Last updated: May 2, 2025

These Website Terms of Service (“Terms”) are a legally binding contract between Studio 1 Works, Inc. (“Company,” “we,” “us”) and the individual or entity accessing this Website (“Visitor,” “you”). By accessing or using this Website, you acknowledge that you have read, understood, and agree to be bound by these Terms and by the Privacy Policy referenced below.

These Terms apply to all access and use of our public websites and marketing pages operated by Studio 1 Works, Inc., including taluate.com and any campaign-specific landing pages (collectively, the “Website”).

1. Website Use
This Website is provided for informational purposes only and does not constitute legal, HR, or employment advice. While we strive to provide accurate information, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability of the Website or the information contained on it.

2. Data Collection & Privacy

We collect certain information from visitors to this Website, including:

• Information you voluntarily provide (such as contact information)
• Basic usage data and cookie/analytics data as described in our Cookie & Tracking Policy

For complete details on how we collect, use, and protect your data, please review our Privacy Policy and Cookie & Tracking Policy.

3. Intellectual Property
All content on this Website, including but not limited to text, graphics, logos, images, and software, is the property of Studio 1 Works, Inc. and is protected by intellectual property laws. You may not reproduce, distribute, modify, or create derivative works from any content without our prior written consent.

4. Age Restriction
You represent and warrant that you are at least 16 years old and accessing this Website in a business capacity. This Website is not intended for use by individuals under 16 years of age.

5. Acceptable Use

You agree not to:

• Use this Website in any way that violates applicable laws or regulations
• Attempt to gain unauthorized access to any portion of the Website
• Use automated means to access or interact with the Website without our express permission
• Upload viruses or other malicious code
• Interfere with the proper functioning of the Website

6. Third-Party Links
This Website may contain links to third-party websites. These links are provided for your convenience only. We have no control over the content of these websites and accept no responsibility for them or for any loss or damage that may arise from your use of them.

7. Limitation of Liability
To the fullest extent permitted by law, Studio 1 Works, Inc. shall not be liable for any direct, indirect, incidental, special, consequential, or punitive damages arising out of or relating to your access to or use of this Website.

8. Changes to Terms
We may update these Terms by posting a revised version on this Website. Your continued use of the Website after such changes constitutes acceptance of the revised Terms.

9. Governing Law
These Terms are governed by the laws of British Columbia, Canada, without regard to conflict-of-law rules. The parties consent to the exclusive jurisdiction of the courts of British Columbia.

10. Contact Information

Questions? Email privacyNoSpam@NoSpamtaluate.com

© 2025 Studio 1 Works, Inc.

Last updated: May 2, 2025

These Terms of Service (“Terms”) are a legally-binding contract between Studio 1 Works Inc. (“Taluate,” “we,” or “Company”) and the entity or individual clicking “I agree” (“Subscriber,” “you”). By checking the acceptance box or accessing the Service, you acknowledge that you have read, understood, and agree to be bound by these Terms and by the Privacy Policy referenced below.

These Terms apply to all access and use of the Service via our application at app.taluate.com and any related application interfaces. Use of our public marketing websites and any campaign-specific landing pages is governed by our Website Terms.

IMPORTANT (EU/UK): If you are located in the European Economic Area or the United Kingdom, Section 14 incorporates the 2021 Standard Contractual Clauses (Module 2: Controller → Processor) and the UK Addendum. The act of accepting these Terms constitutes execution of those clauses on your behalf.

1. Definitions

• “Service” – The cloud-based competency-assessment platform available at [DOMAIN.APP].
• “Subscriber” – The entity or person accepting these Terms and responsible for the account.
• “Authorized Users” – Subscriber’s employees or contractors permitted to administer Assessments through the Service.
• “Assessed Individuals” – candidates or employees who complete Assessments.
• “References / Respondents” – third parties invited by Subscriber or an Assessed Individual to provide assessment responses.
• “Recruiter Client” – An end-client to whom the Subscriber provides candidate reports generated through the Service.
• “Customer Data” – all Candidate Data plus assessment inputs, responses, compiled reports, consent status, consent timestamps, and submission status metadata, and any files or notes uploaded to the Service.
• “Candidate Data” – Personal data relating to Assessed Individuals or References processed in the Service.
• “Subscription Term” – The period stated on the Order Form or selected at self-signup.
• “Order Form” – any ordering document, checkout flow, or SOW specifying plan, seats, pricing, and term.

2. Account Creation & Age Gate

You represent and warrant that (a) you are at least 16 years old and acting solely in a business capacity; (b) the information you provide during signup is accurate; and (c) you have authority to bind the business named on the account. You must keep login credentials confidential, enable multi-factor authentication (MFA) when the feature is made available, and notify us immediately of any unauthorized use.

Subscriber is responsible for all activity conducted by Authorized Users under its account, including invitations sent to Assessed Individuals and References.

3. License Grant

Subject to payment of Fees, we grant you a non-exclusive, non-transferable, worldwide licence to access and use the Service during the Subscription Term for your internal recruitment and talent-assessment purposes.

4. Fees, Taxes & Refunds

Fees. Subscription Fees are charged in US dollars, unless selected otherwise at checkout, and are payable in advance.

Taxes. Prices exclude all applicable sales, VAT, GST, or similar taxes. If you supply a valid VAT or GST registration number for your billing country, the reverse-charge mechanism applies. If you fail to provide such number where required, we will charge tax and remit it via the EU Non-Union OSS or UK VAT scheme.

Refund Policy. Except as expressly stated in Section 9 (Service Levels) or required by law, Fees are non-refundable. Our detailed Refund Policy is available here and is incorporated by reference.

5. Intellectual Property

All intellectual-property rights in the Service, including software, documentation, and our competency catalogue, are owned by Company or its licensors. No rights are granted to Subscriber except as expressly stated herein.

Subscriber retains all rights, title, and interest in Customer Data. Company receives only the limited rights necessary to host, process, and display Customer Data to provide the Service as described in Section 6.

6. Data Protection & Privacy

Processor Relationship. Subscriber is the Data Controller for Customer Data. Company acts as a Data Processor / service provider, processing Customer Data only on Subscriber’s documented instructions to provide and secure the Service.

Subscriber Compliance Obligations. Subscriber represents and warrants that it has a lawful basis to collect, use, and share Customer Data with Company and to invite Assessed Individuals and References to participate in Assessments. Subscriber will provide all required notices and obtain all consents under applicable privacy, employment, and human-rights laws before submitting Customer Data to the Service or sending invitations.

Consent and participant notices. Subscriber will ensure that Assessed Individuals and References are presented with all required notices and, where the Service prompts for consent, Subscriber will not instruct Company to treat assessment responses as “submitted” or to disclose compiled reports unless the participant has provided the required consent within the Service.

Company Processing. Company will:

(a) process Customer Data solely to provide, maintain, and improve the Service;
(b) implement commercially reasonable technical and organisational safeguards; and
(c) use subprocessors only as listed in the Privacy Policy Annex A, subject to written DPAs.

De-Identified Analytics. Company may create and use aggregated or de-identified data derived from Customer Data to improve the Service, provided such data cannot reasonably identify any individual.

Privacy Policy. Processing details, retention, subprocessors, and data subject rights are described in our Privacy Policy, which is incorporated by reference.

7. Recruiter Client Sharing

You may disclose compiled reports to Recruiter Clients under your own controller responsibility. You must not publicly post Candidate Data or referee comments without explicit consent. Recruiter Clients have no rights to access the Service unless they create their own account.

Sharing scope and consent. Subscriber acknowledges that compiled reports are intended for use in hiring decisions and may be shared with Subscriber’s internal hiring stakeholders and Recruiter Clients, but only in accordance with applicable law and any participant consents captured through the Service. Subscriber is solely responsible for determining which recipients receive reports and for limiting access to authorized persons.

Subscriber is responsible for ensuring lawful sharing of reports with Recruiter Clients and for providing any required notices to Assessed Individuals and References.

8. Acceptable Use

You shall not (a) decompile or reverse-engineer the Service; (b) upload viruses; (c) use the Service to discriminate against candidates or violate employment laws; (d) allow use by minors under 16; or (e) attempt to circumvent or interfere with any AI-safety or security measure, including prompt-injection attacks, attempts to extract model parameters, or providing disallowed personal or sensitive data in AI-assist fields.

9. Service Levels & Credits

We target 99.9% monthly uptime for the core Service components we control. Downtime caused by (i) scheduled maintenance (with 48 hours’ notice), (ii) force-majeure events, or (iii) outages of third-party hosting providers outside our reasonable control does not count against this target.

10. Warranties & Disclaimers

The Service and AI-assisted features are provided “as is.” We do not warrant that the Service will be error-free or that its output will guarantee hiring success. Subscriber remains solely responsible for human review of assessment results and AI suggestions and for compliance with employment laws.

Company does not provide legal, HR, or employment advice, and does not make employment decisions on Subscriber’s behalf.

11. Indemnification

Subscriber will indemnify, defend, and hold harmless Company and its officers, directors, employees, and agents from and against any claims, damages, liabilities, fines, and expenses (including reasonable legal fees) arising out of or related to

(a) Subscriber’s collection, use, disclosure, or processing of Customer Data;
(b) invitations sent to Assessed Individuals or References, including any failure to provide required notices or obtain lawful consent;
(c) employment, hiring, promotion, or termination decisions made using or in connection with the Service;
(d) Subscriber’s breach of Section 6 (Data Protection & Privacy) or Section 8 (Acceptable Use); or
(e) any allegation that Subscriber-provided content or assessment responses are unlawful, discriminatory, defamatory, or infringe third-party rights.

Company will promptly notify Subscriber of any claim and reasonably cooperate at Subscriber’s expense.

12. Limitation of Liability

To the fullest extent allowed by law, Company’s aggregate liability shall not exceed the Fees paid by Subscriber in the 12 months preceding the claim. In no event shall either party be liable for indirect or consequential damages.

13. Term & Termination

Either party may terminate for Material Breach not remedied within 30 days after written notice.

“Material Breach” means: (a) failure to pay Fees within 15 days after the due date; (b) unauthorized disclosure, processing, or misuse of Candidate Data; (c) violation of Section 8 (Acceptable Use); or (d) any other breach that substantially frustrates the terminating party’s purpose in entering into these Terms.

Upon termination, Subscriber’s access ceases. Company will make Customer Data available for export for 30 days after termination upon request. After that period, Company will delete or anonymize Customer Data in accordance with the Privacy Policy, unless retention is required by law.

13.1 Account Deletion vs. Subscription Cancellation

Deleting your tenant account does not automatically cancel your active subscription or stop recurring billing. You must cancel your subscription separately before deleting your account. If you attempt to delete your account while an active subscription exists, you will be prompted to cancel the subscription first. Subscriber remains responsible for any subscription fees until the subscription is properly cancelled through the designated cancellation procedures.

14. Cross-Border Data Transfers – SCC Annex

The Standard Contractual Clauses Module 2 (Controller → Processor) adopted by Commission Implementing Decision (EU) 2021/914 and the UK Addendum are incorporated by reference and deemed executed as of the Effective Date.

The required SCC annexes (Annex I.A, Annex I.B, Annex II, and Annex III) are set out in the Data Processing Addendum (“DPA”) and Privacy Policy Annex A, which are incorporated into these Terms by reference.

In the event of any conflict, the SCCs and UK Addendum control for EU/UK transfers, followed by the DPA, and then these Terms.

15. Governing Law & Dispute Resolution

These Terms are governed by the laws of British Columbia, Canada, without regard to conflict-of-law rules. The parties consent to the exclusive jurisdiction of the courts of British Columbia.

16. Changes to Terms

We may update these Terms by posting a revised version and notifying you via email or in-app. Changes will take effect on the stated effective date. Continued use of the Service after that date constitutes acceptance.

17. Entire Agreement

Questions? Email privacyNoSpam@NoSpamtaluate.com

© 2025 Studio 1 Works, Inc.

Last updated: May 2, 2025

Fast-Facts Summary

Who? Studio 1 Works Inc. ("Taluate", "Company", "we", "our"), headquartered in British Columbia, Canada.

What? We collect recruiter account details, candidate and referee assessment data, telemetry, and payment information.

Why? To operate our assessment platform, improve hiring outcomes, comply with law, and run our business.

Where is your data stored? Bubble.io servers in the United States; encrypted in transit and at rest.

Your key rights: Access, correction, deletion, portability, objection/opt-out (plus "/Do Not Sell or Share" for California, additional portability for Québec).

Read the full policy below for the details or email privacyNoSpam@NoSpamtaluate.com with any questions.

Table of Contents

• Who We Are & Scope of This Policy
• The Personal Data We Collect
• How & Why We Use Your Personal Data (Lawful Bases)
• Cookies & Similar Tracking Technologies
• AI-Assisted Features
• How We Share Personal Data
• International Transfers
• Data Retention
• Your Privacy Rights & How to Exercise Them
• Security Measures
• Children
• Changes to This Policy
• Contact Us
• Annex A – SubProcessor List
• Annex B – Cookie Categories

1. Who We Are & Scope of This Policy

Studio 1 Works Inc., a corporation organized under the laws of British Columbia, provides a software-as-a-service platform (the "Service") that enables recruiters to build and conduct competency assessments for job candidates.

Hiring-use consent. If you are a candidate or referee, you will be asked in the Service to consent to (i) your information being used for the hiring process and (ii) your assessment responses being shared with the recruiting organization and, where applicable, the hiring manager(s) and/or the recruiter’s end-client (“Recruiter Client”). Unless and until you provide that consent, your assessment responses are not submitted as part of the hiring report.

This Privacy Policy applies to personal data processed through:
(a) our public marketing websites and pages (the “Website”) at vip.taluate.com, get.taluate.com, taluate.com;
(b) our competency-assessment application and related services (the “Service”) at app.taluate.com; and
(c) all related communications, including support, emails, and API calls.

If you are a recruiter, candidate, or referee using the Service, this Policy tells you how we handle your information. Separate commercial terms for the Service are set out in our Terms of Service, and Website use is governed by our Website Terms.

2. The Personal Data We Collect

We do not intentionally collect sensitive personal data (e.g., health, ethnicity, religion, political opinions). Please do not provide such data in free-text fields. If sensitive data is submitted, we may delete or redact it to protect data subjects, and Recruiters remain responsible for ensuring any collection is lawful and necessary.

3. How & Why We Use Your Personal Data (Lawful Bases)

*For Québec residents, processing relies on express consent or exceptions under Law 25; for California residents, purposes are as defined in CPRA §1798.140.

4. Cookies & Similar Tracking Technologies

We use Enzuzo to display a geo-aware consent banner. Cookies are grouped as:

• Strictly Necessary – session token, CSRF.
• Analytics – Google Analytics 4; stored for 14 months, IP truncated in the EU.
• Functional – remembers language preference.

You can withdraw consent at any time via the Cookie Settings link in the footer.

5. AI-Assisted Features

The Service offers optional text suggestions powered by large-language models provided by OpenAI or equivalent providers. These suggestions are:

• Reviewed by a human recruiter, referee, or candidate before use;
• Not used for automated decision-making with legal effect; and
• Filtered through Prompt Security to remove bias and personal identifiers.

We log prompts and responses for 30 days for security auditing.

6. How We Share Personal Data

We never sell personal data. We share it only with:

• Subprocessors listed in Annex A (e.g., Bubble, Stripe, Kintsugi, Google Analytics, OpenAI, Prompt Security);
• Recruiter customers (controller-to-controller relationship);
• Recruiter clients (controller-to-controller relationship);
• Authorities when required by law;
• A successor entity in case of merger or acquisition.

Consent before sharing. For candidates and referees, assessment responses are shared with the recruiter customer (and, if applicable, the hiring manager(s) and/or Recruiter Client) only after the participant provides the required consent in the Service. If a participant does not provide consent, their responses are not included in compiled reports or made available to the recruiter’s stakeholders.

Recruiters are responsible for ensuring they have a lawful basis to share reports with Recruiter Clients and for providing any required notices to candidates, employees, or references.

All subprocessors are bound by written DPAs and the 2021 Standard Contractual Clauses where applicable.

7. International Transfers

Personal data is stored on servers located in the United States. Transfers from the EU/EEA or UK are governed by:

• 2021 Standard Contractual Clauses, Module 2 (Controller → Processor); and
• the UK Addendum to the SCCs for UK transfers.

A Transfer Impact Assessment has concluded that encryption at rest/in transit and U.S. executive-order safeguards are designed to provide a comparable level of protection.

8. Data Retention

We maintain an immutable log of deletion requests (non-personal) for accountability.

9. Your Privacy Rights & How to Exercise Them

To exercise any right, email privacyNoSpam@NoSpamtaluate.com. We respond within 30 days (Law 25) or 45 days (CPRA).

10. Security Measures

• AES-256 encryption at rest, TLS 1.2+ in transit
• Role-based access control
• Annual penetration test and Bubble SOC 2 Type II report
• Data-processing records maintained under GDPR Art 30
• Privacy program reviewed annually against GDPR/UK GDPR principles

11. Children

Our Service is not directed to children under 16. We do not knowingly collect data from minors. If we become aware of such data, we will delete it promptly.

12. Changes to This Policy

We may update this Policy from time to time. Material changes will be notified by email or in-app. The “Last updated” date reflects the latest revision.

13. Contact Us

Privacy Officer
Studio 1 Works Inc.
777 Hornby Street
Vancouver, BC, Canada
Email: privacyNoSpam@NoSpamtaluate.com

If you are in the EU/UK and feel we have not resolved your concern, you may lodge a complaint with your local supervisory authority.

Annex A – SubProcessor List

We will provide at least 30 days’ notice before adding or replacing subprocessors that materially affect processing.

Annex B – Cookie Categories

• strictlyNecessaryCookies: session_id (expires: 24 h)
• analyticsCookies: _ga (Google Analytics, expires: 14 months)
• functionalCookies: locale_pref (expires: 12 months)

© 2025 Studio 1 Works, Inc. | All rights reserved.

Last updated: May 2, 2025

Under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), California residents have the right to opt out of the “sale” or “sharing” of their personal information for cross-context behavioral advertising.

Studio 1 Works Inc. (“Taluate”) does not sell or share personal information for advertising purposes. We provide this page so California residents can exercise their rights easily and so we remain transparent if our practices ever change.

This notice applies to personal information collected through both:

• our public marketing websites and pages (the “Website”); and
• our competency-assessment application and related services (the “Service”).

1 How to Submit an Opt-Out Request

You will not be charged or experience degraded service for exercising this right.

2 Verification & Scope

We verify requests using your email address and may ask for additional information (e.g., recent login IP) to prevent fraudulent opt-outs.

The opt-out applies prospectively. It does not require us to delete information processed before we received your request. To request deletion, use the “Erase My Data” option in My Profile.

3 Changes to This Notice

Questions? Email privacyNoSpam@NoSpamtaluate.com

© 2025 Studio 1 Works, Inc. | All rights reserved.

Last updated: May 2, 2025

This Cookie & Tracking Policy explains how Studio 1 Works Inc. (“Taluate,” “we,” or “us”) uses cookies and similar technologies when you visit www.taluate.com, app.taluate.com, or any website or service that links to this Policy (collectively, the “Sites”). It should be read together with our Privacy Policy.

This Policy applies to both:

• our public marketing websites and pages (the “Website”); and
• our competency-assessment application and related services (the “Service”).

1. What Are Cookies?

Cookies are small text files placed on your device that allow us to recognize your browser, store preferences, and maintain secure sessions. We also use browser storage, pixels, and device identifiers—together referred to as “cookies” in this Policy.

2. Why We Use Cookies

No cross-context behavioural advertising: We do not use adtech cookies or share data for targeted advertising.

3. Cookie Details

A full, autogenerated list is available in the Enzuzo banner under “Show Details.”

4. Consent Management

We deploy Enzuzo CMP to display a geo-aware consent banner.

• EU/EEA/UK visitors: Analytics cookies are blocked until you click “Allow selection” or “Allow all.” You can withdraw consent any time via the “Cookie Settings” link in the footer.
• California visitors: Our Sites include a “Do Not Sell or Share My Information” link that honors CPRA opt-out signals, including Global Privacy Control (GPC).

How to Change Your Settings Manually

You can also control cookies in your browser settings:

Chrome: Settings → Privacy & Security → Cookies and Site Data
Brave: Settings → Privacy & Security → Sites & Shields Settings
Firefox: Preferences → Privacy & Security → Cookies and Site Data
Safari: Preferences → Privacy → Manage Website Data
Edge: Settings → Cookies and Site Permissions

Blocking Strictly Necessary cookies may break core functionality.

5. Similar Technologies

We may also use:

• LocalStorage / SessionStorage for short-term caching (same categories & lawful bases as cookies).
• Server logs (IP address, device, user-agent) for security monitoring; retained 30 days under Legitimate Interest.
• Invisible reCAPTCHA (if enabled) to mitigate bots. When enabled, Google acts as a processor for this data and transfers are protected by the 2021 Standard Contractual Clauses Module 2 (Controller → Processor), where applicable.

6. Updates to This Policy

We may update this Policy to reflect legal or technical changes. Material changes will be announced via the banner or by email. The “Last updated” date indicates the most recent revision.

7. Contact Us

Questions about this Policy? Email privacyNoSpam@NoSpamtaluate.com or write to 777 Hornby Street, Vancouver, BC, Canada.

© 2025 Studio 1 Works, Inc. | All rights reserved.

Last updated: May 2, 2025

At Studio 1 Works Inc. (“Taluate”), we believe privacy is a fundamental right and a pillar of trust in the recruiting process. Although we are headquartered in Canada and host data in the United States, we design every feature of our competency-assessment platform to meet or exceed the standards of the European Union’s General Data Protection Regulation (GDPR) and the UK GDPR.

1 Lawful, Fair & Transparent Processing

• Purpose limitation: We collect only what is necessary to create, administer, and analyze competency assessments.
• Lawful bases: We rely on legitimate interests for recruitment, contract performance for platform delivery, and consent where required (e.g., optional longitudinal trend tracking).
• Layered transparency: We provide a plain-language Privacy Policy, Cookie & Tracking Policy, and in-app just-in-time notices.

2 Data Subject Rights by Design

• An in-app Privacy Portal enables recruiters, candidates, employees, and referees to request access, rectification, erasure, portability, restriction, or objection.
• Automated workflows cascade deletions across assessments, reference checks, compiled reports, logs, and AI prompt history.
• Requests are logged and fulfilled within 30 days (Law 25 Canada) or within GDPR/CPRA timelines (30/45 days).

3 Security & Confidentiality

• Data is encrypted in transit (TLS 1.2+) and at rest (AES-256) on Bubble.io.
• Multi-Factor Authentication (MFA) is available for all users and required for administrators.
• We undergo annual third-party penetration testing, monthly vulnerability scans, and rely on a SOC 2 Type II hosting provider.
• Confidential referee comments are shown to candidates only in anonymized form, protecting whistleblower identity under GDPR Art. 15(4).

4 International Transfers

All EU/UK personal data is transferred to the United States under:

• the 2021 Standard Contractual Clauses, Module 2 (Controller → Processor); and
• the UK Addendum to the SCCs for UK transfers.

A Transfer Impact Assessment confirms that our encryption measures and applicable U.S. redress mechanisms (including EO 14086 safeguards) are designed to provide a comparable level of protection to EU/UK standards.

5 Vendor & SubProcessor Governance

• We maintain written Data Processing Addenda (DPAs) with every subprocessor, including Bubble.io, Stripe, Kintsugi, Google Analytics 4, Zoho Campaigns, OpenAI, Prompt Security, and Enzuzo.
• Our subprocessor list is published in Annex A of our Privacy Policy and we notify customers at least 30 days in advance of any material changes.

6 Data Protection Impact Assessments (DPIA) & AI Oversight

• We have completed a DPIA for recruitment-related processing in a high-risk employment context and review it as our features evolve.
• AI-assist features pass prompts through bias-removal filters and always require human review; we do not use AI for automated scoring or employment decisions.
• We monitor EU AI Act obligations and will register the system in the EU high-risk AI database if/when required by the final scope and enforcement timeline.

7 Accountability & Governance

• A Privacy Officer is appointed in Vancouver and reports directly to the CEO.
• Records of Processing Activities (ROPA) are maintained under GDPR Art. 30.
• We conduct annual policy and training reviews to address new regulations.

8. Contact & Redress

Have a privacy concern or data‑subject request? Email privacyNoSpam@NoSpamtaluate.com or write to us at 777 Hornby Street, Vancouver, BC, Canada. EU/UK data subjects may lodge complaints with their local supervisory authority.

© 2025 Studio 1 Works, Inc. | All rights reserved.

Last updated: May 2, 2025

At Studio 1 Works Inc. (“Taluate”), artificial intelligence is a tool to assist humans—not replace them. Our competency-assessment platform uses AI exclusively to generate optional suggestions that help candidates, referees, and recruiters express feedback more clearly. We do not use AI for automated scoring, ranking, or hiring decisions.

1 Guiding Principles

Human Autonomy – Every AI suggestion requires human review, edit, and explicit save before it enters a report. No auto-publish.

Fairness & Non-Discrimination – Prompts and model outputs are filtered through bias-reduction rules and Prompt Security. We do not request or process sensitive attributes (race, health, religion, etc.).

Transparency – The “✨ AI-assist” (or similar) icon appears next to any field where suggestions are available, and a tooltip explains that a large-language model is involved.

Privacy by Design – Only the competency-comment text required to generate a suggestion is sent; full CVs or other free-form content are never transmitted.

AI prompts are filtered through Prompt Security to strip bias and personal identifiers before dispatch. Our AI providers are contractually prohibited from using our data to train their models and retain prompts only for abuse monitoring (up to 30 days).

Accountability – Logs of prompts and responses are retained for security auditing and can be surfaced in Data Subject Access Requests. A human reviewer can override or delete any AI output.

2 Model & Provider Details

Both providers are bound by written DPAs and the 2021 Standard Contractual Clauses Module 2 (Controller → Processor), and are listed in our Privacy Policy Annex A.

3 EU AI Act Alignment

Because our Service is used in an employment context, it is likely to be considered High-Risk under Annex III (Employment). We are preparing accordingly, even though our AI features are assistive only and do not make automated decisions.

We have completed a preliminary risk-management file, and will complete conformity assessment steps required by the EU AI Act before applicable enforcement milestones. We will register the system in the EU High-Risk AI Database and publish a risk-management summary if/when required by final scope.

4 Opt-Out & Feedback

Recruiters and account Administrators can disable AI suggestions per workspace.

End-users can flag problematic outputs via the “Report AI Issue” link next to each suggestion. Reports are reviewed within 72 hours.

5 Governance

We hold an annual AI ethics review with Engineering, Product, and Privacy teams.

Questions or concerns about our AI approach? Email aiNoSpam@NoSpamtaluate.com

© 2025 Studio 1 Works, Inc. | All rights reserved.

Last updated: May 2, 2025

This Refund Policy explains when Studio 1 Works Inc. (“Taluate”, “we”, “our”) issues refunds or account credits for subscriptions to the Taluate competency-assessment platform (the “Service”). It applies to all paid plans purchased after the Effective Date and should be read together with our Terms of Service / Subscription Agreement.

Trials first. Every regular-priced plan starts with a 14-day free trial—no card is charged—so you can evaluate the Service before paying.

1. Plan Types

Each subscription has a minimum of 2 seats for Agency/Company plans.

2. Monthly Plans

Cancel in-app under Account → Subscription → Manage Plan or email billingNoSpam@NoSpamtaluate.com.

3. Annual Plans

Annual Plans are billed annually in advance at a discounted rate and come with a two-seat minimum for Agency/Company plans. Our refund approach balances flexibility with fairness, especially for small and independent recruiting teams.

Refund Policy

3.1 Cancellation & Refunds

Clarification on mid-term annual cancellations: if you cancel an Annual Plan your subscription remains active through the end of the paid annual term, and will not renew at the next billing date unless you re-subscribe. No prorated refunds or credits apply.

Cash refunds are issued only in the scenarios above or where required by law.

Important: Account Deletion Does Not Cancel Subscriptions

Deleting your tenant account does not cancel your subscription or stop billing. You must cancel your subscription separately using the methods described in this policy before deleting your account. Failure to cancel your subscription prior to account deletion will not result in refunds for charges incurred during the active subscription term.

3.2 Seat Reduction (Agency/Company Plans Only)

You may reduce the number of seats once per 12-month subscription term, subject to a minimum of 2 seats per Agency/Company plan.

Seat reductions are permitted only at renewal time and are subject to a 2-seat minimum per Agency/Company plan. Reductions below this threshold require switching to a Recruiter plan.

3.3 Promotional Lifetime-Discount Seats (“Trailblazer”, etc.)

Seats purchased during limited-time promotional campaigns follow these rules:

• Additional seats added during the promotional window receive the same discounted price.
• Seats added after the promotion closes are billed at the promotional price associated with the subscription.
• Cancelled promotional seats are not eligible for prorated credits. Refunds are only available as outlined in Section 3.1.

Promotional pricing is granted on a per-subscription basis and remains in effect for the lifetime of the subscription, subject to cancellation.

14-Day Guarantee for Promotional Plans

Some promotional plans (including limited-time, early-access, or discounted offers) may be billed upfront. Promotional plans that are billed upfront do not include a free trial and are instead covered by a 14-day money-back guarantee.

If you cancel within 14 days of purchase, you’ll receive a full refund. After this period, no refunds or prorated credits are issued.

Promotional plans that include a free trial follow the standard trial terms described elsewhere in this Policy.

4. How to Request a Refund or Credit

Email us at billingNoSpam@NoSpamtaluate.com from the account owner’s address. Provide your subscription ID and reason (“cancellation”, “seat reduction”, “mistaken renewal”). We’ll confirm eligibility within 3 business days. Approved cash refunds post back to the original payment method within 10 business days (Stripe timelines may vary).

5. Jurisdiction-Specific Rights

These Terms are B2B-focused. If mandatory law grants you broader rights (e.g., EU consumer 14-day withdrawal for non-business purchasers), we will honor those rights even if they differ from this Policy.

6. Changes to This Policy

We may update this Policy from time to time. Material changes take effect 30 days after notice via email or in-app. Continued use of the Service after that date means you accept the revised terms.

Questions? Contact billingNoSpam@NoSpamtaluate.com or write to 777 Hornby Street, Vancouver, BC, Canada.

© 2025 Studio 1 Works, Inc. | All rights reserved.

Last updated: May 2, 2025

This Data Processing Addendum (“DPA”) forms part of the Terms of Service / Subscription Agreement (the “Agreement”) between Studio 1 Works Inc. (“Company,” “Processor,” “we,” “us”), and the entity entering into the Agreement (“Subscriber,” “Controller,” “you”).

This DPA applies to Company’s Processing of Personal Data on behalf of Subscriber in connection with the Service.

If there is any conflict between this DPA and the Agreement, this DPA controls with respect to data protection and Processing of Personal Data.

1. Definitions

Capitalized terms not defined here have the meaning in the Agreement or Privacy Policy.

• “Applicable Data Protection Law” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including GDPR, UK GDPR, the Swiss FADP, PIPEDA, Québec Law 25, and CPRA/CCPA where applicable.
• “Personal Data” means any information relating to an identified or identifiable natural person that Company Processes on Subscriber’s behalf.
• “Customer Data” has the meaning in the Agreement and includes Candidate Data, Reference data, assessment responses, compiled reports, and related metadata (including consent and submission status, and consent timestamps/logs).
• “Data Subject” means an Assessed Individual, Reference/Respondent, Authorized User, or any other individual whose Personal Data is Processed under the Agreement.
• “Processing” (and “Process”) has the meaning given in GDPR Article 4(2).
• “Subprocessor” means any third party engaged by Company to Process Personal Data on Subscriber’s behalf.

2. Roles and Scope of Processing

2.1 Controller and Processor. Subscriber is the Controller of Personal Data. Company acts as Processor and Processes Personal Data only on documented instructions from Subscriber, to provide and secure the Service.

2.2 Subscriber Instructions. Subscriber instructs Company to Process Personal Data as necessary to:

(a) host and operate the Service;
(b) enable creation, delivery, and analysis of competency assessments;
(c) generate compiled reports within the Service;

(d) record and apply participant consent and submission status (including consent timestamps/status flags) to control whether assessment responses are treated as submitted and included in compiled reports and made available to Subscriber and Subscriber-authorized recipients;
(e) provide support, prevent abuse, and maintain security; and
(f) perform de-identified/aggregated analytics to improve the Service, consistent with the Privacy Policy.

2.3 No Independent Purposes. Company will not Process Personal Data for its own independent purposes except where Personal Data has been de-identified or aggregated so it cannot reasonably identify a person.

3. Subscriber Obligations

3.1 Lawful Basis and Notices. Subscriber represents and warrants that it has a lawful basis to collect, use, and disclose Personal Data to Company and to invite Data Subjects to participate in assessments, including providing any required notices and obtaining consents under Applicable Data Protection Law and employment/human-rights law.

Subscriber acknowledges that the Service may require participants to provide consent before responses are included in compiled reports, and Subscriber remains responsible for ensuring the appropriate lawful basis and notices for its hiring use and onward disclosures.

3.2 Accuracy and Minimization. Subscriber is responsible for the accuracy, quality, and legality of Personal Data and must avoid submitting sensitive data in free-text fields unless lawful and necessary.

3.3 Controller Compliance. Subscriber is solely responsible for decisions made using the Service, including hiring, promotion, or termination decisions, and for complying with Applicable Data Protection Law in connection with those decisions.

4. Company (Processor) Obligations

4.1 Confidentiality. Company ensures that persons authorized to Process Personal Data are bound by confidentiality obligations.

4.2 Security. Company will implement and maintain appropriate technical and organizational measures (“TOMs”) designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. TOMs are described in Annex II.

4.3 Data Subject Requests. To the extent legally permitted, Company will promptly notify Subscriber if Company receives a request from a Data Subject to exercise rights. Company will reasonably assist Subscriber in fulfilling such requests.

4.4 Assistance. Company will provide reasonable assistance to Subscriber with:

(a) DPIAs and risk assessments where required;
(b) prior consultations with regulators; and
(c) compliance with security, breach notification, and transfer obligations.

4.5 Records. Company will maintain records of Processing activities as required by GDPR Article 30(2).

5. Subprocessors

5.1 Authorization. Subscriber provides a general authorization for Company to engage Subprocessors.

5.2 List. Current Subprocessors are listed in Annex A of the Privacy Policy, incorporated here by reference.

5.3 Flow-down. Company will enter into written agreements with Subprocessors that impose data-protection obligations no less protective than this DPA.

5.4 Change Notice. Company will provide at least 30 days’ notice before adding or replacing Subprocessors that materially affect Processing. Subscriber may object on reasonable data-protection grounds; if unresolved, Subscriber may terminate the affected Service without penalty.

6. International Transfers

6.1 Primary Hosting. Personal Data is hosted on servers located in the United States.

6.2 EEA/UK Transfers. Where Applicable Data Protection Law requires transfer safeguards, the parties agree that the 2021 EU Standard Contractual Clauses (Module 2: Controller → Processor) and the UK Addendum apply, incorporated in Annex III.

6.3 Order of Precedence. If there is a conflict between this DPA and the SCCs/UK Addendum, the SCCs/UK Addendum govern for the transfer.

7. Security Incidents & Breach Notification

7.1 Notification. Company will notify Subscriber without undue delay after becoming aware of a Personal Data breach affecting Customer Data, and will provide information reasonably required for Subscriber to meet legal breach-notification duties.

7.2 Mitigation. Company will take reasonable steps to contain, investigate, and remediate the breach.

8. Retention and Deletion

8.1 Term. Company will Process Personal Data for the duration of the Agreement unless otherwise required by law.

8.2 Return/Deletion. Upon termination or expiration, Company will make Customer Data available for export for 30 days after termination upon request. After that period, Company will delete or anonymize Personal Data in accordance with the Privacy Policy, unless retention is required by law.

9. Audits

9.1 Audit Rights. Subscriber may audit Company’s compliance with this DPA no more than once per year, on at least 30 days’ notice, during normal business hours.

9.2 Scope. Audits are limited to systems relevant to Customer Data and must not unreasonably interfere with Company operations or compromise other customers’ data.

9.3 Third-Party Reports. Company may satisfy audit requests by providing recent third-party security reports (e.g., SOC 2 Type II from hosting providers, penetration test summaries) where appropriate.

10. Liability

Liability under this DPA is subject to the limitations and exclusions in the Agreement.

Annex I — Details of Processing

A. Subject matter
Provision of a SaaS competency-assessment platform enabling recruiters/managers to invite candidates/employees and references to provide structured competency feedback and to generate compiled reports.

B. Duration
For the Subscription Term plus any export/deletion period.

C. Categories of Data Subjects

• Authorized Users (recruiters/managers)
• Assessed Individuals (candidates/employees)
• References / Respondents (invited third parties)

D. Categories of Personal Data

• Account Data: name, business email, role, login data
• Candidate/Employee Profile Data: identifiers, role history, assessment history
• Reference Profile Data: identifiers, relationship context
• Assessment Inputs/Responses: competency ratings, free-text comments, timestamps
• Consent & Submission Metadata: consent status, consent timestamp, submission state (e.g., draft/submitted), audit log references.
• Compiled Reports: aggregated scores/comments; recruiter narrative
• Telemetry: IP address, browser/device, usage logs
• AI-assist prompts/responses (pseudonymized; 30-day logs)

E. Special categories
Not intentionally collected. Subscriber must not submit special category data in free-text fields unless lawful and necessary.

F. Nature and purpose of Processing
Hosting, storing, transmitting, analyzing, and displaying Customer Data to provide the Service; security monitoring; support; de-identified analytics to improve the Service.

Annex II — Technical and Organizational Measures (TOMs)

Company maintains measures designed to protect Personal Data, including:

1. Encryption

• TLS 1.2+ in transit
• AES-256 at rest

2. Access Controls

• Role-based access
• Least privilege
• Admin-level MFA available/required

3. Operational Security

• Centralized logging and monitoring
• Security scanning
• Annual third-party penetration testing

4. Vendor Security

• SOC 2 Type II hosting provider (Bubble.io)
• DPAs with Subprocessors

5. Data Minimization & Isolation

• Prompt Security removes identifiers from AI prompts
• Customer data is processed within a shared, multi-tenant environment and protected through role-based access controls, tenant identifiers, and application-level authorization rules.

6. Incident Response

• Documented breach playbook
• Subscriber notification without undue delay

Annex III — Standard Contractual Clauses

The parties incorporate by reference:

• EU SCCs (2021/914) Module 2 (Controller → Processor)
• UK SCC Addendum

Annex III.A (Exporter/Importer):

• Data Exporter: Subscriber
• Data Importer: Studio 1 Works Inc.

Annex III.B (Transfer description):
As described in Annex I above.

Annex III.C (Subprocessors):
As listed in Privacy Policy Annex A.

Questions? Contact privacyNoSpam@NoSpamtaluate.com or write to 777 Hornby Street, Vancouver, BC, Canada.

© 2025 Studio 1 Works, Inc. | All rights reserved.

Last updated: May 2, 2025

This page is a plain-language summary of our Data Processing Addendum (DPA). The full DPA is incorporated into our Terms of Service and controls if there’s any inconsistency.

Quick Summary (1 minute)

• Who is who?
  Recruiter/Subscriber = Data Controller.
  Studio 1 Works / Taluate = Data Processor.
  We process personal data only to deliver and secure the Service.

• What data do we process?
  Candidate/employee profiles, reference/respondent details, assessment ratings/comments, compiled reports, and limited telemetry. We don’t intentionally collect sensitive data.

• Where is data hosted?
  On servers in the United States (Bubble.io infrastructure).

• How are international transfers protected?
  EU SCCs (2021) Module 2 (Controller → Processor) + UK Addendum.

• Do we use customer data to train AI?
  No. AI-assist prompts are filtered for identifiers and are not used to train third-party models. Prompts/responses are retained up to 30 days for abuse monitoring/security.

• Subprocessors?
  Listed in Annex A of our Privacy Policy. We give 30 days’ notice before material changes.

• What happens when a contract ends?
  You can export data for 30 days after termination; then we delete or anonymize it per our Privacy Policy unless law requires retention.

FAQ

1. Are you a controller or a processor?

We are a processor / service provider for identifiable Candidate and Reference data. You (the Recruiter/Subscriber) decide why and how the assessments are used, so you are the controller.

2. What counts as “Customer Data”?

Customer Data includes:

• candidate/employee profile info
• reference/respondent info
• assessment inputs and responses (scores + free text)
• compiled reports
• related timestamps/metadata
• AI-assist prompt text (pseudonymized)
• consent/submission status (e.g., consent timestamp/status flags)

3. Do you collect special category / sensitive data?

We do not intentionally collect sensitive attributes (health, ethnicity, political beliefs, etc.). We ask customers not to enter sensitive data in free-text fields, and we may redact/delete it if submitted accidentally.

4. What lawful basis do you rely on?

You determine the lawful basis for collecting and using assessment data. We process under your instructions to provide the Service. (Typical bases are legitimate interest/contract for recruitment, and consent where required for optional features.)

5. Where do you store data and who can access it?

Data is stored in the US on secure cloud infrastructure. Access is limited to authorized personnel under confidentiality obligations, using role-based access controls and audit logging.

6. How do you handle EU/UK transfers?

Transfers are covered by:

• EU Standard Contractual Clauses (2021) Module 2
• UK SCC Addendum

We also use encryption in transit and at rest.

7. What security measures do you have?

Highlights:

• TLS 1.2+ in transit, AES-256 at rest
• role-based access + least privilege
• MFA for admins (and available to all users)
• centralized monitoring, security scanning
• SOC 2 Type II hosting provider

Full technical/organizational measures are in Annex II of the DPA.

8. Which subprocessors do you use?

We use vetted vendors for hosting, payments, analytics, and AI-assist (e.g., Bubble, Stripe, Kintsugi, GA4, OpenAI, Prompt Security, Enzuzo, Zoho Campaigns, Loops.so).

The authoritative list is always Privacy Policy Annex A.

9. How will you notify us about subprocessor changes?

We give at least 30 days’ notice for any material addition/replacement. You can object on reasonable privacy grounds; if unresolved, you can terminate the affected Service without penalty.

10. How do data subject requests work?

If a candidate/employee/reference contacts us directly, we route the request to you. We support you in fulfilling access, deletion, correction, portability, or objection requests.

11. What happens at termination?

Upon termination:

1. access ends
2. you may export data for 30 days
3. after that, we delete/anonymize data per our retention rules unless legally required to keep it

12. Where can I read the full DPA?

13. When are assessment responses shared?

Responses are made available in compiled reports only after the participant provides the required in-Service consent (where enabled/required by the workflow). After that, the recruiter controls who the report is shared with as part of their hiring process.

Questions? Contact privacyNoSpam@NoSpamtaluate.com or write to 777 Hornby Street, Vancouver, BC, Canada.

© 2025 Studio 1 Works, Inc. | All rights reserved.