Skima AI

SKIMA INNOVATION PRIVATE LIMITED. DATA PROTECTION ADDENDUM

This Data Protection Addendum ("Addendum") between Skima Innovation Private Limited ("Skima") and the Customer (as defined in the Agreement) forms part of the Skima Innovation Private Limited Terms of Service set forth at https://help.skima.ai/en/articles/8304623-terms-and-conditions or such other written or electronic agreement incorporating this Addendum, in each case governing Customer's access to and use of the Services (the "Agreement"). This Addendum was last updated in May 2026.

Customer enters into this Addendum on behalf of itself and any Affiliates authorized to use the Services under the Agreement and who have not entered into a separate contractual arrangement with Skima Innovation Private Limited. For the purposes of this Addendum only, and except where otherwise indicated, references to "Customer" shall include Customer and such Affiliates.

The Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.

  1. Definitions
    1. In this DPA, the following terms shall have the meanings set out below. Capitalised terms not otherwise defined shall have the meaning ascribed to them in the Principal Agreement. Terms such as "Controller", "Processor", "Personal Data", "Processing", "Data Subject", "Supervisory Authority", and "Personal Data Breach" shall have the same meanings as under the Applicable Data Protection Laws:
      1. "Applicable Data Protection Laws" means all laws and regulations governing the processing of Personal Data that are applicable to either Party, including without limitation: (i) the Digital Personal Data Protection Act, 2023 ("DPDPA") and rules thereunder; (ii) the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011; (iii) Regulation (EU) 2016/679 ("EU GDPR"); (iv) the UK General Data Protection Regulation and the Data Protection Act 2018 ("UK GDPR"); (v) the Swiss Federal Act on Data Protection ("Swiss DPA" / nFADP); and (vi) any other applicable national or regional data protection legislation, in each case as amended or replaced from time to time.
      2. "Business Purpose" has the meaning given to that term under the California Consumer Privacy Act and California Privacy Rights Act (collectively, "CCPA/CPRA"), applicable solely where the Client processes California consumer personal information. See Appendix A.
      3. "Customer Personal Data" means any Personal Data provided by or on behalf of Client to Skima, or collected by Skima on behalf of Client, in connection with the provision of the Services pursuant to the Principal Agreement.
      4. "Controller / Data Fiduciary" means the natural or legal person that determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, the Controller / Data Fiduciary is the Client.
      5. "Data Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise processed by Skima. For the avoidance of doubt, Data Incidents do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful login attempts, pings, port scans, or denial of service attacks on firewalls or networked systems.
      6. "Data Principal / Data Subject" means the natural person to whom the Personal Data relates. Under the DPDPA, such person is referred to as a "Data Principal"; under the GDPR, as a "Data Subject".
      7. "Personal Data" means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Laws.
      8. "Processing" means any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure, or destruction.
      9. "Processor / Data Processor" means a natural or legal person that processes Personal Data on behalf of the Controller. For the purposes of this DPA, the Processor / Data Processor is Skima.
      10. "SCCs" means the Standard Contractual Clauses for the transfer of Personal Data to third countries, approved by the European Commission pursuant to Decision of 4 June 2021 (Module 2: Controller to Processor), as may be amended or replaced from time to time.
      11. "Services" means the talent intelligence and AI-powered candidate matching and recruitment platform services provided by Skima to Client as more particularly described in the Principal Agreement and any applicable Order Forms.
      12. "Sub-Processor" means any third party engaged by Skima to process Customer Personal Data in connection with the provision of the Services.
      13. "Technical and Organisational Measures (TOMs)" means the security safeguards implemented and maintained by Skima as detailed in Schedule 2 to this DPA.
    2. Capitalized terms not otherwise defined in this Addendum shall have the meanings ascribed to them in the Agreement.
  2. Scope and Processing Roles
    1. This DPA applies to Skima's Processing of Customer Personal Data in connection with the Services to the extent such Processing is subject to Applicable Data Protection Laws.
    2. The Parties acknowledge and agree that, with respect to the Processing of Customer Personal Data: (i) Client acts as the Controller / Data Fiduciary, determining the purposes and means of Processing; and (ii) Skima acts as the Processor / Data Processor, processing solely on behalf of and in accordance with the documented instructions of Client. The subject matter, nature, duration, and categories of Processing are set out in Schedule 1 to this DPA.
    3. Skima shall process Customer Personal Data only: (a) in accordance with Client's documented instructions as set out in the Principal Agreement, this DPA, and any applicable Order Forms; (b) as necessary to perform the Services; or (c) as required by Applicable Data Protection Laws, in which case Skima shall, to the extent permitted by law, inform Client of that legal requirement prior to such processing.
    4. Client warrants that it has obtained all necessary rights, authorisations, consents, and lawful bases required under Applicable Data Protection Laws to enable the transfer and processing of Customer Personal Data by Skima as contemplated by this DPA and the Principal Agreement.
    5. Client agrees not to provide Skima with special categories of Personal Data within the meaning of Article 9 of the EU GDPR, or equivalent categories under other Applicable Data Protection Laws, without prior written agreement between the Parties.
  3. Client's Obligations
    1. Client shall comply with all Applicable Data Protection Laws in connection with the performance of this DPA and the Processing of Customer Personal Data.
    2. Client shall: (i) ensure that a valid lawful basis exists under Applicable Data Protection Laws for each Processing activity instructed to Skima; (ii) obtain all necessary consents from Data Subjects / Data Principals and maintain records thereof; (iii) promptly communicate to Skima in writing any revocation of consent or objection to Processing that may affect Skima's obligations under this DPA; and (iv) provide all required privacy notices to Data Subjects / Data Principals in accordance with Applicable Data Protection Laws.
    3. Client shall handle all Data Subject / Data Principal rights requests in the first instance and shall promptly communicate to Skima any such requests where Skima's assistance is required.
    4. Client shall immediately notify Skima in writing upon becoming aware of: (i) any data privacy complaint or inquiry from a Data Subject / Data Principal relating to Customer Personal Data processed by Skima; (ii) any regulatory inquiry, investigation, or enforcement action relating to the Processing; (iii) any search warrant, subpoena, court order, or governmental process requiring disclosure of Customer Personal Data held by Skima.
    5. Client shall be solely responsible for compliance with Security Incident notification obligations applicable to Client as Controller / Data Fiduciary, including any obligation to notify government authorities, affected Data Subjects / Data Principals, or other relevant parties.
    6. Client shall not instruct Skima to process Customer Personal Data in a manner that would cause Skima to violate any Applicable Data Protection Law.
  4. Processor's Obligations
    1. Purpose Limitation and Instructions. Skima shall process Customer Personal Data only for the purposes specified in Schedule 1 and on the documented instructions of Client. Skima shall not sell, share, or disclose Customer Personal Data to any third party except as necessary to provide the Services or as required by Applicable Data Protection Laws.
    2. Permitted Operational Processing. Notwithstanding Section 4(a), Skima shall have the right to process Customer Personal Data to the extent strictly necessary to: (i) operate, manage, test, maintain, and enhance the Services; (ii) produce and disclose aggregate statistics about the Services in a manner that prevents the identification or re-identification of any individual; (iii) protect the Services or Customer Personal Data against a credible security or technical threat; or (iv) comply with a court order or legally binding governmental request, provided that Skima gives prior written notice to Client where legally permissible.
    3. AI and Machine Learning Restrictions. Skima is expressly prohibited from using Customer Personal Data, including candidate profiles, resumes, and personally identifiable information, to train, retrain, improve, or develop any foundational or generalised machine learning model. Any machine learning training is strictly limited to the Client's specific tenant environment and shall not be aggregated into Skima's global models. External AI sub-processors are restricted exclusively to non-personally identifiable administrative tasks, namely job description generation. Customer Personal Data is never transmitted to any external AI provider.
    4. Privacy by Design and Default. Skima implements data protection by design and by default in accordance with GDPR Article 25 and equivalent provisions of Applicable Data Protection Laws, integrating privacy considerations into the development, operation, and maintenance of the Services, and ensuring that only Personal Data necessary for each specified purpose is processed by default.
    5. No Temporary Files. As a design principle of the Services, Customer Personal Data is not stored in temporary files during processing. All processing occurs within controlled, persistent storage environments subject to the security measures described in Schedule 2.
    6. Confidentiality. Skima shall ensure that all personnel and contractors authorised to process Customer Personal Data are subject to binding confidentiality obligations, whether contractual or statutory, and are made aware of their obligations under this DPA. Access to Customer Personal Data shall be limited to those individuals who require it on a need-to-know, least-privilege basis.
    7. Security. Skima shall implement and maintain the TOMs described in Schedule 2 to ensure a level of security appropriate to the risks presented by the Processing, in accordance with GDPR Article 32 and the equivalent provisions of Applicable Data Protection Laws. These measures shall include at a minimum: (i) AES-256 encryption of data at rest; (ii) TLS 1.2 or higher encryption of data in transit; (iii) multi-factor authentication for all administrative and privileged access; (iv) quarterly access reviews; and (v) annual third-party penetration testing.
    8. Data Subject / Data Principal Rights Assistance. Skima shall provide reasonable assistance to Client through appropriate technical and organisational measures to fulfil Client's obligations to respond to Data Subject / Data Principal rights requests under Applicable Data Protection Laws, including rights of access, rectification, erasure, portability, restriction, and objection. Skima shall notify Client within 24 hours of receiving any such request directly and shall not respond to any such request except on Client's documented instructions or as required by law.
    9. Security Incident Notification. Skima shall notify Client without undue delay and in any event within 48 hours of becoming aware of a Data Incident involving Customer Personal Data. Such notification shall include, to the extent reasonably available: (i) a description of the nature of the incident; (ii) the categories and approximate number of Data Subjects / Data Principals affected; (iii) the categories and approximate volume of Customer Personal Data affected; (iv) the likely consequences of the incident; and (v) the measures taken or proposed to address the incident and mitigate its effects. Skima shall cooperate fully with Client in the investigation, containment, mitigation, and remediation of the incident.
    10. No Acknowledgement of Fault. Skima's notification of or response to a Data Incident shall not be construed as an acknowledgement by Skima of fault, culpability, or liability with respect to such incident.
    11. DPIA Assistance. Skima shall provide reasonable assistance to Client in conducting Data Protection Impact Assessments and, where required, in carrying out prior consultations with Supervisory Authorities in accordance with GDPR Articles 35 and 36 and equivalent provisions of Applicable Data Protection Laws. Skima shall promptly notify Client if it considers that any instruction or proposed Processing activity is likely to result in a high risk to the rights and freedoms of Data Subjects / Data Principals. Client shall reimburse Skima for its reasonable time and out-of-pocket expenses incurred in providing assistance under this Section.
    12. Records and Compliance Demonstration. Skima shall maintain complete and accurate records of all Processing activities carried out on behalf of Client, as required under GDPR Article 30(2) and equivalent provisions of the DPDPA, and shall make such records available to Client upon reasonable written request.
  5. Sub-Processors
    1. Client provides general authorisation for Skima to engage and appoint Sub-Processors in connection with the delivery of the Services, subject to the conditions set out in this Section.
    2. Skima's current list of approved Sub-Processors is maintained and publicly available at https://skima.scrut.io/. Skima shall update this list at least 30 calendar days in advance of any new Sub-Processor being engaged or any material change to an existing Sub-Processor's processing scope.
    3. In relation to any notice of a new or changed Sub-Processor, Client shall have 30 calendar days from the date of notice to object in writing on reasonable data protection grounds. The Parties shall work together in good faith to resolve such objection within a further 30 days. Where no commercially reasonable solution can be found, either Party may terminate the affected Services on written notice, without penalty.
    4. With respect to each Sub-Processor, Skima shall: (i) carry out appropriate due diligence prior to engagement; (ii) impose data protection obligations that are materially equivalent to those set out in this DPA; (iii) remain fully liable to Client for any failure by the Sub-Processor to fulfil its data protection obligations; and (iv) conduct annual recertification reviews of each Sub-Processor's compliance and security posture.
  6. International Data Transfers
    1. Data Residency. All Customer Personal Data is stored permanently on Amazon Web Services infrastructure located in Dublin, Ireland (AWS eu-west-1). By default, Customer Personal Data does not leave the European Union.
    2. EU and EEA Transfers. Where Customer Personal Data is transferred from the EU or EEA to a third country in connection with the Services, such transfer shall be subject to the SCCs, which are hereby incorporated by reference into this DPA as follows: (i) Module Two (Controller to Processor) applies; (ii) the optional docking clause in Clause 7 applies; (iii) in Clause 9, Option 2 applies with a 30-day Sub-Processor notice period as set out in Section 5 above; (iv) in Clause 17, the SCCs shall be governed by Irish law; (v) in Clause 18(b), disputes shall be resolved before the courts of the Republic of Ireland; (vi) Annex I of the SCCs is deemed completed with the information in Schedule 1; and (vii) Annex II of the SCCs is deemed completed with the information in Schedule 2.
    3. UK Transfers. For Customer Personal Data protected by the UK GDPR, the International Data Transfer Addendum issued by the UK Information Commissioner's Office (effective 21 March 2022) applies and is incorporated by reference into this DPA as a modification to the EU SCCs.
    4. Swiss Transfers. For Customer Personal Data protected by the Swiss Federal Act on Data Protection (nFADP), the EU SCCs apply as set out in Section 6(b) with the following modifications: (i) references to "Regulation (EU) 2016/679" are replaced with the Swiss nFADP; (ii) references to "EU", "Union", and "Member State" are replaced with Switzerland and Swiss law as applicable; (iii) the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC); and (iv) disputes shall be resolved before the competent courts of Switzerland.
    5. India — DPDPA. For Personal Data of Indian Data Principals, Skima shall comply with the cross-border transfer provisions of the DPDPA 2023 and any rules or governmental directions notified thereunder.
    6. Commitment to Execute Transfer Mechanisms. Skima shall not unreasonably withhold or delay execution of any template model clauses, including SCCs or equivalent transfer mechanisms, where transfer of Customer Personal Data outside the EEA or applicable jurisdiction is required for performance of the Services.
    7. AI Processing Architecture. Skima employs a tiered approach to AI processing: (i) Tier 1 — Internal Models: all Customer Personal Data, including candidate profiles, resumes, matching scores, and retrieval operations, is processed exclusively using Skima's internal proprietary models hosted on AWS Dublin (EU); (ii) Tier 2 — External LLM APIs: external AI APIs are used solely for non-personally identifiable tasks, namely job description generation. No Customer Personal Data is transmitted to any external AI or LLM provider.
  7. Government and Authority Requests
    1. To the extent legally permissible, Skima shall promptly notify Client upon receiving any legally binding request from a government authority, law enforcement agency, court, or regulatory body for the disclosure of Customer Personal Data.
    2. Where a disclosure request is not legally binding, Skima shall reject the request and notify Client of such rejection without undue delay.
    3. Where Skima is required to comply with a legally binding request, it shall: (i) disclose only the minimum amount of Customer Personal Data strictly necessary to satisfy the request; (ii) maintain a written record of all legally binding disclosure requests received and all Customer Personal Data disclosed pursuant thereto; and (iii) make such records available to Client upon request.
    4. Where Skima is legally prohibited from notifying Client prior to disclosure, Skima shall notify Client at the earliest opportunity following the expiry of any applicable prohibition.
  8. Data Retention, Return, and Deletion
    1. Skima shall retain Customer Personal Data only for as long as is necessary for the provision of the Services or as required by Applicable Data Protection Laws, in accordance with the retention schedule set out in Schedule 1.
    2. Upon the earlier of: (i) the termination or expiry of the Principal Agreement; (ii) the cessation of the relevant Services; or (iii) a written request from Client, Skima shall, within 30 calendar days and at Client's sole discretion:
      1. return all Customer Personal Data to Client in a commonly used machine-readable format, such as CSV or JSON, or in the current storage format in which the data is held, as directed by Client; and / or
      2. permanently and securely delete all Customer Personal Data from its systems, including all backup copies, and provide Client with written certification confirming the date, scope, and method of deletion.
    3. Skima may retain Customer Personal Data beyond the periods above solely where required to do so by Applicable Data Protection Laws, in which case Skima shall notify Client and shall continue to apply the protections set out in this DPA to such retained data.
  9. Audit Rights
    1. Skima shall make available to Client all information reasonably necessary to demonstrate compliance with its obligations under this DPA. In the first instance, Skima shall provide its current SOC 2 Type II audit report and GDPR Compliance Audit report, available under a mutually executed non-disclosure agreement, to satisfy compliance demonstration obligations.
    2. Where Client is unable to establish Skima's compliance from the audit reports provided, Client may request an on-site or remote audit of Skima's processing operations, subject to: (i) 30 calendar days' prior written notice; (ii) the audit being conducted during Skima's normal business hours with minimum disruption to its operations; (iii) a maximum of one such audit per 12-month period, except where required by instruction of a competent Supervisory Authority or where Client has reasonable grounds to believe a further audit is necessary following a confirmed Data Incident.
    3. Client shall reimburse Skima for its reasonable time and out-of-pocket expenses incurred in connection with: (i) assistance provided with Data Subject / Data Principal rights requests; (ii) DPIA preparation and Articles 35–36 consultations; and (iii) audit and compliance assessment assistance, beyond Skima's standard annual reporting obligations.
  10. Confidentiality
    1. Skima shall ensure that all personnel, contractors, and Sub-Processors with access to Customer Personal Data are subject to binding obligations of confidentiality, whether contractual or statutory. The existence and terms of this DPA are confidential and shall not be disclosed by either Party to any third party without the prior written consent of the other Party, except as required by Applicable Data Protection Laws or by order of a court or competent authority.
  11. Warranties
    1. Each Party warrants that it shall comply with all of its respective obligations under Applicable Data Protection Laws for the duration of this DPA.
    2. Skima warrants that: (i) it has the necessary expertise, resources, and organisational capability to fulfil its obligations under this DPA; (ii) its TOMs are and shall remain appropriate to the nature and risks of the Processing; and (iii) it shall promptly notify Client of any material change to its processing practices that may affect Client's ability to comply with Applicable Data Protection Laws.
    3. Client warrants that: (i) it has a valid lawful basis under Applicable Data Protection Laws for each Processing activity instructed to Skima; (ii) it has provided all required privacy notices to Data Subjects / Data Principals; and (iii) all instructions given to Skima under this DPA comply with Applicable Data Protection Laws.
  12. Liability and Indemnity
    1. Each Party shall be individually liable to Data Subjects / Data Principals and third parties for any damage caused by that Party's breach of its obligations under Applicable Data Protection Laws or this DPA.
    2. Processor Indemnity. Skima shall indemnify and hold harmless Client from and against any third-party claims, losses, damages, liabilities, fines, administrative penalties, and reasonable legal costs arising directly from Skima's breach of its obligations under this DPA, Applicable Data Protection Laws, or from Skima's wilful misconduct.
    3. Controller Indemnity. Client shall defend Skima and its Affiliates from and against any and all claims, demands, actions, or proceedings brought by any third party, and shall indemnify and hold harmless Skima and its Affiliates from and against all losses, damages, liabilities, fines, administrative fines, penalties, settlements, and costs and expenses, including reasonable legal and investigatory fees, arising from: (i) any breach by Client of its obligations under this DPA; (ii) Client's failure to comply with Applicable Data Protection Laws in its capacity as Controller / Data Fiduciary; (iii) Client's failure to have a valid lawful basis for any Processing activity instructed to Skima; or (iv) any inaccuracy in, or invalidity of, any representation or warranty given by Client under this DPA.
    4. The total liability of each Party under this DPA shall be subject to any limitations of liability agreed in the Principal Agreement, except to the extent such limitations are prohibited by Applicable Data Protection Laws.
  13. Term and Termination
    1. This DPA shall take effect on the effective date of the Principal Agreement and shall remain in force for its duration.
    2. Either Party may terminate this DPA immediately on written notice if the other Party commits a material breach of its obligations under this DPA and fails to remedy such breach within 15 business days of receiving written notice specifying the breach.
    3. The following obligations shall survive termination or expiry of this DPA: Sections 7 (Government and Authority Requests), 8 (Data Retention, Return, and Deletion), 10 (Confidentiality), and 12 (Liability and Indemnity).
    4. This DPA may be amended only by a written instrument duly executed by authorised representatives of both Parties.
  14. General Provisions
    1. Severability. If any provision of this DPA is held by a court or competent authority to be invalid, unlawful, or unenforceable, that provision shall be deemed severed and the remaining provisions shall continue in full force and effect.
    2. Notices. All notices under this DPA shall be in writing and delivered to the registered addresses of the Parties set out in the Principal Agreement. Notices to Skima's Data Protection Officer shall be addressed to: Yash Dave, [email protected].
    3. Assignment. Neither Party may assign or transfer any of its rights or obligations under this DPA without the prior written consent of the other Party, except that Client may assign its rights and obligations to any Affiliate or successor entity.
    4. Entire Agreement. This DPA, together with its Schedules and any incorporated Standard Contractual Clauses, constitutes the entire agreement between the Parties with respect to the processing of Customer Personal Data and supersedes all prior representations, agreements, and understandings on the subject matter hereof.
    5. Waiver. No failure or delay by either Party in exercising any right under this DPA shall constitute a waiver of that right.
    6. This DPA shall be subject to such amendments as may be required from time to time by the DPDPA Rules (India), EU GDPR, or other Applicable Data Protection Laws.
  15. Precedence
    1. In the event of any conflict or inconsistency between the documents governing the relationship of the Parties with respect to data protection, the following order of precedence shall apply:
      1. First — the Standard Contractual Clauses or any other cross-border transfer mechanism agreed between the Parties;
      2. Second — this Data Processing Addendum and its Schedules;
      3. Third — the Principal Agreement.
    2. To the extent of any conflict, the Standard Contractual Clauses shall prevail over this DPA and the Principal Agreement, and this DPA shall prevail over the Principal Agreement on data protection matters.
  16. Miscellaneous
    1. Privacy by Design. The Parties acknowledge that Skima has designed its systems and processes in accordance with the principle of privacy by design and default under GDPR Article 25, ensuring that data protection measures are integrated into the Services from their inception.
    2. No Temporary Processing Files. Skima confirms that, as a matter of system design, no temporary files containing Customer Personal Data are generated during the ordinary course of processing.
    3. No Fault on Breach Notification. Nothing in Skima's notification of a Data Incident, or in Skima's cooperation with Client in responding to a Data Incident, shall be construed as an admission of fault, liability, or culpability on the part of Skima in respect of such incident.
    4. Framework Certification. Skima operates its information security management programme in accordance with ISO/IEC 27001:2022 and ISO/IEC 27701:2019, and holds a current SOC 2 Type II certification, independently verified by Scrut Automation. Skima shall promptly notify Client of any material change to its certification status.
  17. Governing Law and Jurisdiction

    This DPA and any dispute, controversy, or claim arising out of or in connection with it shall be governed by [GOVERNING LAW] and subject to the exclusive jurisdiction of [COURTS]. The Parties agree to insert the applicable governing law and jurisdiction from the matrix below based on the Client's operating territory:

    Client Jurisdiction | Governing Law and Competent Courts
    India | Laws of India. Exclusive jurisdiction of the courts of Mumbai, Maharashtra.
    European Union (including Germany, France, Netherlands) | Laws of Ireland. Exclusive jurisdiction of the courts of the Republic of Ireland. (Consistent with EU SCCs, Clause 17.)
    United Kingdom | Laws of England and Wales. Exclusive jurisdiction of the courts of England and Wales.
    Switzerland | Laws of Switzerland. Exclusive jurisdiction of the competent courts of Zurich, Switzerland.
    United States | Laws of the State of Delaware. Exclusive jurisdiction of the courts of the State of Delaware.
    Other Jurisdictions | To be mutually agreed in writing by the Parties prior to execution.

Schedule 1 — Description of Processing Activities

Part A — Identification of the Parties

Specification | Data Importer (Processor)
Full Legal Name | Skima Innovation Private Limited
Registered Address | 3rd Floor, Chintamani Plaza, Andheri-Kurla Road, Mota Nagar, Andheri East, Mumbai, Maharashtra 400053, India
DPO / Privacy Contact | Yash Dave | [email protected]
Role | Processor / Data Processor
Certifications | SOC 2 Type II (April 2025 – September 2025, No Exceptions Noted) | GDPR Compliant (September 2025, Scrut Automation)

Part B — Processing Operation Details

Processing Dimension | Operational Framework Status
Subject Matter | Talent intelligence and AI-powered candidate matching and recruitment facilitation services as described in the Principal Agreement.
Nature of Processing | Collection, storage, structuring, retrieval, and analysis of candidate personal data for the purpose of recruitment facilitation. All candidate personal data is processed exclusively by Skima's internal proprietary AI models. External AI APIs are restricted to non-personally identifiable tasks only.
Purpose of Processing | To facilitate Client's recruitment processes, including candidate search, matching, profile parsing, and enrichment, as set out in the Principal Agreement and applicable Order Forms.
Duration of Processing | For the term of the Principal Agreement. Upon termination: client account data is retained for a maximum of 3 months; candidate and end-user data is retained for a maximum of 12 months, following which it is securely deleted.
Frequency | Continuous — data is processed on an ongoing basis throughout the term of the Agreement.
Primary Data Location | Amazon Web Services, Dublin, Ireland (AWS eu-west-1). All data at rest is held within the European Union.
Transfers Outside EU | Limited to ephemeral, non-personally identifiable API calls for job description generation only. No Customer Personal Data is transferred outside the primary hosting region.

Part C — Categories of Data Subjects and Personal Data

Data Category Tier: Explicit System Data Parameters / Fields
Data Subjects / Data Principals: Candidates whose profiles and data are processed through the Services; and authorised users of Client's account on the Skima platform.
Standard Personal Data Processed: Full name; email address; telephone number; employment history and work experience; educational qualifications and certifications; curriculum vitae and resume content; current and previous job titles; location and address details.
Additional Personal Data (where provided by Client or candidate): Date of birth; nationality; age; gender; profile photograph or image; user identifier and username (platform account data); professional profile URLs and related web links (e.g., LinkedIn); language preferences.
Special Categories of Personal Data: None. Client expressly agrees not to upload, submit, or process special categories of personal data as defined under GDPR Article 9, or equivalent sensitive personal data under other Applicable Data Protection Laws, without prior written agreement between the Parties.
Competent Supervisory Authority: As determined by application of Clause 13 of the EU SCCs and the Applicable Data Protection Laws governing the Client's jurisdiction.

Schedule 2 — Technical and Organisational Security Measures (TOMs)

The following technical and organisational measures have been implemented by Skima Innovation Private Limited and are independently verified under Skima's SOC 2 Type II audit (audit period April 1 – September 30, 2025, No Exceptions Noted) and GDPR Compliance Audit (September 26, 2025, Compliant — Scrut Automation). Skima's full SOC 2 Type II and GDPR audit reports are available for review under a mutually executed non-disclosure agreement by contacting: [email protected].

Security Domain: Measures Implemented & Enforced
Encryption — Data at Rest: AES-256 encryption applied to all production databases, backup copies, and data stored on AWS Dublin infrastructure.
Encryption — Data in Transit: TLS 1.2 or higher enforced for all data transmitted over public networks. HTTPS enforced across all application endpoints.
Access Control: Role-Based Access Control (RBAC) implemented on least-privilege and need-to-know principles. Multi-Factor Authentication (MFA) mandatory for all administrative and privileged access. AWS Identity and Access Management (IAM) enforced. Quarterly access reviews conducted.
Network Security: AWS Virtual Private Cloud (VPC) with private subnets for all database instances. No direct public internet access to databases. Cloudflare Web Application Firewall (WAF) deployed in Block mode with OWASP Top 10 rule sets. DDoS mitigation at network, transport, and application layers.
Vulnerability Management: Annual third-party penetration testing and vulnerability assessment. Automated vulnerability scanning prior to every production release. Critical and high-severity vulnerabilities remediated without undue delay.
Availability and Resilience: Multi-Availability Zone (Multi-AZ) deployment on AWS Dublin providing synchronous data replication across geographically separated facilities. Recovery Time Objective (RTO): ≤ 30 minutes (AZ failure); ≤ 1 hour (full regional DR). Recovery Point Objective (RPO): ≤ 15 minutes (AZ failure); ≤ 5 minutes (cross-region DR). Daily incremental and full database backups. Quarterly disaster recovery simulation exercises.
Security Monitoring: 24/7 automated monitoring via AWS CloudWatch and New Relic with alerting for anomalous conditions. Defined incident escalation matrix from engineering level to CTO level on an hourly cadence.
Data Segregation: Logical isolation of all client data within dedicated database structures. No cross-customer data aggregation, shared datasets, or pooled model training repositories.
Personnel Security: Background screening for all personnel with access to customer data prior to engagement. Binding confidentiality and non-disclosure agreements on hire. Annual security awareness and data protection training programme.
AI and Model Security: All Customer Personal Data processed exclusively by Skima's internal proprietary models hosted on AWS Dublin, Ireland (EU). External LLM APIs restricted solely to non-personally identifiable job description generation tasks. Zero Data Retention (ZDR) Enterprise API agreements in place with all external AI providers.
Change Management: Peer code review and explicit approval required for all production changes. Segregated development, testing, and production environments. Automated security scanning in the CI/CD pipeline.
Incident Response: Formal documented Incident Response Plan. 48-hour client notification SLA for confirmed Data Incidents. Root Cause and Corrective Action process for all high-risk incidents. Annual Business Continuity and Disaster Recovery plan testing.
Compliance: SOC 2 Type II certification (Security, Availability, Confidentiality Trust Services Criteria). GDPR Compliance verified by Scrut Automation. Data Protection Officer appointed. Record of Processing Activities (ROPA) and Data Protection Impact Assessment (DPIA) programme maintained. CIS Benchmark hardening applied to all production systems.
Privacy by Design: Privacy protection measures integrated into the design, development, and operation of the Services in accordance with GDPR Article 25. Customer Personal Data processed only to the extent necessary for the specified purpose by default.

Schedule 3 — Approved Sub-Processors

The following sub-processors are approved by the Data Fiduciary as of the Effective Date. The authoritative and current sub-processor list is maintained at https://skima.scrut.io/, which is updated at least 30 calendar days in advance of any change. Skima will notify Client in accordance with Section 5 of this DPA of any intended additions or modifications to the approved sub-processor list.

Sub-Processor Entity Name | Corporate Country | Explicit Processing Core Purpose | PII Content Access Status
Amazon Web Services (AWS) | Ireland (EU) | Primary application hosting, database storage, compute infrastructure, automated backups, and disaster recovery. | Yes — All Customer Personal Data
Cloudflare, Inc. | United States | Edge security, DDoS mitigation, Web Application Firewall, content delivery, and DNS management. | Transit only — Not stored persistently
OpenAI, L.L.C. | United States | Job description generation (non-personally identifiable inputs only). | No — No PII Transmitted
OpenRouter, Inc. | United States | Job description generation (non-personally identifiable inputs only). | No — No PII Transmitted
GitHub, Inc. | United States | Source code repository, infrastructure version control management systems. | No Client Personal Data
HubSpot, Inc. | United States | Customer relationship management and B2B corporate tracking communications. | No Client Personal Data
Google LLC (Google Workspace) | India | Internal corporate email, calendar, and identity management. | No Client Personal Data
IBM Corporation (MaaS360) | United States | Mobile device management — endpoint encryption, remote management, and patch deployment. | No Client Personal Data
Scrut Automation, Inc. | United States | Continuous compliance monitoring and security posture management (SOC 2, ISO). | No Client Personal Data
Linear Orbit, Inc. (Linear) | United States | Internal project management and issue tracking. | No Client Personal Data

Appendix A — US Data Privacy Addendum (CCPA / CPRA)

This Appendix applies solely where Client is a "Business" as defined under the California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.) as amended by the California Privacy Rights Act ("CCPA/CPRA"), and where Skima processes personal information of California consumers on behalf of Client. Where this Appendix does not apply, it may be disregarded and does not form part of this DPA.

A.1 Statutory Definitions

For the purposes of this Appendix, the following terms shall have the meanings ascribed to them under the CCPA/CPRA:
CCPA Statutory Term: Contractual / Operational Definition (mapping)
Business: The legal entity that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information and satisfies the applicable thresholds under the CCPA/CPRA. For this DPA: Client.
Business Purpose: The use of personal information for the business's operational purposes, or other notified purposes reasonably necessary and proportionate to the collection purpose, as specified in CCPA/CPRA regulations.
Commercial Purpose: The advancement of a business's commercial or economic interests, including inducing a consumer to purchase, rent, or lease goods, services, or land.
Contractor: A person to whom the Business makes available a consumer's personal information for a Business Purpose pursuant to a written contract satisfying the requirements of CCPA/CPRA. For this DPA: Skima.
Service Provider: A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that processes personal information on behalf of a Business. For this DPA: Skima.
Sell / Sale: Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer's personal information to a third party for monetary or other valuable consideration.
Share / Sharing: Sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer's personal information to a third party for cross-context behavioural advertising.
Third Party: A person who is not the Business, Service Provider, Contractor, or Consumer.

A.2 Permitted Business Purposes Checklist

Skima processes Consumer personal information solely for the following specified, covered operational Business Purposes verified in strict accordance with CCPA/CPRA rules:

  • Helping to ensure the security and integrity of the Services to the extent the use of Consumer personal information is reasonably necessary and proportionate for those purposes;
  • Debugging to identify and repair errors that impair existing intended functionality of the Services;
  • Performing services on behalf of the Business, including maintaining or servicing accounts, providing customer service, processing transactions, verifying consumer information, providing storage, or providing similar services;
  • Undertaking internal research for technological development and demonstration;
  • Undertaking activities to verify or maintain the quality or safety of the Services;
  • Detecting, preventing, safeguarding, and investigating data security incidents or protecting against malicious, deceptive, fraudulent, or illegal activity.

A.3 CCPA Statutory Restrictions on Skima

In its institutional capacity as a Service Provider and Contractor under the CCPA/CPRA, Skima explicitly covenants that it shall not:

  1. Sell or Share any Consumer personal information;
  2. Retain, use, or disclose Consumer personal information for any purpose other than for the specific Permitted Business Purposes specified in Section A.2 of this Appendix, unless otherwise explicitly permitted under the CCPA/CPRA;
  3. Retain, use, or disclose Consumer personal information outside of the direct, bounded business relationship established between Skima and the Client;
  4. Combine Consumer personal information received from, or on behalf of, the Business with personal information received from or collected from any alternative upstream source, except strictly under specific conditions allowed to perform essential platform processing tasks by CCPA/CPRA regulations.