Data Processing Agreement

This Data Processing Agreement (“DPA”) is entered into between TalentNeuron, LLC, a Delaware limited liability company, on behalf of itself and its affiliates (“Company”) and the client named below (“Client”), as of the date last signed below (the “Effective Date”). This DPA sets out the obligations of the contracting parties in regard to data protection, associated with the Processing of Personal Data by Company on behalf of the Client in delivery of services covered by a Service Order executed by the parties (the “Agreement”). This DPA is valid throughout the term of the Agreement unless replaced by a newer DPA. To the extent that any terms of this DPA conflict with any terms contained in the Agreement, the terms of this DPA shall take precedence only as to the processing of Personal Data.

1. Definitions

1.1 Terms not defined in this DPA but defined in the General Terms have the meaning stipulated in the General Terms.

1.2 “Client Data” means electronic data and information, including content, materials and personal data, submitted by Client to the SaaS.

1.3 “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

1.4 “Data Subject” means the identified or identifiable person to whom Personal Data relates.

1.5 “Data Protection Law” encompasses all laws and regulations applicable to the Processing of Personal Data under the Agreement, including—for the European Economic Area (“EEA”) and its member states—the GDPR, similar laws and binding regulations of Switzerland and the United Kingdom, and the laws regulating Processing of Personal Data in other countries insofar as they apply to Processing under this DPA.

1.6 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), including as implemented or adopted under the laws of the United Kingdom and the countries of the European Economic Area.

1.7 “Personal Data” means any Client Data that relates to an identified or identifiable natural person, to the extent that such information is protected as personal data under applicable Data Protection Laws.

1.8 “Personal Data Breach” means a confirmed:

  1. accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or unauthorized third-party access to Personal Data; or  
  2. similar incident involving Personal Data, in each case for which a Controller is required under Data Protection Law to provide notice to competent data protection authorities or Data Subjects.  

1.9 “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

1.10 “Sub-processor” means any Processor engaged by Company in the processing of Personal Data on behalf of Controller under this DPA and

1.11 “Sub-processing” refers to all activities done by such Sub-processor under this DPA, both as further described in sec. 4 (Sub-Processing).

1.12 “Third Country” means any country, organization, or territory not acknowledged by the European Commission or the government of the United Kingdom, as applicable, to assure an adequate level of protection for Personal Data.  

1.13 “UK Addendum” means the set of standard contractual clauses (SCCs) issued by the United Kingdom government under Section 119A(1) of the UK Data Protection Act 2018 (DPA 2018) for the purposes of exporting personal data when relying on an appropriate safeguard under Article 46(1) of the UK GDPR. 

2. Commissioned Data Processing

In the context of Service delivery, Company may process Personal Data as a Processor for Client, and, as set out herein, for Client’s affiliates. Where that is the case, the processing is subject to this DPA.

2.1 Roles of the Parties. Company acts as a Processor under this DPA. Client is the Controller. As an exception to that, where an affiliate of Client is the Controller, Client acts on behalf of such Controller and confirms that it is authorized to do so, to exercise rights and to act as recipient in case of duties owed by Company, and Client commits to fulfill any duties of such affiliate in its capacity as Controller. For such case, Client agrees to bundle requests by different Controllers under this contract as much as reasonably possible to reduce the additional burden.

2.2 Details of processing and purpose limitation. Company shall process the Personal Data only for the specific purpose(s) of the processing, as set out in Appendix 1 (Scope and details of data processing), unless it receives further instructions from the Client. Company will require its staff to abide by this processing restriction. Company agrees that it will not use, process, share, or disclose Personal Data for any purpose other than to deliver the Services for which it was provided. Company agrees that it will not (i) “Sell” or “Share” the Personal Data, as those terms are defined under the CCPA, (ii) retain, use or disclose the Personal Data outside of the direct business relationship between Client and the Company, or (iii) except as permitted by applicable Data Protection Laws, combine Personal Data with other information it receives from, or on behalf of, another person or persons, or collects from its own interaction with an individual.

2.3 Instructions.  

  1. Company shall process Personal Data, including with regard to transfers of personal data to a third country or an international organization, only on documented instructions from Client, unless required to do so by law to which Company is subject. In this case, Company shall inform the Controller of that legal requirement before processing, unless the law prohibits this.
  2. The General Terms, Service Orders, DPA and Documentation constitute the full and comprehensive instructions given by Client to Company.
  3. Subsequent instructions shall always be documented. Regarding the use of SaaS, instructions are in general given by using the Services. Client can give further instructions during the Subscription Term, provided that these are in line with the contractual agreements and scope of services delivered. Instructions not foreseen in or covered by the contractual agreements or which are out of scope of the Services delivered shall be treated as requests for changes to the Service Order. Client shall, without undue delay, confirm in writing or in text form any instruction issued orally.
  4. Client shall ensure it has obtained all necessary consents or has established an appropriate legal basis under applicable Data Protection Laws for the processing of Personal Data.

3. Confidentiality and Security of Processing

3.1 For the avoidance of doubt, all Personal Data Processed by Company under the Agreement shall be considered Confidential Information as defined therein.

3.2 Company shall implement technical and organizational measures (referred to as “TOM”) to ensure the adequate protection of Client Data, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects. This includes measures required for ongoing confidentiality, integrity, availability and resilience of processing systems and services. Upon Client’s request, Company will make available to Client a summary of the then-current TOM.

3.3 Company strongly encourages Client to review the TOM and confirm that, as to the SaaS selected by Client in the Service Order, the measures are appropriate taking into account the state of the art, the costs of implementation, nature, scope, context and purposes of the processing of Personal Data.

3.4 Company will regularly review the TOM and has the right to modify the measures and safeguards implemented, provided, however, that the overall level of security shall not be less protective than initially agreed and that Company will publish an updated summary of the TOM in its customer portal and provide it to Client upon request.

3.5 Without prejudice to Company’s security obligations under the Agreement, Client is responsible for its use of the Services and its storage of any copies of Client Data outside Company’s or Company’s subprocessors’ systems.

4. Sub-Processing

4.1 Authorization to use Sub-processors. Client hereby generally authorizes Company to use Sub-processors. Company remains responsible for compliance with this DPA and is responsible for ensuring that its obligations on data protection resulting from the Agreement (including this DPA) are valid and binding upon Sub-Processors. The Parties agree that this requirement is fulfilled if the contract with the Sub-Processor has a level of protection corresponding to this agreement or, respectively, if the obligations laid down in art. 28 para. 3 GDPR are imposed on the Sub-Processor.

4.2 The current Sub-Processors for SaaS are set out in Appendix 2.

4.3 Objection to new Sub-processors. When Company intends to retain a new Sub-Processor, it will notify Client at least 30 days in advance (“New Sub-processor Notice”). If Client has a legitimate reason under Data Protection Law to object to the use of such Sub-Processor, Client may object to the use of the new Sub-Processor within 30 days of the notice; the objection is required to state the legitimate reasons. In such case Company will make commercially reasonable efforts to provide the Services to Client without using such Sub-Processor. If Company fails to do so within 30 days, Client has the right to terminate solely the respective Service, with a notice period of no more than 30 days, by providing notice without undue delay, and Company will reimburse prepaid fees for the part of the Service terminated in line with this provision. If such termination is not notified within 60 days of the New Sub-processor Notice, Controller is deemed not to have objected to the Sub-Processor and the general authorization applies.

4.4 Emergency replacement of Sub-Processors. If there are urgent reasons to replace a Sub-Processor (e.g. security), Company may do so. In such case, it will notify Client without undue delay (“New Sub-processor Notice”) and sec. 4.3 applies accordingly, except for the fact that the New Sub-processor Notice is replaced by the notice under this paragraph.

4.5 Ancillary services. In general, no authorization is required for contractual relationships with service providers that are concerned with the examination or maintenance of data processing procedures or systems by third parties or that involve other additional services, even if access to Personal Data cannot be excluded, as long as the Supplier takes reasonable steps to protect the confidentiality of the Personal Data.

5. Locations of Processing

5.1 Compliance with Transfer Restrictions under applicable Data Protection Laws. If Client Personal Data is transferred to any country subject to transfer restrictions under European data protection law, the parties shall cooperate to ensure that the steps needed for such activity to comply with such laws are taken, including supplementing this DPA with additional terms required by applicable Data Protection Laws.

5.2 International Data Transfers

  1. EEA Restricted Transfers. To the extent the Services require a transfer or onward transfer of Personal Data originating in the EEA to a Third Country (an “EEA Restricted Transfer”) and provided that no Alternative Transfer Mechanism applies, Client and the Company agree to the following:
    1. If Client is not located in a Third Country and acts as a data exporter, Client will enter into the EU Standard Contractual Clauses under module 3 (Transfer Processor to Processor) with any Subprocessors located in Third Countries that act as data importers.
    2. If Company is acting as a data exporter with respect to such a transfer, Client and the Company agree that they shall be deemed to have entered into the EU Standard Contractual Clauses, and that those terms will be incorporated into this DPA by reference, as follows:
      1. Module Two (Transfer Controller to Processor) will apply when Client is the Data Controller.
      2. Module Three (Transfer Processor to Processor) will apply when Client is acting as a Processor of the Personal Data.
      3. For purposes of Section II, Clause 8.1 (Modules Two and Three), the Agreement and this DPA constitute the instructions to Company for the Processing of Personal Data.  Any additional instructions must be mutually agreed upon separately in writing and signed by both parties.
      4. For purposes of Section II, Clause 8.9 (Modules Two and Three), the parties agree that any audits or inspections be conducted in accordance with the terms set forth in the DPA.
      5. For purposes of Section II, Clause 9 (Modules Two and Three), the parties select Option 2 and agree that Company may engage Subprocessors in accordance with Section
      6. For purposes of Section II, Clause 11 (Modules Two and Three), the parties agree that the optional language in Clause 11(a) will not apply.
      7. For purposes of Section II, Clause 13(a) (Modules Two and Three):
        1. If the data exporter is established in an EEA Member state, the supervisory authority with responsibility for ensuring compliance by the data exporter with GDPR as regards to the data transfer shall act as competent supervisory authority.
        2. If the data exporter is not established in an EEA Member State but falls within the territorial scope of application of GDPR in accordance with Article 3(2) and has appointed a representative pursuant to Article 27(1) of GDPR, the supervisory authority of the EEA Member State in which the representative within the meaning of Article 27(1) of GDPR is established shall act as competent supervisory authority.
        3. If the data exporter is not established in an EU Member State, but falls within the territorial scope of application of GDPR in accordance with Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of GDPR, the supervisory authority of one of the EEA Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
      8. For purposes of Section IV, Clause 17 (Modules Two and Three), the parties select Option 2, and if the data exporter’s member state does not allow for third-party beneficiary rights, then the law of Ireland shall apply.
      9. For the purpose of Section IV, Clause 18 (Modules Two and Three), the parties agree that disputes arising from the EU Standard Contractual Clauses shall be resolved by the courts of Ireland.
    3. Annex I is deemed to be completed with the details set out in this DPA.
    4. Annex II is deemed to be completed with the security measures set forth in this DPA.
  2. UK Restricted Transfers. If and to the extent Company’s performance of the Services involves a transfer or onward transfer to a Third Country of personal data originating in the UK (a “UK Restricted Transfer”), the terms of this Section will apply to such transfers provided that no Alternative Transfer Mechanism applies.
    1. If Client is not located in a Third Country and acts as a data exporter, Client will enter into the EU Standard Contractual Clauses under Module 3 (Transfer Processor to Processor) and the UK Addendum with any Subprocessors located in Third Countries that act as data importers.
    2. If Client is acting as a data exporter with respect to such a transfer, Client and the Company agree that they shall be deemed to have entered into the EU Standard Contractual Clauses, as set forth in Section 8.3, and the UK Addendum, which are incorporated by reference. For purposes of any such transfer:
      1. Table 1 of the UK Addendum is deemed to be completed with the parties’ details and contact information as set forth in this DPA.
      2. For purposes of Table 2 of the UK Addendum, the Addendum EU SCCs are the EU Standard Contractual Clauses entered into between the parties under Section 8.3 of this Addendum.
      3. For purposes of Table 3 of the UK Addendum, the Appendix Information is set forth in this DPA and the security measures set forth in this DPA.
      4. For purposes of Table 4 of the UK Addendum, the parties select both the importer and the exporter, and agree that either of them may end the UK Addendum in accordance with Section 19 thereof.

5.3 Alternative Transfer Mechanisms. If Client, the Company, or both adopt a solution that permits the lawful transfer of Personal Data from the EEA and/or the UK in compliance with applicable Data Protection Laws (any such solution, an “Alternative Transfer Mechanism”), then the parties may notify each other in writing of the existence of the Alternative Transfer Mechanism, in which case the Alternative Transfer Mechanism will apply to any transfers of Personal Information to which it applies after the date of such written notification.

5.4 Additional Measures. In the event that the mechanisms described in this section are inadequate to properly safeguard transfers of Personal Data from Third Countries, the party acting as the data importer will promptly implement supplementary measures to ensure that Personal Data is protected to the standard required by Applicable Privacy Laws.

6. Supporting obligations

6.1 Data Subject requests. Company will promptly notify Client via e-mail of requests by Data Subjects it receives in conjunction with data processing hereunder. Company shall not respond to the request itself unless authorized to do so by the Controller, except where required by applicable Data Protection Laws; it is Client’s responsibility to handle the data subject request timely and adequately, and Company is not responsible in case Client fails to respond to such request at all, correctly, or in a timely manner.
Both parties will keep each other appropriately informed and will cooperate reasonably with the aim to resolve the matter with the Data Subject. Company shall assist Client, to a commercially reasonable extent, in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing.

6.2 Data Protection Impact Assessment. Upon Client’s request, Company will provide access to generally available documentation for assessing the privacy impact of the Services within the scope of this DPA. Where no such generally available documentation exists for a given Service, Company will provide assistance at a remuneration to be agreed between the Parties. Any additional assistance shall be mutually agreed between the Parties.

6.3 Data breaches. Company will notify Client without undue delay after becoming aware of a Personal Data Breach. It will reasonably assist Client in meeting Client’s obligations to report a Personal Data Breach as required under applicable Data Protection Laws. Such assistance shall be reasonable in view of the kind of Service provided and will in general consist in providing the relevant information available to Company and, as reasonably required, cooperation with requests from Data Subjects and authorities regarding the processing hereunder. The duties under this clause and their implementation shall not be interpreted or construed as an admission of fault or liability by the Company.

7. Return of Client Data including Personal Data

7.1 Retrieval by Client. Client may access and export in a standard format its Personal Data during the Subscription Term of the respective Service and subject to the Agreement. In case there are technical limitations to exports, the parties will collaborate to create a reasonable path for Client to suitably access Personal Data.  

7.2 Deletion after Subscription Term has ended. Upon the termination of the Agreement, Client hereby instructs Company to delete Client Data within a reasonable time period (not to exceed 6 months) in line with Data Protection Law unless applicable law requires retention.

8. Documentation and Audits

8.1 Company shall document appropriately its compliance with the obligations agreed upon in this DPA. At Client’s request, Company will provide Client with the information required and available to Company to prove such compliance.

8.2 The Parties agree that the preferred way to prove such compliance is provision of a suitable third-party certification, e.g. ISO 27001.

8.3 Where on-site audits and inspections by Client or a suitably qualified and reasonably independent auditor appointed by Client are necessary, such audits and inspections will be limited to Company’s own premises and conducted during regular business hours, without interfering with Company’s operations, upon prior notice, and observing an appropriate notice period. Company is entitled to remuneration for such audit unless the audit reveals a material breach of this DPA by Company. Client will provide the audit results to Company.

Company is entitled, at its own discretion and taking into account the legal obligations of Client, not to disclose information which is sensitive with regard to Company’s business or if Company would be in breach of statutory or other contractual provisions as a result of its disclosure. Client is not entitled to get access to data or information about Company’s other customers, cost information, quality control and contract management reports, or any other confidential data of Company that is not directly relevant for the agreed audit purposes. Client will treat all information found in the audit as Confidential Information.

Company is entitled to reject auditors which are competitors to Company.

8.4 Where a data protection supervisory authority or another supervisory authority with statutory competence for Controller conducts an inspection, sec. 8.3 above shall apply mutatis mutandis. The execution of a confidentiality undertaking shall not be required if such supervisory authority is subject to professional or statutory confidentiality obligations whose breach is sanctionable under the applicable criminal code.