Data Processing Agreement

This Data Processing Addendum (“DPA”) amends and forms part of the written agreement between Customer and Confirm HR, Inc. (“Confirm”) (collectively, “the parties”) for the provision of services to Customer (the “Agreement”). This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.

1. 1.  Definitions

1.    1.1. In this DPA:

1. “Controller”, “Data Subject”, “Processing”, “Processor”, “Service Provider”, and “Supervisory Authority” have the meaning given to them in Data Protection Law (as defined below);
2. “Data Protection Law” means all data protection laws and regulations applicable to a party's processing of Customer’s data under the Agreement, including, where applicable: (i) EU/UK Data Protection Laws: (i.a) General Data Protection Regulation (EU 2016/679) (“GDPR”), (i.b) UK GDPR and Data Protection Act 2018, (i.c) all other Data Protection Laws of the European Union, the European Economic Area (“EEA”), and their respective Member States, Switzerland’s Swiss Federal Act on Data Protection, as revised (“FADP”), and the United Kingdom (“UK”), (ii) Non-EU Data Protection Laws: (ii.a) United States: all state laws relating to the protection and processing of personal data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act, (ii.b) Australia: Australian Privacy Principles and the Australian Privacy Act (1988), (ii.c) Brazil: Lei Geral de Proteção de Dados (General Personal Data Protection Act), (ii.d) Canada: Federal Personal Information Protection and Electronic Documents Act (PIPEDA), (ii.e) Israel: Protection of Privacy Law, (ii.f) Japan: Act on the Protection of Personal Information (“APPI"), (ii.g) Mexico: Federal Law for the Protection of Personal Data Held by Private Parties and its Regulations, (ii.h) Singapore: Personal Data Protection Act 2012 (“PDPA”), (ii.i) China: China’s Personal Information Protection Law (“PIPL“), (ii.j) Hong Kong: the Hong Kong's Personal Data (Privacy) Ordinance (Cap. 486) as amended in 2012 (“PDPO“), (iii) Any other applicable data protection laws;
3. “Data Subject Rights” means all rights granted to Data Subjects by Data Protection Law, such as the right to information, access, rectification, erasure, restriction, portability, objection, and not to be subject to automated individual decision-making;
4. “Restricted Data Transfer” means any international transfer of Personal Data that would be prohibited under Data Protection Law in the EEA or UK without implementation of additional safeguards such as Standard Contractual Clauses.
5. “Personnel” means any natural person acting under the authority of Confirm;
6. “Personal Data” means any information that constitutes “personal data” or “personal information” within the meaning of applicable Data Protection Law that Confirm may access in performing the Services under the Agreement.
7. “Personal Data Breach” means actual or reasonable degree of certainty of unauthorized destruction, loss, control, alteration, disclosure of, or access to, Personal Data for which Confirm is responsible. Personal Data Breaches do not include unsuccessful access attempts or attacks that do not compromise the confidentiality, integrity, or availability of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
8. “Sell” means to sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate Personal Information to a third party for monetary or other valuable consideration.
9. “Sensitive Data” means any type of Personal Data that is designated as a sensitive or special category of Personal Data, or otherwise subject to additional restrictions under Data Protection Law or other laws to which the Controller is subject;
10. “Services” means the services and/or products to be provided by Confirm to Customer under the Agreement. The Services shall also include any required, usual, appropriate or acceptable methods to perform activities related to the Services, including (a) carrying out the Services or the business of which the Services are a part, (b) carrying out any benefits, rights and obligations related to the Services, (c) maintaining records relating to the Services, and (d) complying with any legal or self-regulatory obligations related to the Services;
11. “Share” means to share, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate Personal Information to third parties for targeted advertising to an individual based on Personal Information obtained from the individual’s activity across non-affiliated or distinctly-branded websites, applications, or services.
12. “Subprocessor” means a Processor engaged by a Processor to carry out Processing on behalf of a Controller;
13. “Standard Contractual Clauses” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time; and‍
14. “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner for parties making restricted transfers.

1.     1.2. Capitalized terms used but not defined herein have the meaning given to them in the Agreement.

2.   Roles‍

1. If Data Protection Law applies to the Processing of Personal Data, the parties agree that Confirm shall process Personal Data only as a Processor acting on behalf of Customer and, with respect to CCPA and other applicable U.S. state privacy laws, as a service provider, in each case, regardless of whether Customer acts as a Controller or as a Processor on behalf of a third-party Controller with respect to Personal Data.

3.   Scope‍

1. This DPA applies to Processing of Personal Data by Confirm in the context of the Agreement.
2. The subject matter, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are set out in Annex I, which is an integral part of this DPA.

4.  Instructions

1. Confirm will only Process Personal Data to provide the Services (a) to Customer and (b) Customers’ employees at the employee’s request, as set out in the Agreement.
2. It is the parties’ intent that Confirm is a Service Provider, and Confirm certifies that it will not (a) Sell or Share Personal Data; (b) retain, use, or disclose the Personal Data for any purpose other than for the specific purpose of providing the Services under the Agreement, including retaining, using, or disclosing the personal information for a commercial purpose other than the provision of the Services; or (c) retain, use, or disclose the Personal Data to any person other than as necessary to provide the Services or outside of the direct business relationship between the parties.
3. Customer’s instructions are documented in Annex I, the Agreement, and any applicable statement of work.
4. Customer may issue additional instructions to Confirm as it deems necessary to comply with Data Protection Law. Such instructions must be provided to Confirm in writing and acknowledged in writing by Confirm as constituting instructions for purposes of this DPA, and Confirm may charge a reasonable fee to comply with any such additional instructions.

5.  Customer Responsibilities

1. Customer is responsible for the lawfulness of Personal Data processing under or in connection with the Services. Customer shall (i) have provided, and will continue to provide all notices and have obtained, and will continue to obtain, all consents, permissions and rights necessary under applicable Data Protection Law for Confirm to lawfully process Personal Data for the purposes contemplated by the Agreement (including this DPA); (ii) make appropriate use of the Services to ensure a level of security appropriate to the particular content of the Personal Data; (iii) have complied with all Data Protection Law applicable to the collection of Personal Data and the transfer of such Personal Data to Confirm and its Subprocessors; and (iv) ensure its processing instructions comply with applicable laws (including applicable Data Protection Law).

6.  Subprocessing

1. Confirm will provide to Customer prior written notice to engage Subprocessors. Customer hereby authorizes Confirm to engage the Subprocessors listed in Annex III.
2. Confirm will inform Customer at least thirty (30) days prior to any intended change of Subprocessor, thereby giving Customer the opportunity to object to such change. Customer may only object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection. Customer and Confirm will work together in good faith to address Customer’s objection.
3. Confirm will enter into a written agreement with all Subprocessors which imposes substantially similar obligations on the Subprocessors as this DPA imposes on Confirm.
4. To the extent required by law, Confirm will provide a copy of Confirm’s agreements with Subprocessors to Customer upon request. Confirm may redact commercially sensitive information before providing such agreements to Customer.

7.   Restricted Data Transfers

1. To the extent required by Data Protection Law, by agreeing to this DPA Customer and Confirm conclude module 2 (Controller-to-Processor) of the EEA Standard Contractual Clauses, which are hereby incorporated by reference and completed as follows: the “data exporter” is Customer; the “data importer” is Confirm; the optional docking clause in Clause 7 is implemented; Clause 9(a) option 1 is implemented and the time period therein is specified as thirty (30) days; the optional redress clause in Clause 11(a) is struck; Clause 13, (a) paragraph 2is implemented; Clause 17 option 1 is implemented and the governing law is the law of the Republic of Ireland; the court in Clause 18(b) are the Courts of the Republic of Ireland; Annex 1, 2 and 3 to module 2 of the Standard Contractual Clauses are Annex I, II and III to this DPA respectively.
2. To the extent required by Data Protection Law in the UK, by signing this DPA Customer and Confirm agree to be bound by the UK Addendum. Part 1, table 1 of the UK Addendum will be deemed to be completed like its equivalent provisions in the Standard Contractual Clauses (module 2) in Annex I, Section 1. For the purpose of Part 1, Table 2 of the UK Addendum, the Approved EU SCCs are the Standard Contractual Clauses (module 2) incorporated by reference into this DPA pursuant to Section 7.1 of this DPA. For the purpose of Part 1, Table 3, Annex 1, 2 and 3 to the Standard Contractual Clauses(module 2) are Annex I, II and III to this DPA respectively. For the purpose of Part 1, Table 4, the party that may end the UK Addendum in accordance with Section 19 of the UK Addendum is the importer. For the purposes of any transfers covered by the Data Protection Law in the UK, the Standard Contractual Clauses (module 2) will be deemed to be amended as set out in Part 2 of the UK Addendum.
3. For transfers of Personal Data, Confirm shall ensure that the recipient of the Personal Data is subject to a law or binding scheme that upholds principles for fair handling of the information that are substantially similar to the Data Protection Law applicable.
4. For transfers of Personal Data from China, Customer shall not provide Confirm with sensitive information that subjects Confirm to China's data localization requirements of the PIPL, including but not limited to being required to undergo a personal information protection certification conducted by a specialized body according to the provisions by the State cybersecurity and informatization department in China.

8.   Personnel

1. Confirm will take steps to ensure that all Personnel authorized to Process Personal Data agree to appropriate confidentiality arrangements.
2. Confirm will train Personnel regarding the protection of Personal Data.

‍

9.   Security and Personal Data Breaches

      9.1  Confirm will implement technical and organizational measures to protect Personal Data from Personal Data Breaches, such as:

1. encryption of Personal Data;
2. measures to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing;
3. measures to detect Personal Data Breaches in a timely manner;
4. measures to restore the availability and access to Personal Data in a timely manner in the event of an incident;
5. Processes for regularly testing, assessing and evaluating the effectiveness of the security measures; and
6. as appropriate, the measures listed in Annex II.

    9.2  Confirm will inform Customer without undue delay after becoming aware of a Personal Data Breach. Confirm will inform Customer to the extent possible, of the nature of the Personal Data Breach, the categories and number of Data Subjects, the categories and amount of Personal Data, the likely consequences of the Personal Data Breach, and the measures taken or proposed to be taken to address the Personal Data Breach and mitigate possible adverse effects.

     9.3  Confirm’s notification of or response to a Personal Data Breach under Section 9.2 will not be construed as an acknowledgment by Confirm of any fault or liability with respect to the Personal Data Breach.

     9.4  In the event of a Personal Data Breach, Customer is solely responsible for complying with all laws relating to investigation of such Personal Data Breaches and notification of affected individuals, regulators and other parties.

‍

10.  Assistance

      10.1  Confirm will reasonably assist Customer, including by implementing appropriate technical and organizational measures, with the fulfillment of Customer’s own obligations under Data Protection Law, including:

1. complying with Data Subjects’ requests to exercise Data Subject Rights;
2. replying to inquiries or complaints from Data Subjects;
3. replying to investigations and inquiries from Supervisory Authorities;
4. conducting data protection impact assessments, and prior consultations with Supervisory Authorities; and
5. notifying Personal Data Breaches.

      10.2   Confirm will reasonably assist Customer, including by implementing appropriate technical and organizational measures, with the fulfillment of Customer’s own obligations under Data Protection Law, including:

1. receives a request, complaint or other inquiry regarding the Processing of Personal Data from a Data Subject or Supervisory Authority;
2. receives a binding or non-binding request to disclose Personal Data from law enforcement, courts or any government body;
3. is subject to a legal obligation that requires Confirm to Process Personal Data in contravention of Customer’s instructions; or
4. is otherwise unable to comply with Data Protection Law or this DPA.

     10.3   Unless prohibited by Data Protection Law, Confirm will obtain Customer’s written authorization before responding to, or complying with any requests, orders, or legal obligations referred to in Section 10.2.

‍

11.  Records

1. Confirm will maintain records of all Processing of Personal Data, including at a minimum the categories of information required under Data Protection Law, and will provide a copy of such records to Customer upon request.
2. Confirm will inform Customer without undue delay if Confirm believes that a written instruction amending this DPA by Customer violates Data Protection Law, in which case Confirm may suspend the Processing until Customer has modified or confirmed the lawfulness of the instructions in writing.

‍

 12.  Audit

1. Upon Customer’s prior written request, and no more than once in a calendar year, Confirm will make available to Customer the required information reasonably necessary to demonstrate compliance with the obligations of Data Protection Law and this DPA.  Confirm shall provide additional information as reasonably necessary to allow for and contribute to audits, including inspections, conducted by a Supervisory Authority, Customer or another auditor mandated by law.
2. If a third party is to conduct the audit, Confirm may object to the auditor if the auditor is, in Confirm’s reasonable opinion, not suitably qualified or independent, a competitor of Confirm or otherwise manifestly unsuitable. Such objection by Confirm will require Customer to appoint another auditor or conduct the audit itself.
3. The audit must be conducted during regular business hours at the applicable facility, subject to an audit plan agreed to between the parties at least two weeks in advance and Confirm’s health and safety or other relevant policies and may not unreasonably interfere with Confirm’s business activities.
4. If Customer’s requested audit scope is addressed in an SSAE 16/ISAE3402 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request and Confirm confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
5. Any Customer-requested audits are at Customer’s expense. Customer shall reimburse Confirm for any time expended by Confirm or its Subprocessors in connection with any Customer-requested audits or inspections at Confirm’s then-current professional services rates, which shall be made available to Customer upon request.
6. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA. The audit reports are confidential information of the parties under the terms of the Agreement.

‍

13.  Liability

1. The total combined liability of either party and its Affiliates towards the other party and its Affiliates, whether in contract, tort or any other theory of liability, under or in connection with Agreement and this DPA combined, will be limited to limitations on liability or other liability caps agreed to by the parties in the Agreement.

‍

14.  Confidentiality

1. Confirm will keep all Personal Data and all information relating to the Processing thereof, in strict confidence.

‍

15.  Analytics

1. Customer acknowledges and agrees that Confirm may create and derive from Processing related to the Services anonymized and/or aggregated data that does not identify Customer or any natural person, and use, publicize or share with third parties such data to improve Confirm’s products and services and for its other legitimate business purposes.

‍

16.  Notifications

1. Confirm will make all notifications required under this DPA as agreed to in the Agreement or the then established daily point of contact with the Customer.

‍

17.  Term and Duration of Processing

1. On expiration or termination of the Agreement, or upon written request from Customer at anytime, Confirm will, as soon as reasonably practicable, return or securely delete and destroy all Personal Data in Confirm’s possession or control, except as otherwise required by law or set out in the Agreement. Upon request from Customer, Confirm will certify such secure deletion in writing within thirty (30) days of Customer’s request.

‍

18.  Modification of this DPA

1. This DPA may only be modified by a written amendment signed by both Customer and Confirm.

‍

19.  Invalidity and Severability

1. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

‍ANNEX I

A. LIST OF PARTIES

Customer is the Controller and the data exporter and Confirm is the Processor and the data importer.

B. DESCRIPTION OF TRANSFER

Subject Matter: Confirm’s provision of the Services to Customer.

Duration of the Processing: For the term of the Agreement and as required under applicable law.

Nature and Purpose of the Processing: Confirm will process Customer Personal Data for the purposes of providing the Services to Customer in accordance with the DPA.

Frequency of the Processing: Continuous

Categories of Data: Data relating to individuals provided to Confirm in connection with the Services, by (or at the direction of) Customer, including: first and last name, email address, company, occupation, and employee’s performance review files.

Sensitive Data Processed: The Services are not intended to Process special categories of data unless otherwise agreed to in assigned amendment to this Annex.

Subjects: Customers’ authorized users of the Services which include Customer’s employees, contractors and affiliates, as well as Customer’s employees.

‍C. COMPETENT SUPERVISORY AUTHORITY

Where the EU GDPR applies, the competent authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses. Where the UK GDPR applies, the competent authority shall be the UK Information Commissioner's Office.

‍

ANNEX II

Confirm shall implement and maintain the controls listed in this Annex II in accordance with industry standards generally accepted by information security professionals as necessary to reasonably protect Personal Data during storage, processing and transmission.

Physical access control

Technical and organizational measures to prevent unauthorized persons from gaining access to the data Processing systems available in premises and facilities (including databases, application servers and related hardware), where Personal Data are Processed, include: (a) establishing security areas, restriction of access paths; (b) establishing access authorizations for employees and third parties; (c) access control system (ID reader, magnetic card, chip card); (d) key management, card-keys procedures; (e) door locking (electric door openers etc.); (f) security staff, janitors; (g) surveillance facilities, video/CCTV monitor, alarm system; and (h) Securing decentralized data Processing equipment and personal computers.

Virtual access control

Technical and organizational measures to prevent data Processing systems from being used by unauthorized persons include: (a) user identification and authentication procedures; (b) ID/password security procedures (special characters, minimum length, change of password); (c) automatic blocking (e.g. password or timeout); (d) monitoring of break-in-attempts and automatic turn-off of the user ID upon several erroneous passwords attempts; (e) creation of one master record per user, user-master data procedures per data Processing environment; and (f) encryption of archived data media.

Data access control

Technical and organizational measures to ensure that persons entitled to use a data Processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, include: (a) internal policies and procedures; (b) control authorization schemes; (c) differentiated access rights (profiles, roles, transactions and objects); (d) monitoring and logging of accesses; (e) disciplinary action against employees who access Personal Data without authorization; (f) reports of access; (g) access procedure; (h) change procedure; (i) deletion procedure; and (j) encryption.

Disclosure control

Technical and organizational measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, include: (a) encryption/tunneling; (b) logging; and (c) transport security.

Entry control

Technical and organizational measures to monitor whether Personal Data have been entered, changed or removed (deleted), and by whom, from data Processing systems, include: (a) logging and reporting systems; and (b) audit trails and documentation.

Control of instructions

Technical and organizational measures to ensure that Personal Data are Processed solely in accordance with the instructions of the Controller include: (a) unambiguous wording of the contract; (b) formal commissioning (request form); and (c) criteria for selecting the Processor.

Availability control

Technical and organizational measures to ensure that Personal Data are protected against accidental destruction or loss (physical/logical) include: (a) backup procedures; (b) mirroring of hard disks (e.g. RAID technology); (c) uninterruptible power supply (UPS); (d) remote storage; (e) antivirus/firewall systems; and (f) disaster recovery plan.

Separation control

Technical and organizational measures to ensure that Personal Data collected for different purposes can be Processed separately include: (a) separation of databases; (b) “internal client” concept / limitation of use; (c) segregation of functions (production/testing); and (d) procedures for storage, amendment, deletion, transmission of data for different purposes.

‍

ANNEX III

List of Subprocessors

Customer authorizes Confirm to engage the following Subprocessors:

Sub-processors in production environment

‍