Data Processing Addendum
0.1 The customer agreeing to these terms (“Customer”) has entered into an agreement with RecruitBot (the “Agreement”, as amended) under which RecruitBot has agreed to provide the Product to Customer.
0.2 This Data Processing Addendum (“DPA”), including its annexes, will be effective and replace any previously applicable data processing and security terms as of the Addendum Effective Date (as defined below).
0.3 This DPA is incorporated into and forms part of the Agreement.
For purposes of this DPA, the terms below have the meanings set forth below. Capitalized terms that are used but not defined in this DPA have the meanings given in the Agreement.
1.1 Addendum Effective Date means the date on which the parties agreed to this DPA.
1.2 Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.
1.3 Applicable Data Protection Laws means European Data Protection Laws, and as of its effective date, the CCPA, in each case, to the extent applicable to the relevant Personal Data or processing thereof under the Agreement.
1.4 CCPA means the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder, in each case, as amended from time to time.
1.5 EEA means the European Economic Area.
1.6 EU means the European Union.
1.7 European Data Protection Laws means the laws and regulations of the EEA and United Kingdom relating to privacy, data protection or data security, including, without limitation, the GDPR.
1.8 GDPR means collectively (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as amended from time to time (“EU GDPR”), and any Member State laws, rules or regulations implementing the GDPR and (ii) EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications Regulations 2019) (“UK GDPR”).
1.9 Information Security Incident means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
1.10 Personal Data means any information that constitutes “personal data,” “personal information,” or similar information governed by Applicable Data Protection Laws. For purposes of this DPA, Personal Data does not include personal data of representatives of Customer.
1.11 Restricted Transfer means the disclosure, grant of access or other transfer of Personal Data to any person located in: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EU Restricted Transfer”); and (ii) in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.
1.12 Security Measures has the meaning given in Section 4.1 (RecruitBot’s Security Measures).
1.13 Standard Contractual Clauses (or “SCCs”) means collectively (i) the standard contractual clauses approved by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”) and (ii) International Data Transfer Addendum to the EU SCCs, issued by the Information Commissioner (Version B1.0, in force on 21 March 2022) (“UK SCCs”), the current forms of which are attached hereto, respectively, as Part 1 and Part 2 of Annex 5 to this DPA.
1.14 Subprocessors means third parties authorized under this DPA to process Personal Data in relation to the Product.
1.15 Third Party Subprocessors has the meaning given in Section 5 (Subprocessors) of Annex 1.
1.16 The terms controller, data subject, processing, processor and supervisory authority as used in this DPA have the meanings given in the GDPR.
2. Duration and Scope of DPA
2.1 This DPA will, notwithstanding the expiration of the Agreement, remain in effect so long as RecruitBot processes Personal Data.
2.2 Annex 1 (EEA/UK Annex) to this DPA applies only to Personal Data or the processing thereof subject to European Data Protection Laws. Annex 2 (California Annex) to this DPA, applies from and after the operative date of CCPA only to Personal Data or the processing thereof subject to the CCPA with respect to which Customer is a “Business” (as defined in CCPA).
3. Customer Instructions
RecruitBot will process Personal Data only in accordance with Customer’s instructions. By entering into this DPA, Customer instructs RecruitBot to process Personal Data only to provide the Product, and to perform its other obligations and exercise its rights under the Agreement.
4. Specific Purposes
4.1 The parties acknowledge and agree that they shall act as separate controllers where:
(i) RecruitBot uses the technology that perceives the applicable Product environment and reuse the Personal Data to (a) identify future opportunities for development and to improve and personalize the Product, and (b) identify customer opportunities and market these to Customer, and
(ii)unless Customer opts out, RecruitBot shares and provides through the Product specific insights about Customer’s candidates or end users to other customers that have not opted-out on a reciprocal basis;, and
(iii) RecruitBot maintains a database of Personal Data associated to Customer’s candidates’ profiles.
Customer acknowledges and agrees that these purposes for processing Personal Data (together the “Specific Purposes”) are compatible with the processing of Personal Data necessary to provide the Product under the Agreement.
4.2 With respect to the Specific Purposes, the parties shall comply with their respective obligations under the Applicable Data Protection Laws. Customer grants to RecruitBot a non-exclusive, worldwide right to use Personal Data for the Specific Purposes (i) in order to provide the Product to Customer; (ii) to compile, use and disclose anonymous, aggregated statistics, provided that no such information will directly identify and cannot be used to identify Customer; and (iii) as necessary to maintain and improve the Product.
5. 1 RecruitBot Security Measures. RecruitBot will implement and maintain the Security Measures described in Annex 3 (Security Measures). The Security Measures may be updated or modified from time to time provided the updated measures do not decrease the overall protection of Personal Data.
5.2 Information Security Incidents. If RecruitBot becomes aware of an Information Security Incident, RecruitBot will (a) notify Customer of the Information Security Incident without undue delay and (b) take reasonable steps to identify the cause of such Information Security Incident, mitigate potential risks associated therewith and prevent a recurrence. Notifications made pursuant to this Section 5 .2 will describe available details of the Information Security Incident, including steps taken to mitigate the potential risks and steps RecruitBot recommends Customer to take to address the Information Security Incident. RecruitBot’s notification of or response to an Information Security Incident under this Section 5.2 will not be construed as an acknowledgement by RecruitBot of any fault or liability with respect to the Information Security Incident.
5. 3 Customer’s Security Responsibilities and Assessment
5.3.1 Customer’s Security Responsibilities. Customer agrees that, without limitation of RecruitBot’s obligations under Section 5 .1 (RecruitBot Security Measures) and Section 5.2 (Information Security Incidents), Customer is solely responsible for its use of the Product. RecruitBot has no obligation to protect Personal Data that Customer elects to store or transfer outside of RecruitBot and its Subprocessors’ systems (for example, offline or on-premises storage).
5.3.2 Customer’s Security Assessment. Customer is solely responsible for evaluating for itself whether the Service, the Security Measures and RecruitBot’s commitments under this DPA will meet Customer’s needs, including with respect to any security obligations of Customer under applicable laws. Customer acknowledges and agrees that the Security Measures implemented and maintained by RecruitBot provide a level of security appropriate to the risk in respect of the Personal Data.
6. Data Subject Rights
6.1 Customer’s Responsibility for Requests. If Customer receives any requests in relation to the data subject’s Personal Data, where RecruitBot acts as a processor, RecruitBot will provide the necessary functionality to delete such data. For candidates explicitly uploaded, the user can explicitly delete the data. For candidates “synced” via the ATS, deleting the candidate from the ATS will also delete the candidate from RecruitBot.
6.2 RecruitBot’s Data Subject Request Assistance. RecruitBot will (taking into account the nature of the processing of Personal Data) provide Customer with self-service functionality through the Product or other assistance reasonably necessary for Customer to perform its obligation under Applicable Data Protection Laws to fulfill requests by data subjects to exercise their rights under Applicable Data Protection Laws. Customer shall compensate RecruitBot for any such assistance, beyond providing self-service features included as part of the Product, at RecruitBot’s then-current professional services rates, which shall be made available to Customer upon request.
7. Customer Responsibilities
Customer represents and warrants to RecruitBot that the Personal Data disclosed to RecruitBot does not and will not contain any protected health information subject to the Health Insurance Portability and Accountability Act (“HIPAA”), medical information subject to the California Confidentiality of Medical Information Act, any biometric information, any payment card information subject to the Payment Card Industry Data Security Standard, Personal Data of children under 13 years of age, or any other information that falls within any special categories of personal data (as defined in GDPR) other than such information as is apparent solely from a photograph of a natural person required to be included in the Personal Data for RecruitBot to provide the Product or is required by law to be included in any government-issued identification required by RecruitBot to provide the Product.
8.1 Liability Cap. The total combined liability of either party and its Affiliates towards the other party and its Affiliates, whether in contract, tort or any other theory of liability, under or in connection with the Agreement, this DPA and the SCCs (if applicable) will be limited to limitations on liability or other liability caps agreed to by the parties in the Agreement, subject to Section 8.2 (Liability Cap Exclusions).
8.2 Liability Cap Exclusions. Nothing in Section 8.1 (Liability Cap) will affect any party’s liability to data subjects under the third-party beneficiary provisions of the SCCs (if applicable) to the extent limitation of such rights is prohibited by applicable European Data Protection Laws.
Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by RecruitBot to Customer under this DPA may be given (a) in accordance with any notice clause of the Agreement; (b) to RecruitBot’s primary points of contact with Customer; or (c) to any email provided by Customer for the purpose of providing it with Product-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.
Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect. To the extent of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern. Notwithstanding anything in the Agreement or any order form entered in connection therewith, the parties acknowledge and agree that RecruitBot’s access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.
Annex 1 to the DPA
1. Processing of Personal Data
1.1 Subject Matter and Details of Processing. The parties acknowledge and agree that (a) the subject matter of the processing under the Agreement is RecruitBot’s provision of the Service; (b) the duration of the processing is from RecruitBot’s receipt of Personal Data until deletion of all Personal Data by RecruitBot in accordance with the Agreement; (c) the nature and purpose of the processing is to provide the Product; (d) the data subjects to whom the Personal Data pertains are identified or identifiable persons who live in the EEA/UK.
1.2 Roles and Regulatory Compliance; Authorization.
1.2.1 Without prejudice to Section 4.1 of the DPA, the parties acknowledge and agree that (a) RecruitBot is a processor of that Personal Data under European Data Protection Laws; (b) Customer is a controller (or a processor acting on the instructions of a controller) of that Personal Data under European Data Protection Laws; (c) each party will comply with the obligations applicable to it in such role under the European Data Protection Laws with respect to the processing of that Personal Data, (d) RecruitBot has implemented a comprehensive privacy notice that addresses the processing activities that it conducts as a controller, accessible at https://www.recruitbot.com/privacy/.
1.2.2 If Customer is a processor, Customer represents and warrants to RecruitBot that Customer’s instructions and actions with respect to Personal Data, including its appointment of RecruitBot as another processor, have been authorized by the relevant controller.
1.3 RecruitBot’s Compliance with Instructions.
RecruitBot will only process Personal Data in accordance with Customer’s instructions described in Section 3 (Customer Instructions) of the DPA unless European Data Protection Laws requires otherwise, in which case RecruitBot will notify Customer (unless that law prohibits RecruitBot from doing so on important grounds of public interest).
1.4 Data Deletion. Upon termination of Customer’s access to the Service, RecruitBot will delete all Personal Data from RecruitBot’s systems at Customer’s request, or as otherwise determined in accordance with the Agreement, unless RecruitBot’s legal administrative or accounting obligations require otherwise.
2. Data Security
2.1 RecruitBot Security Measures, Controls and Assistance
2.1.1 RecruitBot Security Assistance. RecruitBot will (taking into account the information available to RecruitBot) provide Customer with reasonable assistance necessary for Customer to comply with its obligations in respect of Personal Data under European Data Protection Laws, including Articles 32 to 34 (inclusive) of the GDPR, by (a) implementing and maintaining the Security Measures; (b) complying with the terms of Section 5.2 (Information Security Incidents) of the DPA; and (c) complying with this Annex 1.
2.1.2 Security Compliance by RecruitBot Staff.
RecruitBot will grant access to Personal Data only to personnel who need such access for the scope of their job duties, and are subject to appropriate confidentiality arrangements.
2.2 Reviews and Audits of Compliance
2.2.1 Audit Report. Our internal processes shall be regularly audited against the SOC2 standard (or equivalent). The audit may, in RecruitBot’s sole discretion, be an internal audit, or an audit performed by a third party. Upon written request, RecruitBot will provide Customer with a summary of the audit report(s) (“Audit Report”), so that Customer can verify RecruitBot’s compliance with the audit standards and this DPA. Such Audit Reports, as well as any conclusions or findings specified therein, are RecruitBot’s Confidential Information (as defined in the Agreement).
2.2.2 Customer information requests. RecruitBot will make available to Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA. RecruitBot will provide written responses to reasonable requests for information made by Customer, including responses to information security and audit questionnaires that are reasonable in scope and necessary to confirm compliance with this DPA, provided that Customer (i) has first made a reasonable effort to obtain the requested information from the documentation, Audit Reports and other information provided or made public by RecruitBot, and (ii) will not exercise this right more than once per year, unless a Security Incident or significant change in RecruitBot’s processing activities in relation to the Product requires that an additional questionnaire is executed. All responses provided are our Confidential Information.
3. Customer Audit.
If Customer is under a regulatory or statutory obligation to carry out an audit on RecruitBot or if an Audit Report provided by RecruitBot to Customer gives the Customer substantiated reasons to believe that RecruitBot is in breach of its obligations under this DPA, related to the Personal Data provided by Customer, RecruitBot will allow an independent and qualified third party auditor appointed by Customer and approved by RecruitBot, to audit the relevant applicable Personal Data processing activities, provided that the following requirements are met:
a. Customer shall give RecruitBot at least sixty (60) days reasonable advance notice before exercising the right to audit;
b. The auditor agrees to market standard confidentiality obligations with RecruitBot;
c. Customer and the auditor take measures to minimize disruption to RecruitBot’s business operations;
d. The audit will be carried out during regular business hours;
e. RecruitBot shall not be obliged to provide access to customer data of other customers or systems not involved in the provision of the Product; and
f. Customer shall pay for all costs of the audit.
4. Impact Assessments and Consultations
RecruitBot will (taking into account the nature of the processing and the information available to RecruitBot) reasonably assist Customer in complying with its obligations under Articles 35 and 36 of the GDPR, by (a) making available documentation describing relevant aspects of RecruitBot’s information security program and the security measures applied in connection therewith; and (b) providing the other information contained in the Agreement, including this DPA.
5. Personal Data Transfers
5.1 Data Transfer of Personal Data to a Subprocessor. Customer consents to the transfer and access of Personal Data to and by any RecruitBot Affiliate or Subprocessor listed in the Subprocessor Site (as defined in Section 5.2 below).
5.2 Incorporation of the EU SCCs. To the extent that any processing of Personal Data under this DPA involves an EU Restricted Transfer from Customer to RecruitBot, the parties shall comply with their respective obligations set out in the EU SCCs (Controller-Processor) which are hereby deemed to be: entered into by the parties and incorporated by reference into this DPA; and populated in accordance with Part 1 of Annex 5 to the DPA.
5.3 Incorporation of UK SCCs. To the extent that any processing of Personal Data under this DPA involves a UK Restricted Transfer from Customer to RecruitBot, the parties shall comply with their respective obligations set out in the UK SCCs as set out in Part 2 of Annex 5 to the DPA, which is hereby deemed entered into by the parties and incorporated by reference into this DPA; and varied to address the requirements of the UK GDPR in accordance with UK SCCs and populated in accordance with Part 2 of Annex 5 to the DPA.
5.4 Provision of full-form SCCs. In respect of any given Restricted Transfer, if requested from either party (“Requesting Party”) by a supervisory authority or data subject, on specific written request, the other party shall provide the Requesting Party with an executed version of the full-form SCCs, populated in accordance with the information set out in Annexes 4 and 5, as applicable.
6.1 Consent to Subprocessor Engagement. Customer specifically authorizes the engagement of RecruitBot’s Affiliates as Subprocessors. In addition, Customer generally authorizes the engagement of any other third parties as Subprocessors (“Third Party Subprocessors”).
6.2 Information about Subprocessors. Information about Subprocessors, including their functions and locations, is available at: www.recruitbot.com/dpa-subprocessors (as may be updated by RecruitBot from time to time in accordance with this Agreement) or such other website address as the RecruitBot may provide to customer from time to time (the “Subprocessor Site”).
6.3 Requirements for Subprocessor Engagement. When engaging any Subprocessor, RecruitBot will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this DPA with respect to Personal Data to the extent applicable to the nature of the services provided by such Subprocessor. RecruitBot shall be liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.
6.4 Opportunity to Object to Subprocessor Changes. When any new Third Party Subprocessor is engaged after the effective date of the Agreement, RecruitBot will notify Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by updating Subprocessor Site or by other written means. If Customer objects to such engagement in a written notice to RecruitBot within 10 (ten) days after being informed thereof on reasonable grounds relating to the protection of Personal Data, Customer and RecruitBot will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement and cancel the services by providing written notice to RecruitBot.
7. Processing Records
7.1 Customer acknowledges that RecruitBot may be required under European Data Protection Laws to: (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which RecruitBot is acting and, where applicable, or such processor or controller’s local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, Customer will, where requested, provide such information to RecruitBot and will ensure that all information provided is kept accurate and up-to-date.
Annex 2 to DPA
1. For purposes of this Annex 2, the terms “business,” “commercial purpose,” “sell” and “service provider” shall have the respective meanings given thereto in the CCPA, and “personal information” shall mean Personal Data that constitutes personal information governed by the CCPA.
2. It is the parties’ intent that with respect to any personal information, Customer is a business and RecruitBot is a service provider. To that end, RecruitBot shall not (a) sell any personal information; (b) retain, use or disclose any personal information for any purpose other than for the specific purpose of providing the Service, including retaining, using, or disclosing the personal information for a commercial purpose other than the provision of the Service; or (c) retain, use or disclose the personal information outside of the direct business relationship between RecruitBot and Customer. RecruitBot hereby certifies that it understands its obligations under this Section 2 and will comply with them.
3. The parties acknowledge that RecruitBot’s retention, use and disclosure of personal information authorized by Customer’s instructions described in Section 3 of the DPA (Customer Instructions) are integral to Customer’s provision of the Product and the business relationship between the parties.
Annex 3 to DPA
As from the Addendum Effective Date, RecruitBot will implement and maintain the Security Measures set out in this Annex 3. RecruitBot may update or modify such Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of the Product.
Security measures include:
1. Access Control
1.1.1 Preventing Unauthorized Product Access
Outsourced processing: RecruitBot hosts its Product with outsourced cloud infrastructure providers. Additionally, RecruitBot maintains contractual relationships with vendors in order to provide the Product in accordance with our DPA. RecruitBot relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
1.1.2 Physical and environmental security: RecruitBot hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
1.1.3 Authentication: RecruitBot implemented a uniform password policy for its customer products and single sign-on options. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
1.1.4 Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of RecruitBot’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
1.1.5 Application Programming Interface (API) access: Public product APIs may be accessed using an API key, through direct user/password login, or through SAML authorization.
1.2 Preventing Unauthorized Product Use
1.2.1 RecruitBot implements industry standard access controls and detection capabilities for the internal networks that support its products.
1.2.2 Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
1.2.3 Intrusion detection and prevention: RecruitBot implemented a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
1.2.4 Static code analysis: Security reviews of code stored in RecruitBot’s source code repositories is performed, checking for coding best practices and identifiable software flaws.
1.2.5 Third Party Testing: Other forms of external testing are performed, for instance validation of correct SSL implementations.
1.3 Limitations of Privilege & Authorization Requirements
1.3.1 Product access: A subset of RecruitBot’s employees have access to the products and to Personal Data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Employees are granted access by role, and reviews of high risk privilege grants are initiated frequently. Employee roles are reviewed at least once every six months.
2. Transmission Control
2.1 In-transit: RecruitBot makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every customer site hosted on the RecruitBot products. RecruitBot’s HTTPS implementation uses industry standard algorithms and certificates.
2.2 At-rest: RecruitBot stores user passwords following policies that follow industry standard practices for security. RecruitBot has implemented technologies to ensure that stored data is encrypted at rest.
3. Input Control
3.1 Detection: RecruitBot designed its infrastructure to log extensive information about the system behaviour, traffic received, system authentication, and other application requests. Internal systems aggregated log data and alert appropriate employees of malicious, unintended, or anomalous activities. RecruitBot personnel are responsive to known incidents.
3.2 Response and tracking: RecruitBot maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, RecruitBot will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
3.3 Communication: If RecruitBot becomes aware of unlawful access to Customer data stored within its products, RecruitBot will: 1) notify the affected Customers of the incident; 2) provide a description of the steps RecruitBot is taking to resolve the incident; and 3) provide status updates to the Customer contact, as RecruitBot deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form RecruitBot selects, which may include via email or telephone.
4. Availability Control
4.1 Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
4.2 Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
4.3 RecruitBot’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists RecruitBot operations in maintaining and updating the product applications and backend while limiting downtime.
Annex 4 to DPA
Data Processing Details
|Address:||2030 Vallejo St, #205, San Francisco, CA, 9423|
Name: Jeremy Schiff
RecruitBot operates an artificial intelligence-based recruitment platform intended to find candidates according to customers’ open positions. RecruitBot’s platform maintains a collection of global candidate profiles and allows to reach out to the suitable candidates with the use of machine learning.
Where Section 4.2 of the DPA applies: Controller
|Name:||Customer, as identified in the applicable Order Form|
|Address:||Customer’s address, as identified in the applicable Order Form|
Customer’s authorized representative’s contact details, as identified in the applicable Order Form
|Data Importer Activities:||The Customer’s activities are determined by Customer on a case-by-case basis|
The parties agree that the Processing of Personal Data is subject to the following scope:
Subject Matter: Customer has engaged RecruitBot to use the Product described in the Agreement
Duration: See Section 2 of the DPA (“Duration and Scope of DPA”).
Nature of the Processing: RecruitBot will provide the Product described in the Agreement, which may include: granting access to the RecruitBot platform.
For candidate data, this includes 1) enhancing data by cross-referencing data provided from customers, with our internal datasets or by inferring additional attributes via algorithmic measures including Machine Learning to infer attributes such as demographic data, 2) allowing users to search for relevant candidates using different candidate attributes, 3) provide an intelligent ranking of candidate profiles based, 4) map RecruitBot’s candidate data to customer data to automatically enhance Customer Data, as well as understand which candidates have been engaged with or not in the past.
For the Email data, this includes reading / sending emails, as well as tracking activity such as open rates.
For ATS data, this includes reading, writing, and updating records in both systems to keep them in a consistent state.
For users’ assessment of candidates including rating and text data, to understand user preferences, and facilitate communication between users.
For interaction data, this includes letting users understand the activity and effectiveness of users.
Purpose of the Processing: To provide the Product as well as customer and technical support to end users, on behalf of the Customer. In particular, provide the Product as well as customer and technical support to end users. Specific examples include allowing users to search for and prioritize relevant candidates (inside and excluding candidates in the ATS), send automated email campaigns to candidates, review analytics of candidate information as they move between stages both in the email systems, and in the ATS. The product also processes interaction data to alert users when they can take actions to be more effective, or to better collaborate between users.
Type of Personal Data: name, education, work experience, contact details, location, email address, phone number, demographic attributes (inferred by Machine Learning, not collected from the customer)
Categories of Data Subjects: employees, candidates
Annex 5 to DPA
Standard Contractual Clauses
PART 1: POPULATION OF THE EU SCCs
1. SIGNATURE OF THE EU SCCs:
Where the EU SCCs apply in accordance with Section 4 of the DPA (Specific Purposes) or Section 4 of Annex 1 of the DPA (Personal Data Transfers) each of the parties is hereby deemed to have signed the EU SCCs at the relevant signature block in Annex I to the Appendix to the EU SCCs.
By principle, Module Two (Controller to Processor) of the EU SCCs applies to any EU Restricted Transfer involving processing of Personal Data in respect of which RecruitBot acts as a processor, and Customer acts as a controller.
In the context of Section 4 of the DPA (Specific Purposes), Module One (Controller to Controller) of the EU SCCs applies to EU Restricted Transfer involving processing of Personal Data in respect of which each party is a controller.
3. POPULATION OF THE BODY OF THE EU SCCs
3.1 The following applies as and where applicable to Module One and/or Two and the Clauses thereof:
a. The optional ‘Docking Clause’ in Clause 7 is not used and the body of that Clause 7 is left intentionally blank.
b. In Clause 9:
(i) OPTION 2: GENERAL WRITTEN AUTHORISATION applies with respect to Module Two, and the minimum time period for advance notice of the addition or replacement of Sub-Processors shall be the advance notice period set out in Section 5.4 of Annex 1 (EEA/UK Annex) to the DPA; and
(ii) OPTION 1: SPECIFIC PRIOR AUTHORISATION is not used in all other circumstances and that language is deleted; as is, therefore, Annex III to the Appendix to the EU SCCs.
c. In Clause 11, the optional language is not used and is deleted.
d. In Clause 13, all square brackets are removed and all text therein is retained.
e. In Clause 17: OPTION 1 applies, and the Parties agree that the EU SCCs shall be governed by the law of Ireland in relation to any EU Restricted Transfer; and OPTION 2 is not used and that optional language is deleted.
f. For the purposes of Clause 18, the parties agree that any dispute arising from the EU SCCs in relation to any EU Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.
3.2 In this Paragraph 3, references to “Clauses” are references to the Clauses of the EU SCCs.
4. POPULATION OF ANNEXES TO THE APPENDIX TO THE EU SCCs
4. 1 Annex I to the Appendix to the EU SCCs is populated with the corresponding information detailed in Annex 4 to the DPA, with: Customer being ‘data exporter’; and RecruitBot being ‘data importer’.
4.2 Part C of Annex I to the Appendix to the EU SCCs is populated as below:
The competent supervisory authority shall be determined as follows:
- Where Customer is established in an EEA Member State: the competent supervisory authority shall be the supervisory authority of that EEA Member State in which Customer is established.
- Where Customer is not established in an EEA Member State, Article 3(2) of the EU GDPR applies and Customer has appointed an EEA representative under Article 27 of the EU GDPR: the competent supervisory authority shall be the supervisory authority of the EEA Member State in which Customer’s EEA representative relevant to the processing hereunder is based (from time-to-time).
- Where Customer is not established in an EEA Member State, Article 3(2) of the EU GDPR applies, but Customer has not appointed an EU representative under Article 27 of the EU GDPR: the competent supervisory authority shall be the supervisory authority of the EEA Member State notified in writing to Customer’s contact point for data protection identified in Attachment 1 to Annex 4 (EEA/UK Annex) to the DPA, which must be an EEA Member State in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.
4.3 Annex II to the Appendix to the EU SCCs is populated as below:
- Please refer to Annex 3 (Security Measures) to the DPA.
- In the event that Customer receives a data subject request under the EU GDPR and requires assistance from RecruitBot, Customer should email RecruitBot’s contact point for data protection identified in Annex 4 to the DPA.
Sub-Processors: When RecruitBot engages a Subprocessor under these Clauses, RecruitBot shall enter into a binding contractual arrangement with such Subprocessor that imposes upon them data protection obligations which, in substance, meet or exceed the relevant standards required under these Clauses and the DPA – including in respect of:
- applicable information security measures;
- notification of Information Security Incidents to RecruitBot;
- return or deletion of Personal Data as and where required; and
- engagement of further Subprocessors.
PART 2: UK RESTRICTED TRANSFERS
1. UK TRANSFER ADDENDUM
4.4 Where relevant in accordance with Section 4.3 of Annex 1 of the DPA, the EU SCCs also apply in the context of UK Restricted Transfers as varied by the UK SCCs in the manner described below –
a. Part 1 to the UK SCCs. The parties agree:
(i) Tables 1, 2 and 3 to the UK SCCs are deemed populated with the corresponding details set out in Annex 4 to the DPA and the foregoing provisions of Annex 5 (subject to the variations effected by the UK Mandatory Clauses described in (b) below); and
(ii) Table 4 to the UK SCCs is completed by the box labelled ‘Data Importer’ being deemed to have been ticked.
b. Part 2 to the UK SCCs. The parties agree to be bound by the UK Mandatory Clauses of the UK SCCs.
4.5 As permitted by Section 17 of the UK Mandatory Clauses, the parties agree to the presentation of the information required by ‘Part 1: Tables’ of the UK SCCs in the manner set out in Paragraph 1.1 of this Part 2; provided that the parties further agree that nothing in the manner of that presentation shall operate or be construed so as to reduce the Appropriate Safeguards (as defined in Section 3 of the UK Mandatory Clauses).
4.6 In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the EU SCCs, shall be read as a reference to those UK SCCs as varied in the manner set out in Paragraph 1.1 of this Part 2.