TalentVector Data Processing Addendum
provided by EdMyst Inc. d/b/a TalentVector
Effective as of: April 12, 2026
This Data Processing Addendum (“DPA”) supplements and is incorporated into the agreement referencing this DPA (“Agreement”) entered into by EdMyst Inc., a Delaware corporation, doing business as TalentVector (“TalentVector,” “Company,” “we,” “us,” or “our”), and the customer entering into that Agreement (“Customer”) (TalentVector and Customer being the “parties” under this DPA).
Brand and Legal Entity. Customer acknowledges that TalentVector is the market-facing brand and trade name used by EdMyst Inc. for its talent assessment, analytics, AI-supported assessment, and talent development services. Unless expressly stated otherwise in an applicable Order Form or Agreement, the legal entity providing the Services and assuming the obligations of processor, service provider, data importer, and contracting party under this DPA is EdMyst Inc. d/b/a TalentVector. Use of the TalentVector name, logo, domain, platform, documentation, or communications does not create a separate legal entity, assignment, novation, or change of processor and does not limit or alter EdMyst Inc.’s obligations under this DPA.
1. Definitions
“Data Protection Laws” means all data protection and privacy laws applicable to a party in its respective role with respect to personal data under the Agreement, including, where each is applicable: (i) the California Consumer Privacy Act of 2018, as may be amended, including as amended by the California Privacy Rights Act (“CCPA”); (ii) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (iii) the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018; (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its ordinances; and (v) the laws of any state of the United States governing protection and/or privacy of personal data or personal information.
“SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved pursuant to Commission Decision (EU) 2021/914 of 4 June 2021, currently available at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data that is personal data transmitted, stored, or otherwise processed by TalentVector.
“Services” means the services defined in the Agreement, including AI-powered assessment, analytics, and talent development services provided by EdMyst Inc. d/b/a TalentVector through the TalentVector platform, website, APIs, software, and related services, including services made available at or through www.talentvector.com.
“Sub-processor” means any other processor engaged by TalentVector to process personal data in connection with the Services.
“UK Addendum” means the UK Addendum to the SCCs, issued by the Information Commissioner's Office under s.119A(1) of the Data Protection Act 2018, currently available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
Terms Defined by Law: As used in this DPA, the terms “controller,” “data subject,” “natural person,” “personal data,” “processing” (and derivatives thereof), “processor” and their equivalent terms used in applicable Data Protection Laws, will each have the meaning given to it by applicable Data Protection Laws or, if not defined by applicable Data Protection Laws, each will have the meaning given to it by the GDPR.
Equivalent Terms: Where the CCPA or other Data Protection Laws that use the following terms apply to this DPA, references in this DPA to: “controller” includes “Business”; “processor” includes “Service Provider”; “data subject” includes “Consumer”; and “personal data” includes “Personal Information,” in each case as the latter is defined by the CCPA or the applicable Data Protection Law.
“TalentVector” means EdMyst Inc., a Delaware corporation, doing business as TalentVector, together with its Affiliates where applicable under the Agreement.
Capitalized Terms: Capitalized terms not defined in this DPA will have the same meaning as in the Agreement.
2. Roles of the Parties
Controller and Processor. The parties acknowledge and agree that: (a) Customer will determine the purposes and means of the processing of personal data; and (b) TalentVector will process personal data on behalf of Customer. To the extent applicable, for the purposes of GDPR, UK GDPR, and other Data Protection Laws using these terms, Customer is the “controller” of personal data and TalentVector is the “processor” of personal data on behalf of Customer. To the extent applicable, for the purposes of the CCPA, Customer is a “business” and TalentVector is the “service provider.”
Scope of DPA. This DPA applies to, and references to personal data within this DPA refer to, personal data of which Customer is the controller and TalentVector is the processor.
3. Description of Processing
Processing may include the use of AI systems to analyze inputs, generate insights, scoring, benchmarking, or recommendations, strictly in accordance with Customer instructions and applicable Data Protection Laws.
4. Obligations of the Parties
Customer Instructions.
TalentVector will process personal data only: (i) in accordance with Customer’s documented, reasonable, and lawful instructions; or (ii) as otherwise agreed upon by the parties or as required by applicable law and, if required by law, TalentVector will notify Customer in writing of that legal requirement before processing unless the law prohibits this on important grounds of public interest.
The parties agree that the Agreement (including this DPA) and the performance of TalentVector’s obligations thereunder sets out Customer’s instructions to TalentVector for the processing of personal data and that processing outside the scope of the Agreement, if any, requires prior written agreement of the parties.
TalentVector will immediately inform Customer if, in TalentVector’s opinion, processing instructions given by Customer infringe on applicable Data Protection Laws.
Purpose Limitation. TalentVector will process personal data only for the purpose of providing the Services, including AI-supported functionalities, and in accordance with Customer instructions.
5. Security of Processing
Technical and Organizational Measures. TalentVector will implement at least the technical and organizational measures described in the Addendum (“Technical and Organizational Measures”) to ensure the security of personal data, which includes protecting personal data against Security Incidents.
Technical and Organizational Measures Assessment and Updates. In assessing the appropriate level of personal data security, the parties will take account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks involved for the data subjects. The parties acknowledge and agree that Technical and Organizational Measures are subject to technical progress and development such that TalentVector may occasionally update or modify its Technical and Organizational Measures, provided that any update and/or modification does not materially diminish the overall security of the Services or the protection afforded to personal data.
Confidentiality of Processing. TalentVector will grant access to personal data to its personnel only to the extent necessary for implementing, managing, or monitoring the Services provided to Customer. TalentVector will ensure that its personnel authorized to process personal data have committed themselves to maintaining confidentiality or are under an appropriate statutory obligation of confidentiality with respect to personal data.
6. Sensitive Data
TalentVector will not process sensitive data (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person) unless otherwise agreed by the parties in writing or required by applicable law.
7. Documentation and Compliance
Compliance With Data Protection Laws. Each party will comply with and be able to demonstrate its compliance with all Data Protection Laws applicable to that party in its performance under this DPA.
Inquiry Response. TalentVector will deal promptly and adequately with inquiries from Customer about the processing of personal data.
Audit Rights. TalentVector will maintain and make available to Customer information reasonably necessary to demonstrate TalentVector’s compliance with this DPA. To the extent permitted by applicable Data Protection Laws, Customer may conduct an audit of processing under this DPA by itself or through an independent auditor (subject to reasonable confidentiality obligations) and, upon Customer’s request, TalentVector will permit and contribute to audits of the processing activities covered by this DPA at reasonable intervals or if there are reasonable indications of TalentVector’s non-compliance with this DPA. Any audit under this DPA may be conducted upon at least 30 days’ prior written notice to TalentVector, at Customer’s sole expense, and during normal business hours. The parties will mutually agree in advance on the reasonable scope of any audit, including but not limited to, the audit start date, scope, duration, and applicable security controls. To the extent possible, TalentVector may satisfy audit obligations through the provision of third-party audit reports, certifications (such as ISO 27001), or similar documentation in lieu of on-site audits.
Audit Terms. Customer may request an audit of processing activities conducted under this DPA, upon at least 30 days’ prior written notice to TalentVector. The parties will mutually agree in advance on the reasonable scope of any audit, including but not limited to, the audit start date, scope, duration, and applicable security controls. Audits will be conducted at Customer’s sole expense and during normal business hours. Any audits conducted in accordance with the SCCs will be subject to the audit terms of this DPA.
8. Sub-processors
General Authorization. TalentVector has Customer’s general authorization to engage the Sub-processors listed on TalentVector’s Sub-processor page, available at: www.talentvector.com/about-us/sub-processor-list, or such successor URL as TalentVector may designate through the Services, customer documentation, or written notice.
Sub-processor Changes. If TalentVector replaces or adds new Sub-processors, TalentVector will make commercially reasonable efforts to provide Customer with notice of the replacement or addition at least 30 days prior to, but will in any case provide notice at least 10 days prior to, the Sub-processor addition or replacement. TalentVector will provide notice by maintaining an updated list of Sub-processors on TalentVector’s Sub-processor page noted above and also by email if Customer subscribes to receive updates by email via the page noted above.
Sub-processor Objections. Customer may object to the appointment or replacement of a Sub-processor prior to the appointment or replacement, provided that the objection is in writing and based on reasonable grounds related to data protection. If Customer objects to the appointment of a new Sub-processor, TalentVector and Customer will discuss commercially reasonable alternative solutions in good faith. If TalentVector and Customer cannot reach a resolution within 30 days after the date TalentVector receives Customer’s written objection, Customer may discontinue the use of the affected Services by providing written notice to TalentVector, without prejudice to fees owed for the time period unaffected by the discontinuation. If Customer does not raise an objection prior to TalentVector replacing or adding a Sub-processor, Customer will be deemed to have authorized the new Sub-processor.
Sub-processor Obligations. Where TalentVector engages Sub-processors, it will do so by way of a contract which imposes on the Sub-processor, in substance, personal data protection obligations at least as protective of personal data as those imposed on TalentVector under this DPA. TalentVector will be responsible for each Sub-processor's compliance with the obligations of this DPA and with applicable Data Protection Laws.
Sub-processor Responsibility. TalentVector will remain fully responsible to Customer for the performance of the Sub-processor’s obligations in accordance with its contract with TalentVector.
Sub-processors may include providers of cloud infrastructure, analytics, AI processing, and communication services necessary to deliver the Services.
9. Data Subject Rights
Notification of Data Subject Requests. TalentVector will promptly notify Customer of any request it receives from a data subject. TalentVector will not respond to the request itself except as reasonably appropriate (for example, to confirm receipt or direct the data subject to contact Customer) or as may be legally required or authorized by Customer.
Assistance. TalentVector will assist Customer in fulfilling Customer’s obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing, and in accordance with Customer’s lawful instructions.
Assessments and Consultations. Taking into account the nature of the processing and the information available to TalentVector in each case, TalentVector will assist Customer in complying with any of Customer’s obligations required by applicable Data Protection Laws with respect to the following: (a) the obligation to carry out a Data Protection Impact Assessment (including where AI-based processing may present higher risk); (b) the obligation to consult with regulatory authorities that may be required; and (c) the obligation to ensure that personal data is accurate and up to date.
Where TalentVector is a Controller. For clarity, nothing in the DPA will restrict or prevent TalentVector from responding to data subject or data protection authority requests in relation to personal data for which TalentVector is a controller (as opposed to the processor).
10. Security Incident
Security Incident Notification. If TalentVector becomes aware of a Security Incident, TalentVector will notify Customer without undue delay, and in any case, within seventy-two (72) hours after becoming aware of the Security Incident. TalentVector may send notification of a Security Incident by any notification means set forth in the Agreement or, in any case, by email to the administrator contact that Customer designates in Customer’s account within the Services. TalentVector will maintain internal incident response procedures aligned with industry standards to detect, respond to, and mitigate Security Incidents.
Notification Details. TalentVector’s notification of a Security Incident will at least contain a description of:
- (a) the nature of the Security Incident, including, where possible, the categories and approximate number of data subjects and records concerned;
- (b) the details of a contact point where more information concerning the Security Incident can be obtained;
- (c) its likely consequences; and
- (d) the measures taken or proposed to be taken by TalentVector to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects.
If, and to the extent, TalentVector is not reasonably able to provide all the information at the same time, TalentVector’s initial notification will contain the information then available and it will provide further information without undue delay as it becomes available.
Reporting Assistance. TalentVector will provide reasonable assistance to Customer in the event Customer is required by applicable Data Protection Law to notify a regulatory authority or any data subjects impacted by a Security Incident.
Mitigation. TalentVector will take reasonable steps to investigate and, as necessary, address and mitigate an actual or threatened Security Incident. TalentVector’s notification or addressing of, or response to, a Security Incident will not be construed as an acknowledgment by TalentVector of any fault or liability with respect to the Security Incident.
11. Deletion or Return of Personal Data
Following termination of the Agreement, TalentVector will, at the choice of Customer, delete or return to Customer all personal data processed by TalentVector, except to the extent applicable law requires the retention of any personal data. In the event Customer does not notify TalentVector of their preferred choice within 30 days following termination of the Agreement, TalentVector will dispose of Customer’s data in accordance with TalentVector’s standard data retention and deletion policies, consistent with applicable Data Protection Laws. Until the personal data is deleted or returned, it will remain subject to the terms of this DPA.
12. International Data Transfers
Transfer of Data. TalentVector may transfer and process Customer personal data to and in the United States and anywhere else in the world where TalentVector, its Affiliates, or its Sub-processors maintain data processing operations. TalentVector will transfer personal data solely in performance of its obligations under the Agreement.
Transfer Mechanism; SCCs. If TalentVector transfers personal data to or through the Services, either directly or by onward transfer, from the European Economic Area or Switzerland to the United States or any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection to personal data, then that transfer will be governed by and made pursuant to the SCCs.
SCC Schedule. Schedule 2 to this DPA sets forth certain details of TalentVector’s processing of personal data in accordance with the SCCs, if and to the extent the SCCs apply.
13. Term and Termination
Governing Law. This DPA will be governed by, and construed in accordance with, the governing law of the Agreement, and any dispute between TalentVector and Customer will be subject to the exclusive jurisdiction of the forum set forth in the Agreement, unless otherwise required by applicable Data Protection Laws.
Term. This DPA will remain in effect for as long as TalentVector processes personal data on behalf of Customer.
Order of Precedence. In the event of any conflict or inconsistency between this DPA and any other part of the Agreement, the provisions of first the SCCs and then of this DPA will prevail over any provisions of any documents of the Agreement to the contrary.
Agreement Unchanged. Except for any modifications to the Agreement as may be made by this DPA, the Agreement remains unchanged and in full force and effect.
No Third-Party Beneficiaries. No one other than the parties to this DPA and their successors and permitted assigns will have any right to enforce any terms of this DPA, but without prejudice to the rights available to data subjects under applicable Data Protection Laws or this DPA (including the SCCs).
14. General
California. Where TalentVector’s processing of personal data is subject to the CCPA as personal information under the CCPA, the following terms will apply to supplement the DPA and will control over any conflicting provisions of the DPA:
- Each party will comply with its obligations under the CCPA.
- Any data subject rights and TalentVector’s obligations with respect to those data subject rights, as described in this DPA, also apply to Consumer rights under the CCPA.
- The parties intend for TalentVector’s provision of the Services and the exercise of its rights under the Agreement or as permitted by the CCPA to constitute a “business purpose” under the CCPA.
- TalentVector will not “sell” or “share” personal information, as each term is defined by the CCPA.
- TalentVector will not retain, use, or disclose personal information outside of the direct business relationship between TalentVector and Customer.
- TalentVector will not combine personal information controlled by Customer with personal information TalentVector receives from other customers, except as may be permitted by the Agreement or applicable Data Protection Laws.
- TalentVector will take steps to ensure that Sub-processors or any other person engaged by TalentVector to assist in the processing of personal information are “Service Providers” under the CCPA, and TalentVector will enter into a written agreement with each service provider obligating the service provider to the applicable requirements under the CCPA.
- TalentVector will notify Customer if TalentVector makes a determination that it can no longer meet its obligations under the CCPA.
- Customer will have the right, upon notice to TalentVector, to take reasonable and appropriate steps to stop and remediate any unauthorized use of personal information and to help to ensure that TalentVector uses the personal information in a manner consistent with Customer’s obligations under the CCPA.
United Kingdom. Where TalentVector’s processing of personal data is subject to UK GDPR, the UK Addendum to the SCCs included with this DPA will apply.
SCHEDULE 1: DETAILS OF PROCESSING
1. Categories of Data Subjects
The categories of data subjects whose personal data may be processed are:
- (a) Customer’s employees and contractors
- (b) Candidates for employment invited to use the Services by Customer
- (c) Other persons designated by Customer to use the Services in connection with Customer’s use under the Agreement
2. Categories of Personal Data Processed
TalentVector may process the following categories of personal data in providing the Services:
- (a) Identifiers: Including first and last name, username, email address, business title, contact information, TalentVector password, country, and photograph if using certain features that provide for photographs.
- (b) Internet or other electronic network activity information: Technical data to the extent relating to a data subject in the form of IP address and the features accessed and interactions taken with respect to the Services.
- (c) Results: Results of a Candidate’s ranking or scoring to the extent they relate to a data subject in connection with use of features of the Services.
- (d) Provided data: Any other personal data that a data subject provides to TalentVector when signing up for, using, or requesting support for the Services or that Customer requests the data subject provide in connection with Customer’s use of the Services (such as personal data Customer requests of a Candidate in connection with an assessment).
- Assessment and AI-derived data: Outputs such as scores, rankings, behavioral indicators, recommendations, or inferred insights generated through use of the Services, to the extent they relate to an identifiable individual.
3. Sensitive Data
TalentVector does not intentionally, and the parties do not anticipate that TalentVector will, collect or process any “special categories of personal data” or “sensitive personal information” (as each is defined by applicable Data Protection Laws) in connection with the use or provision of the Services.
4. Nature of Processing
TalentVector will process personal data in connection with the provision of TalentVector Services, including collection, storage, analysis, and generation of outputs (including AI-assisted insights), as set forth in the Agreement.
5. Frequency and Duration of Processing
Personal data is processed on a continuous basis until the data is deleted or returned to Customer in accordance with the Agreement.
SCHEDULE 2: DETAILS OF STANDARD CONTRACTUAL CLAUSES
1. Module 2 (Controller to Processor). For transfers of personal data where the SCCs apply, the SCCs will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
The “data exporter” is Customer; and
The “data importer” is EdMyst Inc. d/b/a TalentVector
Module Two (Controller to Processor) of the SCCs will apply as set forth throughout the SCCs where Customer is a controller of personal data and TalentVector is the processor of personal data.
2. Specific Clauses. The following clauses of the SCCs will apply as set forth below:
- In Clause 7 of the SCCs, the Docking Clause will apply.
- In Clause 9 of the SCCs, Option 2 (general written authorization) will apply and the time period for prior notice of Sub-processor changes will be as set forth in Section 8.2 (Sub-processor Changes) of this DPA.
- In Clause 11 of the SCCs, the optional language will not apply.
- In Clause 17 of the SCCs, the SCCs will be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they will be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The parties agree that this will be the law of Ireland.
- In Clause 18(b) of the SCCs, the parties agree that the courts of the EU Member State for resolution of disputes arising from the SCCs will be the courts of Ireland.
3. Appendix to SCCs. The Annexes to this DPA set forth information that populates the corresponding Annex to the SCCs.
ANNEX I
A. LIST OF THE PARTIES:
Data Exporter: Customer
(i) Contact Information: The email address(es) designated by Customer as the administrator of Customer’s account within the Services.
(ii) Signature and Date: By entering into the Agreement, as of the Effective Date of the Agreement, Data Exporter is deemed to have signed the SCCs incorporated herein, including their Annexes.
(iii) Role: As set forth in Section 2 (Roles of the Parties) of this DPA.
Data Importer: EdMyst Inc. d/b/a TalentVector
(i) Contact Information: 16192 Coastal Highway, Lewes, DE 19958, USA
Email: legal@talentvector.com
(ii) Signature and Date: By entering into the Agreement, as of the Effective Date of the Agreement, Data Importer is deemed to have signed the SCCs incorporated herein, including their Annexes.
(iii) Role: As set forth in Section 2, EdMyst Inc. d/b/a TalentVector acts as processor/service provider with respect to Customer personal data processed on behalf of Customer.
B. DESCRIPTION OF TRANSFER
The transfer of personal data is as described in Schedule 1 of this DPA.
C. SUPERVISORY AUTHORITY
(i) As applicable to the SCCs, the supervisory authority will be: (A) if Customer is established in an EU Member State, the supervisory authority responsible for ensuring Customer's compliance with the GDPR; or (B) if Customer is not established in an EU Member State but is within the extra-territorial scope of the GDPR, then (1) if Customer has appointed a representative, the supervisory authority of the EU Member State in which Customer's representative is established, or (2) if Customer has not appointed a representative, the supervisory authority of the EU Member State in which the data subjects are predominantly located.
(ii) With respect to personal data that is subject to the UK GDPR or Swiss DPA, the competent supervisory authority will be the UK Information Commissioner or the Swiss Federal Data Protection and Information Commissioner (as applicable).
ANNEX II: TECHNICAL AND ORGANIZATIONAL MEASURES
The technical and organizational measures are as described in the DPA. Measures include safeguards for AI-supported processing, where applicable, including monitoring, access controls, and risk mitigation aligned with the nature of the Services.
ANNEX III: LIST OF SUB-PROCESSORS
The controller has authorized the use of the following sub-processors: As authorized by the DPA.
UK ADDENDUM PROVISIONS
Where TalentVector’s processing of personal data is subject to Data Protection Laws of the United Kingdom (including the UK GDPR and Data Protection Act of 2018), the SCC terms above in this Schedule will apply, as supplemented or modified by the UK Addendum, as follows:
Part 1 (Tables)
Table 1: Parties. In Table 1 of the UK Addendum: The party details are as set forth in the foregoing Annex I to the SCCs.
Table 2: Selected SCCs, Modules, and Selected Clauses. In Table 2 of the UK Addendum: The version of the Approved EU SCCs (as defined by the UK Addendum) which this UK Addendum is appended to, detailed below, including the Appendix Information: The SCCs made part of the agreement between the parties hereto.
Table 3: Appendix Information. In Table 3 of the UK Addendum: (i) The list of parties is set forth in the foregoing Annex I to the SCCs; (ii) The description of the transfer is set forth in the foregoing Annex I to the SCCs; (iii) The technical and organizational measures are set forth in the foregoing Annex II of the SCCs; and (iv) The list of sub-processors is set forth in the foregoing Annex III to the SCCs.
Table 4: Ending this Addendum when the Approved Addendum Changes. In Table 4 of the UK Addendum: The option “neither party” will be deemed selected.
Part 2 (Mandatory Clauses)
The SCCs are deemed amended as set forth in Part 2 of the UK Addendum.