Data Processing Agreement

• “Controller” means the client organisation that determines the purposes and means of processing personal data.
• “Processor” means RelyOnAI LLP, the registered legal entity operating the IQMela™ platform, which processes personal data on behalf of the Controller.
• “IQMela™” means the AI-powered hiring intelligence platform, a product and intellectual property of RelyOnAI LLP.
• “Data Subject” means the individual to whom personal data relates (primarily candidates).
• “Personal Data” has the meaning given in Section 2(t) of the Digital Personal Data Protection Act 2023 (DPDP Act) and Section 2(1)(o) of the Information Technology Act 2000.
• “Processing” has the meaning given in Section 2(x) of the DPDP Act 2023.
• “Sub-Processor” means any third party engaged by RelyOnAI LLP to process personal data.
• “Competent Authority” means the Data Protection Board of India as constituted under the DPDP Act 2023.

IQMela processes personal data on behalf of the Controller for the purpose of:

• Conducting, managing, and analysing live and asynchronous interview sessions
• Deploying AI conversational avatars to interact with candidates and conduct interviews
• Parsing, storing, and scoring candidate resumes using Large Language Models (LLMs)
• Generating AI-powered interview assistance, question recommendations, and candidate analysis
• Recording and transcribing interview sessions (with candidate consent)
• Computing behavioural signals and proctoring events during live sessions for integrity review
• Managing hiring pipelines, feedback, and decisions
• Facilitating Background Verification (BGV) checks when explicitly initiated by the Controller

The Processor processes the following categories of personal data on behalf of the Controller:

• Candidate identity data (name, email, phone)
• Candidate professional data (resume content, work history, skills, education)
• Interview video and audio recordings
• Speech transcriptions
• Behavioural signal data (eye gaze patterns, posture indicators, speaking pace)
• AI-generated scoring and analysis
• Interviewer notes and evaluation scores
• Hiring decisions and their rationale

The Processor shall:

• Process personal data only on documented instructions from the Controller (these Terms and the Service configuration)
• Ensure that persons authorised to process personal data have committed to confidentiality
• Implement appropriate technical and organisational security measures consistent with the DPDP Act 2023 and information security standards under the IT Act 2000
• Not engage Sub-Processors without prior written authorisation from the Controller (general authorisation given at contract signing; Controller notified of specific additions)
• Assist the Controller in fulfilling its obligations to respond to Data Subject rights requests
• Delete or return all personal data upon termination of the agreement
• Make available all information necessary to demonstrate compliance with this DPA
• Notify the Controller without undue delay upon becoming aware of a personal data breach affecting Controller data

The Controller shall:

• Ensure there is a valid legal basis for all processing instructions it gives to the Processor
• Obtain all necessary consents from candidates prior to their data being submitted to the platform
• Ensure that any processing instructions comply with applicable law
• Notify IQMela promptly of any data subject requests the Controller receives relating to data processed by IQMela

RelyOnAI LLP implements the following security measures in accordance with the DPDP Act 2023 and IT Act 2000:

• Pseudonymisation: Candidate data accessed via cuid identifiers, not exposed PII
• Encryption in transit: TLS 1.3 for all communications
• Encryption at rest: Via sub-processor infrastructure
• Access controls: RBAC enforced at application layer for all data access
• Audit logging: All data access events logged with user, timestamp, and action
• Automatic deletion: Recordings auto-deleted after 90 days
• Availability: Multi-region failover via Vercel and Neon infrastructure

The Controller provides general authorisation for IQMela to engage the sub-processors listed in the Privacy Policy. IQMela will notify the Controller of any intended changes to the sub-processor list with at least 14 days' notice, giving the Controller the opportunity to object.

All sub-processors are bound by data processing agreements that impose obligations equivalent to those in this DPA.

Some sub-processors are located outside India. All such transfers are carried out under appropriate contractual safeguards and data processing agreements consistent with the Digital Personal Data Protection Act 2023 (DPDP Act) and the Information Technology Act 2000. RelyOnAI LLP ensures all sub-processors maintain equivalent data protection standards by contract.

In the event of a personal data breach affecting Controller data, IQMela will:

• Notify the Controller without undue delay, and in any event within 72 hours (or as required by the DPDP Act 2023) of becoming aware
• Provide all information required by the DPDP Act 2023 and IT Act 2000 to the extent available
• Assist the Controller in meeting its own notification obligations to the Data Protection Board of India and Data Principals

Upon termination or expiry of the Master Service Agreement, IQMela will:

• Make available a full data export in JSON format within 14 days of request
• Permanently delete all Controller personal data from active systems within 30 days of termination
• Confirm deletion in writing upon the Controller's request
• Backup copies will be overwritten within the normal backup rotation cycle (maximum 90 days)

The Controller may, with 30 days' written notice, conduct audits or inspections of IQMela's processing activities under this DPA, at the Controller's cost. IQMela may satisfy this obligation by providing third-party audit reports (SOC 2, ISO 27001 equivalent) where available.

For DPA queries, contact RelyOnAI LLP: legal@iqmela.com

RelyOnAI LLP · IQMela™ Platform · May 1, 2026