  • Personal Data Breach: an incident resulting in the destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.
  • Documented Instructions: the Main Agreement, this DPA and any additional instructions issued by the Controller in writing or through the service's configuration panels.

2. Subject matter and duration

talyzr processes Personal Data solely and exclusively to provide the talyzr service to the Controller in accordance with the Main Agreement and Documented Instructions. talyzr will not use Personal Data for its own purposes, will not sell it, will not share it with third parties other than the Sub-processors listed in Annex B, and will not use it to train its own artificial intelligence models.

Processing will remain in effect for as long as the contractual relationship between the Controller and talyzr is in force, plus a post-termination retention period of 30 (thirty) calendar days to allow the Controller to export its data, as further detailed in the "Return and deletion" section.

3. Nature of processing

The detailed description of the Personal Data processed, the categories of Data Subjects, the purposes, the frequency and the duration is set out in Annex A of this DPA.

Special categories under GDPR Art. 9 / Law 21.719 (specially protected data): talyzr does not process data concerning health, sex life or sexual orientation, political opinions, religious or philosophical beliefs, trade-union membership, racial or ethnic origin, genetic data, biometric data for the purpose of uniquely identifying a natural person, or data relating to criminal convictions and offences. The Controller undertakes not to include such data in the talyzr service unless a prior written agreement with talyzr defines the additional safeguards that will apply.

4. Processor obligations

Pursuant to GDPR Article 28(3) and equivalent provisions in LGPD and Law 21.719, talyzr undertakes to:

  • Process Personal Data only on the Controller's Documented Instructions, including with regard to international transfers, unless required to do otherwise by applicable law, in which case talyzr will inform the Controller of that legal requirement before processing.
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under a statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures as described in the "Security measures" section and in Annex II of the Main Agreement where applicable.
  • Comply with the sub-processing conditions set out in the "Sub-processors" section.
  • Assist the Controller in fulfilling Data Subject requests (access, rectification, deletion, objection, portability, restriction) by means of the technical features available in the service.
  • Assist the Controller in ensuring compliance with security obligations, breach notification, data protection impact assessments (DPIA) and prior consultations with supervisory authorities.
  • At the Controller's choice, delete or return all Personal Data after the end of the provision of services and delete existing copies, unless storage is required by applicable law.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for the audits described in the corresponding section.

5. Personal data breach notification

talyzr will notify the Controller of any Personal Data Breach affecting its Personal Data without undue delay, and in any event within 72 (seventy-two) hours of talyzr becoming aware of the breach.

The notification will contain, at a minimum:

  • The nature of the breach including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned.
  • Contact details of talyzr's representative for the breach.
  • The likely consequences of the breach.
  • The measures taken or proposed by talyzr to address the breach and mitigate its possible adverse effects.

Where complete information is not available at the time of the initial notification, talyzr will provide it in phases as it becomes available, without further undue delay.

Notification will be sent by email to the technical/legal contact designated by the Controller in the talyzr panel. The Controller is responsible for keeping this contact information current.

The Controller, as Data Controller, remains responsible for notifying supervisory authorities and Data Subjects where required. talyzr will provide all reasonable assistance so the Controller can comply with those obligations on a timely basis.

6. Data Subject rights

The Controller, as Data Controller, directly handles requests from Data Subjects relating to their rights of access, rectification, deletion, objection, portability, restriction of processing and withdrawal of consent.

talyzr will assist the Controller in handling such requests through:

  • Product features: structured data export (ZIP archive with JSON/CSV files) available via the panel's "GDPR export" flow; editing and deletion of records from the Controller's interface; immutable AuditLog history of changes.
  • Operational assistance: response to specific Controller queries within 10 (ten) business days of receipt, without prejudice to shorter statutory deadlines.

If a Data Subject contacts talyzr directly to exercise a right, talyzr will refer the request to the Controller without processing it, unless the Controller has expressly instructed otherwise.

7. Sub-processors

The Controller grants general authorization to talyzr to engage Sub-processors for the processing of Personal Data, subject to the conditions in this section and the up-to-date list in Annex B.

talyzr undertakes to:

  • Enter into a written agreement with each Sub-processor that imposes data protection obligations equivalent to those set out in this DPA.
  • Maintain the up-to-date list of Sub-processors in Annex B and notify the Controller of any planned addition or replacement at least 30 (thirty) days in advance.
  • Remain liable to the Controller for the performance of the Sub-processor's obligations as if they were its own.

Right to object: within 30 days of being notified of a Sub-processor change, the Controller may object on reasonable grounds related to data protection. If the objection cannot be resolved through additional technical or organizational measures, the Controller may terminate the Main Agreement without penalty with respect to the affected service, with proportional refund of any pre-paid unearned amounts.

8. International transfers

talyzr's primary infrastructure is hosted on AWS region sa-east-1 (São Paulo, Brazil). Data of LATAM customers remains resident in this region.

Some Sub-processors listed in Annex B process data outside the primary region (United States, European Union, United Kingdom). For these transfers, the following legal mechanisms apply:

  • For Controllers established in the European Economic Area or the United Kingdom, transfers are made under the Standard Contractual Clauses (SCCs) adopted by the European Commission in Implementing Decision (EU) 2021/914 — Module Two (Controller-to-Processor), incorporated by reference in Annex C of this DPA.
  • For Controllers established in Brazil or Chile, transfers are made in accordance with the mechanisms provided by LGPD and Law 21.719 respectively.

talyzr applies additional technical and organizational measures for international transfers, including encryption in transit (TLS 1.2+) and at rest, access controls based on the principle of least privilege, and periodic review of the suitability of the destination consistent with the Schrems II criteria.

9. Technical and organizational measures

talyzr implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Art. 32 and equivalent regulations.

Current technical measures:

  • Encryption in transit with TLS 1.2 or higher for all public communications.
  • Encryption at rest of databases (Neon managed PostgreSQL) and object storage (Amazon S3 with SSE-S3).
  • Multi-tenant isolation enforced at the ORM layer through mandatory filtering by company identifier across all queries, with fail-closed behavior when the identifier is absent.
  • Authentication based on short-lived JWTs, TOTP second factor, optional enterprise SSO (SAML 2.0, OIDC) and SCIM 2.0 provisioning.
  • Password validation against Have I Been Pwned to block known compromised credentials.
  • Automated backups with point-in-time recovery managed by the database provider.
  • Persistent audit logging of all critical actions (creation, modification and deletion of resources) queryable by the Controller.
  • Error and availability monitoring through Sentry with automatic personally-identifiable information (PII) scrubbing.
  • Health-check endpoints (/health/live, /health/ready) for external availability monitoring.
  • Web security headers: 2-year HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, restrictive Permissions-Policy, Content-Security-Policy in Report-Only mode with planned migration to enforce.
  • Global CDN and WAF with managed rule sets and custom rules tuned to talyzr's use case.
  • Global rate limiting (default 60 requests per minute) and stricter limits on authentication endpoints.
  • Personally identifiable information redaction before sending prompts to artificial intelligence providers.
  • Mandatory code review through pull requests before every production deployment.

Current organizational measures:

  • Personnel with access to Personal Data have signed a confidentiality agreement (NDA) and are bound by contractual and statutory confidentiality obligations under the Chilean Labour Code and equivalent regulations.
  • Access to production systems restricted under the principle of least privilege with periodic review.
  • Mandatory two-factor authentication for all accounts with access to production.
  • Documented incident response policy with defined phases (detection, containment, eradication, recovery and post-mortem) and Controller notification timelines aligned with the "Breach notification" section.
  • Formal onboarding and offboarding processes including timely provisioning and revocation of credentials.
  • Credential management policy and periodic rotation of vendor keys.

10. Audits and inspection rights

talyzr makes available to the Controller the information reasonably necessary to demonstrate compliance with the obligations of this DPA, including:

  • Public documentation on architecture, sub-processors and security measures available on talyzr.com.
  • Responses to standard security questionnaires (SIG Lite, CAIQ, or equivalents) once per year per Controller at no additional cost.
  • Reports of certifications obtained by talyzr (SOC 2, ISO/IEC 27001) when available. talyzr is actively working toward obtaining these reports.

The Controller may request on-site audits subject to the following cumulative conditions: (a) maximum once per calendar year, (b) with at least 30 calendar days of prior written notice, (c) during Chilean business hours, (d) subject to the auditor signing a confidentiality agreement with talyzr, (e) the auditor's costs and the reasonable costs imposed on talyzr by the exercise of this right shall be borne by the Controller, unless the audit reveals material non-compliance by talyzr.

An audit shall not compromise the confidentiality or security of other talyzr customers' data. talyzr may reasonably object to a specific auditor where it has well-founded reasons to do so (for example, a conflict of interest with a competitor).

11. Return and deletion of data upon termination

Upon termination of the Main Agreement for any reason, talyzr will make available to the Controller the export of Personal Data in a structured, machine-readable format for a period of 30 (thirty) calendar days from the effective date of termination.

Once the retention period has elapsed, talyzr will proceed with irreversible deletion of Personal Data from the production database, ancillary systems (caches, queues, indexes) and operational logs, within an additional period of up to 30 calendar days.

Backups containing Personal Data are automatically overwritten within the backup retention cycle of the database provider (point-in-time recovery up to 30 days). talyzr does not extract or segregate individual Personal Data from backups; data will leave backups through the natural backup rotation cycle.

Upon Controller request, talyzr will issue a certificate of destruction signed by its Legal Representative confirming compliance with the obligations in this section.

The foregoing does not apply to Personal Data that talyzr must retain by express legal mandate (for example, tax or accounting records), which will be safeguarded under the same security measures described in this DPA for the minimum statutory period and then deleted.

12. Liability and final provisions

The parties' liability arising from the breach of obligations under this DPA is governed by the limits and conditions set out in the Main Agreement. The parties agree that this DPA neither increases nor reduces the liability limits agreed therein, except to the extent strictly necessary to comply with imperative legal obligations.

Order of precedence. In case of conflict between this DPA and the Main Agreement, this DPA shall prevail exclusively with respect to the processing of Personal Data.

Amendments. talyzr may update this DPA to reflect regulatory changes, the introduction of new security measures or adjustments to the Sub-processor list. Material changes will be notified to the Controller at least 30 calendar days in advance. The Controller may object to material changes under the same procedure applicable to Sub-processors.

Governing law and jurisdiction. This DPA is governed by the laws of the Republic of Chile and, where applicable, by the data protection regulations of the place of establishment of the Controller. Disputes shall be submitted to the jurisdiction agreed in the Main Agreement. Failing such agreement, the ordinary courts of the city of Santiago de Chile shall have jurisdiction.

Annex A

Description of processing

Categories of Data Subjects: Employees, executives, candidates and managers of the Controller's organization, as well as any person whose data the Controller loads into the talyzr service.

Categories of Personal Data: Identifiers (first name, last name, email address, national ID or equivalent, optional profile picture). Employment data (job title, area, department, direct manager, hire date, base salary, contract type). Talent data (performance assessments, potential assessments, skill levels, role criticality scores, talent risk index, succession candidates, AI-generated recommendations, assigned action plans, training records).

Special (sensitive) categories: None. talyzr does not process special categories under GDPR Art. 9 or specially protected data under Law 21.719.

Frequency of processing: Continuous during the term of the Main Agreement: automated HRIS sync (where applicable), ad-hoc manual imports, access by the Controller's authorized personnel, on-demand AI recommendation generation.

Duration of processing: Term of the Main Agreement plus 30 calendar days of post-termination retention period.

Purposes of processing: Provision of the talyzr service: talent risk analysis, succession planning, coverage maps, action recommendations, skill assessment, 360° profile, what-if scenarios, CHRO dashboard, Taly conversational agent over the Controller's data, talent review cycles and executive reports.

Retention period: During the term of the Main Agreement and up to 30 calendar days after termination. Persistent audit logs while the Controller retains access to the service. Backups according to the database provider's point-in-time recovery cycle (maximum 30 days).

Annex B

List of authorized Sub-processors

talyzr uses the following Sub-processors for the provision of the service. This list is updated with changes notified to the Controller at least 30 days in advance pursuant to the "Sub-processors" section.

Neon, Inc.
  Purpose: Managed serverless PostgreSQL database with pgvector for embeddings.
  Data processed: All Controller Personal Data.
  Country / Region: United States (AWS sa-east-1)

Amazon Web Services, Inc.
  Purpose: Cloud infrastructure: compute (EC2/ECS), storage (S3), CDN (CloudFront), load balancing (ALB), WAF.
  Data processed: All Controller Personal Data in transit and stored files (exports, images).
  Country / Region: United States (data in sa-east-1, São Paulo)

Anthropic, PBC
  Purpose: Language model (Claude Sonnet) for talent recommendation generation, Taly agent and skill profiles.
  Data processed: Prompts derived from Controller data, with personally identifiable information redacted beforehand by talyzr's guardrail system. Anthropic's API contract prohibits training on Controller data.
  Country / Region: United States

Voyage AI, Inc.
  Purpose: Generation of vector embeddings for semantic search by the Taly agent and the knowledge base.
  Data processed: Text from Controller documents for vectorization (no retention by the vendor).
  Country / Region: United States

Resend Labs, Inc.
  Purpose: Transactional email delivery (invitations, alerts, password recovery, weekly digest, notifications).
  Data processed: Recipient email addresses, recipient name, and content of email sent by talyzr.
  Country / Region: United States

Paddle.com Market Ltd
  Purpose: Payment processing and billing as Merchant of Record (subscriptions, checkout, global VAT, dunning).
  Data processed: Controller billing information (legal name, tax ID, address, admin email) and tokenized payment data (Paddle does not expose card numbers to talyzr).
  Country / Region: United Kingdom / Ireland

Upstash, Inc.
  Purpose: Managed Redis for work queues (HRIS sync, background jobs), rate limiting and cache.
  Data processed: Transient data in processing queues (typically, job identifiers and payloads) with short TTL.
  Country / Region: United States / EU

Functional Software, Inc. (Sentry)
  Purpose: Backend and frontend error monitoring, breadcrumbs and observability.
  Data processed: Stack traces and error metadata with automatic personally identifiable information (PII) scrubbing.
  Country / Region: EU (Frankfurt) / United States

HubSpot, Inc.
  Purpose: Commercial CRM for prospects and marketing information.
  Data processed: Marketing lead data only (visitors requesting information). Controller Data Subject information is not loaded into HubSpot.
  Country / Region: United States

talyzr maintains a signed or accepted DPA with each Sub-processor, with obligations equivalent to those undertaken with the Controller.

Annex C

Standard Contractual Clauses (SCCs) — EU 2021/914

If the Controller is established in the European Economic Area, the United Kingdom or Switzerland, or is otherwise subject to GDPR or UK GDPR, the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914, Module Two (Controller-to-Processor) are automatically incorporated by reference into this DPA and deemed entered into between the Controller (as "Data Exporter") and talyzr (as "Data Importer").

SCC selections applicable:

  • Clause 7 (Docking clause): applicable, allowing additional parties to accede.
  • Clause 9 (Use of sub-processors): option 2 — general authorization with 30 calendar days of prior notice, in accordance with the "Sub-processors" section of this DPA.
  • Clause 11 (Redress): the independent dispute resolution body is not applicable.
  • Clause 17 (Governing law): law of Ireland.
  • Clause 18 (Jurisdiction): courts of Ireland.
  • Annex I.A (List of Parties): the Controller is the Exporter identified in the Main Agreement; talyzr SpA is the Importer.
  • Annex I.B (Description of Transfer): see Annex A of this DPA.
  • Annex I.C (Competent Supervisory Authority): the supervisory authority of the Member State in which the Exporter's representative is established, or any supervisory authority pursuant to GDPR Art. 56.
  • Annex II (Technical and Organizational Measures): see "Technical and organizational measures" section of this DPA.
  • Annex III (List of Sub-processors): see Annex B of this DPA.

For Controllers established in the United Kingdom, the SCCs apply together with the UK International Data Transfer Addendum issued by the Information Commissioner's Office (ICO) under Section 119A of the Data Protection Act 2018, which is incorporated by reference.

The full and current text of the SCCs is available in the Official Journal of the European Union. In case of any conflict between the SCCs and other provisions of this DPA, the SCCs shall prevail exclusively with respect to the international transfers covered by them.

Need us to formally sign this DPA?

If your legal team requires signature of a PDF version of this DPA with the Controller's legal name and details, write to us and we'll coordinate electronic signature within 1 business day.