Operating across regions

The honest starting point

Data protection rules are not the same in every region. The EU has the GDPR. Saudi Arabia has the PDPL. The UAE, Qatar,

Bahrain, and others have their own frameworks. CCPA covers California. Most countries have at least something.

Talinty does not hold formal certifications under any of these frameworks today. We are building toward them deliberately. In the

meantime, this article describes what is in place and what your team is responsible for handling directly.

We say this in writing because the alternative (vague language that lets the reader assume more than is true) is worse for

everyone, including us. When you give us candidate data, you should know what you are working with.

What is in place today

The practices described in How Talinty handles your data apply regardless of region:

Encryption in transit and at rest as baseline.

Role-based access controls inside your workspace.

No third-party sale or sharing of candidate data.

No use of your candidate data to train AI models for other customers.

Deletion mechanics that purge candidate data from active systems on your request.

Logged actions for accountability.

These practices are consistent with what most data-protection frameworks require of a processor. They are not the same as

certification under any specific framework. The difference matters and we are not going to paper over it.

What your team is responsible for

You are the data controller for the candidates in your workspace. That role carries obligations the platform cannot meet for you.

The most common ones, briefly:

Lawful basis for collection. You need a legal basis for collecting candidate data in your jurisdiction. In most cases this is the

candidate's consent to your application process or your legitimate interest as a prospective employer. Confirm with your legal

counsel.

Notice to the candidate. You owe candidates a privacy notice explaining what you collect, why, how long you keep it, and how

they can exercise their rights. This notice is yours to draft and publish on your application flow or career page, not Talinty's.

Responding to candidate rights requests. When a candidate exercises a right (access, deletion, correction, objection, portability),

the response is your team's responsibility. Talinty provides the mechanics; you decide what to include, what to refuse, and how

to communicate it. The previous article covers the mechanics.

Cross-border transfers. If your team is in one country and your candidates are in another, the data may be transferred across

borders by the act of being in Talinty. Cross-border transfer rules vary by region. Your legal counsel is the right resource for

whether your specific situation needs anything (a data transfer agreement, candidate notification, a different consent flow).

What to do for an audit, RFP, or vendor review

When your security or legal team asks for documentation about Talinty's practices, two paths:

For practices already described. This help center category, the privacy notice on our marketing site, and our standard terms of

service together describe most of what a vendor review covers. If your team is happy with a help-center-level description, they

can stop here.

For anything beyond that. Contact us. We will share what we have in writing: a description of our security practices, our

subprocessor list, our incident response process, and any specific commitments we can make for your account. We will be

honest about what we do not yet have. The path is in Contacting Talinty support.

[Illustration: A simple two-column layout. Left column header "Talinty handles" with four short bullets (encryption, access

controls, deletion mechanics, action logs). Right column header "You handle" with four short bullets (lawful basis, candidate

notice, rights responses, cross-border review). A horizontal divider between them labeled "Shared responsibility". Forest

typography on Signal White. Talinty Green accent on the left header, Sage on the right.]

A note on regional features

Talinty offers right-to-left resume parsing for Arabic CVs and is built with multi-region hiring in mind. These are product

capabilities, not compliance attestations. The ability to parse an Arabic CV is not the same as certification under the KSA PDPL.

The ability to operate in the EU is not the same as a GDPR adequacy attestation.

Where we have the certifications, this help center will say so plainly. Today we do not, and this help center says so plainly. As

that changes, this article will be updated and the date of the update will be visible at the bottom of the page.