Data Processing Agreement
Eddy HR, LLC EU/UK Data Processing Agreement
DPA Background
This EU/UK Data Processing Agreement (“DPA”) supplements our online Platform License and Terms of Service and Privacy Policy (together and individually, the “Agreement”) with clients (“Client” or “you”) insofar as they relate to processing of personal data subject to the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“EU GDPR”) and the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) (collectively, when applicable, the “GDPR”). To the extent it conflicts with our Terms of Service or our Privacy Policy, this DPA will control. Capitalized terms used in this DPA shall have the same meaning set forth for those terms in the GDPR, unless a different meaning is specified herein.
Eddy HR, LLC (“Eddy,” “we,” or “us”) is a software as a service provider. As such, we act as a “Processor” under the GDPR. As one of our clients, you control the means and purposes for the processing of the data you gather using our services (the “Services”), and thus, you are a Controller under the GDPR. Unless otherwise agreed between us in writing, those items the GDPR requires of Processors will be our responsibility, and those items required of Controllers will be your responsibility. Specifically, the parties agree as follows:
How to Execute this DPA
We have adopted this DPA and made it effective through the Agreement into which our Clients enter with us. No further execution of the DPA is necessary by you or Eddy. That includes the signature lines for Annex I.A of the Standard Contractual Clauses attached to this DPA. The Agreement incorporates both this DPA and the attached Standard Contractual Clauses, so no further signature of either document is required.
Our GDPR Obligations
When you use the Services, you may obtain Personal Data about your job applicants, prospects, employees, marketplace partners, customers, vendors, suppliers, or other individuals with whom you interact, or about whom you gather personal data (“Your Personal Data”), using the Services (collectively and individually, “Your Data Subjects”). That Personal Data may be subject to the protections of the GDPR. For purposes of clarity, the parties agree that Your Personal Data does not include information which does not relate to an identified or identifiable individual, or personal information or data rendered anonymous in such a manner that the individual is not or is no longer identifiable (“Anonymized Data”). As outlined in our Privacy Policy, we retain all rights in Anonymized Data to use it for all legal purposes.
Each party agrees that it will act in full compliance with the requirements of the GDPR and agrees to indemnify, defend and hold harmless the other party from and against any losses, liabilities, damages, settlements, or other damages arising out of or relating to its own acts and omissions that do not comply with the requirements of the GDPR. This duty to indemnify, defend, and hold harmless is, where applicable, limited to fines that may be imposed by a governing authority and any and all reasonable attorneys’ fees and court costs.
Acknowledging that certain of your obligations as a Controller must be passed along to any company or individual that Processes the Personal Data of Your Data Subjects, we agree to perform the following functions and to facilitate your compliance with the GDPR in the following ways:
1. Right of Access by Data Subject and Communication with Authorities and Your Data Subjects
To assist you in your obligations as a Controller, we will implement the necessary technical and organizational measures to allow you to (1) respond to any request by any individual to exercise his or her rights under the GDPR, and (2) respond to correspondence, inquiries, or complaints from entitled third parties such as individuals, regulators, courts, and other authorities in connection with the processing of Personal Data. If any such requests or correspondence are received directly by us, we will forward you the request or correspondence and will wait for further direction from you before taking action. We will not communicate with authorities or Your Data Subjects without receiving your advance permission, except as required by applicable law. Upon documented request from you, we will correct, supplement, modify or delete any of Your Personal Data, except as required by applicable law.
2. Use Limitation
We will not use or Process any of Your Personal Data for any purpose other than the purpose set forth in the Agreement, except to respond to documented requests from you regarding Your Personal Data. In no event will we Process or transfer any of Your Personal Data for our own purposes or for the purposes of any third party. In addition, we will delete all Your Personal Data from our systems thirty (30) days after termination of the Agreement, except as may be required by applicable law. Certain of Your Personal Data is subject to the laws of various jurisdictions regarding archiving of employment-related data. To comply with that broad array of laws, and to allow us to facilitate the restarting of clients who may have terminated their agreement with us, we keep the employment-related data for a period of seven years, unless a client requests us to delete that data, in which case we will delete the data within thirty (30) days after receipt of the request. You also agree that you will not Process any Personal Data of any Data Subject for any purpose other than the purposes for which you have consent from the Data Subject.
3. International Transfers of Data
To the extent your transfer of Your Personal Data to us involves a transfer out of the EU or UK, upon your entering into this DPA as provided above, we will comply with the transfer mechanisms attached hereto as Exhibit A (EU Standard Contractual Clauses) and Exhibit B (UK Transfer Addendum) (collectively the “Transfer Mechanisms”).
In the event of any conflict between the Transfer Mechanisms and this DPA, the Transfer Mechanisms control and supersede. If the EU, the UK ICO, or the courts thereof decide that the Transfer Mechanisms are insufficient protection for citizens of the EU and UK, respectively, then the parties will work together in good faith to determine how a new valid method can be implemented to meet any new requirements.
We will not Process or transfer any of Your Personal Data originating from the European Economic Area or the UK in any country or territory that has been determined to offer an inadequate level of data protection unless we have first obtained your consent or ensured that a valid transfer mechanism similar to, but not less restrictive than, the Transfer Mechanisms is in place with respect to such country or territory.
4. Processing Confidentiality and Agreements by Agents
We will keep Your Personal Data strictly confidential and will ensure that any of our employees, vendors, or other agents (“Our Agents”) who have access to Your Personal Data (1) are informed of and subject to this strict duty of confidentiality; (2) Process only such of Your Personal Data as is strictly necessary to perform our obligations under the Agreement; and (3) do not permit any person to Process Your Personal Data who is not subject to the foregoing duties. We accept responsibility for the conduct of Our Agents in this regard, including their acts, errors and omissions.
5. Disposition of Your Personal Data Upon Request or Termination
At your request or at termination of the Agreement, whichever is sooner, we will delete or return to you all Your Personal Data, including any of Your Personal Data subcontracted to a third party for Processing, except as required by applicable law. At that time, with respect to Your Personal Data that we are required by applicable law to retain, we will isolate and protect Your Personal Data from further Processing, except as required by applicable law. We will use commercially reasonable efforts to ensure that any of our Subprocessors who are in possession of Your Personal Data also comply with this provision. Notwithstanding the foregoing, certain of Your Personal Data is subject to the laws of various jurisdictions regarding archiving of employment-related data. To comply with that broad array of laws, and to allow us to facilitate the restarting of clients who may have terminated their agreement with us, we keep the employment-related data for a period of seven years, unless a client requests us to delete that data.
6. Security Incidents and Security
We will at all times make commercially reasonable efforts to ensure that Your Personal Data is adequately protected in accordance with the requirements of the GDPR. To this end, we will implement appropriate technical and organizational measures to protect Your Personal Data from security incidents. These measures are described in Exhibit C to this DPA.
When we become aware of any security incident, which consists of the unpermitted, accidental, or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, any of Your Personal Data, we will inform you without any undue delay, and in no event later than 48 business hours after we discover the security incident. We will cooperate reasonably with you and provide you the information you need in order to fulfil your data breach obligations under the GDPR. We will also take such further measures and actions as are necessary to remedy or mitigate the effects of the security incident, and we will keep you informed of every material development connected with the security incident. Except as required by law, we will not take action to notify Your Data Subjects of any security incident.
7. Subprocessors
In the course of providing our Services, we may contract with third-party processors (each a “Subprocessor”) to perform a portion of the Services. We have included as Exhibit D a list of the Subprocessors we currently use. We will not add any additional Subprocessors without informing you of such Subprocessors and giving you an opportunity to object to the use of such Subprocessors. Your execution of the Agreement and your continued use of our Services constitute your authorization for our use of our Subprocessors. This authorization constitutes your general authorization to subprocessing by us for purposes of Clause 9(a), Option 2 of the Standard Contractual Clauses. We will impose the same data protection obligations upon each of our Subprocessors that we agree to in this DPA.
For the avoidance of doubt, the approval requirements as set out in this subsection will not apply in cases where we subcontract ancillary services to third parties without their having access to Your Personal Data. Such ancillary services are not considered data processing.
8. Audits, Requests from Law Enforcement, and Impact Assessment
In certain instances, you as a Controller are required to submit to an audit to show that you are complying with the provisions of the GDPR. In any such instance, we will cooperate fully with such audit and maintain a reasonable record of the processing activities that we carry out on your behalf. After reasonable notice, we will allow you or your auditors to audit our compliance with this DPA, including communication with our staff and access to our systems and information; provided you conduct your audit during normal business hours, make reasonable efforts to minimize the disruption to our business, and give us reasonable prior written notice if not prohibited by law.
If we are requested by law enforcement to disclose any of Your Personal Data, we will, unless prohibited by law, inform you of the request, attempt to re-direct the law enforcement agency to contact you directly, and only provide such information as required by law.
If you believe that our processing of Your Personal Data is likely to result in a high risk to the data protection rights and freedoms of citizens of the EU or UK, we will assist you in a reasonable and timely manner to conduct a data protection impact assessment, which may include consulting with the relevant data protection authority.
Your Obligations
As a Controller under the GDPR, you are required to carry out certain responsibilities and to comply with certain requirements. For example, and without intending to limit your obligations, you are required to comply with the privacy and confidentiality provisions of the GDPR, just as we are. You are also required to ensure that the consent of Data Subjects is obtained and that processing of Your Personal Data is otherwise justified under the GDPR. We acknowledge that in doing so, you are required to ensure that your Processors also comply with certain requirements, and we will reasonably cooperate with your requests in this regard. However, if you make requests of us that go beyond our obligations set forth in the “Our GDPR Obligations” section of this DPA, we will comply with your requests at your expense.
EXHIBIT A
Details of the EU Standard Contractual Clauses (Module 2: Controller to Processor)
When applicable, the parties fully incorporate the EU Standard Contractual Clauses under Regulation (EU) 2016/679 of the European Parliament and the Council approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 into the DPA agreed by the parties, including the following options:
- Module 2 applies to the parties’ relationship.
- The parties’ signature to this DPA and the EU Standard Contractual Clauses is presumed.
- Clause 7 (Docking Clause) does not apply.
- For Clause 9(a), Option 2 applies. “ten (10) business days” replaces [Specify time period].
- The option under Clause 11 (Redress) does not apply.
- For Clause 13(a), the data exporter is considered established in an EU Member State.
- For Clause 17, Option 1 applies. Ireland law governs.
- For Clause 18(b) the courts of Ireland have jurisdiction.
- The information required under Annex 1.A is included in the Agreement.
- The information required under Annex 1.B is included in Appendix 1 to this Exhibit A.
- For Annex 1.C, the Data Protection Commissioner in Ireland is the competent supervisory authority.
- The information required under Annex II is included as Exhibit C to this DPA.
- The information required under Annex III is included as Exhibit D to this DPA.
APPENDIX 1 TO EXHIBIT A
This Appendix forms part of the EU Standard Contractual Clauses.
Categories of Data Subjects Whose Personal Data Is Transferred
- Prospects, customers, business partners and vendors of data exporter (who are natural persons)
- Employees or contact persons of data exporter’s prospects, customers, business partners and vendors
- Employees, agents, advisors, freelancers of data exporter (who are natural persons)
- Data exporter’s Users authorized by data exporter to use the Services
Categories of Personal Data Transferred
The Personal Data transferred includes, but is not limited to, the following categories of data:
- First, Middle, and Last Name
- Title
- Position
- Employer
- Payroll information
- Contact Information (Company, email, phone, physical home address)
- ID Data
- Professional Life data
- Personal Life data
- Connection data
- Localization data
Sensitive Data Transferred
The Personal Data transferred includes, but is not limited to, the following sensitive data:
- Data exporter may submit sensitive data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which is for the sake of clarity Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
Frequency of Transfer
Continuous basis.
Nature of Processing
The personal data transferred will be subject to the following basic processing activities:
- The objective of Processing of Personal Data by data importer is the performance of the Services pursuant to the Agreement.
Purpose of the Data Transfer and Further Processing
The purpose of the data transfer and processing is: (1) the data importer’s performance of the agreed-upon Services; (2) accomplishing the data importer’s business purpose; (3) improving the data importer’s Services; (4) complying with the GDPR; and (5) complying with any further instructions of the data exporter.
Period for Which Personal Data Will Be Retained
See Section 1.5 of the DPA.
Subject Matter, Nature, and Duration of Processing by Subprocessors
See Section 1.5 and Exhibit D to the DPA.
EXHIBIT B
Details of the UK Transfer Addendum
This Exhibit B forms part of the DPA and supplements the EU Standard Contractual Clauses, pursuant to the Information Commissioner’s Office decision of February 2, 2022 implementing the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force 21 March 2022.
Part 1 is as follows:
- The information required on Table 1 is found in the parties’ Agreement.
- The information required on Table 2 is found on Exhibit A.
- The information required on Table 3 is found on Exhibit A.
- For Table 4, the ending party is the data importer.
Part 2 is as follows:
Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
Exhibit C
Technical and Organizational Measures
The technical and organizational measures we take are outlined on our website at https://eddyhr.com/security/. Those measures are periodically updated to ensure we are following current standards in data security.
EXHIBIT D
List of Subprocessors
This list shows each Subprocessor, the services it provides to Vendor, and the location of the Processing (country).
- Amazon (Data storage and infrastructure) — USA
- Aircall (Phone services) — USA
- CrowdStrike (Observability platform for data security) — USA
- CheckHQ (Data storage and payroll processing) — USA
- Drata (Security and Compliance) — USA
- Dropbox Sign (Data storage and processing) — USA
- Embrace.io (Observability platform for mobile app) — USA
- Glassdoor (Data storage and processing) — USA
- Hubspot (E-mail marketing, CRM, web forms to capture leads) — USA
- Indeed (Data storage and processing) — USA
- JobTarget (Data storage and processing) — USA
- LinkedIn (Data storage and processing) — USA
- New Relic (Observability platform for usage data) — USA
- Neverbounce (Data storage and email processing) — USA
- Nylas (Data storage and email processing) — USA
- Rb2b (Marketing services) — USA
- Seamless.ai (Data storage and processing) — USA
- Snowflake (Data storage and processing) — USA
- Stripe (PCI compliance and payment processing) — USA
- Talent.com (Data storage and processing) — USA; Canada; European Economic Area
- ZipRecruiter (Data storage and processing) — USA