Data Processing Agreement

This Data Processing Addendum is supplemental to and forms part of Applicantz Terms of Service found on Applicantz website at www.applicantz.io/terms-and-conditions (“Agreement”), between Applicantz LLC (“Applicantz”) and the customer entity that is party to the Agreement (“Data Controller”).

In consideration of the mutual rights and obligations adopted in this addendum and in further consideration of the mutual rights and obligations in the Agreement, Applicantz and the Data Controller hereby agree as follows:

1. Definitions

1.1. In this addendum:

1.1.1. Controller, Processor, Data Subject, Personal Data, Personal Data Breach, processing and appropriate technical and organizational measures shall have the meanings set out in the Data Protection Legislation.

1.1.2. Data Protection Legislation: means all applicable data protection and privacy legislation in force from time to time in the US including the Data Protection Act 2018 (and regulations made thereunder); the US GDPR (which has the meaning given to it in the Data Protection Act 2018); and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.

1.1.3. Protected Data means Personal Data received by Applicantz from or on behalf of the Data Controller in connection with the Agreement, or in respect of applicants using Applicantz website to apply for employment with or hire by the Data Controller.

2. Compliance with Data Protection Legislation

2.1. The parties agree that the Data Controller is a Controller and that Applicantz is a Processor for the purposes of processing Protected Data pursuant to this addendum. Applicantz shall process Protected Data in compliance with the obligations placed on it under Data Protection Legislation and this addendum. Should the determination in this clause change, then each party shall work together in good faith to make any changes which are necessary to this addendum. Part A of this addendum sets out the scope, nature and purpose of processing by Applicants, the duration of the processing and the types of Personal Data and categories of Data Subject.

2.2. The Data Controller shall ensure that all instructions given by it to Applicantz in respect of Protected Data (including the terms of this addendum) shall at all times be in accordance with Data Protection Legislation. Without prejudice to the generality of the foregoing, the Data Controller will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Protected Data to Applicantz for the duration and purposes of this addendum.

3. Instructions

3.1. Applicantz shall only process the Protected Data in accordance with this addendum (and not otherwise unless alternative processing instructions are agreed between the parties in writing) except where otherwise required by applicable law (and shall inform the Data Controller of that legal requirement before processing, unless applicable law prevents it doing so on important grounds of public interest). If Applicantz believes that any instruction received by it from the Data Controller is likely to infringe the Data Protection Legislation it shall promptly inform the Data Controller.

4. Security

4.1. Applicantz shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Protected Data and against accidental loss or destruction of, or damage to, Protected Data, which is appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it) so as to allow the Data Controller to comply with its obligations under the Data Protection Legislation.

5. Sub-processing and personnel

5.1. The Data Controller hereby provides its prior, general authorization for Applicantz to appoint processors to process the Protected Data, including initially those sub-processors set out in Part B, provided that Applicantz:

5.2. shall ensure that the terms on which it appoints such processors comply with the Data Protection Legislation, and are consistent with the obligations imposed on Applicants in this

5.3. shall remain responsible for the acts and omission of any such processor as if they were the acts and omissions of Applicantz;

5.4. shall inform the Data Controller of any intended changes concerning the addition or replacement of the processors, thereby giving the Data Controller the opportunity to object to such changes provided that if the Data Controller objects to the changes and cannot demonstrate, to Applicantz reasonable satisfaction, that the objection is due to an actual or likely breach of the Data Protection Legislation, the Data Processor shall indemnify Applicantz for any losses, damages, costs (including legal fees) and expenses suffered by Applicantz in accommodating the objection.

5.5. Applicantz shall ensure that all persons authorized by Applicantz (or any authorized sub-processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential.

6. Assistance

6.1. Applicantz shall:

6.2. notify the Data Controller without undue delay if it receives from any Data Subject whose Personal Data forms part of the Protected Data any communication seeking to exercise rights conferred on the Data Subject by the Data Protection Legislation, or any complaint or any claim for compensation arising from or relating to the processing of the Protected Data;

6.3. provide such information and such assistance to the Data Controller as the Data Controller may reasonably require insofar as this is reasonably possible (taking into account the nature of the processing and the information available to Applicantz), and at the Data Controller’s cost, to allow the Data Controller to comply with its obligations under the Data Protection Legislation, including to:

6.3.1 Assist the Data Controller in ensuring compliance with the Data Controller’s obligations pursuant to Articles 32 to 36 of the UK GDPR (and any similar obligations under applicable Data Protection Legislation);

6.3.2 assist the Data Controller (by appropriate technical and organizational measures), insofar as this is reasonably possible, for the fulfillment of the Data Controller’s obligations to respond to requests for exercising a Data Subjects’ rights under Chapter III of the UK GDPR (and any similar obligations under applicable Data Protection Legislation) in respect of any Protected Data.

7. International transfers

7.1. The Data Controller hereby provides its prior, general authorization for Applicantz to transfer Protected Data outside of the UK, provided that Applicantz shall ensure that all such transfers are affected in accordance with the Data Protection Legislation. For these purposes, the Data Controller shall promptly comply with any reasonable request of Applicantz, including any request to enter into standard data protection clauses adopted by the Information Commissioner from time to time (where the UK GDPR applies to the transfer.

8. Processing

8.1. Applicantz shall keep or cause to be kept such information as is necessary to demonstrate compliance with its obligations under this addendum including full and accurate records relating to the processing of the Protected Data and shall, upon reasonable notice, make available to the Data Controller or grant to the Data Controller and its auditors and agents, a right of access to and to take copies of any information or records kept by Applicantz pursuant to this paragraph.

9. Breach

9.1. Applicantz shall notify the Data Controller without undue delay on becoming aware of any Personal Data Breach in respect of any Protected Data.

10. Deletion/return

10.1. Applicantz shall on expiry or termination of the Agreement or otherwise on written notice from the Data Controller, promptly and securely delete the Protected Data (unless its continued storage by Applicantz is required by law). This paragraph shall survive termination or expiry of the Agreement.

10.2. The Data Controller shall have the option at any time to pause their account rather than terminate it. In these circumstances, the Protected Data will not be deleted but will be retained on behalf of the Data Controller until the Agreement expires or is terminated.

Data processing details

Processing of the Protected Data by the Data Processor under this addendum shall be for the subject matter, duration, nature and purposes and involve the types of personal data and categories of Data Subjects set out in this Part A.

1 Subject-matter of processing:
Provision of an online recruiting solution that distributes job advertisements, as described further in the Agreement

2 Duration of the processing:
Personal Data will be retained for twelve months unless the Data Controller has stipulated otherwise.

3 Nature and purpose of the processing:
The collection, recording, processing and erasure of the Protected Data to comply with the Data Processor’s obligations in the Agreement

4 Type of Personal Data:
Name, Email, Phone Number, IP Address, Resume/CV, Work History, and Responses to Screening Questions of applicants using Applicantz website to apply for employment with or hire by the Data Controller.