Data Processing Agreement

(DPA – In accordance with Regulation (EU) 2016/679 – GDPR)

Last updated: 06 March 2026

1. PREAMBLE

This Data Processing Agreement (“DPA”) governs the conditions under which Scalyz processes personal data on behalf of its professional clients in connection with the use of the Scalyz SaaS technical evaluation platform.

This DPA is entered into pursuant to Article 28 of Regulation (EU) 2016/679 of 27 April 2016 (General Data Protection Regulation – “GDPR”).

This DPA forms an integral part of the Scalyz Enterprise General Terms and Conditions.

2. IDENTIFICATION OF THE PARTIES

2.1 Data Controller

The professional Client using the Scalyz Platform acts as the Data Controller.

2.2 Data Processor

Scalyz
Simplified joint-stock company (SAS)
Share capital: €1,000
Company registration number (SIREN): 930 123 989
Registered office: 24 Rue de Clichy, 75009 Paris, France
Data protection contact: dpo@scalyz.com

Scalyz acts exclusively as Data Processor.

3. PURPOSE OF PROCESSING

Scalyz processes personal data on behalf of the Data Controller for the purposes of:

  • Providing a technical evaluation platform
  • Generating evaluation reports
  • Analyzing technical performance
  • Providing dashboards and analytics

4. CATEGORIES OF PERSONAL DATA

Depending on platform usage, personal data processed may include:

  • First and last name
  • Professional email address
  • Professional information
  • Evaluation results
  • Technical execution logs

No special categories of personal data within the meaning of Article 9 GDPR are required.

5. CATEGORIES OF DATA SUBJECTS

  • Candidates
  • Consultants
  • Employees
  • Authorized Users of the Client

6. DATA RETENTION

Personal data is retained as follows:

  • Candidate accounts: automatically expire within 7 days
  • Technical logs: maximum 1 year
  • Evaluation reports: duration of the Client contract
  • Billing data: 10 years (legal requirement under French law)

Upon termination of the contract, personal data may be:

  • Returned to the Data Controller; or
  • Deleted within a maximum period of 90 days

7. OBLIGATIONS OF THE PROCESSOR

Scalyz undertakes to:

  1. Process personal data only on documented instructions from the Data Controller
  2. Ensure confidentiality of personal data
  3. Implement appropriate technical and organizational measures
  4. Ensure that authorized personnel are subject to confidentiality obligations
  5. Assist the Data Controller in fulfilling its GDPR obligations
  6. Notify the Data Controller without undue delay in case of a personal data breach

8. SECURITY MEASURES

Scalyz implements, in particular:

  • Hosting on cloud infrastructure located within the European Union
  • Encryption in transit (TLS)
  • Encryption at rest (databases and storage)
  • Daily encrypted backups
  • Log retention limited to 1 year
  • Mandatory multi-factor authentication (MFA) for employees
  • VPN-protected administrative access
  • Access control based on the principle of least privilege

9. SUBPROCESSORS

Scalyz may engage the following subprocessors:

  • Amazon Web Services (EU hosting)
  • Stripe (payment processing)
  • Chargebee (subscription management)
  • HubSpot (CRM)
  • AWS SES (transactional emails)
  • OpenAI (anonymized AI analysis)

Scalyz ensures that its subprocessors provide sufficient guarantees regarding data protection.

10. INTERNATIONAL TRANSFERS

Certain service providers may be located outside the European Union (e.g., OpenAI).

Such transfers are governed by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission; and
  • Appropriate contractual safeguards

Data transmitted to OpenAI for AI-based analysis is anonymized and does not allow identification of data subjects.

11. ASSISTANCE TO THE DATA CONTROLLER

Scalyz assists the Data Controller in:

  • Responding to data subject rights requests
  • Providing information necessary for supervisory authority inquiries
  • Conducting data protection impact assessments (if required)

12. PERSONAL DATA BREACHES

In the event of a personal data breach, Scalyz shall:

  • Notify the Data Controller without undue delay
  • Provide relevant information to assess the risk
  • Cooperate in managing the incident

13. AUDIT

The Data Controller may request reasonable information regarding the security measures implemented by Scalyz.

Any audit shall:

  • Be scheduled in advance
  • Be limited to relevant information
  • Not disrupt normal platform operations

14. LIABILITY

Each party remains responsible for its respective obligations under the GDPR.

Scalyz’s liability is limited in accordance with the applicable General Terms and Conditions.

15. TERM AND EFFECT

This DPA becomes effective upon acceptance of the Enterprise General Terms and Conditions.

It remains in effect for the entire duration of the Client’s use of the Platform.