SaaS Subscription Agreement
SAAS SUBSCRIPTION AGREEMENT
This SAAS Subscription Agreement (the “Agreement”) outlines the terms and conditions under which HIRINGBRANCH INC., formerly LearningBranch (the “Company”) agrees to provide services to the Customer identified and defined in the Order From referencing this Agreement and executed by such parties (the “Order Form”). This Agreement incorporates the Order Form by reference and is effective as of the effective date specified therein (the “Effective Date”).
Certain capitalized terms used herein are defined in Section 13 of this Agreement. Any capitalized terms used but not defined in this Agreement may be defined in the Order Form, and such definitions apply hereto.
THE COMPANY AND THE CUSTOMER HEREBY AGREE AS FOLLOWS:
- SAAS Services. Subject to the terms and conditions of this Agreement, and in exchange for the SAAS Fees, the Company will use commercially reasonable efforts to provide the SAAS Services to the Customer during the Term and in accordance with the Company’s support terms and service level availability policy, as may be updated by the Company from time to time.
- Professional Services. Subject to the terms and conditions of this Agreement, the Company will provide the Customer with the Professional Services expressly set out in an executed SOW, in exchange for the Professional Service Fees. The Services may be amended, modified or supplemented at any time and from time to time with mutual consent and in a written form satisfactory to the Company (a “Change Order”). The Company may from time to time engage third parties (each a “Subcontractor”), such as independent contractors, affiliates, service providers, licensees and agents, to perform any part of the Professional Services. The Company will: (a) remain directly responsible to the Customer for the acts or omissions of each Subcontractor; and (b) ensure that each Subcontractor is bound in writing to terms equally as protective of the Customer as the terms and conditions of this Agreement.
2. FEES AND PAYMENT TERMS
- SAAS Fees. The Customer will pay to the Company the SAAS Fees in the amounts, at the times and according to the terms set out in the Order Form. All SAAS Fees payable under this Agreement are exclusive of any and all taxes, withholdings and other levies and imposts applicable thereon (“Taxes”), and such Taxes will be invoiced together with the SAAS Fees. Subject to the Order Form, invoices for the SAAS Services are payable immediately upon delivery. The Company reserves the right to change the SAAS Fees upon at least sixty (60) days prior written notice to Customer (which may be sent by email), and which revised SAAS Fees will apply on the next billing period after the notice period. The SAAS Fees are non-refundable, except in the event of a termination of this Agreement for cause by the Customer (per Section 8.2), in which case any amounts paid in advance and unused as of the termination date (calculated on a pro-rata basis of the balance period between the termination date and the original Initial Term) may be refundable.
- Professional Service Fees. The Customer will pay to the Company the Professional Service Fees and Expenses in the amounts, at the times and according to the terms set out in each SOW. All Professional Service Fees payable under this Agreement are exclusive of any and all Taxes, and such Taxes will be invoiced together with the Fees. Subject to the applicable SOW, invoices for Professional Services are payable, without holdback or setoff, immediately upon delivery, except where such Professional Service Fees and/or Expenses invoiced are disputed by the Customer in good faith. Invoice disputes will not affect the undisputed portions of the Professional Service Fees and/or Expenses payable by the Customer. Except as expressly set out in the applicable SOW, all Professional Service Fees and Expenses paid to the Company are non-refundable.
- Failure of Payment. Interest will accrue on any amounts overdue and outstanding at a rate of eighteen percent (18%) per annum, calculated daily (whether for SAAS Services or Professional Services). Without limiting any other remedy available to the Company by law or equity, in the event that any of the Customer’s payment obligations are overdue and outstanding, the Company may, in its sole discretion and without affecting any other rights and remedies available: (a) terminate this Agreement immediately upon notice to the Customer; and/or (b) suspend its obligations to the Customer relating to the SAAS Services and/or the Professional Services (as may be applicable) until such time as all amounts due and owing under this Agreement are paid in full.
3. USE OF SAAS SERVICES
- Grant. Subject to the terms and conditions of this Agreement, the Company hereby grants to the Customer and its End Users a limited, non-exclusive, non-transferable, non-sub-licensable right to access and use the Service during the Term solely for the Customer’s internal business operations in accordance with the terms and conditions set forth in this Agreement.
- Accounts. The Customer must create: (a) a customer account in order to access and use the SAAS Services (the “Customer Account”); and (b) End User accounts for access and use of the SAAS Services by the Customer’s End Users (the “User Accounts”). Company reserves the right, in its sole discretion, to cancel or refuse registration of passwords it deems inappropriate. The Customer is responsible for: (i) all acts and omissions that occur in connection with the Customer Account and the User Accounts; (ii) maintaining the security of all log-in information in its possession and control; and (iii) obtaining the authorizations, licenses and consents, if and as required by any applicable law, to make the SAAS Services available to the End Users. User Accounts may not be shared or used by more than one person; provided that, upon request to the Company, User Account may be reassigned.
- Audit. The Company reserves the right to use the capabilities of the SAAS Services to audit the Customer’s use of the SAAS Services and compliance with this Agreement.
- Customer Responsibilities. The Customer is responsible for all its activities that occur in connection with the SAAS Services (including without limitation any User Accounts), and for its End Users’ compliance with this Agreement. Without limiting the foregoing, the Customer will: (a) have sole responsibility for the accuracy, quality, integrity, legality, reliability, and appropriateness of all Customer Data, including ensuring that it has obtained any necessary consents, and made any necessary disclosures, to enable the Company to perform its obligations under this Agreement; (b) use commercially reasonable efforts to prevent unauthorized access to, or use of, the SAAS Services through User Accounts or otherwise, and notify the Company promptly of any such unauthorized access or use that it becomes aware of; (c) set up, maintain and operate in good repair and in accordance with any service specifications all Customer systems on or through which the SAAS Services are accessed or used, including without limitation modems, hardware, servers, software, operating systems, networking, web servers and the like (collectively, “Customer Systems”); (d) have sole responsibility for connectivity between the Customer Systems and the internet and the security of the Customer’s link to the SAAS Services; (e) provide all cooperation and assistance as the Company may reasonably request to enable the Company to exercise its rights and perform its obligations under this Agreement; and (f) comply with all applicable laws in accessing and using the SAAS Services.
- Restrictions. Except as expressly permitted by this Agreement, the Customer will not, nor will it allow any End User to, directly or indirectly: (a) copy, modify or create derivative works or improvements of the SAAS Services; (b) rent, lease, lend, sell, sublicense, assign, distribute, publish, transfer or otherwise make available the SAAS Services to any person; (c) reverse engineer, disassemble, decompile, decode, adapt or otherwise attempt to derive or gain access to the source code of the SAAS Services or any part thereof; (d) bypass or breach any security measures used by the SAAS Services; (e) input, upload, transmit or otherwise provide to or through the SAAS Services any information or materials that are unlawful or injurious, or contain, transmit or activate any virus, trojan horse, worm, backdoor, malware or other malicious computer code; (f) transmit, or otherwise export the SAAS Services or underlying information or technology; (g) damage, destroy, disrupt, disable, impair, interfere with or otherwise impede or harm in any manner the SAAS Services; (h) remove, delete, alter or obscure any trade-marks, specifications, warranties or disclaimers, or any copyright, trade-mark, patent or other intellectual property or proprietary rights notices from the SAAS Services; (i) access or use the SAAS Services in any manner or for any purpose that infringes, misappropriates or otherwise violates any Intellectual Property Rights or other rights of any third party, or that violates any applicable laws; (j) provide any usernames, passwords or other information which would permit access to the SAAS Services to any person who does not have authorized access from the Company; or (k) otherwise access or use the SAAS Services beyond the scope of the authorization expressly granted in this Agreement.
4. PROPRIETARY RIGHTS
- Rights Reserved. The Company is and will remain the sole and exclusive owner of the SAAS Services, the Professional Services and all Intellectual Property Rights therein. Except for the rights and licenses expressly granted in this Agreement, neither party grants to the other party any Intellectual Property Rights under this Agreement, and all such rights, title and interests are hereby retained and reserved.
- Customer Data. As between the Company and the Customer, the Customer is and will remain the sole and exclusive owner of all right, title and interest in and to all Customer Data and all Intellectual Property Rights therein. The Customer hereby irrevocably grants to the Company a limited, non-exclusive, worldwide, royalty-free license to use the Customer Data for the purpose of (a) providing the SAAS Services and the Professional Services (as may be applicable), (b) enforcing this Agreement, and (c) exercising its rights and performing its obligations herein. The Customer will not, nor will it permit any of its End Users to, submit any Customer Data in connection with the use of the Services that: (i) violates any applicable laws; or (ii) infringes any third party’s rights, including without limitation, Intellectual Property Rights.
- Anonymized Data. The Company may process and analyze Customer Data for the purpose of creating aggregated or anonymized data such as analytics in respect of the use of the SAAS Services (the “Anonymized Data”). The Company will own all right, title and interest to all Anonymized Data and all Intellectual Property Rights therein.
- Feedback. The Customer hereby grants to the Company a worldwide, royalty-free, transferable, sublicensable, irrevocable, perpetual, unrestricted license to use or incorporate into the SAAS Services any suggestions, enhancement requests, recommendations or other feedback provided by the Customer or its End Users relating to the SAAS Services. For certainty, the Company will have no obligation to modify the SAAS Services to implement any suggestions, recommendations or other feedback provided by the Customer or its End Users.
- Obligation. Receiving Party hereby acknowledges that the Disclosing Party’s Confidential Information is an asset of considerable value, the unauthorized use or disclosure of which would be damaging. Receiving Party will, during and subsequent to the Term: (a) keep the Confidential Information of the Disclosing Party confidential and use such Confidential Information solely for the purposes of exercising its rights and performing its obligations under this Agreement; (b) not directly, or indirectly, without authorization from the Disclosing Party reveal, report, publish, disclose or transfer such Confidential Information to any third party; (c) utilize procedures constituting a high degree of care to maintain the security of such Confidential Information and in no event less than a reasonable standard of care under the circumstances; and (d) disclose such Confidential Information to its employees and contractors, solely on a need-to-know basis as reasonably required under this Agreement, provided that, any access or disclosure to the Disclosing Party’s Confidential Information that is granted by the Receiving Party to its employees and contractors will first require the Receiving Party to enter into a written agreement with each such employee and contractor that contains confidentiality obligations and intellectual property ownership terms that are in content at least as protective as the provisions hereof. If a Receiving Party is required by law or court order to disclose any Confidential Information of the Disclosing Party, such Receiving Party will: (i) first notify the Disclosing Party of same in writing and without delay; and (ii) cooperate with the Disclosing Party, and use its own best efforts, to limit any such disclosure to the minimum disclosure necessary to comply with such law or court order.
- Return of Confidential Information. Subject to the terms of this Agreement, Receiving Party will return or irretrievably destroy the Confidential Information of the Disclosing Party within thirty (30) days after such request from the Disclosing Party. If requested by the Disclosing Party, the Receiving Party will provide a statutory declaration certifying the return or destruction (as applicable) within five (5) days thereafter.
- Injunctive Relief. Each party acknowledges and agrees that should it breach its obligations of non-disclosure under this Section 5, the other party may suffer harm which may not be adequately compensated by monetary damages. In such event, the non-breaching party may, in addition to any other remedy available in law or equity, seek specific performance and injunctive or other equitable relief without bond or proof of damages.
6. PERSONAL DATA PROTECTION & SECURITY
The Company will process any Personal Data received from the Customer and its End Users (i) to perform its obligations under this Agreement, and (ii) in accordance with reasonable security measures as are set out in the Data Processing Addendum attached hereto as Exhibit “B” (the “DPA”).
7. REPRESENTATIONS & WARRANTIES
- Mutual Representations and Warranties. Each party hereby represents and warrants to the other party that: (a) it is a business duly registered or incorporated, validly existing, and in good standing under the laws of its jurisdiction; (b) it has full right and authority to enter into, execute, and perform its obligations under this Agreement; (c) the execution, delivery, and performance of this Agreement constitutes a legal, valid, and binding agreement of such party; (d) it has taken commercially reasonable steps to ensure that it will at all times be in compliance with applicable laws, including the collection, use and disclosure of Personal Data relating to the SAAS Services and/or the Professional Services; and (e) the material it provides to the other party during the Term will not infringe, or constitute an infringement or misappropriation of, any Intellectual Property Rights of any third party.
- Company Representations and Warranties. The Company hereby represents and warrants to the Customer that: (a) it will perform any Professional Services in compliance with applicable laws and regulations and in a professional manner; and (b) any Professional Services will conform in all material respects to the applicable SOW.
8. TERM & TERMINATION
- Term. Unless terminated earlier pursuant to the terms and conditions of this Agreement, this Agreement will commence on the Effective Date and will remain in effect for a period of one (1) year (the “Initial Term”). Thereafter, the term of the Agreement will be automatically renewed for additional one (1) year renewal terms (any such subsequent renewal term referred to in this Agreement as a “Renewal Term”), unless either party gives written notice of non-renewal to the other party at least thirty (30) days prior to the end of the Initial Term or any Renewal Term. Collectively, the Initial Term and any subsequent Renewal Term will constitute the “Term”.
- Termination for Cause. Either party may terminate this Agreement immediately upon notice if the other party: (a) fails to correct a material breach of its obligations under this Agreement within thirty (30) days after receipt by such other party of written notification from the notifying party of such material breach, provided however, that a breach of the confidentiality obligations set forth in Section 5 will be grounds for immediate termination of this Agreement by written notice from the non-breaching party; or (b) files a bankruptcy petition, has a bona fide petition filed involuntarily against it, becomes insolvent, makes an assignment for the benefit of creditors, consents to the appointment of a trustee, or if bankruptcy reorganization or insolvency proceedings are instituted by or against the other party.
- Effect of Termination. Upon termination of this Agreement for any reason pursuant to this Section 8: (a) all SOWs in effect will immediately terminate; (b) the Company will deliver to the Customer a final statement of account and/or invoice for SAAS Fees, Professional Service Fees and Expenses accrued up to and including the date of termination; and (c) any provision of this Agreement that imposes an obligation after termination of this Agreement will survive the termination of this Agreement, including without limitation, Sections: 4, 5, 6 and 8 – 12 (inclusive). Termination or expiry of a SOW will not serve to terminate this Agreement.
Each party (the “Indemnitor”) will defend, indemnify and hold harmless the other party and their officers, directors, contractors, and employees (together, the “Indemnitees”) against and from any and all third party claims, demands, actions, causes of action, damage, loss, suits, proceedings, costs, liabilities, expenses and charges incurred or suffered by the Indemnitees as a result of or in connection with any material non-fulfillment or breach of any warranty or covenant, or any material misrepresentation, under this Agreement by the Indemnitor. This Section will survive termination of this Agreement for a period of three (3) years.
- EXCEPT FOR THE EXPRESS REPRESENTATIONS AND WARRANTIES PROVIDED IN THIS AGREEMENT, THE SAAS SERVICES AND THE PROFESSIONAL SERVICES ARE PROVIDED “AS-IS”, AND THE COMPANY HEREBY DISCLAIMS ANY AND ALL GUARANTEES, REPRESENTATIONS, CONDITIONS AND WARRANTIES REGARDING THE SAAS SERVICES AND THE PROFESSIONAL SERVICES, WHETHER IMPLIED OR STATUTORY, ORAL OR OTHERWISE, ARISING UNDER ANY LAW OR OTHERWISE, INCLUDING WITHOUT LIMITATION, CONDITIONS AND WARRANTIES WITH RESPECT TO VALIDITY, ACCURACY, NON-INTERRUPTION, ERROR-FREE OPERATION, MERCHANTABILITY, QUALITY, OR FITNESS FOR A PARTICULAR PURPOSE.
- FOR CERTAINTY, AND WITHOUT LIMITING THE FOREGOING, THE COMPANY IS NOT RESPONSIBLE FOR, AND HEREBY DISCLAIMS ANY LIABILITY IN CONNECTION WITH, THE RESULTS OF THE SAAS SERVICES AND THE PROFESSIONAL SERVICES, AND ANY RELIANCE ON SAME BY THE CUSTOMER OR ANY OTHER PERSON FOR HIRING DECISIONS, OUTCOMES OR OTHERWISE. EMPLOYMENT CANDIDATE ASSESSMENTS FACILITATED THROUGH THE SAAS SERVICES ARE FOR INFORMATION PURPOSES ONLY, AND THE CUSTOMER AGREES AND ACKNOWLEDGES THAT ANY HIRING DECISIONS ARE MADE AT THE CUSTOMER’S SOLE RISK AND LIABILITY.
- THIS SECTION WILL APPLY TO THE FULLEST EXTENT PERMITTED BY LAW.
11. LIMITATION OF LIABILITY
THE COMPANY’S MAXIMUM LIABILITY TO THE CUSTOMER UNDER THIS AGREEMENT IS THE AGGREGATE AMOUNT OF SAAS FEES AND PROFESSIONAL SERVICE FEES PAID BY THE CUSTOMER TO THE COMPANY DURING THE TWELVE (12) MONTH PERIOD PRECEDING THE DATE OF CLAIM.
IN NO EVENT WILL EITHER PARTY HAVE ANY LIABILITY FOR ANY INCIDENTAL, PUNITIVE, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS, LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF DATA, LOST SAVINGS, LOST OPPORTUNITY COSTS OR OTHER SIMILAR PECUNIARY LOSS), HOWEVER CAUSED AND UNDER ANY THEORY OF LIABILITY (INCLUDING NEGLIGENCE) AND WHETHER OR NOT SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
THIS SECTION WILL APPLY TO THE FULLEST EXTENT PERMITTED BY LAW.
- Interpretation. Headings in this Agreement are for convenience of reference only. The contra proferentem rule of construction will not apply to this Agreement. “Including” (or includes) and words to the same or similar effect will be interpreted to mean “including without limitation” (or includes without limitation).
- Assignment. This Agreement will not be assigned by either party, whether voluntarily or involuntarily or by operation of law, in whole or in part, to any other entity without the prior written consent of the other party. Notwithstanding the foregoing, upon written notice to the other party, either party may assign this Agreement to a successor in interest upon a merger, acquisition, reorganization, Change of Control, or sale of all or virtually all of the assets of such party, and any such assignment will not require the consent of the other party, provided that: (a) such successor or assignee of this Agreement agrees in writing to be bound by this Agreement; and (b) the assigning party notifies the other party to this Agreement in writing immediately upon the consummation of such event. Any assignment in violation of this Section will be null and void from the beginning and will be deemed a material breach of this Agreement.
- Waiver and Amendment. Except as expressly provided herein, no modification, amendment or waiver of any provision of this Agreement will be effective unless in writing and signed by the parties hereto. No failure or delay by a party in exercising any right, power, or remedy under this Agreement, except as specifically provided herein, will operate as a waiver of any such right, power or remedy.
- Choice of Law. This Agreement will be governed by the laws of the Province of British Columbia and the laws of Canada applicable therein; provided that, to the extent required by applicable Data Protection Law (as defined in the DPA), the DPA specifically may be governed by the laws of a different jurisdiction. Subject to the foregoing, the provincial and federal courts located in Vancouver, British Columbia will have exclusive jurisdiction to adjudicate any dispute arising out of or relating to this Agreement, and each party hereby consents to the exclusive jurisdiction of such courts. Notwithstanding the foregoing, each party will be entitled to seek injunctive or other equitable relief in any jurisdiction with a reasonable connection to the subject matter of this Agreement. Each party also hereby waives any right to jury trial in connection with any action or litigation in any way arising out of or related to this Agreement.
- Force Majeure. Except for payment obligations, neither party will be responsible for its failure to perform to the extent due to unforeseen circumstances or causes beyond its reasonable control, including but not limited to, acts of God, wars, terrorism, riots, embargoes, acts of civil or military authorities, fires, floods, accidents, or strikes, labour problems (other than those involving the employees of the affected party), computer, telecommunications, Internet service provider or hosting facility failures or delays involving hardware, software or power systems not within a party’s possession or reasonable control, provided that such party gives the other party prompt written notice of the failure to perform and the reason therefore and uses its reasonable efforts to limit the resulting delay in its performance.
- Notices. If any notice or other communication is required or permitted to be given to a party hereunder, such notice or communication will be in writing and: (a) personally delivered; or (b) transmitted by e-mail to the party’s last known email address. All such notices or other communications will be deemed to have been given and received upon confirmation of delivery.
- Currency. All monetary amounts under this Agreement are in United States Dollars, except where expressly provided otherwise.
- Independent Contractors. The parties are independent contractors. Neither party will be deemed to be an employee, agent, partner, joint venturer or legal representative of the other for any purpose and neither party will have any right, power or authority to create any obligation or responsibility on behalf of the other.
- Severability. In the event that any covenant, provision or restriction contained in this Agreement is found to be void or unenforceable (in whole or in part) by a court of competent jurisdiction, it will not affect or impair the validity of any other covenant, provisions or restrictions contained herein. Any covenants, provisions or restrictions found to be void or unenforceable are declared to be separate and distinct, and the remaining covenants, provisions and restrictions will remain in full force and effect.
- Counterparts. This Agreement, which includes the Order Form, may be executed electronically and in two or more counterparts, all of which, taken together, will be regarded as one and the same instrument.
- “Change of Control” means, with respect to either the Company or the Customer, a transaction in which the holders of the outstanding shares in the capital of the Company or the Customer (as applicable), as of immediately prior to such transaction, own less than fifty percent (50%) of the voting power of the surviving or resulting entity’s outstanding shares immediately after such transaction.
- “Confidential Information” means information that is not generally known to the public or that otherwise constitutes a trade secret under applicable law, including without limitation, technical information, know-how, technology, software applications and code, prototypes, ideas, inventions, methods, improvements, data, files, information relating to customer identities and other customer information; provided that, Confidential Information does not include any of the foregoing information that Receiving Party can demonstrate: (i) has entered into the public domain through no wrongful act or breach of any obligation of confidentiality by the Receiving Party; (ii) was in the lawful knowledge and possession of, or was independently developed by, the Receiving Party prior to the time it was disclosed to, or learned by, the Receiving Party hereunder as evidenced by written records; (iii) was rightfully received by Receiving Party from a third party without a breach of such third party’s obligations of confidentiality; or (iv) was approved in writing for release by the Disclosing Party. Confidential Information includes such information that was disclosed by the Disclosing Party to the Receiving Party prior to the Effective Date.
- “Customer Data” means information, data and other content, in any form or medium, that is collected, downloaded or otherwise received, directly or indirectly from the Customer or an End User by or through the SAAS Services.
- “Disclosing Party” means the party who discloses or otherwise divulges Confidential Information to the other party.
- “Expenses” has the meaning set out in a SOW.
- “Initial Term” has the meaning set out in Section 8.1.
- “Intellectual Property Rights” means any and all right, title and interest in and to any and all trade secrets, patents, copyrights, service marks, trademarks, know-how, trade names, rights in trade dress and packaging, moral rights, rights of privacy, publicity and similar rights of any type, continuations, or other registrations with respect to any of the foregoing, under the laws or regulations of any foreign or domestic governmental, regulatory, or judicial authority.
- “Personal Data” has the meaning set out in the DPA.
- “Receiving Party” means the party who receives or otherwise obtains Confidential Information from the Disclosing Party or from the Disclosing Party’s employees, agents, representatives, consultants, Customers, contractors or suppliers.
DATA PROCESSING ADDENDUM
This Data Processing Addendum ("DPA") is incorporated into the SAAS Subscription Agreement between HIRINGBRANCH INC. (the “Company”) and the Customer identified and defined therein (the “Agreement”) and is effective as of the effective date specified therein (the “Effective Date”).
THE COMPANY AND THE CUSTOMER HEREBY AGREE AS FOLLOWS:
- Any capitalized terms used but not defined in this DPA will have the meanings set out in the Agreement.
- “Data Controller” has the meaning set out in the GDPR.
- “Data Processor” has the meaning set out in the GDPR.
- “Data Protection Law” means all applicable laws and regulations on processing of Personal Data.
- “Data Subject” has the meaning set out in the GDPR.
- “Data Subject Request” means a request from or on behalf of a Data Subject relating to access to, or rectification, erasure or data portability in respect of that person’s Personal Data or an objection from or on behalf of a Data Subject to the processing of its Personal Data.
- “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and all national legislation reflecting, implementing or supplementing the foregoing as updated, amended or replaced from time to time.
- “Personal Data” means any information relating to an identified or identifiable natural person which is provided by the Customer to the Company (directly or indirectly), and accessed, stored or otherwise processed by Company as a Data Processor as part of its provision of the Services to the Customer, and to which Data Protection Law applies.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data while being transmitted, stored or otherwise processed by the Company or by a sub-processor of the Company.
- “SAAS Services” has the meaning set out in the Agreement.
- “Services” means the SAAS Services and the Professional Services, as each is defined in the Agreement.
- “Standard Contractual Clauses” means the Standard Contractual Clauses (SCCs) approved by the European Commission and amended from time to time.
2. EUROPEAN DATA PROTECTION
- Application. This Section 2 applies to the extent that the GDPR governs any part of the processing of Personal Data under the Agreement.
- Processing of Personal Data.
- Roles and Responsibilities. For purposes of the provision of the SAAS Services, the Company is (or will comply with the obligations of) the Data Processor and the Customer is (or will comply with the obligations of) the Data Controller. The Customer grants a general authorization to the Company to appoint any third-party sub-processers to support the provision of the SAAS Services as a sub-processor.
- Company Processing Activities. The Company agrees that it will: (i) only process Personal Data to provide the Services in accordance with the Agreement and pursuant to the Customer’s instructions as set forth in this DPA; and (ii) take reasonable steps to ensure that only authorized personnel who are under written obligations of confidentiality have access to such Personal Data. The Company further agrees that it will comply with the privacy laws applicable to the Company in the provision of Services under the Agreement and this DPA.
- Customer Processing Activities. The Customer may from time to time in its use of the Services submit Personal Data to the Company. The Customer has sole responsibility for obtaining any necessary consents or providing any necessary notice and for doing such things required under applicable privacy laws to disclose Personal Data to the Company in connection with the Services.
- Details of Data Processing. Appendix 1 attached hereto sets out the duration, nature and purpose of the processing of Personal Data, as well as the categories of Personal Data and Data Subjects whose Personal Data may be processed by the Company in connection with the Services. Appendix 1 may be updated with mutual consent of the parties from time to time.
- Current Sub-processors. A list of the Company’s current sub-processors is attached hereto as Appendix 2. The Company may update Appendix 2 at any time, subject to Section 2.3(b) of this DPA.
- New Sub-processors. The Company will notify the Customer in writing at least ten (10) days in advance of the appointment of any new sub-processor, including the details of the sub-processing activity as set forth in Appendix 2, to be undertaken by the new sub-processor. If the Customer has an objection to any new sub-processor, it will notify the Company of such objection in writing, and the parties will seek to resolve the matter in good faith.
- Obligations of Sub-processors. The Company will take steps to require that any sub-processor it engages to provide services on its behalf in connection with the Agreement does so only on the basis of a written contract which imposes on such sub-processor terms substantially no less protective of Personal Data than those imposed on the Company in this DPA.
- Subject Access Requests. In the event that the Company receives a Data Subject Request from the Customer’s Data Subject, the Company: (a) will promptly notify the Customer and provide the Customer with a copy of the Data Subject Request; and (b) will not respond to such Data Subject Request without the Customer’s prior written consent, except to confirm that such request relates to the Customer to which the Customer hereby agrees.
- Assistance. The Company will provide reasonable assistance to the Customer as the Customer reasonably requests (taking into account the nature of processing and the information available to the Company) in relation to the Customer’s obligations with respect to: (a) data protection impact assessments (as such term is used in the GDPR); and (b) the Customer’s compliance with its obligations under the GDPR with respect to the security of Personal Data processing.
- Deletion or Return of Personal Data. Upon termination of the Agreement, the Company will, at the Customer's election, delete or return to Customer all Personal Data in its possession or control (including copies), except to the extent the Company is required by applicable law to retain some or all of the Personal Data.
- Inspections. The Company will make available to the Customer such information in its possession or control as the Customer may reasonably request to demonstrate the Company’s compliance with its obligations as a Data Processor under the GDPR. Any requests for on-site inspections must be reasonable and will be provided upon accounting for practicality, time and resources required. The Company and the Customer will agree on the scope, timing and duration of any on-site inspection, including with respect to any third-party inspector selected by the Customer. The costs of any on-site inspection will be borne by the Customer.
- Technical and Organizational Security Measures. The Company will implement appropriate technical and organizational security measures for the security of the Personal Data it processes, including but not limited to, security measures with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response and any other measures necessary to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Personal Data. The security measures implemented will be appropriate to: (a) the size and scope of the Company’s business; and (b) the type of Personal Data that the Company processes. All connections to data processed by the Company are encrypted with industry standard AES-256 bit encryption. The SAAS Services are hosted and managed through Amazon Web Services (AWS).
- Data Transfers. To the extent that the GDPR requires application of any of the Standard Contractual Clauses with respect to any transfer of Personal Data (where no other alternative for such transfer exists), the parties will comply with the applicable Standard Contractual Clauses, which will be incorporated herein by reference. To the extent of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will govern.
- Notification of Breach. The Company will notify the Customer without undue delay after becoming aware of a Personal Data Breach. Where appropriate in respect of any Personal Data which has been the subject of a Personal Data Breach, the Company will provide reasonable assistance to Customer which may include assistance in notifying the relevant supervisory authority, a description of the nature and extent of the Personal Data Breach (e.g., number and categories of affected subjects; number and categories of records concerned), description of the likely consequences, and the measures taken or proposed to be taken to remediate or mitigate the possible adverse effects.
3. CANADIAN DATA PROTECTION
The Company takes steps to ensure that when it engages a sub-processor for Personal Data it enters into written contracts that require the sub-processor to provide a generally comparable level of protection as would be provided by the Company in order to prevent unauthorized use and disclosure of Personal Data. The Company implements the technical and organizational measures as set forth in Section 2.8 (Technical and Organizational Security Measures) of the DPA.
- Survival. This DPA will remain in full force and effect until the earlier of: (a) the termination of the Agreement (and without prejudice to the survival of accrued rights and liabilities of the parties and any obligations of the parties which either expressly or by implication survive termination); or (b) the parties agreeing in writing that this DPA is to be terminated.
- Governing Law. This DPA will be governed and construed in accordance with the governing law specified in the Agreement, except to the extent required otherwise by applicable Data Protection Law.
- Liability Limitation. For certainty, and to the maximum extent permitted under applicable law, the Company's aggregate liability to the Customer arising out of or relating to the DPA will be included as part of the same exclusion and limitation of liability as applies under the Agreement.
[END OF DATA PROCESSING ADDENDUM]
DETAILS OF DATA PROCESSING
- Data Controller (Exporter). The Customer that has engaged the Company to provide the Services under the Agreement.
- Data Processor (Importer). The Company that provides the Services to the Customer under the Agreement.
- Data Subjects. Personal Data that the Customer may provide to the Company under the Agreement may include, but is not limited to, Personal Data relating to the Customer’s employment candidates, employees, agents, contractors or advisors (who are natural persons).
- Duration. The Company will process Personal Data as outlined in Section 2.6 (Deletion or Return of Personal Data) of this DPA.
- Categories of Data. The Customer may submit Personal Data to the Company, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First and last name
- Personal contact information (email, phone, address)
- Location data
- Audio Recording
- Text Responses
- Profile Picture
- Special Categories of Data (if appropriate). The Customer may submit special categories of Personal Data to the Company which may include Personal Data pertaining to race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex, ideological views or activities, or information on social security measures or administrative or criminal proceedings and sanctions.
- Processing Operations. The Personal Data transferred will be used in order to provide the SAAS Services and any Professional Services (if applicable) to the Customer.