Data Processing Agreement

Comprehensive framework for GDPR-compliant data processing between NextMatch and our customers.

Effective Date
Upon Agreement Execution
Data Location
EU (Paris, France)
Entity
NextMatch LLC (Delaware)

Between:

Customer

As defined in the Master Subscription Agreement

NextMatch LLC
  • File Number: 5103769
  • State of Delaware, United States
  • Email: bg@floreal.ai

1. Definitions and Interpretation

1.1 Definitions

In this Data Processing Agreement ("DPA"), the following terms shall have the meanings set forth below. Capitalized terms not defined herein shall have the meanings assigned in the Master Subscription Agreement ("Agreement").

"Applicable Data Protection Law"

All applicable laws and regulations relating to privacy and data protection, including:

  • The EU General Data Protection Regulation 2016/679 ("GDPR")
  • The UK GDPR and UK Data Protection Act 2018
  • The California Consumer Privacy Act as amended by CPRA ("CCPA")
  • Any successor or replacement legislation

"Controller"

The natural or legal person which determines the purposes and means of Processing Personal Data. Under this DPA, Customer is the Controller.

"Processor"

The natural or legal person which Processes Personal Data on behalf of the Controller. Under this DPA, NextMatch is the Processor.

"Personal Data"

Any information relating to an identified or identifiable natural person as defined by Applicable Data Protection Law.

"Security Incident"

Any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

"Standard Contractual Clauses" (SCCs)

The standard contractual clauses for the transfer of personal data to third countries approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

1.2 Interpretation

References to "writing" or "written" include email. The word "including" means "including without limitation." Headings are for reference only and do not affect interpretation.

2. Scope and Applicability

2.1 Application

This DPA applies to all Processing of Customer Personal Data by NextMatch in connection with the provision of Services under the Agreement.

2.2 Order of Precedence

In the event of conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail solely with respect to the subject matter of data protection and privacy. The Standard Contractual Clauses shall prevail over any conflicting provisions of this DPA or the Agreement.

2.3 Duration

This DPA shall commence on the Effective Date and continue for the duration of the Agreement, and shall automatically terminate upon termination or expiration of the Agreement, subject to Section 11 (Data Return and Deletion).

2.4 Incorporation

This DPA is hereby incorporated into and forms part of the Agreement. Any reference to the Agreement shall include this DPA.

3. Roles and Responsibilities

3.1 Parties' Roles

Customer as Controller

  • Ensures lawful basis for Processing
  • Provides privacy notices to Data Subjects
  • Obtains necessary consents
  • Responds to Data Subject requests
  • Ensures no Special Categories of Data

NextMatch as Processor

  • Processes only on documented instructions
  • No Processing for own purposes
  • Assists with compliance obligations
  • Implements security measures
  • Supports Data Subject rights

3.2 Processing Instructions

Customer instructs NextMatch to Process Customer Personal Data as follows:

  1. To provide the Services as described in the Agreement and Documentation
  2. To comply with Customer's instructions provided through use of the Services (uploads, searches, configurations)
  3. As otherwise documented in writing (email to bg@floreal.ai)
  4. As necessary to comply with Applicable Law

Important: NextMatch shall not Process Customer Personal Data outside the scope of these instructions without prior written consent from Customer.

3.3 Details of Processing

The subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects are described in Annex 1 (Details of Processing).

4. Security Measures

4.1 Technical and Organizational Measures

NextMatch has implemented and shall maintain appropriate technical and organizational measures to protect Customer Personal Data against Security Incidents, as described in Annex 2 (Security Measures).

These measures include:

  • Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest
  • Access Controls: Role-based access control (RBAC), multi-factor authentication for administrative access
  • Infrastructure: EU region hosting (AWS Paris, eu-west-3), encrypted backups
  • Monitoring: Intrusion detection, automated security scanning, logging and audit trails
  • Personnel: Background checks, confidentiality agreements, security training

4.2 Updates to Security Measures

NextMatch may update Security Measures from time to time, provided such updates do not result in degradation of the overall security of the Services.

4.3 Customer Responsibilities

Customer is responsible for:

  • Using security features made available by NextMatch (strong passwords, MFA)
  • Restricting access to authorized End Users only
  • Promptly notifying NextMatch of any suspected Security Incidents
  • Maintaining security of Customer's own systems and networks

5. Subprocessors

5.1 Authorization

Customer provides general authorization for NextMatch to engage Subprocessors to Process Customer Personal Data, subject to the requirements of this Section 5.

5.2 Current Subprocessors

The current list of Subprocessors is set forth in Annex 3 (Subprocessor List) and is also available at:
https://nextmatch.com/trust-center/subprocessors

Subprocessor | Purpose | Location
Amazon Web Services (AWS) | Cloud infrastructure, database, file storage | EU (Paris, France)
OpenAI | AI/ML processing for CV analysis and matching | USA
Pinecone | Vector database for semantic search | EU (Ireland)
Stripe | Payment processing | USA
Customer.io | Transactional email delivery | USA
Twilio | Phone communications | USA
BAAS | Video call transcription | USA
Gladia | Audio transcription | France (EU)

5.3 Subprocessor Requirements

NextMatch shall:

  1. Enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those in this DPA
  2. Remain fully liable for any breach by a Subprocessor as if the breach were by NextMatch
  3. Ensure Subprocessors comply with Applicable Data Protection Law

5.4 New Subprocessors

Notification Process

NextMatch shall provide Customer with at least thirty (30) days' advance notice before authorizing any new Subprocessor or making material changes to existing Subprocessors.

Objection Right: Customer may object to a new Subprocessor on reasonable data protection grounds by notifying NextMatch in writing within fifteen (15) days of receiving notice.

Termination Right: If the parties cannot resolve Customer's objection, Customer may, as its sole remedy, terminate the affected Services that cannot be provided without the new Subprocessor and receive a pro-rata refund of prepaid fees for the terminated Services.

6. International Data Transfers

6.1 Data Storage Location

Primary Region: All Customer Personal Data is stored in the European Union (AWS Paris, eu-west-3 region) by default.

Custom Arrangements: Enterprise customers may request alternative regions on a case-by-case basis, subject to separate written agreement.

6.2 Transfers Outside the EEA

Certain Subprocessors are located in the United States or other countries outside the EEA. For transfers of Personal Data subject to the GDPR to such Subprocessors, NextMatch implements the following safeguards:

Standard Contractual Clauses

The Standard Contractual Clauses, as set forth in Annex 4, are incorporated into and form part of this DPA.

Module Two (Controller-to-Processor) applies where Customer is a Controller

Module Three (Processor-to-Processor) applies where Customer is a Processor

Governing Law: Laws of France shall apply

Dispute Resolution: Courts of France

Competent Supervisory Authority: CNIL (France)

6.3 UK GDPR Transfers

For transfers subject to the UK GDPR, the UK International Data Transfer Addendum to the SCCs (Version B1.0) applies and is incorporated by reference.

6.4 Alternative Transfer Mechanisms

If NextMatch adopts an alternative transfer mechanism recognized under Applicable Data Protection Law (e.g., EU-US Data Privacy Framework adequacy decision), such mechanism may replace the SCCs to the extent legally compliant and applicable to the relevant transfers.

7. Data Subject Rights

7.1 Assistance with Data Subject Requests

Customer is responsible for responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Law ("Data Subject Requests"), including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of Processing
  • Right to data portability
  • Right to object to Processing
  • Rights related to automated decision-making

7.2 NextMatch's Support

NextMatch shall, taking into account the nature of Processing:

  1. Notify Customer promptly (within 2 business days) if NextMatch receives a Data Subject Request directly
  2. Provide reasonable assistance to Customer to respond to Data Subject Requests, including:
    • Making available data export functionality within the Services (JSON, CSV format)
    • Facilitating deletion or return of Personal Data
    • Providing information about Processing activities
  3. Self-Service Tools: Customer may use the Services' built-in features to fulfill many Data Subject Requests without NextMatch's direct involvement

7.3 Fees for Assistance

Customer shall reimburse NextMatch for time and costs incurred in providing assistance with Data Subject Requests beyond use of self-service tools, at NextMatch's then-current professional services rates. NextMatch shall obtain Customer's approval before incurring fees exceeding $500 USD for any single request.

8. Security Incidents

8.1 Notification

Critical Requirement: NextMatch shall notify Customer without undue delay and in any event within 24 hours after becoming aware of a Security Incident affecting Customer Personal Data.

Notification Method: Email to the administrative contact on Customer's account and to bg@floreal.ai

Initial Notification Contents:

  • Description of the nature of the Security Incident
  • Types of Personal Data affected
  • Approximate number of Data Subjects affected (if known)
  • Contact information for further inquiries (bg@floreal.ai)

8.2 Investigation and Remediation

Upon becoming aware of a Security Incident, NextMatch shall:

  1. Investigate the incident promptly and thoroughly
  2. Contain the incident and prevent further unauthorized access
  3. Remediate the root cause to prevent recurrence
  4. Provide updates to Customer on a rolling basis as information becomes available

8.3 Cooperation

NextMatch shall reasonably cooperate with Customer's investigation and response activities, including:

  • Providing additional details about the incident
  • Assisting with notifications to Supervisory Authorities or Data Subjects (if legally required)
  • Implementing additional safeguards as reasonably requested

8.4 Exclusions

NextMatch's obligations under this Section 8 do not apply to Security Incidents caused by:

  • Customer's actions or omissions (e.g., sharing credentials, misconfiguration)
  • Customer's End Users
  • Third parties unrelated to NextMatch's Subprocessors
  • Unsuccessful attempts that do not compromise Customer Personal Data

9. Audits and Compliance

9.1 Compliance Documentation

Upon Customer's written request, NextMatch shall make available to Customer documentation demonstrating compliance with this DPA, including:

  • Summaries of Security Measures
  • Certifications (SOC 2 Type II, ISO 27001 when obtained)
  • Subprocessor list
  • Data Processing details

9.2 Certifications and Reports

NextMatch is working toward obtaining the following certifications:

  • SOC 2 Type II (target: within 12 months)
  • ISO 27001 (target: within 12 months, best effort)

9.3 Customer Audits

Right to Audit: To the extent required by Applicable Data Protection Law, Customer may conduct an audit of NextMatch's compliance with this DPA, subject to the following conditions:

Frequency: No more than once per 12-month period

Notice: At least thirty (30) days' advance written notice to bg@floreal.ai

Timing: During business hours (EU timezone, Monday-Friday 09:00-19:00 CET/CEST)

Cost: Customer bears all costs of the audit

11. Data Return and Deletion

11.1 During Contract Term

During the term of the Agreement, Customer may retrieve Customer Personal Data at any time using the Services' export functionality.

Export Formats: JSON, CSV, or database dump (upon written request)

11.2 Upon Termination

Retrieval Period

Customer shall have ninety (90) days following termination to retrieve Customer Personal Data using the export functionality or by requesting a data export at bg@floreal.ai.

Deletion Timeline:

  • Active production systems: Within thirty (30) days
  • Backup systems: Within six (6) months

11.3 Legal Retention

NextMatch may retain Customer Personal Data to the extent and for such period as required by Applicable Law (e.g., tax, accounting, or employment law requirements). Any such retained data shall remain subject to the confidentiality and security obligations of this DPA.

14. California Consumer Privacy Act (CCPA)

14.1 Applicability

This Section 14 applies to the extent Customer Personal Data includes "personal information" (as defined in the CCPA) of California residents.

14.2 NextMatch as Service Provider

NextMatch shall:

  1. Not Sell Personal Information: NextMatch shall not sell or share Customer Personal Data (as "sell" and "share" are defined in the CCPA)
  2. Not Retain, Use, or Disclose Customer Personal Data except:
    • For the specific business purposes set forth in this DPA and the Agreement
    • As permitted by the CCPA for service providers
    • As necessary to comply with Applicable Law
  3. Not Combine Data: NextMatch shall not combine Customer Personal Data with personal information received from other sources, except as permitted by the CCPA
  4. Certify Compliance: NextMatch certifies that it understands the restrictions in CCPA § 1798.140(w)(2)(A) and will comply with them

16. EU and UK Representative

16.1 NextMatch EU Representative

NextMatch has designated the following individual as its representative in the European Union pursuant to Article 27 of the GDPR:

EU Representative Contact

  • Name: Benjamin Gabay
  • Address: 30 rue René Boulanger, 75010 Paris, France
  • Email: bg@floreal.ai

Data Subjects and Supervisory Authorities in the EU may contact the EU Representative regarding NextMatch's Processing of Personal Data.

16.2 UK Representative

NextMatch does not currently have a UK Representative. If required under UK GDPR, NextMatch will designate one and update this DPA accordingly.

Annex 1: Details of Processing

A. List of Parties

Data Exporter (Customer)

  • Name: As specified in the Agreement
  • Address: As specified in Customer's account
  • Contact: Administrative contact on Customer's account
  • Role: Controller

Data Importer (NextMatch)

  • Name: NextMatch LLC
  • Address: Delaware, United States
  • EU Rep: Benjamin Gabay, Paris, France
  • Contact: bg@floreal.ai
  • Role: Processor

B. Description of Transfer

Subject Matter

The Processing of Customer Personal Data necessary to provide NextMatch's recruitment and talent matching platform services.

Nature and Purpose of Processing

  • Candidate Matching: Analyzing CVs/resumes to match candidates with job opportunities
  • CV Analysis: Extracting structured data from unstructured CV documents
  • Search and Retrieval: Enabling search across candidate database using semantic search
  • Interview Coordination: Scheduling, transcription, and analysis of interviews
  • Communication: Facilitating communication between recruiters, clients, and candidates
  • Analytics: Providing recruitment pipeline analytics and reporting

Type of Personal Data

For Candidates:

  • Contact information: name, email, phone, LinkedIn, location
  • Professional information: employment history, skills, education, certifications
  • Application data: applications, assessments, notes, communications
  • Audio recordings: interview recordings (with consent)

For Agency and Client Users:

  • Account information: name, email, job title, company
  • Usage data: activity logs, search queries, platform interactions

Categories of Data Subjects

  • Job Candidates: Individuals who upload CVs or apply for positions
  • Agency Staff: Employees of staffing agencies using the platform
  • Client Company Staff: Employees of companies hiring through agencies

C. Competent Supervisory Authority

Commission Nationale de l'Informatique et des Libertés (CNIL)

Annex 2: Technical and Organizational Security Measures

1. Encryption

  • In Transit: TLS 1.2+ for all data transmission
  • At Rest: AES-256 encryption for database and file storage
  • Backups: Encrypted with separate keys (AWS KMS)

2. Access Controls

  • Multi-factor authentication (MFA) required
  • Role-Based Access Control (RBAC)
  • Principle of least privilege
  • Automatic session timeout (30 minutes)

3. Infrastructure Security

  • AWS EU region (Paris, eu-west-3)
  • DDoS protection via AWS Shield
  • Network isolation (VPC)
  • Intrusion detection systems

4. Application Security

  • Code reviews before deployment
  • Automated vulnerability scanning
  • Protection against OWASP Top 10
  • Third-party penetration testing (annual)

5. Organizational Measures

  • Background checks for employees
  • Confidentiality agreements
  • Regular security training
  • 24-hour breach notification procedure

6. Backup & Disaster Recovery

  • Daily automated backups (AWS RDS)
  • 7-day backup retention
  • Separate region storage for redundancy
  • Regular restoration testing

Compliance Programs

  • Working toward SOC 2 Type II certification (target within 6 months)
  • Working toward ISO 27001 certification (target within 12 months, best effort)
  • Annual security assessments and reviews
  • Regular policy and procedure updates

Annex 3: Subprocessor List

Current as of: November 15, 2025 | Subscribe to updates at: https://nextmatch.com/trust-center/subprocessors

Subprocessor | Service Provided | Processing Location | Data Processed
Amazon Web Services (AWS) | Cloud infrastructure: compute, database, file storage, backups | EU (Paris, France - eu-west-3) | All Customer Personal Data
OpenAI | AI/ML services: CV parsing, semantic analysis, candidate matching | USA | CV text content, job descriptions (not stored by OpenAI)
Pinecone | Vector database for semantic search and candidate matching | EU (Ireland - eu-west-1) | Anonymized CV embeddings (numerical vectors)
Stripe | Payment processing for subscription billing | USA | Billing information, payment card details (tokenized)
Customer.io | Transactional and marketing email delivery | USA | Email addresses, names, user activity events
Twilio | Phone communications, SMS notifications | USA | Phone numbers, call metadata, message content
BAAS | Video call note-taking and transcription | USA | Meeting audio, participant information
Gladia | Audio-to-text transcription services | France (EU) | Interview audio recordings

Note: NextMatch will provide 30 days' advance notice before adding new Subprocessors or making material changes to this list.

Annex 4: Standard Contractual Clauses (SCCs)

Overview

The following Standard Contractual Clauses for international data transfers, as approved by European Commission Implementing Decision (EU) 2021/914, are incorporated into and form part of this DPA.

Applicable Modules:

  • Module Two: Controller to Processor
  • Module Three: Processor to Processor

Key Provisions:

  • Governing Law: France
  • Forum: Courts of France
  • Supervisory Authority: CNIL

The complete text of the Standard Contractual Clauses is available for review and includes all provisions required by EU Commission Decision 2021/914. For the full SCC text, please refer to the complete DPA document or contact bg@floreal.ai.

Signature

This DPA is entered into and becomes binding upon Customer's acceptance of the Agreement or execution of an Order that references this DPA.

NextMatch LLC

Signature:

Name: Benjamin Gabay

Title: EU Representative

Date:

Customer

Signature:
Name:
Title:
Date:

By using the Services, Customer agrees to the terms of this DPA.

Document Control

Document Title: Data Processing Agreement

Version: 1.0

Effective Date: November 15, 2025

Last Reviewed: November 15, 2025

Next Review: November 15, 2026

Owner: Benjamin Gabay, EU Representative

Contact: bg@floreal.ai

Distribution: All customers who execute the Master Subscription Agreement

© 2025 NextMatch LLC. All rights reserved.

This Data Processing Agreement is confidential and proprietary to NextMatch LLC. No part of this document may be reproduced, distributed, or transmitted without prior written permission, except as necessary for Customer to exercise its rights under the Agreement.