Data Processing Agreement
HeadsIn Connect LLP (Saral AI) · saralhire.ai · Version 1.0
Governed by India's Digital Personal Data Protection Act, 2023 · Effective April 2026
Data Fiduciary (Platform)
HeadsIn Connect LLP
Operating as: Saral AI
Data Processor (Recruiter / Customer)
Organisation name:
Contact name:
Email:
Recitals
This Data Processing Agreement (“Agreement” or “DPA”) is entered into between HeadsIn Technologies Pvt. Ltd. (“Saral AI”), the operator of the Saral AI talent sourcing platform, and the recruiter, HR professional, founder, or organization accessing the platform (“Recruiter” or “Data Processor”).
This Agreement governs how the Recruiter accesses, processes, uses, and manages candidate personal data made available through the Saral AI platform. It is entered into in accordance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”), collectively referred to as the “DPDP Framework.”
By creating an account on saralhire.ai and accepting this Agreement at registration, the Recruiter confirms they have read, understood, and agree to be bound by the terms herein.
1. Definitions
In this Agreement, the following terms have the meanings set out below:
| Term | Meaning |
|---|---|
| Candidate | Any individual whose personal data is surfaced, stored, or displayed on the Saral AI platform, sourced from publicly available platforms, including GitHub, LinkedIn, X (Twitter), etc. |
| Personal Data | Any data about an individual who is identifiable by or in relation to such data, as defined under Section 2(t) of the DPDP Act. For this Agreement, this includes names, professional roles, email addresses, phone numbers, social profile links, and contribution activity. |
| Data Fiduciary | HeadsIn Connect LLP (Saral AI), which determines the purpose and means of processing candidate personal data on the platform. |
| Data Processor | The Recruiter / Customer who accesses candidate data through the Saral AI platform and processes it on the Data Fiduciary's behalf for recruitment purposes. |
| Data Principal | The individual (candidate) to whom the personal data relates, who holds rights under the DPDP Act. |
| Processing | Any automated or manual operation performed on personal data, including collection, storage, retrieval, use, sharing, disclosure, erasure, and destruction. |
| Data Breach | Any unauthorized or accidental disclosure, access, alteration, or destruction of personal data processed under this Agreement. |
| DPDP Framework | The Digital Personal Data Protection Act, 2023 and Digital Personal Data Protection Rules, 2025, as amended from time to time. |
2. Scope and purpose of data processing
2.1 What this Agreement covers
This Agreement applies to all personal data of candidates that the Recruiter accesses, views, downloads, exports, or otherwise processes through the Saral AI platform, including but not limited to:
- Full name and professional title
- Current and past employer information
- Email address (publicly listed or enriched)
- Phone number (where publicly available)
- GitHub profile URL, repositories, and contribution data
- LinkedIn profile URL and publicly visible professional information
- X (Twitter) handle, bio, and publicly posted contact information
- Other publicly available social and professional profile links (such as personal portfolios, Behance, Dribbble, and similar platforms)
- Fit Check evaluations, AI-generated summaries, and shortlist status within the platform
2.2 Permitted purpose
The Recruiter may process candidate personal data solely for the following purpose:
Identifying, evaluating, and reaching out to candidates for legitimate job vacancies within the Recruiter's organization or a client organization on whose behalf the Recruiter is hiring.
Any other use of candidate data — including but not limited to marketing, data resale, non-recruitment profiling, investor research, or competitive intelligence — is strictly prohibited.
2.3 Instruction-based processing
Saral AI (as Data Fiduciary) authorizes the Recruiter to process candidate personal data only on the documented instructions contained in this Agreement. The Recruiter shall not process candidate data in any manner inconsistent with these instructions without prior written consent from Saral AI.
2.4 Lawful basis for processing
Saral AI processes candidate personal data on the following documented lawful bases, as required by Sections 4, 5, and 6 of the DPDP Act:
- Public data exemption – Section 3(c)(ii): Personal data that the Data Principal (candidate) has caused to be made publicly available falls outside the scope of the DPDP Act. Saral AI relies on this exemption for data sourced from public GitHub profiles (usernames, bios, public repositories, contribution activity), public X (Twitter) accounts (handles, bios, publicly posted contact details), publicly accessible LinkedIn profile information, and other publicly available social and professional platforms (including personal portfolios, Behance, Dribbble, and similar platforms). Saral AI maintains documentation of source categorization for each data type and will produce this to the Data Protection Board upon request.
- Third-party enrichment data: Where candidate contact data (email addresses, phone numbers) is sourced through third-party data enrichment tools, Saral AI requires those vendors to confirm the lawful basis and consent chain under which that data was collected, via executed Data Processing Agreements with each vendor. Saral AI does not rely on the public data exemption for enriched contact data and will obtain vendor documentation of lawful basis before using any enrichment tool for Indian personal data.
- Recruiter platform data: Personal data provided by Recruiters during registration (name, work email, company) is processed under Section 6 of the DPDP Act based on the Recruiter's consent given at registration and the performance of this contractual Agreement.
Saral AI reviews the lawful basis applicable to each data source category at least annually and updates this documentation as the DPDP Framework and judicial guidance evolve.
2.5 Cross-border data transfers
In accordance with Section 16 of the DPDP Act, candidate personal data may be processed on servers or infrastructure located outside India as part of Saral AI's cloud and technology stack. Saral AI ensures all such cross-border transfers comply with Section 16 and are restricted to countries not notified as restricted by the Central Government of India.
Recruiters accessing the Saral AI platform from outside India, or using the platform via foreign entities, offices, or IP addresses, including for hiring in India or hiring Indian candidates for roles in foreign locations, acknowledge that such access may involve cross-border processing of candidate data. The Recruiter is solely responsible for ensuring compliance with all applicable data protection laws in relevant jurisdictions. Saral AI does not control or guarantee the geographic location of access or data usage by Recruiters and is not required to maintain or publish a list of countries to which data may be transferred.
3. Recruiter obligations
3.1 Lawful use only
The Recruiter shall:
- Use candidate data exclusively for the permitted purpose defined in Clause 2.2
- Not contact candidates for purposes unrelated to active hiring requirements
- Not use candidate contact information (email, phone) for unsolicited commercial communications unrelated to recruitment
- Not add candidate data to any third-party CRM, marketing tool, or database without a separate lawful basis
3.2 No sharing or onward transfer
The Recruiter shall not:
- Share, sell, license, or transfer candidate personal data to any third party who is not directly and necessarily involved in the relevant hiring process
- Post, upload, or distribute candidate profiles sourced from Saral AI on any public platform, job board, or social network
- Provide access to candidate data to subcontractors, recruitment agencies, or partner firms without (a) a separate DPA with that party and (b) written notice to Saral AI
3.3 Data minimisation
The Recruiter shall access, download, or export only the specific candidate records directly relevant to open, active job vacancies. Bulk downloading of candidate profiles for speculative pipeline building without immediate hiring need is not permitted.
3.4 Accuracy and correction
If the Recruiter becomes aware that any candidate's personal data accessible through the platform is inaccurate, out of date, or misleading, the Recruiter shall promptly notify Saral AI at privacy@saralhire.ai with sufficient detail to identify the record and the nature of the inaccuracy.
3.5 Candidate rights facilitation
If a candidate directly contacts the Recruiter to exercise any right under the DPDP Act — including the right to access, correct, or erase their personal data — the Recruiter shall:
- Acknowledge the request to the candidate within 72 hours of receipt
- Immediately delete all copies of that candidate's data from the Recruiter's internal systems, including any CRM, ATS, email threads, or downloaded exports
- Notify Saral AI at privacy@saralhire.ai within 15 business days, confirming the deletion and providing the candidate's name and the platform from which their data was sourced
The Recruiter shall not refuse or delay a valid data deletion request from a candidate.
3.6 No automated profiling beyond recruitment
The Recruiter shall not use candidate data to build automated profiles, scores, or rankings for any purpose beyond evaluating suitability for specific job roles. Use of candidate data to train machine learning models, build third-party datasets, or generate market intelligence reports is expressly prohibited.
3.7 AI-generated evaluations — Fit Check
Saral AI uses artificial intelligence to generate a “Fit Check” evaluation of candidate profiles against each recruiter's specified role requirements. This evaluation produces a structured verdict (Yes / No / Sort of) and a plain-English summary based on the candidate's publicly available professional data.
The Recruiter acknowledges and agrees that:
- The Fit Check evaluation is advisory only. It does not constitute a definitive assessment of a candidate's suitability and must not be used as the sole or primary basis for rejecting a candidate from a hiring process
- The Recruiter remains responsible for exercising independent human judgment in all hiring decisions. Automated evaluations are a sourcing aid, not a decision-making mechanism
- Candidates have the right to request a human review of any Fit Check evaluation by writing to privacy@saralhire.ai. Saral AI will respond to such requests within 30 days
- Saral AI discloses the use of AI evaluation to candidates in its Privacy Notice and does not make Fit Check evaluations available to any party outside of the platform
4. Security
4.1 Security standards
In accordance with Rule 6(f) of the DPDP Rules, 2025, the Recruiter agrees to implement and maintain reasonable security safeguards to protect candidate personal data against unauthorised access, disclosure, alteration, or destruction. These safeguards must include, at minimum:
- Encryption of candidate personal data in transit and, where technically feasible, at rest
- Masking and obfuscation of sensitive data fields (email address, phone number) when not actively required for a specific recruitment communication
- Access controls that restrict visibility of candidate personal data to team members with a direct and active need in connection with a specific open role
- Audit logs of all access to and export of candidate personal data, retained for a minimum of one year
- Password protection and, where available, multi-factor authentication on all accounts and devices used to access Saral AI
- Prohibition on storing candidate personal data in unsecured formats, including unencrypted spreadsheets shared via personal email accounts or consumer file-sharing services
- Prompt revocation of access for team members who change roles, leave the organization, or no longer require access to candidate data for active hiring purposes
4.2 Device and access security
The Recruiter is responsible for ensuring that devices used to access the Saral AI platform are secured with appropriate access controls. The Recruiter shall not access the platform on shared or public devices without logging out immediately after each session.
4.3 Vendor tools
If the Recruiter uses third-party Applicant Tracking Systems (ATS), CRM tools, or communication platforms to store or process candidate data sourced from Saral AI, the Recruiter is responsible for ensuring those tools maintain data security standards consistent with this Agreement.
5. Data breach notification
5.1 Immediate notification duty
If the Recruiter becomes aware of, or reasonably suspects, any actual or potential breach of candidate personal data accessed through Saral AI, the Recruiter shall:
- Notify Saral AI in writing at privacy@saralhire.ai within 48 hours of becoming aware of the breach
- Include in the notification: (a) nature and likely scope of the breach, (b) data categories and approximate number of candidates affected, (c) immediate steps taken or planned to contain the breach
- Not communicate about the breach to any external party (including candidates or media) without prior written coordination with Saral AI, unless required to do so by law
5.2 Cooperation
The Recruiter shall fully cooperate with Saral AI in any investigation, mitigation, notification, or regulatory reporting arising from a data breach. This includes providing access to relevant records, systems, and personnel as reasonably requested.
5.3 Saral AI's obligations on breach
Saral AI shall, upon becoming aware of a breach affecting data it holds:
- Notify affected Recruiters without undue delay
- File a detailed report with the Data Protection Board of India within 72 hours as required by Rule 7 of the DPDP Rules, 2025
- Notify affected candidates in a concise, plain-language manner as mandated by the DPDP Framework
6. Data retention and erasure
6.1 Retention limit
The Recruiter shall not retain candidate personal data beyond the period reasonably necessary to complete the relevant hiring process. As a general guideline:
- Active candidate under consideration for a specific role: retain for the duration of that hiring process plus 90 days
- Candidate not progressed: delete within 60 days of the decision not to proceed
6.2 Erasure on request
Upon receiving a valid data deletion request from a candidate (whether directly or via Saral AI), the following procedure applies in accordance with Rule 8(2) of the DPDP Rules, 2025:
- 48-hour pre-erasure notice: Before executing any permanent deletion, Saral AI shall notify the candidate at least 48 hours in advance, via their registered contact details. The notification shall describe: (a) the specific data to be erased, (b) the scheduled date of erasure, and (c) how the candidate may object or request that the data be retained. If the candidate does not respond within 48 hours, erasure shall proceed.
- Recruiter-side deletion: The Recruiter shall permanently delete all copies of that candidate's data within 30 days of the deletion request being confirmed. Deletion must include:
  - Data stored within the Saral AI platform (Saral AI handles this)
  - Any exported or downloaded candidate profiles
  - Candidate information stored in ATS, CRM, or email systems
  - Any internal notes, assessments, or summaries that include the candidate's personal data
6.3 Data handling upon account termination
Upon termination of the Recruiter's Saral AI account, the Recruiter shall cease further use of all candidate personal data obtained through the platform. The Recruiter is responsible for handling, retaining, or deleting such data in compliance with applicable data protection laws and their internal policies.
Saral AI does not control or monitor data once accessed or exported by the Recruiter. However, Saral AI reserves the right to request confirmation of compliance or conduct reasonable audits in case of suspected misuse or regulatory requirements.
6.4 Processing log retention
In accordance with Rule 8(3) of the DPDP Rules, 2025, notwithstanding any erasure of candidate personal data, Saral AI shall retain all associated processing logs for a minimum period of one year from the date of the relevant processing activity. These logs include:
- Records of which Recruiter accounts accessed or viewed each candidate profile, including timestamps
- Records of any exports, downloads, or outreach actions taken on candidate data
- Records of data deletion and erasure confirmations, including timestamps and method of deletion
- Associated traffic data and technical logs of all processing operations as described in the Seventh Schedule to the DPDP Rules, 2025
These logs shall be made available to the Data Protection Board of India upon request. After the one-year minimum period, logs shall themselves be erased unless further retention is required under any other applicable law. This log retention obligation applies irrespective of whether the underlying candidate data has been erased.
7. Sub-processors and third-party tools
If the Recruiter engages any third-party service provider to process candidate personal data on their behalf (e.g., an ATS vendor, background verification firm, or recruitment agency), the Recruiter shall:
- Ensure that a written Data Processing Agreement is in place with the sub-processor before sharing any candidate data
- Ensure the sub-processor's security and data protection standards are at least equivalent to those required under this Agreement
- Remain fully liable to Saral AI for the acts or omissions of any sub-processor in relation to candidate personal data
- Notify Saral AI in writing before engaging any new sub-processor who will have access to candidate data sourced from the Saral AI platform
8. Candidate rights under the DPDP Act
The Recruiter acknowledges that all candidates whose data is accessible through Saral AI retain the following rights under the DPDP Act, 2023, which the Recruiter must respect and facilitate:
| Right | What it means for the Recruiter |
|---|---|
| Right to access | If a candidate asks what data the Recruiter holds about them, the Recruiter must respond within 30 days with a clear summary. |
| Right to correction | If a candidate identifies an inaccuracy in the data the Recruiter holds, the Recruiter must correct it promptly and notify Saral AI of the correction. |
| Right to erasure | The Recruiter must permanently delete all data about a candidate within 30 days of receiving a valid erasure request. No exceptions, no delays. |
| Right to grievance redressal | Candidates may file complaints directly with the Data Protection Board of India. The Recruiter must cooperate fully with any DPB investigation. |
| Right to nominate | Under Section 14 of the DPDP Act, a candidate may nominate another person to exercise their data rights on their behalf in the event of death or incapacity. If the Recruiter receives a rights request from a nominated representative, the Recruiter must treat it with the same validity and urgency as a request from the candidate directly. To register a nomination, candidates may write to privacy@saralhire.ai. |
8.2 Grievance redressal – response timeframes
In accordance with Rule 14 of the DPDP Rules, 2025, Saral AI publishes the following binding grievance response timeframes, applicable to all candidate data rights requests received at privacy@saralhire.ai or via saralhire.ai/remove-my-data:
- Acknowledgement of request: within 72 hours of receipt
- Resolution of standard requests (access, correction, erasure): within 30 days of receipt
- Resolution of complex grievances: no later than 90 days from receipt, as permitted by Rule 14
- Escalation to Data Protection Board: candidates may refer unresolved grievances to the Data Protection Board of India at dpboard.gov.in if Saral AI does not resolve the matter within 90 days
These timeframes are published at saralhire.ai/privacy in compliance with Rule 14 of the DPDP Rules, 2025. Recruiters are independently responsible for responding to candidate rights requests they receive directly within the same timeframes.
9. Liability and indemnification
9.1 Recruiter liability
Important: Nothing in this Agreement overrides or limits Saral AI's own obligations as Data Fiduciary under Section 8(1) of the DPDP Act, which are non-delegable by law. Saral AI remains ultimately responsible for ensuring compliance with the DPDP Framework for all processing carried out on its platform or on its behalf. This clause does not exempt Saral AI from its statutory duties; it establishes the Recruiter's independent liability and Saral AI's right to seek indemnification where the Recruiter's breach caused or contributed to a regulatory action against Saral AI.
Subject to the above, the Recruiter shall be independently liable for any loss, damage, claim, penalty, or regulatory fine arising directly from the Recruiter's own actions, including:
- Use of candidate data outside the permitted purpose defined in this Agreement
- Failure to maintain adequate data security
- Failure to honour candidate rights requests in the timeframes required
- Sharing or transferring candidate data to unauthorized third parties
- Any breach of the DPDP Framework by the Recruiter or their sub-processors
9.2 Indemnification
The Recruiter agrees to indemnify, defend, and hold harmless HeadsIn Connect LLP (Saral AI), its directors, officers, employees, and agents from and against any claims, liabilities, damages, penalties, and costs (including legal fees) arising from the Recruiter's breach of this Agreement or the DPDP Framework.
9.3 Saral AI liability
Saral AI's liability under this Agreement is limited to losses directly and demonstrably caused by Saral AI's own failure to comply with its obligations as Data Fiduciary. Saral AI is not liable for how Recruiters use candidate data once it has been accessed through the platform.
9.4 Maximum liability
To the extent permitted by applicable law, Saral AI's total liability to the Recruiter under this Agreement shall not exceed the total fees paid by the Recruiter to Saral AI in the 3 months preceding the event giving rise to the claim.
10. Term and termination
10.1 Duration
This Agreement commences on the date the Recruiter accepts it at registration and continues for as long as the Recruiter maintains an active account on saralhire.ai. It will automatically renew for successive one-year periods unless terminated.
10.2 Termination by Recruiter
The Recruiter may terminate this Agreement at any time by closing their Saral AI account. Termination does not relieve the Recruiter of the obligation to delete candidate data as set out in Clause 6.3.
10.3 Termination by Saral AI
Saral AI may suspend or terminate the Recruiter's access immediately, without notice, if:
- The Recruiter breaches any material term of this Agreement
- The Recruiter is found to be using candidate data for prohibited purposes
- A regulatory investigation implicates the Recruiter's data processing practices
- Saral AI is required to do so by law or regulatory direction
10.4 Survival
Clauses 3, 4, 5, 6, 8, 9, and 10.5 of this Agreement survive termination or expiry for a period of 3 years.
10.5 Post-subscription candidate data erasure
The Recruiter's obligation to protect and erase candidate personal data does not end when their Saral AI subscription expires or their account is closed. Candidate personal data accessed through the platform remains subject to this Agreement and to the DPDP Framework for as long as the Recruiter retains it, regardless of subscription status.
Specifically, after subscription expiry or account termination, the following obligations continue to apply:
- Forward erasure requests: If a candidate submits a “Remove my data” request to Saral AI (via saralhire.ai/remove-my-data) after the Recruiter's subscription has ended, Saral AI will forward that request to the Recruiter at the email address registered at the time of account creation. The Recruiter must permanently delete all copies of that candidate's data, including from any ATS, CRM, email threads, spreadsheets, or downloaded exports, within 30 days of receiving the forwarded request, and confirm deletion to Saral AI at privacy@saralhire.ai.
- General post-subscription deletion: All candidate personal data sourced from Saral AI must be permanently deleted within 90 days of subscription expiry, unless the Recruiter has an ongoing, active hiring process in which a specific candidate is being considered. In that case, retention is permitted only for the duration of that specific hiring process, after which the data must be deleted.
- No re-use after expiry: The Recruiter may not use candidate data sourced during their active subscription for new hiring searches, pipeline building, or outreach campaigns initiated after their subscription has ended. Such use would constitute processing without a valid legal basis under the DPDP Framework.
- Email contact obligation: By accepting this Agreement, the Recruiter expressly consents to receiving post-subscription erasure request forwards from Saral AI at their registered email address for up to 3 years following account closure, solely for the purpose of fulfilling candidate data deletion obligations. The Recruiter must ensure their registered email remains accessible or provide Saral AI with an updated contact address upon account closure.
Saral AI will maintain a record of all Recruiter email addresses for the sole purpose of forwarding candidate erasure requests for the 3-year post-termination period. Saral AI will not use former Recruiter contact details for any other purpose.
11. Governing law and dispute resolution
This Agreement is governed by and construed in accordance with the laws of India, including the Digital Personal Data Protection Act, 2023, the DPDP Rules, 2025, and the Information Technology Act, 2000, as amended.
Any dispute arising from or in connection with this Agreement shall first be subject to good-faith negotiation between the parties. If unresolved within 60 days, disputes shall be referred to arbitration under the Arbitration and Conciliation Act, 1996, with proceedings held in Surat, Gujarat, India.
12. Amendments and updates
Saral AI may update this Agreement from time to time to reflect changes in the DPDP Framework, platform features, or business practices. Where changes are material, Saral AI will provide 30 days' written notice by email. Continued use of the platform after the notice period constitutes acceptance of the updated Agreement.
Recruiters are encouraged to review this Agreement periodically at saralhire.ai/legal/dpa.
13. General provisions
- Entire Agreement: This DPA, together with Saral AI's Terms of Service and Privacy Policy, constitutes the entire agreement between the parties regarding the processing of candidate personal data.
- Severability: If any provision of this Agreement is found to be unenforceable, the remaining provisions remain in full force.
- No Waiver: Failure to enforce any provision of this Agreement does not constitute a waiver of that provision.
- Notices: All notices under this Agreement to Saral AI shall be sent to privacy@saralhire.ai. Notices to the Recruiter shall be sent to the email address registered with their Saral AI account.
- Language: This Agreement is written in English. In case of any translation, the English version prevails.
Signatures
By signing below (or by clicking “I accept” at registration on saralhire.ai), both parties agree to be legally bound by the terms of this Data Processing Agreement.
For Saral AI (HeadsIn Connect LLP)
Signature
Name & Title
Date
For the Recruiter / Customer Organization
Signature
Name & Title
Date
Appendix A — Data categories processed
The following table describes the categories of personal data that may be processed by the Recruiter through the Saral AI platform:
| Data category | Specific data points | Source |
|---|---|---|
| Identity | Full name, profile photo (URL) | GitHub, LinkedIn, X, and many other social links |
| Professional | Job title, employer, location, skills, experience | LinkedIn (public profile) |
| Contact | Email address, phone number (where publicly listed) | GitHub commits, LinkedIn, X bio, Data Vendors, enrichment tools |
| Technical activity | Repos, languages, contribution frequency, stars | GitHub (public) |
| Platform-generated | Fit Check score, AI evaluation summary, shortlist status | Generated by Saral AI from the above sources |
Appendix B — Contact details for data and privacy requests
| Item | Details |
|---|---|
| Privacy contact email | privacy@saralhire.ai |
| Privacy Lead / Data Protection Officer | Co-founders, HeadsIn Connect LLP (Privacy Lead), privacy@saralhire.ai. A formal Data Protection Officer will be appointed if and when Saral AI is designated a Significant Data Fiduciary under Section 10 of the DPDP Act. |
| Data removal request page | saralhire.ai/remove-my-data |
| Legal / DPA page | saralhire.ai/legal/dpa |
| Data Protection Board (India) | dpboard.gov.in |
Appendix C — Operational compliance notes
C.1 Language access — Rule 3 DPDP Rules 2025
In accordance with Rule 3 of the DPDP Rules, 2025, Saral AI's Privacy Notice is required to be made available in English and in any of the 22 languages listed in the Eighth Schedule of the Constitution of India, upon request by a Data Principal.
Saral AI commits to the following:
- The Privacy Notice published at saralhire.ai/privacy is available in English as the primary language
- Any candidate who requests the Privacy Notice in a language listed in the Eighth Schedule of the Constitution of India may write to privacy@saralhire.ai. Saral AI will provide a translated version within 30 days of the request
- Saral AI will progressively publish translations of the Privacy Notice in Hindi, Tamil, Telugu, Kannada, Bengali, Marathi, Gujarati, and Malayalam by May 2027 in advance of full DPDP Framework enforcement, and will expand to all 22 scheduled languages as resources permit
- In the event of any conflict between a translated version and the English version of the Privacy Notice, the English version shall prevail
C.2 Consent withdrawal and opt-out — Rule 3(c)(i) anti-dark pattern requirement
Rule 3(c)(i) of the DPDP Rules, 2025 mandates that the ease of withdrawing consent must be comparable to the ease with which consent was originally given. This is an explicit anti-dark pattern provision. Saral AI implements the following measures to satisfy this requirement:
- The “Remove my data” request form at saralhire.ai/remove-my-data requires only two mandatory fields: full name and email address. No account creation, no identity verification, no multi-step process is imposed on the candidate
- The link to the removal form is placed in: (a) the footer of the saralhire.ai website alongside the Privacy Policy link, (b) the footer of every candidate-facing outreach email sent via the Saral AI platform, and (c) within the Privacy Notice page itself
- No dark patterns are employed to deter, delay, confuse, or discourage candidates from submitting a removal request. Any update to the removal form design must be reviewed against Rule 3(c)(i) before deployment
- Saral AI maintains an internal audit trail of all consent withdrawal and data removal requests, including submission timestamp, acknowledgement timestamp, and completion timestamp, retained for a minimum of one year per Rule 8(3)
C.3 Annual review and DPDP compliance calendar
Saral AI commits to reviewing this Agreement and its associated Privacy Notice at least once every 12 months, and additionally upon: (a) any amendment to the DPDP Act or DPDP Rules; (b) any guidance issued by the Data Protection Board of India that materially affects Saral AI's obligations; (c) any significant change to Saral AI's data sources, processing activities, or technology infrastructure.
The following key compliance deadlines apply to Saral AI under the phased DPDP implementation schedule, and Saral AI commits to meeting each:
- November 13, 2026: Consent Manager framework becomes operational (Rule 4). Saral AI will integrate with or register under the Consent Manager framework and update this Agreement to reflect any resulting changes to how candidate consent is managed
- May 13, 2027: Full substantive compliance mandatory (Rules 3, 5–16, 22–23). All privacy notices, consent flows, erasure workflows, security safeguards, breach protocols, and Data Processing Agreements must be fully operational and auditable by this date
- Ongoing: Saral AI will appoint a formally designated Data Protection Officer and conduct mandatory annual Data Protection Impact Assessments (DPIAs) if and when it is designated a Significant Data Fiduciary under Section 10 of the DPDP Act
Recruiters will be notified of any material update to this Agreement at least 30 days before it takes effect, in accordance with Clause 12. The current version of this Agreement is always accessible at saralhire.ai/legal/dpa.