This DPA forms part of the Terms of Service between Sprintflux Technologies Pvt. Ltd. (“Processor”) and the Customer (“Controller”) for the processing of Personal Data by TeamsOnGo.
1. Subject matter
The Processor processes Personal Data on behalf of the Controller in connection with the recruiting Services. The duration is the term of the subscription.
2. Nature & purpose
To deliver recruitment services: sourcing, screening, scheduling, offer management, BGV, onboarding handoff, and supporting analytics. AI features are used only as described in our Privacy Policy.
3. Categories of data subjects
- Customer's users (employees, hiring managers, interviewers).
- Candidates evaluated for Customer's roles.
4. Categories of Personal Data
- Identification: name, email, phone, location.
- Professional: resume, employment history, education, skills.
- Communications: emails, chat, interview notes, transcripts (with consent).
- Special categories: only where explicitly provided by data subjects (e.g., disability accommodations).
5. Sub-processors
Approved sub-processors include cloud hosting, email, analytics, payment, BGV and AI providers. The current list is available at info@teamsongo.com. We will notify Controllers of changes 30 days in advance.
6. Security measures
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Logical isolation per tenant + row-level security.
- RBAC with least privilege; MFA on production access.
- SDLC with code review, SAST, dependency scanning.
- Annual penetration testing; quarterly DR drills.
7. Data subject rights
The Processor will assist the Controller in fulfilling data subject requests within 5 business days of receiving a verified request.
8. Personal data breach
The Processor will notify the Controller without undue delay (within 72 hours) of becoming aware of a personal data breach, including all material information available.
9. International transfers
Standard Contractual Clauses (or equivalent) apply for cross-border transfers. Default data residency is India.
10. Audit
Once per year, the Controller may request a summary of the Processor's SOC 2 audit and answer reasonable security questionnaires.
11. Termination
Upon termination the Processor will return or delete Personal Data within 30 days, subject to legal retention requirements.