This Data Processing Addendum (including its Exhibits) (“Addendum”) forms part of the Services Agreement, Terms of Service, or other agreement about the delivery of the contracted services between Textio, Inc. (“Textio”, “we”, “us”, or “our”), and the Company (the “Agreement”) named in such Agreement.
1. Subject Matter. This Addendum reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Company Personal Data in connection with our execution of the Agreement. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of its Exhibits conflicts with the Agreement, this Addendum shall control.
2. Definitions.
For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.
2.1. “Company Personal Data” means Data that is Personal Data Processed by us on behalf of Company in providing the Services under the Agreement.
2.2. "Data” has the meaning set forth in the Agreement, or if not set forth in the Agreement, means data, information, documents or other materials that Company provides, inputs, modifies or prepares using the Services.
2.3. “Data Protection Laws” means the applicable data privacy and data protection laws, rules and regulations to which the Company Personal Data are subject. “Data Protection Laws” may include, but are not limited to, the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act) (“CCPA”); the EU General Data Protection Regulation 2016/679 (“GDPR”) and its respective national implementing legislations; the Swiss Federal Act on Data Protection; the United Kingdom General Data Protection Regulation; and the United Kingdom Data Protection Act 2018 (in each case, as amended, adopted, or superseded from time to time).
2.4. “Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws.
2.5. Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
2.6. “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Company Personal Data attributable to us.
2.7. “Services” means the services that we perform under the Agreement.
2.8. “Subprocessor(s)” means our authorized vendors and third-party service providers that Process Company Personal Data.
3. Data Use and Processing.
3.1. Documented Instructions. We shall Process Company Personal Data to provide the Services in accordance with the Agreement, this Addendum, any applicable Statement of Work, and any instructions agreed upon by the parties. We will, unless legally prohibited from doing so, inform Company in writing if we reasonably believe that there is a conflict between Company’s instructions and applicable law or otherwise seek to Process Company Personal Data in a manner that is inconsistent with Company’s instructions.
3.2. Authorization to Use Subprocessors. To the extent necessary to fulfill our contractual obligations under the Agreement, Company hereby authorizes us to engage Subprocessors.
3.3. Subprocessor Compliance. We agree to (i) enter into a written agreement with Subprocessors regarding such Subprocessors’ Processing of Company Personal Data that imposes on such Subprocessors data protection requirements for Company Personal Data that are consistent with this Addendum; and (ii) remain responsible to Company for our Subprocessors’ failure to perform their obligations with respect to the Processing of Company Personal Data.
3.4. Right to Object to Subprocessors. Where required by Data Protection Laws, we will notify Company’s Designated POC as set forth in Section 11 of this Addendum prior to engaging any new Subprocessors that Process Company Personal Data and allow Company ten (10) days to object. If Company has legitimate objections to the appointment of any new Subprocessor that relates to our compliance with this Addendum, we will make reasonable efforts to address Company’s objection. After this process, if a resolution has not been agreed to within five (5) calendar days, we may proceed with engaging the Subprocessor. Failing any such resolution, Company may terminate the part of the Service provided under the Agreement that cannot be performed by us without use of the objectionable Subprocessor.
3.5. Confidentiality. Any person authorized to Process Company Personal Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.
3.6. Personal Data Inquiries and Requests. Where required by Data Protection Laws, we agree to provide reasonable assistance and comply with reasonable instructions from Company related to any requests from individuals exercising their rights in Company Personal Data granted to them under Data Protection Laws. Company shall be responsible for any costs arising from our provision of such assistance.
3.7. Data Protection Impact Assessment and Prior Consultation. Where required by Data Protection Laws, we agree to provide reasonable assistance at Company’s expense to Company where, in Company’s judgement, the type of Processing performed by us requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
3.8. Demonstrable Compliance. We agree to provide information reasonably necessary to demonstrate compliance with this Addendum upon Company’s reasonable request.
3.9. California Specific Terms. To the extent that our Processing of Company Personal Data is subject to the CCPA, this Section shall also apply. Company discloses or otherwise makes available Company Personal Data to us for the limited and specific purpose of us providing the Services to Company in accordance with the Agreement and this Addendum. We shall: (i) comply with our applicable obligations under the CCPA; (ii) provide the same level of protection as required under the CCPA; (iii) notify Company if we can no longer meet our obligations under the CCPA; (iv) not “sell” or “share” (as such terms are defined by the CCPA) Company Personal Data; (v) not retain, use, or disclose Company Personal Data for any purpose (including any commercial purpose) other than to provide the Services under the Agreement or as otherwise permitted under the CCPA; (vi) not retain, use, or disclose Company Personal Data outside of the direct business relationship between Company and us; and (vii) unless otherwise permitted by the CCPA, not combine Company Personal Data with Personal Data that we (a) receive from, or on behalf of, another person, or (b) collect from our own, independent consumer interaction. We will permit Company, upon reasonable request, to take reasonable and appropriate steps to ensure that we Processes Company Personal Data that is subject to this section in a manner consistent with a business’ obligations under the CCPA by requesting that we attest to our compliance with this CCPA section. Following any such request, we will promptly provide that attestation or notice about why we cannot provide it. If Company reasonably believes that we are engaged in unauthorized Processing of Company Personal Data that is subject to this section, Company will immediately notify us of such belief via email, and the parties will work together in good faith to remediate the allegedly violative Processing activities, if necessary.
3.10. Aggregation and De-Identification. We may: (i) compile aggregated and/or de-identified information in connection with providing the Services provided that such information cannot reasonably be used to identify any data subject to whom Company Personal Data relates (“Aggregated and/or De-Identified Data”); and (ii) use Aggregated and/or De-Identified Data for our lawful business purposes. Aggregated and/or De-identified Data shall not be considered Company Personal Data and we may retain such data at our discretion.
4. Cross-Border Transfers of Personal Data.
4.1. Cross-Border Transfers of Personal Data. Company authorizes us and our Subprocessors to transfer Company Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States.
4.2. EEA, Swiss, and UK Standard Contractual Clauses. If Company Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Company to us in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that the transfer shall be governed by Module Two’s obligations in the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“Standard Contractual Clauses”) as supplemented by Exhibit A attached hereto, the terms of which are incorporated herein by reference. Each party’s signature to this Addendum shall be considered a signature to the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder.
5. Information Security Program. We will implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Company Personal Data.
6. Security Incidents. Upon becoming aware of a Security Incident, we agree to provide written notice without undue delay and within the time frame required under Data Protection Laws to Company’s Designated POC. Where possible, such notice will include all available details required under Data Protection Laws for Company to comply with our own notification obligations to regulatory authorities or individuals affected by the Security Incident.
7. Audits. To the extent Data Protection Laws afford Company an audit right, Company (or its appointed representative) may carry out an audit of our policies, procedures, and records relevant to the Processing of Company Personal Data. Any audit must be: (i) conducted during our regular business hours; (ii) with reasonable advance notice to us; (iii) carried out in a manner that prevents unnecessary disruption to our operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit shall be limited to once per year, unless an audit is carried out at the direction of a government authority having proper jurisdiction. Company shall be responsible for any costs arising from such audit.
8. Data Deletion. At the expiry or termination of the Agreement, we will, at Company’s request, delete all Company Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with our data retention schedule), except where we are required to retain copies under applicable laws, in which case we will isolate and restrict that Company Personal Data from any further Processing except to the extent required by applicable laws.
9. Processing Details.
9.1. Subject Matter. Processing in connection with the provision of the Services.
9.2. Duration. Processing will continue as set forth in the Agreement.
9.3. Categories of Data Subjects. Categories of Data Subjects includes the following:
9.3.1. Company’s employees (interviewers, hiring managers, recruiters, administrators)
9.3.2. Job candidates
9.4 Nature and Purpose of the Processing. Processing in connection with the provision of the Services.
9.5 Types of Company Personal Data. Company Personal Data that is Processed under the Agreement, the extent of which is determined and controlled Company. Company Personal Data may include the following:
9.5.1 Company’s Employees:
9.5.1.1. Contact information and professional details (e.g., full name, email address, phone number, job title)
9.5.1.2.Electronic identification information (e.g., IP address, device information, analytics identifiers)
9.5.1.3.Authentication credentials (encrypted passwords, OAuth tokens from connected services)
9.5.1.4.Calendar and scheduling data from connected accounts (Google, Microsoft)
9.5.1.5.Audio and video recordings of interviews conducted by the employee
9.5.1.6.Interview transcripts, notes, feedback, and assessments authored by the employee
9.5.2. Job Candidates:
9.5.2.1.Contact information (e.g., full name, email addresses, phone number)
9.5.2.2.Professional details (e.g., current job title, current company, location, professional links)
9.5.2.3.Resume and application documents
9.5.2.4.Audio and video recordings and transcripts of interviews
9.5.2.5.Hiring pipeline status and interview stage progression
10. Company’s Obligations. Company represents and warrants that: (i) it has complied and will comply with Data Protection Laws; (ii) it has provided data subjects whose Company Personal Data will be Processed in connection with the Agreement with a privacy notice or similar document that clearly and accurately describes Company’s practices with respect to the Processing of Company Personal Data; (iii) it has obtained and will obtain and continue to have, during the term, all necessary rights, lawful bases, authorizations, consents, and licenses for the Processing of Company Personal Data as contemplated by the Agreement; and (iv) our Processing of Company Personal Data in accordance with the Agreement will not violate Data Protection Laws or cause a breach of any agreement or obligations between Company and any third party.
11. Contact Information.
11.1.The parties agree to designate a point of contact for urgent privacy and security issues (a “Designated POC”). The Designated POC for both parties are:
Exhibit A – Supplemental Terms for the Standard Contractual Clauses
This Exhibit A forms part of the Addendum and supplements the Standard Contractual Clauses. Capitalized terms not defined in this Exhibit A have the meaning set forth in the Addendum.
The parties agree that the following terms shall supplement the Standard Contractual Clauses:
1. Supplemental Terms. The parties agree that: (i) a new Clause 1(e) is added the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection.”; (ii) a new Clause 1(f) is added to the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses, as supplemented by Annex III, also apply mutatis mutandis to the Parties’ processing of personal data that is subject to UK Data Protection Laws (as defined in Annex III).”; (iii) the optional text in Clause 7 is deleted; (iv) Option 1 in Clause 9 is struck and Option 2 is kept, and data importer must notify data exporter of any new subprocessors in accordance with Section 3.4 of the Addendum; (v) the optional text in Clause 11 is deleted; and (vi) in Clauses 17 and 18, the governing law and the competent courts are those of Ireland (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers).
2. Annex I. Annex I to the Standard Contractual Clauses shall read as follows:
A. List of Parties
Data Exporter: Company.
Address: As set forth in the Notices section of the Agreement.
Contact person’s name, position, and contact details: Company’s Designated POC.
Activities relevant to the data transferred under these Clauses: The Services.
Role: Controller.
Data Importer: Textio.
Address: As set forth in the Notices section of the Agreement.
Contact person’s name, position, and contact details: Our Designated POC.
Activities relevant to the data transferred under these Clauses: The Services.
Role: Processor.
B. Description of the Transfer:
Categories of data subjects whose personal data is transferred: The categories of data subjects set forth in the Addendum.
Categories of personal data transferred: The categories of personal data set forth in the Addendum.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Any sensitive data that is transferred under the Clauses. Such data shall be subject to the security measures referenced in the Addendum.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Personal data is transferred in accordance with the standard functionality of the Services, or as otherwise agreed upon by the parties.
Nature of the processing: The Services.
Purpose(s) of the data transfer and further processing: The Services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data importer will retain personal data in accordance with the Addendum.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: For the subject matter, nature, and duration as identified above.
C. Competent Supervisory Authority: The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the Irish Data Protection Commission (DPC), and if this is not possible, then as otherwise agreed by the parties consistent with the conditions set forth in Clause 13.
D. Additional Data Transfer Impact Assessment Questions:
Will data importer process any personal data under the Clauses about a non-United States person that is “foreign intelligence information” as defined by 50 U.S.C. § 1801(e)?
Not to data importer’s knowledge.
Is data importer subject to any laws in a country outside of the European Economic Area, Switzerland, and/or the United Kingdom where personal data is stored or accessed from that would interfere with data importer fulfilling its obligations under the Clauses? For example, FISA Section 702. If yes, please list these laws:
As of the effective date of the Addendum, no court has found data importer to be eligible to receive process issued under the laws contemplated by this question, including FISA Section 702, and no such court action is pending.
Has data importer ever received a request from public authorities for information pursuant to the laws contemplated by the question above? If yes, please explain:
No.
Has data importer ever received a request from public authorities for personal data of individuals located in European Economic Area, Switzerland, and/or the United Kingdom? If yes, please explain:
No.
E. Data Transfer Impact Assessment Outcome: Taking into account the information and obligations set forth in the Addendum and, as may be the case for a party, such party’s independent research, to the parties’ knowledge, the personal data originating in the European Economic Area, Switzerland, and/or the United Kingdom that is transferred pursuant to the Clauses to a country that has not been found to provide an adequate level of protection under applicable data protection laws is afforded a level of protection that is essentially equivalent to that guaranteed by applicable data protection laws.
F. Clarifying Terms: The parties agree that: (i) the certification of deletion required by Clause 8.5 and Clause 16(d) of the Clauses will be provided upon data exporter’s written request; (ii) the measures data importer is required to take under Clause 8.6(c) of the Clauses will only cover data importer’s impacted systems; (iii) the audit described in Clause 8.9 of the Clauses shall be carried out in accordance with Section 7 of the Addendum; (iv) the termination right contemplated by Clause 14(f) and Clause 16(c) of the Clauses will be limited to the termination of the Clauses; (v) unless otherwise stated by data importer, data exporter will be responsible for communicating with data subjects pursuant to Clause 15.1(a) of the Clauses; (vi) the information required under Clause 15.1(c) of the Clauses will be provided upon data exporter’s written request; and (vii) notwithstanding anything to the contrary, data exporter will reimburse data importer for all costs and expenses incurred by data importer in connection with the performance of data importer’s obligations under Clause 15.1(b) and Clause 15.2 of the Clauses without regard for any limitation of liability set forth in the Agreement.
3. Annex II. Annex II of the Standard Contractual Clauses shall read as follows:
Data importer shall implement and maintain technical and organisational measures designed to protect personal data in accordance with the Addendum.
Pursuant to Clause 10(b), data importer will provide data exporter assistance with data subject requests in accordance with the Addendum.
4. Annex III. A new Annex III shall be added to the Standard Contractual Clauses and shall read as follows:
The UK Information Commissioner’s Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) is incorporated herein by reference.
Table 1: The start date in Table 1 is the effective date of the Addendum. All other information required by Table 1 is set forth in Annex I, Section A of the Clauses.
Table 2: The UK Addendum forms part of the version of the Approved EU SCCs which this UK Addendum is appended to including the Appendix Information, effective as of the effective date of the Addendum.
Table 3: The information required by Table 3 is set forth in Annex I and II to the Clauses.
Table 4: The parties agree that Importer may end the UK Addendum as set out in Section 19.
5. Please list the Subprocessors that will have access to Company Personal Data that is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom.
The subprocessors you are agreeing to are listed below. We may update these from time to time and will provide you notice and objection rights as set forth in Section 3.4.
