
Data Processing Addendum

Effective 2026-05-01

Pre-launch: this document is under counsel review. The structure below reflects our intended posture; final binding language will replace it before public launch.

1. Purpose

This Data Processing Addendum (“DPA”) supplements the Terms of Service between you (the “Customer”) and Talpro India Pvt Ltd (collectively, “Qorium”) and applies to the processing of personal data in the provision of the Service.

2. Roles

Customer is the data controller of the personal data submitted to the Service. Qorium is the data processor acting on Customer’s documented instructions.

3. Subject matter and duration

The processing is the provision of question generation, question delivery, and analytics for the duration of the Customer’s subscription.

4. Categories of data

Identifiers (name, email), professional context (company, role, hiring volume), assessment metadata (candidate session IDs, scores). No special category data is collected by default.

5. Sub-processors

The current list of sub-processors is at /security. We provide 30-day prior written notice of any addition. Customer may object in writing within 14 days of notice; if the objection cannot be resolved, Customer may terminate the affected portion of the Service.

6. Security measures

Qorium implements appropriate technical and organizational measures including encryption in transit (TLS 1.3) and at rest, access control via per-customer signed API keys, audit logging with 90-day retention, and segregated PostgreSQL schemas for Stack-Vault customers.

7. Data subject requests

Qorium will assist Customer in responding to data subject requests (access, correction, erasure, portability) within applicable legal timelines, including DPDPA and GDPR.

8. Personal data breach

Qorium will notify Customer without undue delay (within 72 hours) of becoming aware of a personal data breach affecting Customer data and provide reasonable assistance in fulfilling Customer’s breach notification obligations.

9. International transfers

Where personal data is transferred outside India or the EEA, the transfer is governed by Standard Contractual Clauses or an equivalent legal mechanism. The current sub-processor list (/security) flags the region for each provider.

10. Audit

Qorium will make available to Customer (under NDA) information necessary to demonstrate compliance with this DPA, including SOC 2 reports once audited (status: in-progress).

11. Return / deletion

On termination or upon Customer’s written request, Qorium will return or delete Customer personal data within 30 days, except where retention is required by applicable law.

12. Counsel review

Final binding DPA language is delivered as part of the Customer’s signed order form. This published version is informational and reflects Qorium’s intended posture.