Enterprise · B2B

Data Processing Agreement

Our commitment to secure, compliant, and transparent data processing on behalf of enterprise customers.

Effective April 2026 · mockwin.ai · Mockwin Technologies Pvt. Ltd.

About This Agreement

This Data Processing Agreement ("DPA") forms part of and is incorporated into the Terms of Service (the "Agreement") between Mockwin Technologies Private Limited, a company incorporated under the laws of India ("Processor" or "Mockwin") and the Organisation subscribing to the Services ("Controller" or "Customer"). This DPA governs the processing of Personal Data by the Processor on behalf of the Controller. Effective Date: April 2026 | Last Updated: April 2026 | Website: https://www.mockwin.ai | Entity: Mockwin Technologies Private Limited, India.

Regulatory Compliance

This DPA is designed to comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"), the Digital Personal Data Protection Act, 2023 (India) ("DPDP Act"), and other applicable data protection legislation worldwide.

Defined Terms

  • "Personal Data" means any information relating to an identified or identifiable natural person (the "Data Subject" or "Candidate") processed by Mockwin on behalf of the Controller.
  • "Sub-processor" means any third party engaged by Mockwin to process Personal Data on behalf of the Controller.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
  • "SCC" means the Standard Contractual Clauses adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914.
  • "Technical and Organisational Measures" means the security measures implemented by Mockwin as described in Annex II.

2.1 Subject Matter

Mockwin provides AI-powered recruitment screening and assessment tools. The Processor will process Candidate Personal Data strictly for the purpose of providing the Services as defined in the Agreement and as further described in Annex I.

2.2 Duration

Processing shall continue for the duration of the Agreement. Upon termination, the provisions of Section 11 (Data Deletion and Return) shall apply.

2.3 Categories of Data Subjects

The Data Subjects are job candidates, applicants, and interviewees invited by the Controller to complete assessments via the Mockwin platform.

2.4 Types of Personal Data

The types of Personal Data processed are detailed in Annex I and include: names, email addresses, resumes, video and audio recordings, AI transcripts, assessment scores, proctoring logs, identity verification data, and browser activity logs.

Controller Warrants and Undertakes That

  • It has a lawful basis for processing Personal Data through Mockwin (e.g., consent, legitimate interest, or contractual necessity).
  • It has provided appropriate privacy notices to Candidates, informing them of the types of data collected, the purposes of processing, the use of AI-powered tools, and the identity of any recipients.
  • It has obtained all necessary consents from Candidates for proctoring, identity verification, and biometric processing where required by applicable law.
  • It shall comply with all applicable data protection laws in its jurisdiction, including obligations relating to automated decision-making disclosures.
  • It shall promptly inform Mockwin of any Data Subject requests that require Mockwin's assistance.

Mockwin Agrees To

  • Process Personal Data only on documented instructions from the Controller, including with respect to international data transfers, unless required to do so by applicable law.
  • Ensure that all persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement and maintain the Technical and Organisational Measures described in Annex II.
  • Comply with the conditions for engaging Sub-processors set out in Section 6.
  • Assist the Controller, by appropriate technical and organisational measures, to fulfil the Controller's obligations to respond to Data Subject rights requests.
  • Assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR (security, breach notification, DPIAs, and prior consultation), taking into account the nature of processing and the information available to Mockwin.
  • At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless applicable law requires storage.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, as described in Section 8.
  • Immediately inform the Controller if, in Mockwin's opinion, an instruction from the Controller infringes applicable data protection laws.

Enterprise-Grade Security

Mockwin implements enterprise-grade technical and organisational measures to ensure data security, as detailed in Annex II. These include, but are not limited to:

  • AES-256 encryption for all Personal Data at rest.
  • TLS 1.3 encryption for all Personal Data in transit.
  • Multi-Factor Authentication (MFA) for all administrative and recruiter access.
  • Role-Based Access Control (RBAC) enforcing the principle of least privilege.
  • Regular penetration testing by independent third-party security firms (at least annually).
  • Automated vulnerability scanning and patch management.
  • Comprehensive logging and monitoring of all data access events.
  • Incident response procedures with defined escalation paths and documentation.
  • Employee background checks and mandatory security awareness training.
  • Physical security controls for data centre access (via cloud hosting providers).

6.1 General Authorisation

The Controller grants Mockwin general written authorisation to engage Sub-processors for the purpose of providing the Services.

6.2 Notification of Changes

Mockwin shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors by providing at least thirty (30) days' prior written notice (via email to the Controller's designated contact). The Controller shall have the opportunity to object to such changes within fourteen (14) days of receiving notice.

6.3 Objection Process

If the Controller reasonably objects to a new Sub-processor on data protection grounds, the parties shall negotiate in good faith to find an alternative solution. If no resolution can be reached within thirty (30) days, the Controller may terminate the affected Service without penalty.

6.4 Sub-processor Obligations

Mockwin shall impose data protection obligations on each Sub-processor no less protective than those set out in this DPA by way of a written contract. Mockwin remains fully liable to the Controller for the performance of the Sub-processor's obligations.

6.5 Current Sub-processors

A list of current Sub-processors is maintained at mockwin.ai/legal/sub-processors and is available upon request.

7.1 Notification Timeline

If Mockwin becomes aware of a confirmed Data Breach affecting the Controller's Personal Data, Mockwin shall notify the Controller without undue delay and in any event no later than forty-eight (48) hours after becoming aware of the breach.

7.2 Contents of Notification

The notification shall include, to the extent reasonably available:

  • A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and data records concerned.
  • The name and contact details of Mockwin's point of contact for further information.
  • A description of the likely consequences of the Data Breach.
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

7.3 Ongoing Cooperation

Mockwin shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Data Breach. Mockwin shall provide updated information as it becomes available.

8.1 Audit Rights

The Controller (or an independent third-party auditor appointed by the Controller) may conduct audits to verify Mockwin's compliance with this DPA. Such audits shall:

  • Be conducted no more than once per calendar year (unless a Data Breach has occurred or a supervisory authority requests an audit).
  • Be conducted during normal business hours with at least thirty (30) days' prior written notice.
  • Be subject to reasonable confidentiality obligations.
  • Not unreasonably interfere with Mockwin's business operations.

8.2 Certifications and Reports

Mockwin shall, upon request, provide the Controller with copies of relevant compliance certifications (e.g., SOC 2 Type II, ISO 27001), penetration test summaries, and data protection impact assessment templates to demonstrate compliance without requiring a full on-site audit.

DPIA Assistance

Where a Controller is required to carry out a Data Protection Impact Assessment (DPIA) under Article 35 of the GDPR or equivalent local law, Mockwin shall provide reasonable assistance and information to enable the Controller to complete the assessment. This includes providing documentation about the AI models used, the data processed, the security measures in place, and the retention periods applied.

10.1 Acknowledgment

The Controller acknowledges and agrees that Mockwin may use anonymised, aggregated, and de-identified data derived from Assessments conducted on the platform to train, improve, test, benchmark, and develop Mockwin's AI models, algorithms, and Services ("Model Training"). Such anonymised data does not constitute Personal Data within the meaning of this DPA or applicable data protection law.

10.2 Anonymisation Standard

Before any data is used for Model Training, Mockwin applies rigorous anonymisation and de-identification processes that meet the standards set out in Recital 26 of the GDPR (and equivalent standards under other applicable laws). This includes removing all direct identifiers (names, emails, photographs, video likenesses) and applying statistical techniques to prevent re-identification.

10.3 BYOKB Exclusion

Any proprietary knowledge base content uploaded by the Controller via the Bring Your Own Knowledge Base (BYOKB) feature is excluded from Model Training. BYOKB content remains confidential, is isolated per tenant, and is used solely to generate interview questions for the Controller's own Assessments.

10.4 Enterprise Opt-Out

Enterprise Controllers with custom Master Services Agreements (MSAs) may negotiate a full opt-out of Model Training for Assessment data processed under their account. Such opt-out must be documented in writing within the MSA or a written amendment to this DPA. Anonymised data already incorporated into trained models prior to the opt-out cannot be individually extracted or reversed.

10.5 Purpose Limitation

Data used for Model Training is used exclusively for improving Mockwin's AI systems. Mockwin will not:

  • Sell anonymised training data to third parties.
  • Use it to build products for third-party licensees.
  • Attempt to re-identify individuals from anonymised training datasets.

11.1 Upon Termination

Upon termination or expiry of the Agreement, Mockwin shall, at the Controller's election:

  • Return: Provide the Controller with an export of all Personal Data in a structured, commonly used, machine-readable format (e.g., JSON, CSV).
  • Delete: Permanently and irreversibly delete all Personal Data from Mockwin's systems, including all copies and backups.

Deletion Timeline

The Controller must communicate its election within thirty (30) days of termination. If no instruction is received, Mockwin shall delete all Personal Data within sixty (60) days of termination.

11.2 Retention Exceptions

Mockwin may retain Personal Data to the extent required by applicable law (e.g., tax records, regulatory compliance). Any retained data shall remain subject to the protections of this DPA.

12.1 Transfer Mechanisms

If Mockwin transfers Personal Data originating in the EEA, the UK, or Switzerland to a country not recognised as providing an adequate level of protection, such transfers shall be governed by:

  • Standard Contractual Clauses (SCCs): The SCCs approved by the European Commission (Implementing Decision 2021/914), Module Two (Controller to Processor), are incorporated by reference into this DPA.
  • UK International Data Transfer Agreement (IDTA): For transfers from the UK, the UK Addendum to the EU SCCs (as approved by the UK ICO) shall apply.
  • Supplementary Measures: Including encryption in transit and at rest, pseudonymisation, and access controls.

12.2 Government Access Requests

If Mockwin receives a request from a government authority for access to the Controller's Personal Data, Mockwin shall (unless legally prohibited):

  • Promptly notify the Controller of such request.
  • Challenge the request if there are reasonable grounds to consider it unlawful.
  • Provide only the minimum amount of data required to comply.

Liability Limitations

Each party's liability under this DPA shall be subject to the limitations of liability set out in the Agreement. Nothing in this DPA shall limit either party's liability for breaches of data protection law to the extent such limitation is prohibited by applicable law.

Survival Clauses

This DPA shall remain in effect for the duration of the Agreement. Sections 7 (Data Breach Notification), 8 (Audits), 10 (AI Model Training), 11 (Data Deletion and Return), 12 (Cross-Border Transfers), and 13 (Liability) shall survive termination of this DPA.

Processing Details

  • Data Exporter (Controller): The Organisation subscribing to Mockwin's B2B Services.
  • Data Importer (Processor): Mockwin Technologies Private Limited, India.
  • Data Subjects: Job candidates, applicants, and interviewees invited by the Controller.
  • Categories of Personal Data: Names, email addresses, phone numbers, resumes/CVs, employment history, educational background, video recordings, audio recordings, AI transcripts, assessment scores, communication analytics, proctoring logs (browser activity, dual-camera feeds), identity verification images, IP addresses, device information.
  • Special Categories of Data: Biometric data (facial comparison for identity verification) – processed only with explicit consent and where legally permitted.
  • Processing Operations: Collection, storage, organisation, structuring, analysis by AI models, scoring, transcription, reporting, anonymisation, and deletion.
  • Purpose of Processing: Providing AI-powered candidate screening, assessment, fraud detection, and recruitment analytics services on behalf of the Controller.
  • Retention Period: As configured by the Controller, or as specified in Mockwin's Privacy Policy. Default: data deleted within 30 days of Controller request or contract termination.
  • Transfer Mechanisms: Standard Contractual Clauses (EU 2021/914), UK IDTA, encryption, and access controls.

Security Domains and Measures

  • Encryption: AES-256 at rest; TLS 1.3 in transit; encrypted backups.
  • Access Control: RBAC with principle of least privilege; MFA for all administrative access; unique user credentials; automatic session timeout.
  • Network Security: Firewalls, intrusion detection/prevention systems (IDS/IPS), DDoS protection, network segmentation.
  • Application Security: Secure SDLC practices, code reviews, automated SAST/DAST testing, dependency vulnerability scanning.
  • Data Minimisation: Processing limited to data strictly necessary for the Services; pseudonymisation applied where feasible.
  • Incident Management: Documented incident response plan; 48-hour breach notification; post-incident review and remediation.
  • Business Continuity: Automated backups; geographic redundancy; disaster recovery plan with defined RTO/RPO targets.
  • Personnel Security: Background checks for personnel with data access; mandatory security awareness training; confidentiality agreements.
  • Physical Security: Managed by cloud hosting providers (AWS/GCP) with SOC 2 Type II and ISO 27001 certifications.
  • Audit and Monitoring: Centralised logging; real-time alerting for anomalous access patterns; annual third-party penetration testing.
  • Vendor Management: Sub-processor due diligence; contractual data protection obligations; periodic compliance reviews.

Acceptance by B2B Organisations

By using the Mockwin platform as a B2B Organisation, you digitally accept and execute this Data Processing Agreement.

Contact

For questions regarding this DPA, please contact:

  • DPA Enquiries: dpa@mockwin.ai
  • Legal: legal@mockwin.ai