Effective Date: February 29, 2024
The terms of this Data Protection Addendum (“DPA”) apply to any agreement (the “Agreement”) for the provision of services by Radancy to Client (“Services”) in which this DPA has been incorporated by reference.
This DPA sets forth certain duties and obligations of the parties with respect to the protection, security, processing, and privacy of personal data provided or made available to Radancy by Client that Radancy processes on Client’s behalf as part of the Services. This DPA shall supplement (and not supersede) the Agreement and shall take precedence solely to the extent of any conflict between this DPA and the Agreement. The following obligations shall only apply to the extent required by any law or regulation relating to the processing of Personal Data (“Privacy Laws”), if applicable.
1. Data Processing and Protection
1.1. Roles. Client is the Controller and Radancy is the Processor with regard to the Processing of Personal Data under this DPA. For purposes of this DPA, “Process” or “processing” means the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure, or destruction of Personal Data, whether by automated means or otherwise.
1.2. Compliance with Law. Each party will comply with the Privacy Laws applicable to that party’s processing of Personal Data. “Personal Data” means any information owned or controlled by Client, that is provided to Radancy in connection with the performance of Services received under this DPA that identifies, directly or indirectly, an individual or relates to an identifiable individual (a “Data Subject”).
1.3. Client’s Processing of Personal Data. Client shall (a) give adequate notice and make all appropriate disclosures to Data Subjects regarding Client’s use and disclosure and Radancy’s Processing of Personal Data, (b) obtain all necessary rights, and, where applicable, all appropriate and valid consents to disclose such Personal Data to Radancy, and (c) give Radancy instructions regarding the Processing of Personal Data for Client, in all cases, in accordance with all applicable laws, rules, and regulations, including the Privacy Laws. Client is solely liable and responsible for the accuracy, quality, and legality of Personal Data. Client shall notify Radancy of any changes in, or revocation of, the permission to use, disclose, or otherwise Process Personal Data that would impact Radancy’s ability to comply with the Agreement, or Privacy Laws.
1.4. Radancy’s Processing of Personal Data. Radancy will process Personal Data (i) on Client’s behalf, (ii) in order to perform the Services (including to improve the Services) and (iii) in accordance with Client’s instructions as documented in the Agreement and as described in the attached Annex I (Description of Transfer). Radancy may anonymize, de-identify and/or aggregate Personal Data in accordance with any applicable Privacy Laws and use such anonymized, de-identified and/or aggregated data to improve its services and offerings and otherwise for its own legitimate business purposes.
1.5. Confidentiality. Radancy will ensure that persons authorized to process Personal Data have committed to maintain its confidentiality or are under an appropriate statutory obligation of confidentiality.
1.6. Security. Radancy will implement, maintain, monitor and, where necessary, update during the term of the Agreement a comprehensive written information security program that contains appropriate administrative, technical, and physical safeguards to protect Personal Data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access, as set forth in Annex II (the “Security Measures”). Radancy’s Security Measures will include those set forth in the Security Documentation and will be aligned to the ISO/IEC 27001 standard for information security management. Radancy regularly monitors compliance with these measures and annually performs a SOC 2 Type II compliance audit. Radancy shall provide Client with a copy of any ISO/IEC 27001 or SOC 2 Type II audit report obtained by Radancy upon request. Radancy will not materially decrease the overall Security Measures of the Services during a Services term.
1.7. Security Incident. Radancy will notify Client without undue delay whenever Radancy learns that there has been a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by Radancy under this DPA (“Security Incident”), unless notification is prohibited by applicable law or Radancy is otherwise instructed by law enforcement or a regulatory authority. Upon Client’s request and taking into account the nature of processing and the information available to Radancy, Radancy will take reasonable steps to assist the Client in complying with the Client’s notification obligations regarding Security Incidents as required by applicable law.
1.8. Requests from Individuals. Radancy will promptly notify Client in writing, unless specifically prohibited by applicable law, if Radancy receives any request from an individual to exercise his/her rights under applicable Privacy Law. Radancy will not respond to any such request except to redirect the individual to Client and/or inform the individual that his/her request was redirected to Client, unless expressly authorized to do so by Client. Radancy will cooperate with Client with respect to any action taken relating to an individual’s request and will seek to implement appropriate processes (including technical and organizational measures) to assist Client in responding to such requests. Client shall be responsible for any reasonable costs arising from Radancy’s provision of such assistance.
1.9. Sensitive Data. Client will not provide (or cause to be provided) any Sensitive Data to Radancy for processing under the Agreement or this DPA, and Radancy will have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data. “Sensitive Data” has the meaning given in any applicable Privacy Law.
1.10. Audit. Client may provide to Radancy a security assessment questionnaire related to Services, which Radancy will accurately and promptly complete. The questionnaire may include questions seeking verification of compliance with the terms and conditions of this DPA. If, after the original security questionnaire assessment, Client determines that further assessment is warranted, Client may request, no more than annually and with thirty (30) days’ prior written notice, at Client’s cost, an assessment related to Services provided with a scope to be mutually agreed upon. During such a review, Client may examine policies, procedures and other materials related to specific Services performed, to the extent that such review does not compromise confidentiality obligations to any other clients or customers of Radancy.
1.11. Regulatory Investigations. Upon notice to Radancy, Radancy will assist and support Client in the event of an investigation by any law enforcement body or regulator, including a data protection or similar authority, if and to the extent that such investigation relates to Personal Data handled by Radancy on behalf of Client in accordance with this DPA. Such assistance will be at Client’s sole expense.
1.12. Return or Disposal. At Client’s discretion, Radancy will destroy or return all Personal Data to Client after the end of the provision of services, unless applicable law requires storage of the Personal Data by Radancy. Notwithstanding the foregoing, to the extent it is not commercially reasonable for Radancy to remove Personal Data from archive or other backup media, Radancy may retain Personal Data on such media in accordance with its backup or other disaster recovery procedures.
1.13. Assistance. At Client’s reasonable request and taking into account the nature of the processing and the information available to Radancy, Radancy will take reasonable steps to assist Client with meeting its compliance obligations regarding the carrying out of privacy and data protection impact assessments. Radancy reserves the right to charge a reasonable fee to Client for such requested assistance.
1.14. California Consumer Privacy Act (“CCPA”) Provisions. This Section solely applies (i) where Client is subject to the CCPA, and (ii) to the Personal Data of California residents.
- 1.14.1. Legal compliance. Radancy will provide California residents with the same data protection rights under CCPA as provided by Client. Radancy will notify Client in writing if Radancy determines that it can no longer meet its obligations under the CCPA, and Client has the right, upon providing notice to Radancy, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data, including where Radancy has notified Client that it can no longer meet its CCPA obligations.
- 1.14.2. Restriction on processing. In no event may Radancy: (a) disclose Personal Data to a third party for monetary or other valuable consideration or disclose Personal Data to a third party for “cross-context behavioral advertising” (as defined by the CCPA); (b) disclose Personal Data to any third party for the commercial benefit of Radancy or any third party; (c) retain, use, or disclose Personal Data outside of its direct business relationship with Client or for a commercial purpose other than the business purposes specified in the Agreement or as otherwise permitted by applicable laws; or (d) combine Personal Data with personal information that Radancy receives from, or on behalf of, other persons, or collects from its own interaction with the individual, except as permitted under the CCPA. Radancy certifies that it understands and will comply with the foregoing restrictions.
2. Data Transfers
Except to the extent a transfer is covered by a decision adopted by a competent authority with jurisdiction over the transfer declaring that a jurisdiction meets an adequate level of protection of Personal Data, including the Data Privacy Framework (each, an “Adequacy Decision”), the 2021 EU Standard Contractual Clauses (Module 2 Controller to Processor) attached hereto as Schedule 1 (the “EU SCCs”) will apply to any transfer of Personal Data that is subject to (1) the EU General Data Protection Regulation ((EU) 2016/679) (“GDPR”) to Radancy outside of the European Economic Area (“EEA”); (2) the Swiss Federal Act on Data Protection (“FADP”) to Radancy outside of Switzerland; and (3) the Privacy Law of the United Kingdom (including section 3 of the UK Data Protection Act 2018 (“UK GDPR”)) to a Data Importer located in a country outside the United Kingdom.
- 2.1.1. All references in the EU SCCs to “EU,” “Union” or “Member State” will be interpreted as references to Switzerland;
- 2.1.2. All references to EU law will be interpreted as references to the relevant Swiss law;
- 2.1.3. For the purpose of Clause 17 of the EU SCCs, the EU SCCs will be governed by Swiss law; and
- 2.1.4. For the purpose of Annex I.C of the EU SCCs, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
2.2. Where the transfer relates to Personal Data governed by UK Privacy Laws, the parties agree that:
- 2.2.1. The provisions of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force from March 21, 2022 (the “UK SCCs Addendum”), including Part 2 “Mandatory Clauses,” are hereby incorporated into this DPA and shall apply in full;
- 2.2.2. Table 1 of the UK SCCs Addendum is completed with the names of the parties, their roles, and details as set out in the attached Annex I.A to the EU SCCs;
- 2.2.3. Tables 2 and 3 of the UK SCCs Addendum are completed by Module 2 of the EU SCCs appended to this DPA, including the information set out in the Annexes of the EU SCCs; and
- 2.2.4. For the purposes of Table 4 of the UK SCCs Addendum, neither party may end the UK SCCs Addendum.
3. Data Privacy Framework
To the extent the transfer to Radancy in the United States is covered by Radancy’s Data Privacy Framework certification, Radancy represents (i) that it has certified to the U.S. Department of Commerce that it complies with the Data Privacy Framework, as may be amended from time to time, except that Radancy will not be responsible for providing notice and choice and responding to requests for access and enforcement other than as set out in this DPA; (ii) that it will maintain its certification from the Data Privacy Framework for the duration of this DPA; and (iii) that it will downstream all of its applicable Data Privacy Framework obligations to Sub-processors by entering into appropriate onward transfer agreements with any Sub-processor.
4. Sub-Processors
4.1. Appointment of Sub-processors. Client acknowledges and agrees that Radancy may engage third-party Sub-processors in connection with the provision of the Services. Radancy has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor.
4.2. List of Current Sub-processors. Radancy’s current list of Sub-processors for the Services is available at www.radancy.com/gdpr (“Sub-processor List”), which Client hereby approves and authorizes. Radancy may engage additional Sub-processors as Radancy considers reasonably appropriate for the Processing of Personal Data in accordance with this DPA, provided that Radancy shall notify Client of the addition or replacement of Sub-processors by making modifications to the Sub-processor List. Client shall be responsible for periodically checking the Sub-processor List to remain informed of Radancy’s current list of Sub-processors.
4.3. Objection Right for New Sub-processors. Client may object to Radancy’s use of a new Sub-processor by notifying Radancy promptly in writing within fifteen (15) business days after receipt of Radancy’s updated Sub-processor List, giving reasons for Client’s objection. Client’s failure to object within such fifteen (15) business day period shall be deemed Client’s waiver of its right to object to Radancy’s use of a new Sub-processor added to the Sub-processor List. In the event Client objects to a new Sub-processor, Radancy will use reasonable efforts to make available to Client a change in the Services or recommend a commercially reasonable change to Client’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Client. If Radancy is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Client may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by Radancy without the use of the objected-to new Sub-processor by providing written notice to Radancy.
4.4. Liability. Radancy shall be liable for the acts and omissions of its Sub-processors to the same extent Radancy would be liable if performing the Services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
5. Conflicts
To the extent there is any conflict between Sections 1, 3, 4, and 5 of this DPA and the terms of EU SCCs or UK SCCs Addendum (where applicable), the terms of the EU SCCs or UK SCCs Addendum will prevail. To the extent the terms of the DPA conflict with any Agreement between the parties with regard to the processing of Personal Data, the terms of the DPA will prevail.
6. Adverse Changes
In the event that this DPA, or any actions to be taken or contemplated to be taken in performance of this DPA, do not or would not satisfy either party’s obligations under the Privacy Laws applicable to each party, the parties will negotiate in good faith upon an appropriate amendment to this DPA.
Annex I – Description of Transfer
Data Subjects
The personal data transferred concern the following categories of data subjects (please specify):
Prospective and current employees and other workers as well as related persons looking for job opportunities with clients; client’s employees or third parties that are client authorized users of the Services or who are otherwise involved in the receipt of such Services.
Categories of Data
The personal data transferred concern the following categories of data (please specify):
- First and last name
- Business contact information (company, email, phone, business address)
- Personal contact information (email, phone, address)
- Employment information (title, position, employer, professional life data (including employment history))
- User role; ID Data (e.g., administrator, recruiter)
- Personal life data (language, profile photo, links to social media accounts)
- Localization data (location, time zone)
- Technical usage and telecommunications data as well as telecommunications metadata (e.g., IP address, browser history, information regarding the used devices, operating system, and browser)
- Communication and calendar information (e.g., text or emails sent to candidates)
- Information regarding application forms, CVs, credentials, or qualifications for client job opportunities
- Name, address and website of client
- Data analytics on services performance
- Communication regarding support queries
- Video and voice recordings
Sensitive Data (if applicable)
The personal data transferred concern the following sensitive data (please specify):
N/A
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions for sensitive data:
See the security measures of Annex II.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).
Continuous
Nature of the processing
The personal data transferred will be subject to the following basic processing activities (please specify):
Collecting, reviewing, analyzing, and storing Personal Data to provide the Services as described in the Agreement.
Purpose(s) of the data transfer and further processing
Talent acquisition services; As necessary for the provision of the Services that are described in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The term of the Agreement or as permitted by applicable law and for a period of time thereafter in the production environment and in the back-up environments unless the Personal Data is deleted prior to the termination or expiration of the Agreement contract per client’s instructions.
For transfers to processors, also specify subject matter, nature and duration of the processing
For the purpose of providing the Services to Client for the duration of the Agreement unless the Personal Data is deleted prior to the termination or expiration of the Agreement contract per client’s instructions.
Annex II – Security Measures
Technical and Organisational Measures Including Technical and Organisational Measures To Secure The Data
Processor has implemented and will maintain a written information security program (the “Security Program”). The Security Program includes industry-standard best practices designed to protect Personal Data from accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access. At a minimum, Processor’s Security Program does and will continue to consist of:
1. Organizational and Administrative Measures
- Policies and Procedures. Processor’s Security Program consists of policies, procedures, and controls governing the processing, storage, transmission, and security of Personal Data.
- Oversight. Processor has appointed one or more Employees to oversee and be accountable for its Security Program (e.g., Chief Security Officer).
- Background Checks. Processor performs background screening on all Employees who have access to Personal Data.
- Confidentiality. All Employees are subject to confidentiality obligations.
- Training. Processor maintains a security awareness program that includes appropriate training of Employees on the Security Program. Training is conducted at the time of hire and periodically throughout employment.
- Industry Standards. Processor has established and will maintain sufficient controls to meet the objectives stated in ISO 27001, ISO 27018, SSAE 18 / SOC 1 and SOC 2 Type 2, or equivalent standards.
- Penetration Tests. Processor, or a Sub-Processor on its behalf, performs a penetration test of the Services annually. Upon completion of the penetration test, Processor uses reasonable efforts to promptly address any deficiencies identified in the test.
- Monitoring and Updating. Processor regularly, and no less than annually, evaluates the effectiveness and adequacy of its Security Program and updates its Security Program as required to respond to findings generated by such regular reviews or new Services or security risks; provided, however, that while Processor may update its Security Program, it may not materially reduce the commitments, protections, or overall level of service.
2. Physical Security Measures
- Limited Access. Processor limits access to its facilities, machines, devices, and other media to only those Employees with a legitimate business need for such access. When an Employee no longer has a business need for the access privileges assigned to him/her, the privileges are promptly revoked, even if the Employee continues to be an Employee.
- Access Controls. Processor maintains access restrictions and monitoring to its facilities, systems, machines, and devices, such as perimeter deterrents (e.g., fences and cages), card or biometric access systems, sign-in and registration, identity verification, multi-zone security, on-site guards, video surveillance, and intrusion detection.
- Asset Management. Processor maintains an inventory of all machines, devices, and other media on which Personal Data is stored.
3. Technical Security Measures
- Anti-virus and Anti-Malware Protection. Processor has anti-virus and anti-malware protections in place to help avoid malicious software gaining unauthorized access to Personal Data. Such protections include up-to-date anti-virus software and regular deployment of patches and security updates.
- Logging. Processor logs, or enables Client to log, access and use of systems containing Personal Data, registering user ID, time, authorization granted or denied, and relevant activity. Processor’s logging includes logs of inputs, modifications, and deletion of Personal Data on its systems, to the extent technically feasible.
- Firewall. Processor separates its external and internal network through firewalls.
- Encryption. Processor encrypts Personal Data at rest and in transit with current industry accepted standards.
- Destruction. When required to delete or destroy Personal Data, Processor does so such that the Personal Data cannot be retrieved or reconstituted.
4. System Access Controls and Management
- Limited Access. Processor limits access to its systems to only those Employees with a legitimate business need for such access. Such access privileges are differentiated and related to each individual’s role and responsibilities. When an Employee no longer has a business need for the access privileges assigned to him/her, the privileges are promptly revoked, even if the Employee continues to be an Employee.
- Unique IDs. Processor provides all Employees with a need to access its systems with a unique identifier (user ID) that is used to authenticate access to Processor’s systems.
- Passwords. Processor maintains a password policy that prohibits sharing of passwords, requires passwords to be changed regularly, and requires storage of passwords in encrypted form.
- Separation Controls. Processor maintains technical controls to ensure (i) separation of Controller’s Personal Data at all times and (ii) limited access to Controller’s Personal Data to those with a legitimate business need to access it.
5. Sub-Processor Management
- Diligence and Oversight. Processor maintains a Sub-Processor risk management program that (i) assesses all Sub-Processors for appropriate security safeguards before Processor engages the Sub-Processor and (ii) assesses Sub-Processors’ compliance with such measures. “Sub-processor” means a natural or legal person, public authority, agency, or entity that is engaged by Radancy to Process Personal Data.
- Contracts. Processor ensures that its Sub-Processors agree via contract to security measures that are no less stringent than those imposed herein.
6. Incident Management
- Incident Response. Processor has an incident response policy and procedure that all Employees are required to follow.
- Recordkeeping. Processor maintains a record of Data Privacy Breaches that includes a description of the Data Privacy Breach; the time period; the consequences; the name(s) of Processor resource(s) responding to the Data Privacy Breach; whether the Data Privacy Breach was reported to individuals, regulators, or others and, if so, to whom; the steps Processor took to mitigate the Data Privacy Breach; and the steps Processor took to mitigate the risk of a similar Data Privacy Breach.
7. Business Continuity
- Emergency and Contingency Planning. Processor maintains emergency and contingency plans for the facilities in which its systems that Process Personal Data are located.
- Contracts. Processor maintains redundant storage for Personal Data, and its procedures for recovering Personal Data are designed to attempt to reconstruct Personal Data in its original or last-replicated state from before the time it was lost or destroyed.
Schedule 1 – EU Standard Contractual Clauses Module 2
See document.