Data Processor Agreement
This Data Processing Agreement (the “DPA”) is between Customer (“Controller”) and the supplier identified below (“Data Processor”) (each a “party”, together the “parties”).
Agreed and accepted
A. Company is a controller of certain personal data (as described in Annex A) and wishes to appoint Supplier as a processor to process this personal data on its behalf in connection with Supplier’s performance of an Entelo Subscription Agreement signed by and between the parties (the “Master Services Agreement”).
B. The parties have entered into this Agreement to ensure that Supplier conducts such data processing in accordance with Company’s instructions and Applicable Data Protection Law requirements, and with full respect for the fundamental data protection rights of the data subjects whose personal data will be processed.
C. Supplier further acknowledges that Company has self-certified its compliance to the EU-US Privacy Shield framework and pursuant to the Privacy Shield is required to flow down certain Privacy Shield data protection requirements to Supplier under this Agreement.
1. Definitions and interpretation
1.1. Definitions: In this Agreement, the following terms shall have the following meanings:
(a) “Applicable Data Protection Law” shall mean all worldwide data protection and privacy laws and regulations applicable to the personal data in question, including, where applicable, EU Data Protection Law.
(b) “controller”, “processor”, “data subject”, “personal data” and “processing” (and “process”) shall have the meanings given in Applicable Data Protection Law.
(c) “EU Data Protection Law” shall mean: (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, including any applicable national implementation of it; and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(d) “Master Services Agreement” shall have the meaning given in paragraph A of the Introduction to this Agreement.
(e) “Privacy Shield” means the EU-US Privacy Shield self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of July 12, 2016.
1.2. Interpretation: Capitalized terms used but not defined in this Agreement shall have the meanings given in the Master Services Agreement.
2. Data Protection
2.1. Relationship of the parties: Company (the controller) appoints Supplier as a processor to process the personal data described in Annex A that is the subject of the Master Services Agreement (the “Data”). Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
2.2. Purpose limitation: Supplier shall process the Data as a processor only for the purposes described in Annex A as necessary to perform its obligations under the Master Services Agreement and strictly in accordance with the documented instructions of Company (the “Permitted Purpose”), except where otherwise required by any EU (or any EU Member State) law applicable to Supplier. In no event shall Supplier process the Data for its own purposes or those of any third party.
2.3. International transfers: Supplier shall not transfer the Data (nor permit the Data to be transferred) outside of the European Economic Area (“EEA”) or the United States unless (i) it has first obtained Company’s prior written consent (for example, as evidenced at Annex C); and (ii) it takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, to a recipient in the United States that has certified its compliance with the EU-US Privacy Shield, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
2.4. Confidentiality of processing: Supplier shall ensure that any person that it authorises to process the Data (including Supplier’s staff, agents and subcontractors) (an “Authorised Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the Data who is not under such a duty of confidentiality. Supplier shall ensure that all Authorised Persons process the Data only as necessary for the Permitted Purpose.
2.5. Security: Supplier shall implement appropriate administrative, physical, technical and organisational measures (“Security Measures”) to protect the Data (i) from accidental or unlawful destruction, and (ii) from loss, alteration, unauthorised disclosure of, or access to the Data (a “Security Incident”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
At a minimum, such Security Measures shall include the measures identified in Annex B.
2.6. Subprocessing: Supplier shall not subcontract any processing of the Data to a third party subprocessor without the prior written consent of Company. A list of approved subprocessors as at the date of this Agreement is attached at Annex C, and Supplier shall maintain and provide updated copies of this list to Company when it adds or removes subprocessors in accordance with this Clause. If Company refuses to consent to Supplier’s appointment of a third party subprocessor on reasonable grounds relating to the protection of the Data, then either Supplier will not appoint the subprocessor or Company may elect to suspend or terminate this Agreement and the Master Services Agreement without penalty.
2.7. Cooperation and data subjects’ rights: Supplier shall provide all reasonable and timely assistance (including by appropriate technical and organisational measures) to Company (at its own expense) to enable Company to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Supplier, Supplier shall promptly inform Company providing full details of the same.
2.8. Data Protection Impact Assessment: If Supplier believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform Company and provide Company with all such reasonable and timely assistance as Company may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.
2.9. Security incidents: Upon becoming aware of a Security Incident, Supplier shall inform Company without undue delay and shall provide all such timely information and cooperation as Company may require in order for Company to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. Supplier shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Company informed of all developments in connection with the Security Incident.
2.10. Deletion or return of Data: Upon termination or expiry of this Agreement, Supplier shall (at Company’s election) destroy or return to Company all Data (including all copies of the Data) in its possession or control (including any Data subcontracted to a third party for processing). This requirement shall not apply to the extent that Supplier is required by any EU (or any EU Member State) law to retain some or all of the Data, in which event Supplier shall isolate and protect the Data from any further processing except to the extent required by such law.
2.11. Audit: Supplier has and will maintain commercially reasonable internal security controls and auditing procedures to audit its controls. On request from Company, Supplier will provide summaries of previous audit results. Once in a rolling 12-month period, or following a Security Incident, Supplier will permit Company or its auditor to conduct an audit of Supplier to verify Supplier’s compliance with this DPA, at Company’s expense (“Audit”). If Company elects, Company or its auditor may conduct the Audit by reviewing the Supplier’s privacy- or security-related certificate (for example, ISO 27001). Company and Supplier will agree in advance on reasonable timing, scope, and security controls applicable to the Audit (including restricting access to Supplier’s trade secrets and data belonging to Supplier’s other customers). If the Security Incident is caused by Company then Supplier may charge Company a reasonable fee for the Audit if Supplier documents the basis and calculation of the fee in advance. If Company provides Supplier with notice of a security deficiency (detected through tests or audits performed under this section or otherwise), Supplier will remediate the deficiency as appropriate, within a reasonable timeframe.
3. Privacy Shield
3.1. During the Term of the Master Services Agreement, Supplier is, and will remain, a certified member of the EU-US Privacy Shield under a registration (“Registration”) and shall maintain the Registration. Supplier adheres to, and shall continue to comply with, the Privacy Shield Principles with respect to the transfers or access of any Personal Information from the EU to the United States under this Agreement. If Supplier’s Registration expires, lapses, or is revoked (each a “Notifiable Event”) then it shall notify Customer in writing as soon as possible and, if directed to do so by Customer, shall stop processing Data promptly after the occurrence of any Notifiable Event. Where a Notifiable Event occurs, or should Privacy Shield otherwise cease to provide a valid legal basis to transfer personal data to the United States, Supplier shall (upon the direction of Customer) enter into the model contract for the transfer of personal data to processors in third countries as set out under European Commission Decision 2010/87/EU of 5 February 2010 (“Model Clauses”) and/or any amending or superseding legislation in order to ensure an adequate level of protection with respect to the privacy rights of individuals.
3.2. Supplier acknowledges that Company may disclose this Agreement to the US Department of Commerce, the Federal Trade Commission, any European data protection authority, or any other US or EU judicial or regulatory body upon their request and that any such disclosure shall not be deemed a breach of confidentiality.
This Agreement shall be governed by, and construed in accordance with, the law of the State of California, USA, and the courts located in San Francisco County, California shall have exclusive jurisdiction to hear any dispute or other issue arising out of, or in connection with, this Agreement, except where otherwise required by Applicable Data Protection Law.
Signed by the parties or their duly authorised representatives:
Signed for and on behalf of Entelo, Inc.
Signed for and on behalf of Company
Data Processing Description
This Annex A forms part of the Agreement and describes the processing that the processor will perform on behalf of the controller.
The controller is (please specify briefly the controller’s activities relevant to the processing):
Customer as identified on attached Data Processing Agreement
The processor is (please specify briefly the processor’s activities relevant to the transfer):
Entelo, Inc., a Delaware corporation (“Supplier”)
The personal data to be processed concern the following categories of data subjects (please specify):
• data subjects are talent recruiting team employees of data exporter and job candidates of data exporter
Categories of data
The personal data to be processed concern the following categories of data (please specify):
• Personal identification and contact details: names and email addresses of Users (as defined in the Master Services Agreement) who are granted access to the Entelo Services by Customer
• Digital device profile: IP addresses of these Users which may indicate locational data for each User
• Other categories of data related to the personal information of the User or job candidate. These categories of data are contained in: (a) comments created by Users and uploaded to the Entelo Services by Users and (b) email messages written by Users and delivered over the Entelo platform. Comments and email content may be of any nature permitted under the Entelo Service Agreement with Customer, but typically relate to the suitability of a job candidate for Customer.
Special categories of data (if appropriate)
The personal data to be processed concern the following special categories of data (please specify):
The personal data will be subject to the following basic processing activities (please specify):
• To authenticate and provide access control
• To send / receive communication on behalf of the Users
• To report on activities
• To tag and export data to ATS / other recruiting tools.
• To perform back up and restore
• To review product usage, customer success and troubleshooting
The personal data will be stored and processed only in order to provide the services described in the Master Services Agreement for the benefit of the Controller.
Minimum Security Measures
Minimum Security Measures shall include an information security program that safeguards Company Data and Company confidential information. Such Security Measures must include:
(a) strict logical or physical separation between Company Data and Company confidential information, Supplier’s own data and data of other customers of Supplier;
(b) maintaining industry-standard perimeter protection for Supplier’s network and devices connected thereto (“Supplier’s System”);
(c) applying, as soon as practicable, patches or other controls to Supplier’s System that effectively address actual or potential code-based security vulnerabilities;
(d) employing commercially reasonable efforts to ensure that Supplier’s System remains free of security vulnerabilities, viruses, malware, and other harmful code;
(e) employing commercially reasonable efforts to practice safe coding standards and practices which address common application security vulnerabilities;
(f) providing appropriate education and training to Supplier employees and workers regarding these Security Measures and ensuring that those individuals are bound by confidentiality obligations;
(g) accessing or transferring Company Data or Company confidential information to or from Company systems only in a secure and confidential manner, including complying with specific security provisions and procedures set forth by Company in advance in writing; and
(h) limiting Supplier employee/agent/subcontractor access to Supplier’s network, systems, devices and facilities to those with a need for such access, and whose access privileges shall be revoked promptly upon their termination.
Supplier shall provide to Company an individual point of contact for security purposes, and shall update this information from time to time as necessary.