Data Processing Addendum

1. Definitions

• "Controller" means the Customer that determines the purposes and means of the processing of Personal Data under the MSA.
• "Processor" means Prelim (operated by CMG Labs), which processes Personal Data on behalf of the Controller.
• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Prelim on Customer's behalf in connection with the Service.
• "Data Subject" means an identified or identifiable natural person to whom Personal Data relates; in the context of the Service this is primarily a candidate.
• "Sub-processor" means any third party engaged by Prelim to process Personal Data on Customer's behalf.
• "Applicable Data Protection Laws" means all data protection and privacy laws applicable to the processing of Personal Data under the MSA, including, where applicable, the EU GDPR, the UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act, and other US state privacy laws.

2. Scope and Purpose of Processing

Prelim processes Personal Data solely on documented instructions from the Customer for the purpose of providing the Service, which consists of AI-assisted, text-based screening interviews, scoring, and reporting. Specific processing activities include: hosting interview content, transmitting candidate responses to and from the AI sub-processor for evaluation and scoring, storing the resulting scores and reasoning, and making them available to Customer through the Service.

Prelim will not process Personal Data for any other purpose unless required by applicable law, in which case Prelim will notify Customer in advance unless the law prohibits notice.

3. Duration

This DPA applies for the term of the MSA and, with respect to any obligations that by their nature survive termination (including deletion or return of Personal Data), until those obligations have been satisfied.

4. Categories of Data Subjects and Personal Data

Categories of Data Subjects: candidates and applicants who participate in interviews issued by Customer through the Service, and Customer's authorized users (e.g., recruiters and hiring managers).

Categories of Personal Data:

• Candidate name and email address.
• Interview transcripts (candidate-provided text responses and the questions asked).
• AI-generated scores, written reasoning, and recommendations (strong_yes / yes / maybe / no / strong_no).
• Customer-provided job descriptions, scoring rubrics, and interview configurations.
• Authorized-user account data (name, email, company, authentication information).

Prelim is a text-only screening service. The Service does not process video, voice, or biometric data. Customer agrees not to instruct candidates to provide special categories of data (such as health, racial, or religious information) through the Service.

5. Sub-processors

Customer authorizes Prelim to engage Sub-processors to process Personal Data on its behalf. The current list of Sub-processors is maintained on the Prelim Privacy Policy and on the Compliance page.

Prelim will (i) impose written contractual obligations on each Sub-processor that are no less protective than this DPA; (ii) remain responsible for each Sub-processor's performance; and (iii) provide Customer with at least 30 days' prior notice of the addition or replacement of a Sub-processor that processes Personal Data. Customer may object on reasonable data-protection grounds within that 30-day period, in which case the parties will work in good faith to address the objection; if unresolved, Customer may terminate the affected portion of the MSA without penalty.

6. Security Measures

Prelim implements and maintains appropriate technical and organizational measures designed to protect Personal Data, including:

• Encryption of Personal Data in transit (TLS 1.2+).
• Encryption of Personal Data at rest.
• Role-based access controls and least-privilege principles for Prelim personnel; production access restricted to authorized personnel.
• Audit logging of administrative and production-data access.
• Authentication controls including multi-factor authentication for administrative accounts.
• Secure software-development practices, including code review and dependency management.
• Regular review of Sub-processors' security postures.

7. Data Subject Rights

Taking into account the nature of the processing, Prelim will, to the extent reasonably possible, assist Customer in fulfilling Customer's obligations to respond to Data Subject requests to exercise rights under Applicable Data Protection Laws, including the rights of access, correction, deletion, restriction, objection, and portability. Where a Data Subject submits a request directly to Prelim, Prelim will promptly forward the request to Customer and will not respond substantively without Customer's instructions, except to confirm receipt or as required by law.

8. Personal Data Breach Notification

Prelim will notify Customer without undue delay, and in any event within seventy-two (72) hours after Prelim becomes aware of a Personal Data Breach affecting Customer's Personal Data. The notification will include, to the extent known: a description of the nature of the breach; the categories and approximate number of Data Subjects and records affected; the likely consequences; and the measures Prelim has taken or proposes to take. Prelim will reasonably cooperate with Customer in investigating and mitigating any such breach.

9. Audit Rights

Prelim will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. Customer may, no more than once per calendar year and upon at least thirty (30) days' prior written notice (or sooner if required by a supervisory authority or following a Personal Data Breach), audit Prelim's compliance with this DPA. Provision of Prelim's then-current SOC 2 (or equivalent) report, when available, will be deemed sufficient to satisfy Customer's audit right. Audits will be conducted during business hours, will not unreasonably interfere with Prelim's operations, and will be subject to reasonable confidentiality obligations.

10. International Transfers

Prelim and its Sub-processors are located in the United States. Prelim does not currently market the Service to candidates or customers located in the European Economic Area, the United Kingdom, or Switzerland, and Prelim geo-fences candidates located in the European Union.

To the extent the parties agree that the Service may be used to process Personal Data subject to EU GDPR, UK GDPR, or Swiss FADP, the parties incorporate by reference the applicable Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module Two: controller-to-processor) and the UK International Data Transfer Addendum, as applicable, with Customer as data exporter and Prelim as data importer. Schedules to the SCCs will be populated using the corresponding sections of this DPA. This Section 10 is provided for completeness; nothing in this DPA obligates Prelim to process Personal Data originating in those jurisdictions.

11. Deletion or Return upon Termination

Within thirty (30) days after termination or expiration of the MSA, Prelim will, at Customer's election, delete or return all Personal Data processed on Customer's behalf, including any copies held by Sub-processors, except to the extent retention is required by applicable law. Prelim's standard retention policy for interview transcripts and scores is 18 months from interview completion, after which the data is deleted automatically regardless of MSA status. Backups containing Personal Data are overwritten on a rolling basis.

12. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or any other theory of liability, is subject to the limitations of liability set forth in the MSA, and any reference in the MSA to a party's liability means aggregate liability under the MSA and this DPA combined.

13. Contact

For questions about this DPA, or to request a counter-signed copy, contact marcus@prelim.chat.