GDPR Compliance

Last updated: October 11, 2025

Our Commitment to GDPR Compliance

At Talky, we take data protection seriously. We are fully committed to complying with the General Data Protection Regulation (GDPR) and ensuring that all personal data is processed lawfully, fairly, and transparently.

1. GDPR Principles We Follow

We adhere to all six GDPR principles:

1.1 Lawfulness, Fairness, and Transparency

We process personal data lawfully, based on appropriate legal grounds, and inform data subjects clearly about our data processing activities.

1.2 Purpose Limitation

We collect personal data for specified, explicit, and legitimate purposes and do not process it in ways incompatible with those purposes.

1.3 Data Minimization

We only collect data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

1.4 Accuracy

We ensure personal data is accurate and kept up to date. Inaccurate data is erased or rectified without delay.

1.5 Storage Limitation

We retain personal data only for as long as necessary for the purposes for which it was collected.

1.6 Integrity and Confidentiality

We implement appropriate technical and organizational measures to ensure data security.

2. Your Rights Under GDPR

As a data subject, you have the following rights:

Quick Access to Your Rights

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restriction: Limit how we process your data
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time
  • Right to Lodge a Complaint: File a complaint with a supervisory authority

How to Exercise Your Rights

To exercise any of your rights, contact us at:

We will respond to your request within 30 days.

3. Legal Basis for Processing

We process personal data under the following legal bases:

  • Consent (Art. 6(1)(a) GDPR): You have given explicit consent
  • Contract (Art. 6(1)(b) GDPR): Processing is necessary to perform our contract with you
  • Legal Obligation (Art. 6(1)(c) GDPR): Processing is required by law
  • Legitimate Interests (Art. 6(1)(f) GDPR): Processing is necessary for our legitimate business interests

4. Data We Process

4.1 Employer/Client Data

  • Contact information (name, email, phone)
  • Company information
  • Account credentials
  • Billing and payment information
  • Usage data and analytics

4.2 Candidate Data

  • Personal information (name, contact details)
  • Interview recordings and transcripts
  • Evaluation scores and reports
  • Employment history and qualifications
  • Consent records

5. Data Security Measures

We implement comprehensive technical and organizational measures:

5.1 Technical Measures

  • End-to-end encryption (TLS 1.3) for data in transit
  • AES-256 encryption for data at rest
  • Regular security audits and penetration testing
  • Secure authentication (MFA available)
  • Automated backup systems
  • Intrusion detection and prevention systems

5.2 Organizational Measures

  • Data Protection Officer (DPO) appointed
  • Regular staff training on data protection
  • Strict access controls and role-based permissions
  • Data Processing Agreements (DPAs) with all processors
  • Incident response procedures
  • Privacy by design and default

6. Data Storage and Location

  • Primary Storage: EU data centers (Frankfurt, Germany)
  • Backup Storage: EU data centers (Amsterdam, Netherlands)
  • Data Residency: All personal data remains within the EU
  • No Third-Country Transfers: We do not transfer data outside the EU/EEA

7. Data Retention Periods

Data Type               Retention Period                  Legal Basis
Account data            Duration of account + 12 months   Contract
Interview recordings    24 months or as requested         Consent
Candidate data          6 months after interview          Consent
Billing records         10 years                          Legal obligation
Support tickets         3 years                           Legitimate interest

8. Third-Party Processors

We work with the following GDPR-compliant processors:

  • Cloud Infrastructure: AWS (Ireland), Google Cloud (Frankfurt)
  • AI Processing: Anthropic (Claude API) - DPA in place
  • Payment Processing: Stripe (Ireland) - PCI DSS compliant
  • Email Services: Resend (EU servers)
  • Analytics: Google Analytics 4 (anonymized IP, DPA in place)

All processors have signed Data Processing Agreements (DPAs) with us.

9. Data Protection Impact Assessment (DPIA)

We have conducted Data Protection Impact Assessments for our high-risk processing activities, including:

  • AI-powered interview analysis
  • Voice recording and transcription
  • Automated candidate evaluation

DPIAs are reviewed annually and updated as needed.

10. Candidate Consent Management

For candidates being interviewed through our platform:

  • Explicit consent is obtained before the interview starts
  • Clear information about data processing is provided
  • Consent can be withdrawn at any time
  • Recording notification is given at interview start
  • Data access and deletion requests are honored promptly

11. Data Breach Procedures

In the event of a data breach:

  • We will notify the relevant supervisory authority within 72 hours
  • Affected data subjects will be informed without undue delay
  • We maintain a breach register as required by GDPR
  • The incident response team is activated immediately
  • Root cause analysis is performed and remediation measures are implemented

12. Automated Decision-Making

Our AI system assists in candidate evaluation, but we ensure:

  • No solely automated decisions affecting candidates
  • Human review is always required for final hiring decisions
  • Transparency about AI evaluation criteria
  • Right to explanation of AI assessments
  • Right to contest automated evaluations

13. Certifications and Audits

  • ✓ SOC 2 Type II certified
  • ✓ ISO 27001 certified
  • ✓ Annual GDPR compliance audits
  • ✓ Regular penetration testing
  • ✓ Privacy by Design methodology

14. Supervisory Authority

Our lead supervisory authority is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Postfach 3163
65021 Wiesbaden, Germany
Phone: +49 (0)611 1408-0
Email: poststelle@datenschutz.hessen.de
Website: datenschutz.hessen.de

15. Contact Our DPO

For all data protection inquiries, contact our Data Protection Officer:

Dr. Maria Schneider
Data Protection Officer
Digital David AG
Email: hello@talenty.ai
Phone: 069-348687777

✓ GDPR Compliant

Talky is fully compliant with GDPR requirements. We continuously monitor regulatory changes and update our practices to ensure ongoing compliance. Your data is safe with us.