Last Updated: 11th July 2024
DATA PROCESSING AGREEMENT FOR SERVICE PROVIDERS
THIS AGREEMENT is BETWEEN:
Customer Full Legal Name:_________________________________________________
Customer Registered Address:
_______________________________________________________________________________
This Data Processing Agreement ("Agreement") is between Datalive Limited TA Allsorter, a limited liability company having its registered office at Westmoreland House, Westmoreland Park, Ranelagh, Dublin 6, Dublin, Ireland (“Allsorter”) and the party named above (“Customer”), each a “Party” and together the “Parties”. This Agreement is effective as of the later of the dates beneath the parties’ signatures below (the “Effective Date”).
For good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree as follows:
RECITALS
A. The Customer has engaged Allsorter to Process the Relevant Personal Data (as defined below) under the terms of a Master Services Agreement dated and executed by the Parties (the “MSA”) for the provision of effective CV automation software solutions (the “Services”).
B. Customer will use the Services under the terms of the MSA for the purposes of HR solutions.
C. This Agreement sets out the obligations of the Parties with respect to the Processing of the Relevant Personal Data.
1. Definitions and Interpretation
1.1 In this Agreement, unless the context otherwise requires:
“Agreement” means this data processing agreement.
“Controller” has the meaning given to it in the Data Protection Laws.
“Data Protection Authority” means a Supervisory Authority, as that term is defined in the Data Protection Laws.
“Data Protection Impact Assessment” means a data protection impact assessment, as described in Article 35 of the GDPR.
“Data Protection Laws” means all applicable legislation relating to data protection and privacy, including the EU GDPR and related applicable data protection and privacy laws of the EEA member states, the UK GDPR and related applicable data protection laws of the United Kingdom, and/or the related applicable data protection laws of the United States, as the case may be, each as amended, repealed, consolidated or replaced from time to time, and any applicable guidance, rules, requirements and directions issued by a data protection authority in respect of such legislation.
“Data Subject” has the meaning given to it in the Data Protection Laws.
“EEA” means the European Economic Area.
“EU GDPR” means Regulation (EU) 2016/679, as amended, consolidated or replaced from time to time.
“GDPR” means the EU GDPR or the UK GDPR, whichever is relevant.
“Personal Data” has the meaning given to it in the Data Protection Laws.
“Personal Data Breach” has the meaning given to it in the Data Protection Laws.
“Personnel” means any current, former or prospective employee, consultant, temporary contractor, agency worker, intern, other non-permanent employee, contractor, secondee or other personnel.
“Process”, “Processing” or “Processed” each have the meanings given to them in the Data Protection Laws.
“Processor” has the meaning given to it in the Data Protection Laws.
“Relevant Personal Data” means the categories of Personal Data that are set out in Schedule 1 and that are Processed under, or in connection with, the provision of the Services.
“Subprocessor” means any party engaged by Service Provider to Process Relevant Personal Data. The Subprocessors approved as at the commencement of this Agreement are as set out in Schedule 1.
“Term” has the meaning given in the MSA.
“UK GDPR” means the United Kingdom General Data Protection Regulation, which is the EU GDPR as incorporated into UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
2. Subject Matter and Scope
2.1 This Agreement applies only to the Processing of Relevant Personal Data.
2.2 The purpose of this Agreement is to help ensure adequate protection of Relevant Personal Data as may be processed by Service Provider while providing Services under the MSA. To the extent that there is any conflict between this Agreement and the MSA in relation to that purpose, this Agreement shall govern.
3. Obligations of Service Provider
3.1 With respect to the Processing of Relevant Personal Data, Service Provider shall, and shall procure that each of its Personnel, agents and Subprocessors shall, comply with Data Protection Laws, to the extent applicable; and only Process Relevant Personal Data on behalf of and in accordance with Customer’s prior written instructions (including as set out in this Agreement and the MSA) and for no other purpose.
3.2 The Service Provider represents and warrants to the Customer that it shall implement appropriate technical and organisational measures (detailed in Schedule 2) to protect the Relevant Personal Data, in accordance with applicable Data Protection Laws. The Service Provider shall ensure that such technical and organisational measures are appropriate to the particular risks that are presented by its Processing activities, in particular to protect the Relevant Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Relevant Personal Data. The Service Provider shall perform internal inspections on a regular basis to confirm that it is complying with its obligations under this Agreement and, where appropriate, the Service Provider shall amend its Processing activities to satisfy its obligations under this Agreement.
3.3 The Parties agree to promptly complete and execute a data transfer agreement substantially in the form of Controller-to-Processor Standard Contractual Clauses for the transfer of Relevant Personal Data from the European Union to Processors established in third countries and as approved for the purposes of Directive 95/46/EC (as amended, consolidated or replaced from time to time) and thereafter to comply with all of the conditions thereof.
3.4 The Parties hereby acknowledge and agree that the Customer is a Controller and the Service Provider is a Processor with respect to the Processing of the Relevant Personal Data. In addition to, and notwithstanding, any other right or obligation arising under this Agreement or the MSA, the Service Provider shall, in relation to such Processing:
(a) comply with the express instructions or directions of the Customer given from time to time in connection with the Processing of the Relevant Personal Data, and the requirements of any Data Protection Laws; and
(b) only Process the Relevant Personal Data strictly and solely: (i) to the extent necessary in connection with this Agreement, in particular as described in Schedule 1 below; and (ii) in accordance with the documented instructions received from the Customer from time to time. If at any point, the Service Provider becomes legally unable to comply with the Customer's instructions regarding the Processing of the Relevant Personal Data (whether as a result of a change in applicable law, or a change in the Customer's instructions), the Service Provider shall promptly:
(i) notify the Customer of such inability, providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the greatest extent permitted by applicable law; and
(ii) cease all Processing of the affected Relevant Personal Data (other than merely storing and maintaining the security of the affected Relevant Personal Data) until such time as the Customer issues new instructions with which the Service Provider is able to comply.
3.5 In addition, the Service Provider, and where applicable the Service Provider’s representative, shall, in relation to the Processing of the Relevant Personal Data:
(a) (i) create, (ii) keep up-to-date for the duration of the Processing, and (iii) maintain for seven years thereafter, complete and accurate records in writing (including in electronic form) of its Processing activities, including all categories of its Processing activities, in relation to the Relevant Personal Data, and disclose such records to the Customer, or any Data Protection Authority, promptly upon demand;
(b) (i) ensure the Relevant Personal Data are kept confidential; (ii) take all reasonable steps to ensure the reliability and trustworthiness of the Service Provider’s Personnel and any Subprocessors; and (iii) ensure that all relevant Service Provider Personnel, and any relevant Subprocessors, have committed themselves to ensuring the confidentiality of all the Relevant Personal Data that they Process;
(c) ensure that, in each instance in which it engages a Subprocessor to Process any Relevant Personal Data, it shall: (i) only appoint such Subprocessor in accordance with the process outlined in clause 3.7; (ii) keep the Customer informed if there is any change to the role or status of the Subprocessor; and (iii) enter into a binding written agreement with the Subprocessor that imposes on the Subprocessor the same obligations that apply to the Service Provider under this Agreement with respect to the Processing of the Relevant Personal Data;
(d) at the Customer’s request and expense, promptly provide the Customer with all reasonable technical and organisational assistance necessary to respond appropriately to requests from Data Subjects to exercise their rights;
(e) at the Customer’s request and expense, promptly provide the Customer with all reasonable assistance necessary to enable the Customer to: (i) notify relevant breaches of the GDPR and/or any domestic Data Protection Laws to the relevant Data Protection Authority and/or affected Data Subjects; (ii) conduct Data Protection Impact Assessments; and (iii) obtain any necessary authorisations from the Data Protection Authority, to the extent such breaches did not occur as a result of any error, omission or negligence on behalf of Service Provider or its Personnel;
(f) permanently and securely delete (or, at the election of the Customer, return) all Relevant Personal Data in the possession or control of Service Provider or any of its Subprocessors, within thirty (30) days after the end of the Term, unless the applicable legislation relating to data protection and privacy, including the EU GDPR and related applicable data protection and privacy laws of the EEA member states and/or the UK GDPR and related applicable data protection laws of the United Kingdom require otherwise; and procure that its Subprocessors shall do likewise;
(g) at the Customer’s request and expense, and to the extent Service Provider can do so taking into account the nature and extent of the Processing and the Relevant Personal Data stored by Service Provider, (i) promptly provide the Customer with all information reasonably necessary to enable the Customer to demonstrate compliance with its obligations pursuant to Data Protection Laws; and (ii) allow for and contribute to audits, including inspections, conducted by the Customer or an auditor appointed by the Customer; and
(h) notify the Customer promptly, and in any event within twenty-four (24) hours, of: (i) becoming aware of any Personal Data Breach affecting the Relevant Personal Data; (ii) becoming aware of any material breach of this Clause 3; or (iii) receipt of any correspondence or communication from any Data Subject, the Data Protection Authority or third party regarding the Processing of the Relevant Personal Data.
3.6 The Service Provider shall not, whether through action or omission, place the Customer in breach of any Data Protection Laws.
3.7 The Customer acknowledges and confirms its prior general consent to sub-contracting of the data processing by Allsorter to its vetted Subprocessors, an up-to-date list of which is maintained by the Service Provider and available on request. Any Subprocessors utilised by the Service Provider will comply with data protection terms which are substantially similar to the data protection obligations set out in this Agreement, including, but not limited to, standard contractual clauses where appropriate. As between the Customer (as Controller) and the Service Provider (as Processor), the Service Provider shall remain fully liable for all acts or omissions of any Subprocessor appointed by it pursuant to this clause.
3.8 The Service Provider shall remain primarily liable and responsible for the acts and omissions of its Personnel, agents and Subprocessors. All breaches of this Clause 3 by the Service Provider’s Personnel, agents or Subprocessors shall be deemed to be acts of the Service Provider. Nothing in this Agreement shall relieve the Service Provider of any liability for the acts or omissions of any Service Provider Personnel in relation to any Relevant Personal Data.
3.9 The Service Provider warrants that it will comply with the provisions of applicable Data Protection Laws and shall:
(i) indemnify and hold harmless the Customer for any loss to the Customer (including indirect and consequential loss) arising from a breach by the Service Provider, its employees, agents or sub-contractors, of its obligations under this Clause 3 or of Data Protection Laws; and
(ii) indemnify and hold harmless the Customer from and against any data protection or privacy claims arising out of, or in connection with, any breach of Data Protection Laws or this Clause 3 by the Service Provider, its employees, agents and/or sub-contractors, and hold the Customer harmless from and against any losses, damages, costs (including reasonable legal fees) and expenses (including indirect or consequential loss) incurred by the Customer or awarded by a court of competent jurisdiction against the Customer or its affiliates as a result of or in connection with such a claim.
3.10 Nothing in this Agreement limits or excludes liability of either Party in respect of any claims for death or personal injury caused by negligence, fraud or any other liability which cannot be excluded or limited by law.
3.11 To the maximum extent permitted by applicable law, Service Provider will not have any liability to Customer for any loss of profits, loss of business, loss of data, loss of use, loss of goodwill, or for any indirect, special, incidental, punitive, or consequential damages of any kind however caused.
3.12 Subject to clauses 3.10 and 3.11, in no event whatsoever shall the aggregate liability of Service Provider (whether arising for breach of contract, proprietary rights, indemnity, confidentiality obligations, misrepresentation (whether tortious or statutory), tort (including negligence), breach of statutory duty, warranty, strict liability or any other legal theory howsoever arising) under or in connection with this Agreement exceed 100% of the Charges paid to Service Provider by Customer.
3.13 Customer acknowledges and agrees that Service Provider may collect and use anonymised data from provision of its Services relating to outcomes, usage data and other information. This data shall be irreversibly anonymised and shall therefore no longer be considered Relevant Personal Data under the Data Protection Laws.
4. Obligations of Customer
4.1 The Customer warrants that it complies with its obligations under applicable Data Protection Laws in respect of the Service Provider’s engagement to Process any Relevant Personal Data.
5. Termination
5.1 This Agreement shall terminate automatically upon the termination or expiry of the MSA. Notwithstanding termination of this Agreement, or any other provision of this Agreement or the MSA, the Service Provider’s obligations under Clause 3 and this Clause 5 shall continue in full force and effect for the duration of the period in which the Service Provider Processes any Relevant Personal Data.
5.2 The Customer shall be entitled to terminate this Agreement immediately by notice in writing to the Service Provider if:
(a) The Service Provider is in material or persistent breach of this Agreement, and such breach (if capable of being remedied) has not been remedied within ten (10) business days after having been notified of such breach by the Customer; or
(b) The Service Provider becomes insolvent, has a receiver, administrator or administrative receiver appointed over the whole or any part of its assets, enters into any arrangement with creditors, or is the subject of a winding up order or procedure.
6. Waiver
6.1 Failure by either Party to exercise or enforce any right available to that Party or the giving of any forbearance, delay or indulgence shall not be construed as a waiver of the Party’s rights under this Agreement.
7. Invalidity
7.1 If any term or provision of this Agreement is held by a court of competent jurisdiction to be illegal or unenforceable, in whole or part, the validity of the remaining provisions and of this Agreement shall remain unaffected. The same shall apply in the event that this Agreement is incomplete.
8. Entire Agreement
8.1 This Agreement forms the entire agreement and understanding between the Parties with respect to its subject matter, and supersedes all prior discussions, agreements and understandings, of any kind, whether written or oral, between the Parties with respect to the subject matter of this Agreement.
9. Variation
9.1 No amendment or modification of this Agreement shall be binding on the Parties unless made in writing, expressly referring to this Agreement, and signed by a duly authorised representative of each Party.
10. Notices
10.1 Any notice made in relation to this Agreement shall be made in writing and delivered by hand or sent by airmail, facsimile, or electronic mail with notice of receipt, sent to the contact address first written above or any other address, number, or email address as the intended recipient previously has designated. The notice shall be deemed to be made when the communication is actually received by the addressee.
11. Governing Law
11.1 This Agreement shall be governed by, and construed in accordance with, the laws of the Republic of Ireland and each Party irrevocably submits to the exclusive jurisdiction of the courts of the Republic of Ireland.
SIGNED by or on behalf of the Parties on the Effective Date.
Schedule 1: Data Processing Activities
Data Subjects
The Relevant Personal Data concern the following categories of Data Subjects:
- Candidate resumes/CVs
- Client personnel information added to cover sheets
Categories of Relevant Personal Data
The following Relevant Personal Data may be Processed by Service Provider:
- Information in a standard curriculum vitae/resume (e.g. name, address and other contact information including personal telephone numbers and email addresses, educational history, employment history, degree(s) and other qualifications, languages and other skills);
- Age/date of birth;
- Nationality and citizenship;
- Government-issued identification information, passport or visa information;
- Job title and role / function;
- Salary and compensation data (including non-salary benefits, bonuses and incentives and other financial information);
- To the extent permitted or required by applicable law, marital status and family situation; and
- Employee records.
Special Categories of Data
It is not anticipated that any categories of Sensitive Personal Data will be Processed by Service Provider. Where such data appear in the personal details section of the candidate’s resume/CV, they will not be extracted into the formatted document unless the user specifically copies them into the editing interface. If such data are included in the work experience details (as the job title, employer, etc.), they will be brought across but can be deleted by the user.
Data Processing Operations
The Purposes for which the Relevant Personal Data are Processed are as follows:
- Provision of the Services;
- Identity verification;
- Enabling access to services on multiple devices and transfer of accounts to new devices;
- Enabling users to find other users on the Services;
- Monitoring, detecting and deterring unauthorised or fraudulent use of, or abuse of, the Services;
- Improving and/or optimising the Services;
- Providing customer support and responding to inquiries;
- Providing users with information regarding the Services like feature updates;
- Notifying users of any other important information regarding the Services;
- Aggregating anonymised statistical data regarding the Services; and
- Complying with applicable laws or legal obligations.
Subprocessors
Personal data retention
The Relevant Personal Data shall be retained as per the written instructions of the Customer at the time of the Agreement, with the retention period measured from the date it is imported into the Allsorter system. In case of no specific instructions, the Service Provider shall retain the Personal Data in the system for seven (7) days from the date it was uploaded into the system, after which it will be marked for deletion in the next automated deletion job.
Contact for data protection inquiries
Current DPO: Mr. J Brady
dataprotection@allsorter.com
Datalive Ltd.
NovaUCD
Belfield Innovation Park
Dublin 4, Dublin, Ireland
Schedule 2: Technical and Organisational Security Measures
These describe the technical and organisational measures taken by Allsorter to ensure an appropriate level of security of Personal Data, taking into account its role as a Data Processor.
(A) Controls to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services
Technical and organisational measures to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services:
The Customer retains the original copy of the CV/resume and the Service Provider accesses a copy for processing, so Personal Data is not altered by the Service Provider. The Customer’s Personnel can reformat the CV/resume and then download or export an edited copy. In this flow, there is no possibility of accidental, unlawful or voluntary destruction or loss of Personal Data by the Service Provider, since the Customer retains the original copy of the Personal Data.
- Appropriate measures are taken to protect Personal Data against accidental or unlawful destruction, accidental loss, unauthorised access, alteration, transfer or processing outside the scope of the data processing activities described in the data processing agreement (“DPA”). The measures are described in their respective sections below.
- These measures take into consideration the Service Provider’s role as a data processor, evaluation of potential risks and the sensitive nature of Personal Data.
- The measures ensure an adequate level of resilience of the data processing systems and centres.
- Allsorter employs a “data privacy and protection by design and default” approach.
(B) Control of physical access to premises and data processing centres
Technical and organisational measures to control physical access to premises and facilities, particularly to identify permitted Personnel at entry:
Allsorter staff work remotely, with the core platform architecture provided by AWS and the data stored in AWS data centres in the Republic of Ireland, so physical access control to data processing centres is not applicable to Allsorter’s own premises.
The space used for meetings is leased by Allsorter and has all the requisite physical security measures in place:
- Locked doors on all entrances / exits (e.g., electronic locks; physical locks; etc.)
- Presence of Personnel at the front desk during business hours
- Visitor logs
- Access control systems (e.g., access card security; etc.)
- CCTV systems
- Intruder alarm systems
- Fire alarms
(C) Control to ensure anonymisation and encryption of Personal Data
Technical and organisational security measures designed to ensure anonymisation and encryption of Personal Data:
- State-of-the-art encryption applied to all Personal Data ‘in transit’
- State-of-the-art encryption applied to all personally identifiable information ‘at rest’
- Secure anonymisation or deletion of Personal Data that are no longer required for lawful Processing purposes
- Access to Personal Data is controlled as per the measures outlined in section (E) below
- Data retention timespans are outlined in section (J) below
(D) Control of access to IT systems (data processing systems)
Technical and organisational security measures designed to ensure that users with access to the relevant IT systems are identified and authenticated:
- IT security systems requiring individual users to log in using unique user names
- IT security systems requiring the use of strong / complex passwords
- IT security systems requiring the use of multi-factor authentication
- Additional system log-in requirements for particular applications
- Automatic locking of IT terminals and devices after periods of non-use, with passwords required to ‘wake’ the terminal or device
- Regular audits of security procedures, including independent certification against the ISO27001 standard and the Cyber Essentials Plus standard (see section (M) below)
- Training for employees regarding access to IT systems
(E) Control of access to Personal Data
Technical and organisational security measures designed to ensure that users with access to the Relevant Personal Data are identified and authenticated:
Personal Data is not accessed by Service Provider’s Personnel unless they are expressly requested by the Customer to help them reformat or anonymise a CV/resume that they are finding difficult to handle on the platform.
- ‘Read’ rights for systems containing Personal Data restricted to specified Personnel roles
- ‘Edit’ rights for systems containing Personal Data restricted to specified Personnel roles or profiles
- Logging of all attempts to access systems containing Personal Data
- System settings to ensure that only Personal Data necessary for each specific instance of processing is processed
- State-of-the-art encryption on drives and media containing Personal Data
- Training for employees regarding data privacy
- Segregation of environments with personal data (Allsorter system)
(F) Control of disclosure of Personal Data
Technical and organisational measures to transport, transmit and communicate or store data on data media and for subsequent checking:
- Restrictions on transfer rights for systems containing Personal Data
- Secure data networks (e.g., encrypted VPNs, VPCs)
- Logging of all transfers of data across the network
- SSL encryption for all internet access portals
- Enforced encryption of all drives that are used to take data off the network (Policy exists for encryption, check-in and check-out of data; however, data is not transported on removable or physical media)
(G) Control of input mechanisms
Technical and organisational security measures to permit the recording and later analysis of information about when input to data systems (e.g., editing, adding, deleting, etc.) occurred and who was responsible for such input:
- Logging who inputs and exports resumes/CVs containing Personal Data
- ‘Edit’ rights for systems containing Personal Data restricted to specified Personnel roles
- Binding agreements in writing with all employees who Process Personal Data, imposing strict confidentiality obligations
- Regular reviews of compliance with the relevant agreements
(H) Control of workflows between Processors and Sub-Processors
Technical and organisational measures to segregate the responsibilities between Processors and Sub-Processors Processing the Relevant Personal Data:
- Binding agreements in writing governing the appointment and responsibilities of Sub-Processors with access to the Relevant Personal Data
- Working only with the Sub-Processors capable of appropriately protecting the privacy, confidentiality and security of Personal Data
- Regular reviews and assessments of compliance with the relevant agreements
(I) Control mechanisms to ensure availability and access to the Relevant Personal Data in the event of a physical or technical incident
Technical and organisational measures in place to ensure the physical and electronic availability and accessibility of the Relevant Personal Data:
- Documented incident response procedures that are periodically reviewed
- Documented business continuity plans and disaster recovery procedures
- Secure backup procedures in place, with full backups run regularly
- Disaster Recovery/Business Continuity Plan tests run periodically
- All physical, power and security requirements to store Personal Data are managed by AWS
- Uninterruptible power supplies at backup facilities
- Physical security of backup facilities (e.g., secure premises; security Personnel; etc.)
- Security alarm systems at backup facilities
- Electronic security of backup facilities (e.g., firewalls; antivirus software; etc.)
- Environmental controls at backup facilities (e.g., cooling; humidity controls; etc.)
- Fire protection at backup facilities (e.g., sprinkler systems; fireproof doors; etc.)
- Training for employees regarding backups and disaster recovery
(J) Control mechanisms for Personal Data retention
Data retention is enabled only for seven (7) days from the date the Personal Data is input to the system, with the flexibility to enable shorter data retention spans based on Allsorter’s agreement with the client. Once the data retention time elapses, it will be marked for deletion in the next automated deletion job.
(K) Control mechanisms to ensure separation of the Relevant Personal Data from other data
Technical and organisational measures to ensure that the Relevant Personal Data are stored and processed separately from other data:
- Logical separation of live or production data from backup data and development or test data
- Logical separation of storage containing Relevant Personal Data from systems containing other data
- Separation of Personnel with access to Production Personal Data from other Personnel
- Training for employees regarding data separation
(L) Control mechanisms to test, assess and evaluate technical measures for IT Security
Technical and organisational measures to ensure that the IT environments are secure:
- Use of firewalls/ACLs to control traffic
- End-point security (antivirus, firewalls, encryption, secure device policies, automatic security updates)
- Least privilege access model applied, with user access given on a need-to-know basis and based on business needs
- Periodic access review meetings
- Periodic IT security meetings
- Periodic penetration tests, both internal and external, with risks mitigated
- Periodic vulnerability scans, both internal and external, with vulnerabilities mitigated
- Security and governance programme with policies communicated to staff on onboarding and each time they are reviewed, assessed and evaluated
- Periodic reviews of the effectiveness of the security and governance programme and adjustments as needed
(M) Certification
Allsorter has been certified against the ISO27001 standard by a UKAS-accredited certification body. It has also been certified against the Cyber Essentials Plus standard.