These Terms of Service ("Terms") govern access to and use of the Provider's SaaS application supporting recruitment and candidate evaluation ("Platform", "Service") provided to business customers under the Early Adopters / Beta Program ("Beta Program"). By creating an account, clicking "I agree", or using the Service, the Customer agrees to these Terms and the Data Processing Agreement in Appendix 1 ("DPA").

1. Definitions

2. Scope of Service

2.1 What the Platform does

The Platform supports recruitment by analyzing Candidate Profiles and Customer's job requirements to generate Reports and Recommendations (including match scores). Outputs are decision-support only.

2.2 No candidate access

The Platform is provided only to Customers and their Users. Candidates do not receive access, accounts, or dashboards.

2.3 Business customers only

The Service is available only to businesses (including sole traders).

2.4 Continuous development

The Platform is under active development; features may change, be unstable, or be removed. Provider may update the Platform at any time.

3. Beta Program (Early Adopters) – Free Access

3.1 Free access; no SLA

Access is provided free of charge for the Beta Program. The Beta Program is provided "AS IS" and without any service level commitments.

3.2 Duration

The Beta Program runs for 3 months from Account activation unless ended earlier by Provider.

3.3 Termination by Provider

Provider may end or suspend the Beta Program or any Customer's participation at any time (with or without cause), including to protect security, compliance, or Platform integrity.

3.4 Data export window

Following termination or end of Beta, Customer may request an export of Customer Data within 30 days. After that period, Provider may delete Customer Data in accordance with the DPA and Section 10.

4. Data protection roles and responsibilities

4.1 Roles

For Candidate Personal Data:

• Customer is the Controller.
• Provider is the Processor and processes Personal Data only on documented instructions of the Customer as described in these Terms and the DPA.

4.2 Customer obligations (Controller)

Customer represents and warrants that it:

• has a valid legal basis to collect and process Candidate Personal Data and to provide it to Provider,
• provides required notices to Candidates (including information about AI-supported evaluation where required),
• ensures that hiring decisions are made with human oversight,
• complies with laws relating to recruitment, discrimination, and employment.

4.3 No special category data

The Platform is not intended for processing special category data (GDPR Art. 9) or criminal-offence data (GDPR Art. 10). Customer shall not upload such data. If Customer does, Customer is solely responsible for legal basis and notices.

4.4 Data Processing Agreement

The DPA in Appendix 1 applies and is incorporated into these Terms. If there is a conflict between the DPA and these Terms on data protection topics, the DPA prevails.

5. AI use and human oversight

5.1 Advisory only; no automated decisions

Reports and Recommendations are advisory. The Platform does not make hiring decisions. Customer must ensure that:

• a human reviews outputs before making decisions,
• outputs are not used as the sole basis for final decisions producing legal or similarly significant effects.

5.2 Limitations of AI

AI outputs may be incomplete, inaccurate, or biased. Customer is responsible for verifying outputs and using them appropriately.

5.3 Transparency to Candidates

Customer is responsible for providing Candidates with any legally required information about profiling/AI-assisted evaluation and for handling Candidate requests/objections.

6. Account and acceptable use

6.1 Registration and security

Customer must ensure that Users:

• keep credentials secure,
• use strong passwords,
• access the Platform only within their authorization.

6.2 Prohibited uses

Customer must not:

• reverse engineer or attempt to extract models, code, or underlying logic,
• use the Platform to unlawfully discriminate or violate employment laws,
• upload illegal content or data not permitted under Section 4.3,
• interfere with the Platform, probe security, or overload systems.

6.3 Suspension

Provider may suspend Accounts for breaches, suspected security incidents, or legal/compliance risks.

7. Intellectual property

7.1 Provider IP

Provider owns all rights in the Platform, including software, models, and documentation. Customer receives a limited, revocable right to use the Platform during the Beta Program for internal recruitment purposes.

7.2 Customer Data

Customer retains ownership of Customer Data. Provider may process Customer Data to provide the Service.

7.3 Feedback

Customer grants Provider a perpetual, worldwide, royalty-free right to use feedback to improve the Platform.

8. Confidentiality

Each party will keep the other's confidential information confidential and use it only as needed to perform under these Terms. Provider's Platform, non-public features, and documentation are Provider confidential information.

9. Warranties and disclaimers (Beta)

9.1 AS IS

THE PLATFORM IS PROVIDED "AS IS" AND "AS AVAILABLE". PROVIDER DISCLAIMS ALL WARRANTIES TO THE MAXIMUM EXTENT PERMITTED BY LAW, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

9.2 No guarantee

Provider does not guarantee uptime, availability, accuracy of outputs, or suitability for Customer's purposes.

10. Liability

10.1 No liability for hiring decisions

Customer is solely responsible for recruitment decisions. Provider is not responsible for business outcomes or hiring decisions made by Customer.

10.2 Limitation of liability

To the maximum extent permitted by law, Provider is not liable for indirect, consequential, special, or punitive damages, including loss of profits, revenue, goodwill, or data.

11. Term and termination

11.1 Term

These Terms start when Customer accepts them and continue until ended by Customer or Provider.

11.2 Termination

Either party may terminate participation at any time by notice (email sufficient). Provider may terminate immediately for cause.

12. Changes to the Terms

Provider may update these Terms. Provider will notify Customer via email or in-app notice. Continued use after the effective date means acceptance. If Customer does not agree, it must stop using the Platform and may terminate.

13. Governing law and jurisdiction

Polish law applies. Disputes shall be resolved by courts competent for Provider's registered office, unless mandatory law provides otherwise.

14. Contact

Email: info@3of100.tech
Company: 3 of 100 P.S.A., NIP 7162849841
Address: ul. Ignacego Mościckiego 1, 24-110 Puławy

APPENDIX 1 – DATA PROCESSING AGREEMENT (DPA)

This DPA forms part of the Terms and is entered into between:

1. Customer – the Controller; and
2. 3 of 100 P.S.A. – the Processor.

1. Subject matter and duration

Processor processes Personal Data solely to provide the Service. Processing lasts for the term of the Terms plus limited backup retention as described in Section 9.

2. Nature and purpose of processing

Processing includes storage, structuring, analysis, retrieval, transmission, and deletion as needed to:

• provide recruitment support and profile analysis,
• maintain security and reliability,
• provide support,
• comply with legal obligations.

3. Categories of data and data subjects

3.1 Data subjects

• job Candidates,
• Customer Users,
• other individuals whose data Customer uploads.

3.2 Personal Data types

• identity and contact data,
• employment/education history, skills, qualifications,
• AI-generated match scores and recommendations linked to Candidates,
• technical logs necessary for security.

Special category data is not required. Customer must not upload it.

4. Controller obligations

Controller warrants it:

• has a valid legal basis and provides required notices,
• ensures lawful profiling and human oversight,
• issues lawful documented instructions.

5. Processor obligations

Processor shall:

• process Personal Data only on documented instructions,
• ensure confidentiality,
• implement security measures (Section 7),
• assist with data subject rights and DPIAs to the extent reasonably possible,
• notify breaches per Section 10,
• delete or return data per Section 9,
• make compliance information available per Section 11.

6. Sub-processors

6.1 General authorization

Controller grants general authorization to use Sub-processors.

6.2 Current Sub-processors

• AWS (hosting, storage, infrastructure; EU region where configured)
• OpenRouter / LLM providers via OpenRouter – only on anonymized data (see Section 8)

6.3 Notice and objection

Processor will notify Controller of material Sub-processor changes. Controller may object on reasonable data protection grounds within 14 days. If unresolved, Controller may terminate the Service.

7. Security measures

Processor implements appropriate measures including:

• role-based access controls,
• encryption in transit (TLS) and at rest where applicable,
• logging/monitoring,
• backups and disaster recovery,
• vulnerability management,
• incident response,
• tenant separation.

8. Anonymized data and LLM use

8.1 Anonymization

Before sending any content to LLM processing, Processor will remove direct identifiers (e.g., name, email, phone) and apply measures intended to prevent identification of the Candidate.

8.2 Scope limitation

Processor will use LLMs only for anonymized data and will not intentionally send Candidate identifiers or special category data.

8.3 Residual risk

Controller acknowledges that no anonymization is perfect. Processor applies reasonable safeguards to reduce re-identification risk.

9. Data return and deletion

Upon termination:

• Controller may request export within 30 days.
• Processor deletes Personal Data from active systems after the export window, except:
  • anonymized/aggregated data,
  • data required by law,
  • limited backup retention for a reasonable technical period.

10. Personal Data Breaches

Processor will notify Controller without undue delay and, where feasible, within 72 hours of becoming aware, providing required information.

11. Audits

Processor will provide reasonable documentation and cooperation to verify compliance no more than once per year, on reasonable notice, subject to confidentiality.

12. International transfers

Where Personal Data is transferred outside the EEA, Processor ensures appropriate safeguards (e.g., SCCs and supplementary measures where required).

13. Liability

Each party is responsible for GDPR compliance in its own scope. Processor liability is limited as permitted under the Terms, except where mandatory law provides otherwise.

14. Governing law

Polish law applies. If conflict, this DPA prevails on data protection matters.