Data Processing Agreement

Last Updated: 18 February 2026

Agreement Information

Provider:

TalentSyncHub is owned and operated by m2TALENTS.

Registered Address:

Schwandorfer Straße 1, 81459 München, Germany.

VAT ID:

DE367567001

Privacy Contact:

tshprivacy@m2talents.com

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the Recruiter (“Controller”) and m2TALENTS operating as TalentSyncHub (“Processor”).

1. Subject Matter and Duration

TalentSyncHub provides infrastructure and communication services (including candidate aliases, feedback routing, and dashboards) to recruiters. The processing of personal data begins with the acceptance of the Terms of Service and continues until the termination of the account or contract.

2. Roles and Responsibilities

Under applicable data protection laws (including the GDPR), the Recruiter acts as the Data Controller, and TalentSyncHub acts as the Data Processor. For the purposes of US state privacy laws (including the CCPA), TalentSyncHub acts exclusively as a "Service Provider."

The Recruiter is responsible for ensuring a lawful basis for processing and providing appropriate privacy notices to candidates and clients. TalentSyncHub processes data solely on the documented instructions of the Recruiter, except where required otherwise by law.

3. Categories of Data and Data Subjects

The data processed via the platform includes:

Candidate Data:

Names, contact details, system-generated aliases, CVs (if routed), and interview status/feedback.

Client Data:

Hiring manager names, email addresses, and interview feedback.

Communication Metadata:

Email headers, routing logs, timestamps, and message contents routed via the TalentSyncHub smart alias system.

4. Processor Obligations

TalentSyncHub agrees to:

  • Process personal data only on the documented instructions of the Recruiter.
  • Ensure that persons authorized to process the personal data have committed themselves to confidentiality.
  • Implement appropriate Technical and Organizational Measures (TOMs) to ensure a level of security appropriate to the risk.
  • Assist the Recruiter, insofar as this is possible, in fulfilling their obligation to respond to Data Subject Access Requests (DSARs) and to assist with Data Protection Impact Assessments (DPIAs).
  • Notify the Recruiter without undue delay after becoming aware of a personal data breach.
  • At the choice of the Recruiter, delete or return all personal data to the Controller within 30 days of the termination of services, unless applicable law requires continued storage.

5. Subprocessors

The Recruiter authorizes TalentSyncHub to engage third-party subprocessors (e.g., cloud hosting, email delivery providers like Mailgun, and payment processors) to fulfill its contractual obligations. TalentSyncHub ensures that any subprocessor is bound by data protection obligations equivalent to those in this DPA.

6. International Transfers

If TalentSyncHub transfers personal data outside of the European Economic Area (EEA) or the UK to countries not deemed to have an adequate level of data protection, such transfers will rely on valid transfer mechanisms, such as the Standard Contractual Clauses (SCCs).

7. Audit and Demonstration of Compliance

TalentSyncHub will make available to the Recruiter all information necessary to demonstrate compliance with the obligations laid down in this DPA. TalentSyncHub will allow for and contribute to audits, including inspections, conducted by the Recruiter or another auditor mandated by the Recruiter, provided reasonable advance notice is given.

8. Liability and Indemnity

Each party is liable for its own breaches of applicable data protection laws.

The Recruiter agrees to indemnify TalentSyncHub against any claims, damages, or fines arising from the Recruiter’s failure to establish a lawful basis for processing, or for the misuse of the platform (e.g., sending unsolicited spam or unlawful marketing). TalentSyncHub’s overall liability is limited as set out in the Terms of Service.

9. Governing Law

This DPA shall be governed by the laws of Germany. Exclusive jurisdiction lies with the courts of Munich.

Annex 1 - Technical and Organizational Measures (TOMs)

TalentSyncHub implements the following security measures to protect Controller data:

Access Control

Role-based access, strict authentication protocols, and zero-trust internal architecture.

Encryption

Data is encrypted in transit (TLS) and at rest (AES-256).

Availability and Resilience

Automated daily backups, redundant infrastructure, and continuous system monitoring/logging.

Data Minimization

Smart deactivation ("Frozen State") routines and automated deletion schedules to purge old communication channels in accordance with the Recruiter's retention limits.

Staff Training

Regular security and privacy training for all employees and contractors handling data.

Data Protection Team

For any DPA-related inquiries, subprocessor audits, or security documentation requests, please contact our legal desk at tshprivacy@m2talents.com.