Data Processing Addendum
Effective Date: August 31, 2019
Last Updated Date: August 31, 2019
- The customer agreeing to these terms (“Customer”) has entered into an agreement with RecruitBot (the “Agreement”, as amended) under which RecruitBot has agreed to provide Services to Customer.
- This Data Processing Addendum (“DPA”), including its annexes, will be effective and replace any previously applicable data processing and security terms as of the Addendum Effective Date (as defined below).
- This DPA is incorporated into and forms part of the Agreement.
For purposes of this DPA, the terms below have the meanings set forth below. Capitalized terms that are used but not defined in this DPA have the meanings given in the Agreement.
- Addendum Effective Date means the date on which the parties agreed to this DPA.
- Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.
- Applicable Data Protection Laws means European Data Protection Laws, and as of its effective date, the CCPA, in each case, to the extent applicable to the relevant Personal Data or processing thereof under the Agreement.
- CCPA means the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder, in each case, as amended from time to time.
- EEA means the European Economic Area.
- EU means the European Union.
- European Data Protection Laws means the GDPR and other data protection laws of the EU, its Member States, Switzerland, Iceland, Liechtenstein, Norway and the United Kingdom, in each case, to the extent applicable to the relevant Personal Data or processing thereof under the Agreement.
- GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as amended from time to time.
- Information Security Incident means a breach of RecruitBot’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in RecruitBot’s possession, custody or control. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
- Personal Data means Customer Data that constitutes “personal data,” “personal information,” or similar information governed by Applicable Data Protection Laws, including but not limited to the GDPR and CCPA, provided to or accessed by RecruitBot by or on behalf of Customer or Customer’s end users in connection with the Services. For purposes of this DPA, Personal Data does not include personal data of representatives of Customer.
- Security Measures has the meaning given in Section 4.1 (RecruitBot’s Security Measures).
- Standard Contractual Clauses means the mandatory provisions of the standard contractual clauses for the transfer of personal data to processors established in third countries in the form set out by European Commission Decision 2010/87/EU.
- Subprocessors means third parties authorized under this DPA to process Personal Data in relation to the Service.
- Third Party Subprocessors has the meaning given in Section 5 (Subprocessors) of Annex 1.
- The terms controller, data subject, processing, processor and supervisory authority as used in this DPA have the meanings given in the GDPR.
- Duration and Scope of DPA
- This DPA will, notwithstanding the expiration of the Agreement, remain in effect so long as RecruitBot processes Personal Data.
- Annex 1 (EU Annex) to this DPA applies only to Personal Data or the processing thereof subject to European Data Protection Laws. Annex 2 (California Annex) to this DPA, applies from and after the operative date of CCPA only to Personal Data or the processing thereof subject to the CCPA with respect to which Customer is a “Business” (as defined in CCPA).
- Customer Instructions
RecruitBot will process Personal Data only in accordance with Customer’s instructions. By entering into this DPA, Customer instructs RecruitBot to process Personal Data only to provide the Services, and to perform its other obligations and exercise its rights under the Agreement. Customer acknowledges and agrees that RecruitBot, as part of the Services, may create and derive from processing related to the Services anonymized and/or aggregated data that does not identify Customer or any natural person, and use, publicize or share with third parties such data to improve RecruitBot’s products and services and for its other legitimate purposes.
- RecruitBot Security Measures. RecruitBot will implement and maintain technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data (the “Security Measures”), including, without limitation, the measures described in Annex 3 (Security Measures). The Security Measures may be updated or modified from time to time provided the updated measures do not decrease the overall protection of Personal Data.
- Information Security Incidents. If RecruitBot becomes aware of an Information Security Incident, RecruitBot will (a) notify Customer of the Information Security Incident without undue delay and (b) take reasonable steps to identify the cause of such Information Security Incident, mitigate potential risks associated therewith and prevent a recurrence. Notifications made pursuant to this Section 4.2 will describe available details of the Information Security Incident, including steps taken to mitigate the potential risks and steps RecruitBot recommends Customer take to address the Information Security Incident. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Information Security Incident(s). RecruitBot’s notification of or response to an Information Security Incident under this Section 4.2 will not be construed as an acknowledgement by RecruitBot of any fault or liability with respect to the Information Security Incident.
- Customer’s Security Responsibilities and Assessment
- Customer’s Security Responsibilities. Customer agrees that, without limitation of RecruitBot’s obligations under Section 4.1 (RecruitBot Security Measures) and Section 4.2 (Information Security Incidents), Customer is solely responsible for its use of the Service, including (a) making appropriate use of the Service to ensure a level of security appropriate to the risk in respect of the Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Service; (c) securing Customer’s systems and devices that RecruitBot uses to provide the Service; and (d) backing up Personal Data. RecruitBot has no obligation to protect Personal Data that Customer elects to store or transfer outside of RecruitBot and its Subprocessors’ systems (for example, offline or on-premises storage).
- Customer’s Security Assessment. Customer is solely responsible for evaluating for itself whether the Service, the Security Measures and RecruitBot’s commitments under this DPA will meet Customer’s needs, including with respect to any security obligations of Customer under applicable laws. Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by RecruitBot provide a level of security appropriate to the risk in respect of the Personal Data.
- Data Subject Rights
- Customer’s Responsibility for Requests. If RecruitBot receives any request from an individual in relation to the individual’s Personal Data, RecruitBot will advise the individual to submit the request to Customer and Customer will be responsible for responding to any such request.
- RecruitBot’s Data Subject Request Assistance. RecruitBot will (taking into account the nature of the processing of Personal Data) provide Customer with self-service functionality through the Service or other assistance reasonably necessary for Customer to perform its obligation under Applicable Data Protection Laws to fulfill requests by individuals to exercise their rights under Applicable Data Protection Laws. Customer shall compensate RecruitBot for any such assistance, beyond providing self-service features included as part of the Service, at RecruitBot’s then-current professional services rates, which shall be made available to Customer upon request.
- Customer Responsibilities
Customer represents and warrants to RecruitBot that Customer Data does not and will not contain any protected health information subject to the Health Insurance Portability and Accountability Act (“HIPAA”), medical information subject to the California Confidentiality of Medical Information Act, any biometric information, any payment card information subject to the Payment Card Industry Data Security Standard, Personal Data of children under 13 years of age, or any other information that falls within any special categories of data (as defined in GDPR) other than such information as is apparent solely from a photograph of a natural person required to be included in the Customer Data for RecruitBot to provide the Service or is required by law to be included in any government-issued identification required by RecruitBot to perform the Service.
- Liability Cap. The total combined liability of either party and its Affiliates towards the other party and its Affiliates, whether in contract, tort or any other theory of liability, under or in connection with the Agreement, this DPA and the Standard Contractual Clauses (if applicable) will be limited to limitations on liability or other liability caps agreed to by the parties in the Agreement, subject to Section 7.2 (Liability Cap Exclusions).
- Liability Cap Exclusions. Nothing in Section 7.1 (Liability Cap) will affect any party’s liability to data subjects under the third-party beneficiary provisions of the Standard Contractual Clauses (if applicable) to the extent limitation of such rights is prohibited by applicable European Data Protection Laws.
Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by RecruitBot to Customer under this DPA may be given (a) in accordance with any notice clause of the Agreement; (b) to RecruitBot’s primary points of contact with Customer; or (c) to any email provided by Customer for the purpose of providing it with Service-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.
- Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect. To the extent of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern. Notwithstanding anything in the Agreement or any order form entered in connection therewith, the parties acknowledge and agree that RecruitBot’s access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.
Accepted and agreed to by the authorized representative of each party:
Annex 1 to DPA
- Processing of Data
- Subject Matter and Details of Processing. The parties acknowledge and agree that (a) the subject matter of the processing under the Agreement is RecruitBot’s provision of the Service; (b) the duration of the processing is from RecruitBot’s receipt of Personal Data until deletion of all Personal Data by RecruitBot in accordance with the Agreement; (c) the nature and purpose of the processing is to provide the Service; (d) the data subjects to whom the processing pertains are identified or identifiable persons who live in the EU; and (e) the categories of personal data are any information which is related to an identified/identifiable data subject (e.g., name, address and IP address of the data subjects).
- Roles and Regulatory Compliance; Authorization.
- The parties acknowledge and agree that (a) RecruitBot is a processor of that Personal Data under European Data Protection Laws; (b) Customer is a controller (or a processor acting on the instructions of a controller) of that Personal Data under European Data Protection Laws; and (c) each party will comply with the obligations applicable to it in such role under the European Data Protection Laws with respect to the processing of that Personal Data.
- If Customer is a processor, Customer represents and warrants to RecruitBot that Customer’s instructions and actions with respect to Personal Data, including its appointment of RecruitBot as another processor, have been authorized by the relevant controller.
- RecruitBot’s Compliance with Instructions. RecruitBot will only process Personal Data in accordance with Customer’s instructions described in Section 3 (Customer Instructions) of the DPA unless European Data Protection Laws require otherwise, in which case RecruitBot will notify Customer (unless that law prohibits RecruitBot from doing so on important grounds of public interest).
- Data Deletion. Upon termination of Customer’s access to the Service, Customer instructs RecruitBot to delete all Personal Data from RecruitBot’s systems in accordance with the Agreement as soon as reasonably practicable, unless European Data Protection Laws require otherwise.
- Data Security
- RecruitBot Security Measures, Controls and Assistance
- RecruitBot Security Assistance. RecruitBot will (taking into account the nature of the processing of Personal Data and the information available to RecruitBot) provide Customer with reasonable assistance necessary for Customer to comply with its obligations in respect of Personal Data under European Data Protection Laws, including Articles 32 to 34 (inclusive) of the GDPR, by (a) implementing and maintaining the Security Measures; (b) complying with the terms of Section 4.2 (Information Security Incidents) of the DPA; and (c) complying with this Annex 1.
- Security Compliance by RecruitBot Staff. RecruitBot will grant access to Personal Data only to personnel who need such access for the scope of their job duties, and are subject to appropriate confidentiality arrangements.
- Reviews and Audits of Compliance
- Customer may audit RecruitBot’s compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by European Data Protection Laws, including where mandated by Customer’s supervisory authority. RecruitBot will contribute to such audits by providing Customer or Customer’s supervisory authority with the information and assistance reasonably necessary to conduct the audit.
- If a third party is to conduct the audit, RecruitBot may object to the auditor if the auditor is, in RecruitBot’s reasonable opinion, not independent, a competitor of RecruitBot, or otherwise manifestly unsuitable. Such objection by RecruitBot will require Customer to appoint another auditor or conduct the audit itself.
- To request an audit, Customer must submit a detailed proposed audit plan to RecruitBot at least two weeks in advance of the proposed audit date and any third party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. RecruitBot will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise RecruitBot security, privacy, employment or other relevant policies). RecruitBot will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 2.2 shall require RecruitBot to breach any duties of confidentiality.
- If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and RecruitBot has confirmed there are no known material changes in the controls audited, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures.
- The audit must be conducted during regular business hours, subject to the agreed final audit plan and RecruitBot’s safety, security or other relevant policies, and may not unreasonably interfere with RecruitBot business activities.
- Customer will promptly notify RecruitBot of any non-compliance discovered during the course of an audit and provide RecruitBot any audit reports generated in connection with any audit under this Section 2.2, unless prohibited by European Data Protection Laws or otherwise instructed by a supervisory authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA.
- Any audits are at Customer’s sole expense. Customer shall reimburse RecruitBot for any time expended by RecruitBot or its Third Party Subprocessors in connection with any audits or inspections under this Section 2.2 at RecruitBot’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit. Nothing in this DPA shall be construed to require RecruitBot to furnish more information about its Third Party Subprocessors in connection with such audits than such Third Party Subprocessors make generally available to their customers.
- Impact Assessments and Consultations
RecruitBot will (taking into account the nature of the processing and the information available to RecruitBot) reasonably assist Customer in complying with its obligations under Articles 35 and 36 of the GDPR, by (a) making available documentation describing relevant aspects of RecruitBot’s information security program and the security measures applied in connection therewith; and (b) providing the other information contained in the Agreement, including this DPA.
- Data Transfers
- Data Processing Facilities. RecruitBot may, subject to Section 4.2 (Transfers out of the EEA), store and process Personal Data in the United States or anywhere RecruitBot or its Subprocessors maintains facilities.
- Transfers out of the EEA. If Customer is established in the EEA and transfers Personal Data out of the EEA to RecruitBot in a country not deemed by the European Commission to have adequate data protection, such transfer will be governed by the Standard Contractual Clauses, the terms of which are hereby incorporated into this DPA. In furtherance of the foregoing, the parties agree that:
- for purposes of the Standard Contractual Clauses, (a) Customer will act as the data exporter and (b) RecruitBot will act as the data importer;
- for purposes of Appendix 1 to the Standard Contractual Clauses, the categories of data subjects, data, special categories of data (if appropriate), and the processing operations shall be as set out in Section 1.1 to this Annex 1 (Subject Matter and Details of Processing);
- for purposes of Appendix 2 to the Standard Contractual Clauses, the technical and organizational measures shall be the Security Measures;
- upon data exporter’s request under the Standard Contractual Clauses, data importer will provide the copies of the subprocessor agreements that must be sent by the data importer to the data exporter pursuant to Clause 5(j) of the Standard Contractual Clauses, and data importer may remove or redact all commercial information or clauses unrelated to the Standard Contractual Clauses or their equivalent beforehand;
- the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be performed in accordance with Section 2.2 of this Annex 1 (Reviews and Audits of Compliance);
- Customer’s authorizations in Section 5 of this Annex 1 (Subprocessors) will constitute Customer’s prior written consent to the subcontracting by RecruitBot of the processing of Personal Data if such consent is required under Clause 5(h) of the Standard Contractual Clauses; and
- certification of deletion of Personal Data as described in Clause 12(1) of the Standard Contractual Clauses shall be provided upon Customer’s request;
- Notwithstanding the foregoing, the Standard Contractual Clauses (or obligations the same as those under the Standard Contractual Clauses) will not apply to the extent an alternative recognized compliance standard for the lawful transfer of Personal Data outside the EEA (e.g., US-E.U. Privacy Shield, binding corporate rules) applies to the transfer.
- Consent to Subprocessor Engagement. Customer specifically authorizes the engagement of RecruitBot’s Affiliates as Subprocessors. In addition, Customer generally authorizes the engagement of any other third parties as Subprocessors (“Third Party Subprocessors”).
- Information about Subprocessors. Information about Subprocessors, including their functions and locations, is available at: recruitbot.com/dpa-subprocessors (as may be updated by RecruitBot from time to time in accordance with this Agreement) or such other website address as RecruitBot may provide to Customer from time to time (the “Subprocessor Site”).
- Requirements for Subprocessor Engagement. When engaging any Subprocessor, RecruitBot will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this DPA with respect to Personal Data to the extent applicable to the nature of the services provided by such Subprocessor. RecruitBot shall be liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.
- Opportunity to Object to Subprocessor Changes. When any new Third Party Subprocessor is engaged after the effective date of the Agreement, RecruitBot will notify Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by updating the Subprocessor Site or by other written means. If Customer objects to such engagement, on reasonable grounds relating to the protection of Personal Data, in a written notice to RecruitBot within ten days after being informed thereof, Customer and RecruitBot will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement and cancel the Service by providing written notice to RecruitBot.
- Processing Records
- Customer acknowledges that RecruitBot may be required under European Data Protection Laws to: (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which RecruitBot is acting and, where applicable, of such processor’s or controller’s local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, Customer will, where requested, provide such information to RecruitBot and will ensure that all information provided is kept accurate and up-to-date.
Annex 2 to DPA
- For purposes of this Annex 2, the terms “business,” “commercial purpose,” “sell” and “service provider” shall have the respective meanings given thereto in the CCPA, and “personal information” shall mean Personal Data that constitutes personal information governed by the CCPA.
- It is the parties’ intent that with respect to any personal information, Customer is a business and RecruitBot is a service provider. To that end, RecruitBot shall not (a) sell any personal information; (b) retain, use or disclose any personal information for any purpose other than for the specific purpose of providing the Service, including retaining, using, or disclosing the personal information for a commercial purpose other than the provision of the Service; or (c) retain, use or disclose the personal information outside of the direct business relationship between RecruitBot and Customer. RecruitBot hereby certifies that it understands its obligations under this Section 2 and will comply with them.
- The parties acknowledge that RecruitBot’s retention, use and disclosure of personal information authorized by Customer’s instructions described in Section 3 of the DPA (Customer Instructions) are integral to Customer’s provision of the Services and the business relationship between the parties.
Annex 3 to DPA
As from the Addendum Effective Date, RecruitBot will implement and maintain the Security Measures set out in this Annex 3. RecruitBot may update or modify such Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of the Services.
Security measures include:
- Access Control
- Preventing Unauthorized Product Access
- Outsourced processing: RecruitBot hosts its Service with outsourced cloud infrastructure providers. Additionally, RecruitBot maintains contractual relationships with vendors in order to provide the Service in accordance with our DPA. RecruitBot relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
- Physical and environmental security: RecruitBot hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
- Authentication: RecruitBot has implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
- Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of RecruitBot’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
- Application Programming Interface (API) access: Public product APIs may be accessed using an API key, through direct user/password login, or through SAML authorization.
- Preventing Unauthorized Product Use
- RecruitBot implements industry standard access controls and detection capabilities for the internal networks that support its products.
- Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
- Intrusion detection and prevention: RecruitBot has implemented a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
- Static code analysis: Security reviews of code stored in RecruitBot’s source code repositories are performed, checking for coding best practices and identifiable software flaws.
- Third Party Testing: Other forms of external testing are performed, for instance validation of correct SSL implementations.
- Limitations of Privilege & Authorization Requirements
- Product access: A subset of RecruitBot’s employees have access to the products and to Customer Data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Employees are granted access by role, and reviews of high risk privilege grants are initiated frequently. Employee roles are reviewed at least once every six months.
- Transmission Control
- In-transit: RecruitBot makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every customer site hosted on the RecruitBot products. RecruitBot’s HTTPS implementation uses industry standard algorithms and certificates.
- At-rest: RecruitBot stores user passwords following policies that follow industry standard practices for security. RecruitBot has implemented technologies to ensure that stored data is encrypted at rest.
- Input Control
- Detection: RecruitBot designed its infrastructure to log extensive information about system behaviour, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. RecruitBot personnel are responsive to known incidents.
- Response and tracking: RecruitBot maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, RecruitBot will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
- Communication: If RecruitBot becomes aware of unlawful access to Customer data stored within its products, RecruitBot will: 1) notify the affected Customers of the incident; 2) provide a description of the steps RecruitBot is taking to resolve the incident; and 3) provide status updates to the Customer contact, as RecruitBot deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form RecruitBot selects, which may include via email or telephone.
- Availability Control
- Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
- Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
- RecruitBot’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists RecruitBot operations in maintaining and updating the product applications and backend while limiting downtime.