Data Processing Agreement

Last Updated: September 24, 2021

This Data Processing Agreement (DPA) is an addendum to the Uptomic Service Terms. It shall apply to all Processing of Customer’s Personal Data by Uptomic using the Uptomic Services.

1. Definitions

1.1        Controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

1.2        Customer Personal Data means the Personal Data which Uptomic is processing as Processor or Subprocessor on behalf of Customer to provide the Services. Customer Personal Data includes both (a) Personal Data controlled by Customer as Controller AND (b) Personal Data Customer is Processing on behalf of itself or Other Controllers as Processor.

1.3        Agreements means this Data Processing Agreement, the Service Terms including all other documents and agreements referenced therein, and, if applicable, the Standard Contractual Clauses.

1.4        PII and Personally Identifiable Information mean Personal Data as defined herein.

1.5        Data Subject is the identified or identifiable natural person to which the Personal Data relates.

1.6        Data Protection Laws means the GDPR and all Member State data protection laws and regulations.

1.7        EU Standard Contractual Clauses means the standard contractual clauses for the transfer of personal data to processors established in third countries (Commission Decision 2010/87/EC) as published by the Danish Data Protection Agency in January 2020 and approved by the European Data Protection Board (EDPB).

1.8       GDPR means the General Data Protection Regulation 2016/679.

1.9        Member State means a country that is a member of the European Union or the European Economic Area.

1.10    Other Controller means any entity other than Customer that is Controller of the Customer Personal Data, such as Customer’s affiliated companies or Customer’s Client’s, their customers or affiliated companies.

1.11    Personal Data means any information relating to an identified or identifiable natural person (‘Data Subject’), which information is subject to the GDPR or the laws of non-EU EEA countries that have formally adopted the GDPR; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.12    Personal Data Breach means a suspected or actual breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

1.13.    Process or Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.14    Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

1.15    Service(s) means the services provided by Uptomic as agreed in the Agreements.

1.16    Subprocessor means any subcontractor engaged by Uptomic for the Processing of Customer Personal Data in accordance with Section 8.1.

1.17    Supervisory Authority means an independent public authority which is established by a Member State pursuant to the GDPR.

1.18    Uptomic Affiliates means companies which are controlled by Uptomic, which control Uptomic or which are under common control with Uptomic. “To control” or “to be controlled” means to hold, directly or indirectly, more than 50% of the respective shares with voting rights.

1.19    CCPA means the California Consumer Privacy Act (the “CCPA”)

1.20    Consumer means a natural person who is a California resident, however identified, including by any unique identifier, as defined under CCPA. In this agreement, Data Subject is synonymous with Consumer when the CCPA applies.

2. Processing

2.1    This DPA applies if and to the extent Uptomic is Processing Customer Personal Data. Customer appoints Uptomic as Processor to process such Customer Personal Data. For purposes of this DPA, Customer (along with any Other Controllers) is the Controller, and Uptomic is the Processor.

2.2.    Processing Details:

(a) The nature, purposes, and subject matter of the Processing: processing of CVs and jobs to extract, classify, summarize, and format data.

(b) The duration of the Processing is: for the duration of this Agreement.

(c) Categories of Data Subjects: employees, contractors, candidates, and potential candidates of Controller or Other Controllers.

(d) Types of Customer Personal Data: Personal Data in CVs, including contact information and personal information such as:

  1. All phone numbers found in the CV.
  2. All names found in the CV.
  3. All email addresses found in the CV.
  4. All personal URLs found in the CV.

2.3    Uptomic will process customer personal data for the sole purpose of providing the Services according to Customer's written instructions as defined in this section. The initial scope of Customer’s instructions for the Processing of Customer Personal Data is defined by the Agreements including this DPA. Customer shall provide further instructions that the Uptomic must comply with, as described in the succeeding paragraph of this section. In case Uptomic does not accommodate an instruction, Customer may terminate the affected part of the Service by providing Uptomic with a written notice. If Uptomic believes an instruction violates the Data Protection Laws, Uptomic will inform Customer without undue delay.

2.4   By using the Service, each such individual use constituting a transaction, Customer authorizes Uptomic to process the data supplied in each such transaction using the configuration and parameters supplied in each such transaction.

2.5    Customer shall serve as a single point of contact for Uptomic. Similarly, Uptomic will serve as a single point of contact for Customer and is solely responsible for the internal coordination, review and submission of instructions or requests from Customer to any Subprocessors.

2.6    Uptomic will comply with all Data Protection Laws in respect of the Services applicable to Processors and is responsible for the lawfulness of Uptomic's Processing of Customer Personal Data.

2.7    Uptomic does not collect or store Personal Data on Data Subjects, nor buy, sell or rent such information.

3. Technical and Organizational Measures

3.1    Uptomic will implement and maintain technical and organizational measures to ensure a level of security appropriate to the risk. The appropriateness of the measures is subject to technical progress and further development. Uptomic shall regularly monitor its compliance with the respective technical and organizational measures and will verify this monitoring upon Customer's request. At minimum, Customer and Uptomic agree upon these measures:

3.2    Uptomic will not store or retain any known personal data.

3.3    Any data stored by the Uptomic will only be stored pursuant to a Service call to the Services by the Customer instructing Uptomic to do so, and that only data that has had all known personal data expunged (i.e., anonymized by removing the known personal data) shall be stored

3.4    All processing of data by Uptomic shall be accomplished in real time, in the context of each individual web service transaction in which the Customer has submitted data for processing with instructions as embodied in such Service call, and that such processing is to be performed only by software and never by humans.

3.5    All known personal data shall be returned to the Customer by Uptomic in the Service response to a Customer service request, and not retained or stored by the Uptomic, and that therefore the Customer shall be solely responsible for responding to Data Subjects’ requests to modify, obtain or delete their personal data, and that Customer agrees that Uptomic cannot ever restore, retrieve, or make available personal data since it never retained any, as further described in Section 7

3.6    If changes to the technical and organizational measures agreed by the parties in writing or to the way Uptomic implements these technical and organizational measures are required by Customer, such changes shall be implemented by Uptomic following Customer's instructions, unless Uptomic cannot or will not do so, in which case Uptomic shall notify Customer accordingly and Customer may elect to cease all use of the Services.

3.7    Uptomic provides Customer with sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the Data Subjects, as described in GDPR Compliance Analysis.

4. Data Subject Rights and Requests

4.1    To the extent permitted by law, Uptomic will inform Customer without undue delay of requests from Data Subjects exercising their Data Subject rights (e.g. rectification, deletion and blocking of data) addressed directly to Uptomic regarding Customer Personal Data. If Customer is obliged to provide information regarding CustomerPersonal Data to Other Controllers or third parties (e.g. Data Subjects or the Supervisory Authority), Uptomic shall assist Customer in doing so by providing all required information that is in its possession. If Customer or Other Controllers are obliged to provide information about the processing of Customer Personal Data to a Data Subject, Uptomic shall assist Customer in making the required information available to the extent that Uptomic has such information.

4.2    If a Data Subject brings a claim directly against Customer for damages suffered due to Uptomic's breach of this DPA or Data Protection Laws with regard to the processing of Customer Personal Data, Uptomic will indemnify Customer for any cost, charge, damages, expenses or loss arising from such a claim, provided that Customer has notified Uptomic about the claim and is giving the Uptomic the possibility to cooperate with Customer in the defence and settlement of the claim.

5. Third-Party Requests and Confidentiality

5.1    Uptomic will not disclose Customer Personal Data to any third party, unless authorized by Customer or required by mandatory law. If a government or Supervisory Authority demands access to Customer Personal Data, Uptomic will notify Customer prior to disclosure unless prohibited by law. If Uptomic is prohibited from notifying Customer, Uptomic will take appropriate steps to challenge the prohibition through judicial action or other means (e.g., if the Belgian government serves a national security order on Uptomic to obtain Customer Personal Data). Because Uptomic does not store, and will not store, known Personal Data, there is no store of Personal Data that Uptomic maintains that could be used in satisfaction of such requests.

5.2    Uptomic shall require all its personnel authorized to process Customer Personal Data, if any, to commit themselves to confidentiality and not Process such Customer Personal Data for any other purposes, except on instructions from Customer and/or Other Controllers or unless required by applicable law. Such an obligation of confidentiality shall include annual security and privacy training and continue indefinitely. Uptomic shall demonstrate its compliance with this obligation by providing sufficient proof to Customer upon written request. Uptomic's Services do not use human effort to process data ever in any sense whatsoever, and no known Personal Data is ever stored. Therefore, no Uptomic personnel have ever been authorized to process Customer Personal Data, nor will be.

6. Information and Audit

6.1   Uptomic is obliged to provide information in writing about the processing of Customer Personal Data, including but not limited to the technical and organizational measures implemented and any Subprocessors engaged.

6.2   Uptomic shall allow for and contribute to audits, including inspections, conducted by Customer and/or Other Controllers and the respective Supervisory Authorities or another auditor legally mandated by Customer and/or Other Controllers to demonstrate compliance with Uptomic's obligations set out in this DPA and the Data Protection Laws applicable to Uptomic in the performance of the Services. Uptomic may provide proof of the adherence to an approved code of conduct or an approved certification mechanism, or otherwise provide information, such as confirmation of a SOC 2 audit opinion, to Customer which may be used as an element to demonstrate compliance with Uptomic’s obligations. Customer or Other Controllers may reasonably assure itself of Uptomic’s compliance at any of Uptomic's business premises involved in the Processing of Customer Personal Data, during Uptomic's normal business hours, after prior notification. Uptomic will provide Customer and/or Other Controllers access to Customer Personal Data, if any, keeping in mind that Uptomic has stated herein that it does not store and will not store any known Personal Data, and/or access to any of its business premises involved in the Processing of Customer Personal Data. To the extent Customer is mandating another auditor, such other auditor shall not be a direct competitor of Uptomic about the Services and shall be bound to confidentiality.

6.3   Upon Customer’s request, Uptomic shall provide information on the material terms of the contracts in relation to the implementation of the data privacy obligations by Uptomic’s approved Subprocessors set out in Section 8.1, including, if necessary, by means of granting access to the relevant contract documents. Uptomic shall ensure that any audit and information rights towards Uptomic's Subprocessors also apply directly to Customer and/or Other Controllers as well as the respective Supervisory Authorities.

7. Return or Deletion of Customer Personal Data

7.1    Uptomic does not store or retain Data Subject Personal Data. Customer acknowledges that it is Customer's sole responsibility to store, edit and delete Data Subject Personal Data and to respond to requests by Data Subjects to view, edit, delete or otherwise interact with their Personal Data since Uptomic retains no such Personal Data.

8. Subprocessors

8.1    The engagement of Subprocessors (including Uptomic Affiliates) by Uptomic requires Customer’s explicit prior written approval. The fact that Customer has agreed to the involvement of a respective subcontractor regarding the provision of Services, cannot be considered as an approval for such subcontractor to Process Customer Personal Data as Subprocessor.

8.2    Customer hereby explicitly approves the engagement of the Subprocessors listed in Subprocessors. Uptomic will notify Customer in advance of any changes to Subprocessors at least 30 days in advance unless such notice period is practically or legally infeasible. Customer shall not unreasonably object to any intended change. However, an objection from Customer that is based on any Other Controllers’ objection of the respective Subprocessor shall always be considered as reasonable grounds to object. If Customer objects to the appointment of a new Subprocessor, Customer must immediately cease using the Services that would otherwise engage the services of the Subprocessor.

8.3    Uptomic shall impose the same data protection obligations as set out in this DPA on any approved Subprocessor prior to the Subprocessor Processing any Customer Personal Data and ensure that the relevant obligations (including but not limited to the information and audit rights provided for in Section 6) can be directly enforced by Customer or Other Controllers against the Uptomic’s Subprocessors.

8.4    Uptomic remains responsible for its Subprocessors and liable for their acts and omissions as for its own acts and omissions and any references to Uptomic’s obligations, acts and omissions in this DPA shall be construed as referring also to the Uptomic’s Subprocessors.

9. Transborder Data Processing

9.1    Uptomic uses processing nodes physically located in EU. Uptomic does not transfer Personal Data for processing outside of EU, unless directed so by Customer. Thus, data sent to the EU node for processing of Personal Data will always be processed only within the EU, and no EU Standard Contractual Clauses are necessary to comply with the GDPR. However, in the case that Customer chooses to send EU Data Subject’s Personal Data to the Services for processing at a node outside the EU, then the Standard Contractual Clauses will apply. The Standard Contractual Clauses will not apply to Personal Data that is not transferred, either directly or via onward transfer, outside the EEA.

10. Personal Data Breach

10.1   Uptomic will inform Customer without undue delay of any suspected non-compliance with applicable Data Protection Laws or relevant contractual terms or in case of serious disruptions to operations or any other irregularities in the processing of the Customer Personal Data. Uptomic will promptly investigate and rectify any non-compliance as soon as possible and upon Customer’s request, provide Customer with all information requested about the suspected non-compliance.

10.2   Uptomic will notify Customer without undue delay (and in no event later than 72 hours) after becoming aware of a Personal Data Breach in respect of the Services. Uptomic will promptly investigate the Personal Data Breach and will provide Customer with reasonable assistance to satisfy any legal obligations (including obligations to notify Supervisory Authorities or Data Subjects) of Customer and/or Other Controllers in relation to the Personal Data Breach, as set out in Section 11.1.

11. Assistance and Records

11.1    Taking into account the nature of Processing, Uptomic will assist Customer by appropriate technical and organizational measures in the fulfilment of Customer’s and/or Other Controllers’ obligation to comply with the rights of Data Subjects and in ensuring compliance with Customer’s and/or Other Controllers’ obligations relating to the security of processing, the notification of a Personal Data Breach and the data protection impact assessment, taking into account the information available to Uptomic.

11.2   Uptomic will maintain an up-to-date record of the name and contact details of each Subprocessor of the Customer Personal Data and, where applicable, the Subprocessors’ representative and data protection officer. Upon request, Uptomic will provide an up-to-date copy of this record to Customer.

12. General

12.1    Whenever this DPA is referring to written form, electronic form such as email shall be sufficient.

12.2   Customer and Uptomic agree that this DPA is part of the Agreement and is governed by its terms and conditions, unless otherwise required by applicable law. In case of conflict, the order of precedence in respect of the Processing of Customer Personal Data shall be: Exhibits to this DPA, this DPA and then the Agreement. Where EU Standard Contractual Clauses are an integral part of this Agreement as set out in Section 9.1, the EU Standard Contractual Clauses shall prevail.

12.3    If an amendment to this DPA, including its Exhibits, is required in order to comply with applicable law or comply with requirements set out by Customer, Uptomic will provide an amendment to this DPA with the required changes to Customer. Both parties will work together in good faith to promptly execute a mutually agreeable amendment to this DPA reflecting the requirements set out by Customer. In case Uptomic is not able to accommodate the requested changes, Customer may terminate all or part of the Agreements and this DPA with thirty (30) days’ written notice, and if it does so, must cease all use of the Services.

12.4   This DPA shall not restrict any applicable Data Protection Laws. If any provision in this DPA is ineffective or void, this shall not affect the remaining provisions. The parties shall replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision. In case a necessary provision is missing, the parties shall add an appropriate one in good faith.

12.5    Uptomic guarantees the prompt and satisfactory performance of its obligations and responsibilities under this DPA by Uptomic and Uptomic agrees that it shall be responsible for all costs associated with its compliance of such obligations.