Customer data processing agreement
Introduction
This DPA between Customer, and if applicable, Customer’s Affiliates, and TestFounder contains the legal terms and conditions that apply to the processing of personal data of the Customer, by any of the Services.
1. Scope
This DPA between Customer, and if applicable, Customer’s Affiliates, and TestFounder contains the legal terms and conditions that apply to the processing of End User Data, which may include personal data, by any of the Services.
2. Definitions
Insofar as not already defined in the Agreement, the following definitions apply throughout this DPA:
“Agreement” means TestFounder’s Terms of Service, the applicable service level agreement, other instructions and policies and applicable ordering documents, unless a separate agreement governing (the use of the) Services exists between the parties.
“Data Protection Laws” means data protection laws applicable to TestFounder in its processing of Customer Personal Data under this DPA, including, where applicable, the GDPR and the CCPA.
“DPA” means this Customer Data Processing Agreement.
“Customer Personal Data” means Customer data that may be accessed or collected by the Services during the relationship governed by the Agreement, in the form of logs, session data, telemetry, user data, usage data, threat intelligence data, and copies of potentially malicious files detected by the Services. Customer Personal Data may include confidential data and personal data, such as Customer developed tests uploaded by you as part of your use of the Services, the analyzing, screening, assessing, scoring, rating, asserting, evaluation or otherwise qualifying the output of an individual Candidate generated by the Services, hiring outcomes, communications directly between Customer and Candidates, as well as source and destination IP addresses, active directory information, file applications, URLs, file names, and file content.
“GDPR” means the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and the free movement of such data.
“Information Security Measures” the technical and organizational measures for ensuring the security of the processing, as described in the TestFounder Security measures.
“Security Incident” means any unauthorized access to any Customer Personal Data stored on TestFounder’s equipment or in TestFounder’s facilities, or unauthorized access to such equipment or facilities resulting in loss, disclosure, or alteration of Customer Personal Data that compromises the privacy, security or confidentiality of such Customer Personal Data.
Terms used in this DPA that are specifically defined in the GDPR shall have the same meaning as outlined in the GDPR. Terms used in this DPA that are not specifically defined in the GDPR shall have the same meaning as outlined in the Agreement.
3. Responsibilities of processing personal data as a processor
3.1. To the extent TestFounder processes personal data on behalf of Customer as a processor (as defined by applicable Data Protection Laws), TestFounder shall do so only on documented instructions from Customer according to this DPA and the Agreement, to operate the Services, and as permitted or required by applicable law. Such instructions may include the configuration of the Product by the Customer. TestFounder shall immediately inform Customer if, in its opinion, an instruction infringes applicable Data Protection Laws.
3.2. Insofar as TestFounder processes personal data as a processor as defined by applicable Data Protection Laws, the following shall apply:
- Processing required by law In the event TestFounder is required by applicable law to process Customer Personal Data, TestFounder will carry out such processing and notify Customer of such legal requirement, unless such notification is prohibited by applicable law, giving Customer the ability to issue revised instructions or to cease using the Services.
- Compliance with applicable data protection laws TestFounder will process Customer Personal Data following applicable Data Protection Laws and will make available to Customers upon request the information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and other applicable Data Protection Laws.
- Data subject requests TestFounder shall provide reasonable assistance to Customer to comply with its obligations concerning data subject rights under applicable Data Protection Laws, taking into account the nature of the data processing and the information available to TestFounder. If TestFounder or any sub-processor receives a request or a complaint from a data subject or its representative regarding Customer Personal Data, including requests regarding the data subject’s rights under applicable Data Protection Laws, TestFounder will forward the request without undue delay to Customer for handling.
- Data protection impact assessment Upon Customer’s written request, TestFounder shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under applicable Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services. TestFounder shall also provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority, to the extent required under applicable Data Protection Laws.
- Authorized personnel
TestFounder shall ensure that authorized personnel who process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Furthermore, except where required by applicable law, TestFounder will not share Customer Personal Data with third parties other than with authorized sub-processors.
- Sub-processors The customer authorizes TestFounder to engage the sub-processors (identified at Appendix 1 to this agreement) to process Customer Personal Data. In the event TestFounder engages any new sub-processor, it will:
- Cross-border transfers If Customer Personal Data is transferred outside of the European Economic Area or Switzerland, TestFounder will comply with the European Economic Area and Swiss data protection law regarding the collection, use, transfer, retention, and other processing of Customer Personal Data from the European Economic Area and Switzerland. Data transfers will be subject to appropriate safeguards as described in Article 46 of the GDPR. The Standard Contractual Clauses as adopted by the European Commission on 4 June 2021, together with its annexes, are incorporated herein by reference and made a part hereof. As a result of the Schrems II decision, TestFounder has implemented adequate supplementary technical and organizational security measures. These measures are described in the Information Security Measures. Execution of this DPA shall constitute execution of the Standard Contractual Clauses. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
- Safeguarding confidentiality and security of personal data TestFounder has implemented practices and policies to maintain appropriate organizational, physical and technical measures to safeguard the confidentiality and security of Customer Personal Data, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing as well as the rights and freedoms of natural persons, including as appropriate:
- Incident response plan TestFounder shall implement and maintain an incident response plan that specifies actions, including containment, investigation, reporting, and remediation, to be taken in the event of a Security Incident.
- Security incident In the event of a Security Incident affecting Customer Personal Data, TestFounder will, without undue delay: (a) inform the Customer of the Security Incident; (b) investigate and provide the Customer with available detailed information about the Security Incident; and (c) take reasonable steps to mitigate the effects and minimize any damage resulting from the Security Incident as required by applicable Data Protection Laws.
- Audit TestFounder shall make available to Customer, upon written request, subject to appropriate confidentiality obligations, a summary copy of applicable third-party audit report(s) or certifications it maintains for its Services (e.g. ISO 27001 or SOC2 Type II standard), so that the Customer can verify TestFounder’s compliance with this DPA, the audit standards against which it has been assessed, and the standards specified in the Security Measures.
- Retention and deletion TestFounder shall process and retain Customer Personal Data no longer than necessary for the purposes for which it is processed. Upon termination of this DPA or the Agreement, TestFounder shall: (i) delete Customer Personal Data that is no longer necessary to carry out any of the purposes under this DPA or the Agreement; or (ii) upon Customer’s request, provide options to return or erase, destroy, and render unrecoverable the Customer Personal Data, where reasonably possible. This section does not pertain to the personal data of data subjects outside of Customers, such as that of output or test results of an individual Candidate generated by the Platform.
4. Details of customer personal data being processed
Subject matter The subject matter of the Processing under this DPA is Customer Personal Data. Any candidate's data is explicitly excluded from the subject matter of this DPA.Duration TestFounder may Process Customer Personal Data under this DPA until the termination or expiration of the Agreement.Purpose The purpose of the Processing of Customer Personal Data under this DPA is to enable TestFounder to deliver the Services and perform its obligations as outlined in the Agreement (including this DPA) or as otherwise agreed by the Parties in mutually executed written form.Nature of the processing To provide Services as described in the Agreement, TestFounder will Process Customer Personal Data upon the instruction of the Customer and following the terms of this DPA, including all applicable Addenda, and the Agreement.Categories of data subjects Customer determines the categories and extent of any Customer Personal Data that it discloses to TestFounder, which may include without limitation Customer Personal Data relating to the following categories of data subjects:Categories of personal data The customer determines the categories of any personal data that it discloses to TestFounder, which may include without limitation Customer Personal Data relating to the following categories:Sensitive data transferred (if applicable) When processing personal data, primarily with forensic investigations Product of which the purpose is to identify the underlying data, TestFounder may process sensitive personal data. The nature and scope of the sensitive data that is transferred may not be known until after the Processing has taken place and may include: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.Frequency The transfer of information between the Parties to facilitate TestFounder’ Processing on behalf of Customer will occur as needed until the termination of the Agreement.5. Processing of end-user data
Customers can configure the Services to share and transfer Customer Personal Data. Customer acknowledges, agrees and grants to TestFounder the right, to the extent permitted by applicable law, to process and retain data, including personal data, relating to a security event, that is shared or transferred by Customer, for the legitimate interest of operating, providing, maintaining, developing, and improving security technologies and services, including for purposes compatible with providing such services.
6. Compliance with laws
The parties shall process personal data following applicable Data Protection Laws. Customer represents and warrants that its use of the Services, its authorization for TestFounder’s access to and any related submission of data, including any Customer Personal Data, to TestFounder, complies with all applicable laws, including those related to data privacy, data security, electronic communication and the export of technical, personal or sensitive data.
7. PCI Compliance
TestFounder is not a payment processor and as such is not subject to compliance with PCI standards. However, TestFounder acknowledges that credit card information may be provided by Customer during the performance or use of the Services and therefore TestFounder shall use information data security controls that are compliant with PCI standards.
8. Limitation of liability
This DPA does not modify TestFounder’s liability, whether in contract, tort or under any other theory of liability, towards the Customer based on other terms in force between the Customer and TestFounder.
9. Conflict of terms
In the event of a conflict between the terms of this DPA and other terms in force between the Customer and TestFounder, the terms of this DPA shall prevail about data processing activities.
Appendix 1 to DPA: List of subprocessors
Subprocessor | Purpose | Country |
---|
Amazon Web Services Inc. | Cloud and Data Infrastructure service provider to store customer and candidate data | Ireland (DPA in place) |
Hubspot | Customer Data for customer communication (email and chat). Data is limited to name, email, address, page visits, title). No test or assessment data is stored. | USA (DPA in place) |
Zendesk | Customer support infrastructure. Personal data is only transmitted to a limited, clearly defined extent (e-mail address, first and last name). No test or assessment data is stored. | USA (DPA in place) |
Churnzero | Customer support infrastructure. Personal data is only transmitted to a limited, clearly defined extent (e-mail address, first and last name). No test or assessment data is stored. | EU (DPA in place) |
Brevo | Email address and name data only to send emails from the application to customers and candidates | France (DPA in place) |
Vimeo | Candidate and customer data for video services (data is limited to video data). No test or assessment data is stored. | USA (DPA in place)
|