Data Processing Addendum (DPA)
This Data Processing Addendum (this “DPA”) is made as of the last date set forth on the signature page hereto (the “Effective Date”) by and between Worksuite Inc., a corporation organized and existing under the laws of the State of Delaware, U.S.A. (“Worksuite”), and the entity or person set forth on the signature page hereto (“Customer”), pursuant to the Agreement (as defined below). This DPA has been pre-signed on behalf of Worksuite. This DPA will be void ab initio, with no force or effect, if the entity or person signing this DPA is not a party to an effective Agreement (as defined below) directly with Worksuite. Worksuite and Customer are sometimes referred to herein individually as a “party” or together as the “parties”.
This DPA is supplemental to the Agreement and sets out the terms that apply when Personal Data is processed by Worksuite under the Agreement.
1.1 For the purposes of this DPA, the following terms shall have their respective meanings set forth below and other capitalized terms used but not defined in this DPA have the same meanings as set forth in the Agreement:
(a) “Agreement” means the Terms of Service or SaaS Provider Agreement, as applicable, between the parties, in each case providing for the provision by Worksuite to Customer of the services described therein.
(b) “EEA” means the European Economic Area (including the United Kingdom).
(c) “EU Data Protection Legislation” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Directive”), including any applicable national implementations of it; and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) (as amended, replaced or superseded).
(d) “Controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
(e) “Processor” means an entity which processes Personal Data on behalf of the Controller.
(f) “Personal Data” means any information relating to an identified or identifiable natural person.
(g) “Privacy Shield” means the EU-U.S. and Swiss-U.S. Privacy Shield self-certification program operated by the U.S. Department of Commerce.
(h) “Privacy Shield Principles” means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016 (as may be amended, superseded or replaced).
(i) “Security Incident” means accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
(j) “Sensitive Data” means (a) social security number, passport number, driver’s license number, or similar identifier (or any portion thereof), (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card), (c) employment, financial, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (e) account passwords; (f) date of birth; (g) criminal history; (h) mother’s maiden name; and (i) any other information that falls within the definition of “special categories of data” under EU Data Protection Legislation or any other applicable law relating to privacy and data protection.
2. Relationship with Agreement
2.1 Except as amended by this DPA, the Agreement will remain in full force and effect.
2.2 If there is a conflict between the Agreement and this DPA, the terms of this DPA will control.
2.3 Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
3. Applicability of this DPA
3.1 Part A (being Sections 4 to 6 as well as Annexes A and B of this DPA) shall apply to the processing of Personal Data under the Agreement from the Effective Date above.
3.2 Part B (being Sections 7 to 10) shall apply to the processing of Personal Data by Worksuite falling within the scope of the GDPR from and including 25 May 2018.
3.3 Part C (being Section 11) and those provisions of Part B expressly incorporated into Annex C shall apply to the processing of Personal Data by Worksuite falling within the scope of the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”) and the Virginia Consumer Data Protection Act (Va. Code §§ 59.1-575 et seq.) (“VCDPA”), in each case, as updated, amended or replaced from time to time.
3.4 With respect to the processing of Personal Data falling within the scope of Part B:
(a) the terms of Part B shall apply in addition to, and not in substitution of, the terms in Part A; and
(b) to the extent there is any conflict between the provisions in Part A and Part B, the provisions in Part B shall take priority from and including 25 May 2018.
3.5 Notwithstanding anything in this DPA, Worksuite will have the right to collect, extract, compile, synthesize and analyse aggregated, non-personally identifiable data or information (data or information that does not identify Customer or any other entity or natural person as the source thereof) resulting from Customer’s use or operation of the Services (“Service Data”) including, by way of example and without limitation, information relating to volumes, types, skills, onboarding percentages, performance ratings, or any other information regarding talent that Customer or its end users generate using the Services. To the extent any Service Data is collected or generated by Worksuite, such data will be solely owned by Worksuite and may be used by Worksuite for any lawful business purpose without a duty of accounting to Customer or its recipients. For the avoidance of doubt, this DPA will not apply to Service Data.
Part A: General data protection obligations
4. Roles and responsibilities
4.1 Parties’ Roles. Customer, as Controller, appoints Worksuite as a Processor to process the Personal Data described in Annex A on Customer’s behalf.
4.2 Purpose Limitation. Worksuite shall process the Personal Data for the purposes described in Annex A and only in accordance with the lawful, documented instructions of Customer, except where otherwise required by applicable law. The Agreement and this DPA set out Customer’s complete instructions to Worksuite in relation to the processing of the Personal Data, and any processing required outside of the scope of these instructions will require prior written agreement between the parties.
4.3 Sensitive Data. For the avoidance of doubt, Sensitive Data is not required by Worksuite to use the Services. Controller is solely responsible for the amount of Personal Data collected and stored within Worksuite and represents and warrants that it has obtained all permissions and authorisations necessary to permit Worksuite, its affiliates and sub-processors to exercise their rights or perform their obligations under this DPA. Worksuite shall promptly inform Customer if, in Worksuite’s opinion, any of the instructions regarding the processing of Customer data provided by Customer breach any applicable data protection laws.
4.4 Description of Processing. A description of the nature and purposes of the processing, the types of Personal Data, categories of data subjects, and the duration of the processing are set out further in Annex A.
4.5 Compliance. Customer shall be responsible for ensuring that:
(a) it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including EU Data Protection Legislation, in its use of the Services and its own processing of Personal Data (except as otherwise required by applicable law); and
(b) it has, and will continue to have, the right to transfer, or provide access to, the Personal Data to Worksuite for processing in accordance with the terms of the Agreement and this DPA.
5.1 Security. Worksuite shall implement appropriate technical and organizational measures to protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
5.2 Security Exhibit. The technical and organizational security measures which Worksuite shall have in place under the Agreement are set out at Annex B to this DPA.
6. International transfers
6.1 International Transfers. To the extent that Worksuite processes (or causes to be processed) any Personal Data originating from the EEA in a country that has not been designated by the European Commission as providing an adequate level of protection for Personal Data, the Personal Data shall be deemed to have adequate protection (within the meaning of EU Data Protection Legislation) by virtue of Worksuite’s self-certification to the Privacy Shield. Worksuite shall agree to apply the Privacy Shield Principles when processing (or causing to be processed) any EEA or Swiss Personal Data under this Agreement.
6.2 Privacy Shield Notifications. Worksuite agrees to notify Customer without undue delay if its self-certification to the Privacy Shield is withdrawn, terminated, revoked, or otherwise invalidated. In such a case, the parties shall cooperate in good faith to put in place such alternative data export mechanisms as are required under EU Data Protection Legislation to ensure an adequate level of protection for the Personal Data.
Part B: GDPR Obligations from 25 May 2018
7. Additional security
7.1 Confidentiality of processing. Worksuite shall ensure that any person that it authorizes to process the Personal Data shall be subject to a duty of confidentiality (whether a contractual or a statutory duty).
7.2 Security Incidents. Upon becoming aware of a Security Incident, Worksuite shall notify Customer without undue delay and shall provide such timely information as Customer may reasonably require, including to enable Customer to fulfil any data breach reporting obligations under EU Data Protection Legislation. Worksuite shall take appropriate and commercially reasonable steps to mitigate the effects of such a Security Incident on the Personal Data under this Agreement.
8.1 Sub-processors. Customer agrees that Worksuite may engage Worksuite affiliates and third-party sub-processors (collectively, “Sub-processors”) to process the Personal Data on Worksuite’s behalf. The Sub-processors currently engaged by Worksuite and authorized by Customer are available at https://worksuite.com/sub-processors/. Customer shall be notified by Worksuite in advance of any new Sub-processor being appointed by changes to this website.
8.2 Objection to Sub-processors. Customer may object in writing to the appointment of an additional Sub-processor within five (5) calendar days after receipt of Worksuite’s notice in accordance with the mechanism set out at Section 8.1 above. In the event that Customer objects on reasonable grounds relating to the protection of the Personal Data, then the parties shall discuss commercially reasonable alternative solutions in good faith. If no resolution can be reached, Worksuite will, at its sole discretion, either not appoint the Sub-processor, or permit Customer to suspend or terminate the affected Worksuite service in accordance with the termination provisions of the Agreement.
8.3 Sub-processor obligations. Where a Sub-processor is engaged by Worksuite as described in this Section 8, Worksuite shall:
(a) restrict the Sub-processor’s access to Personal Data only to what is necessary to perform the subcontracted services;
(b) impose on such Sub-processors data protection terms that protect the Personal Data to the same standard provided for by this DPA; and
(c) remain liable for any breach of the DPA caused by a Sub-processor.
9.1 Cooperation and data subjects’ rights. Worksuite shall, taking into account the nature of the processing, provide reasonable assistance to Customer insofar as this is possible, to enable Customer to respond to requests from a data subject seeking to exercise their rights under EU Data Protection Legislation. In the event that such request is made directly to Worksuite, Worksuite shall promptly inform Customer of the same.
9.2 Data Protection Impact Assessments. Worksuite shall, to the extent required by EU Data Protection Legislation and at Customer’s expense, taking into account the nature of the processing and the information available to Worksuite, provide Customer with commercially reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Customer is required to carry out under EU Data Protection Legislation.
10. Deletion / return of data
10.1 Deletion or return of data: Upon termination or expiry of the Agreement, Worksuite shall at Customer’s election, delete or return to Customer the Personal Data (including copies) in Worksuite’s possession, save to the extent that Worksuite is required by any applicable law to retain some or all of the Personal Data.
Part C: CCPA and VCDPA Obligations
11. The Parties acknowledge and agree that the processing of personal information or personal data that is subject to the CCPA or VCDPA shall be carried out in accordance with the terms set forth in Annex C.
SIGNED by the parties or their duly authorized representatives:
Customer Legal Name: ____________________________
Worksuite Tenant URL: _________________
DESCRIPTION OF PROCESSING
Nature and purposes of processing
Worksuite is a US-headquartered provider of cloud-based talent management tools and related services. These services will consist primarily of allowing the Customer to onboard and manage its talent, collecting information in talent profiles containing such content as is determined by the Customer in its sole discretion.
Otherwise, the data processing will involve any such processing that is necessary for the purposes set out in the Agreement, the DPA, or as otherwise agreed between the parties.
Categories of data subjects
The personal data transferred concern any data subject who is a talent whom the Customer instructs Worksuite to deliver and manage.
Categories of data
The personal data transferred concern the following categories of data for the data subjects:
- Talent identification information (first and last name), contact information (address, telephone number (fixed and mobile), e-mail address, fax number), employment information (job title); and
- Any other personal data that the Customer chooses to include within the talent profile using Worksuite’s services.
The extent of personal data transferred to Worksuite for processing is determined and controlled by the Customer in its sole discretion. As such, Worksuite has no control over the volume and sensitivity of personal data processed through its service by the Customer.
Duration of processing
The personal data will be processed for the term of the Agreement, or as otherwise required by law or agreed between the parties.
WORKSUITE SECURITY MEASURES
1. Network-Level Controls
(a) Worksuite or its hosting provider will use host-based firewall(s) to protect hosts/infrastructure handling Personal Data.
(b) Worksuite or its hosting provider will have network-based security monitoring for the segment(s) on which hosts handling Personal Data are logically located.
(c) Worksuite or its hosting provider will assess network-level vulnerabilities and address critical vulnerabilities within 30 days.
(d) Worksuite or its hosting provider will employ change management standards for network/infrastructure components handling Personal Data.
2. Hosting Level Controls
(a) Worksuite or its hosting provider will implement operating system hardening for hosts/infrastructure handling Personal Data. Operating system hardening includes, but is not limited to, the following configurations: strong password authentication/use of keys, inactivity time-out, disabling or removal of unused or expired accounts and services, turning off unused ports, and log management. In addition, Worksuite will implement access control processes and restrict access to operating system configurations based on the least privilege principle.
(b) Worksuite or its hosting provider will perform patch management on systems that host or handle Personal Data. Worksuite will implement critical patches within vendor recommended timeframes on systems that host or handle Personal Data, not to exceed 30 days after the patch is identified.
(c) Worksuite or its hosting provider will implement specific controls to log activities of users with elevated access to systems that host or handle Personal Data.
(d) Worksuite or its hosting provider will, at a minimum, assess system-level vulnerabilities on a monthly basis and address critical vulnerabilities within 30 days.
(e) Worksuite or its hosting provider will employ a comprehensive antivirus or endpoint security solution for endpoints which handle Personal Data.
(f) Worksuite or its hosting provider will ensure physical servers will be protected with appropriate physical security mechanisms, including but not limited to badged access, locked cages, secure perimeter, cameras, alarms, and enforced user provisioning controls.
3. Application-Level Controls
(a) Worksuite will maintain documentation on overall application architecture, process flows, and security features for applications handling Personal Data.
(b) Worksuite will regularly perform patch management on applications that host or handle Personal Data. Worksuite will implement critical patches within vendor recommended timeframes on all applications that host or handle Personal Data, not to exceed 30 days.
(c) Worksuite will, at a minimum, assess application-level vulnerabilities on a monthly basis and address critical vulnerabilities within 30 days.
(d) Worksuite will perform code reviews for applications that host or handle Personal Data.
(e) Worksuite will employ change management standards for applications hosting or handling Personal Data.
4. Compliance Controls
(a) Worksuite will make a good faith effort to operate within the parameters of Worksuite’s then-current Information Security Policy.
(b) Notwithstanding any of the foregoing, Worksuite will adopt appropriate physical, technical and organizational security measures in accordance with industry standards, including but not limited to, building access control, employee education and personnel security measures.
United States Privacy Law Annex
This United States Privacy Law Annex (“Annex”) supplements the DPA and includes additional information required by the CCPA and the VCDPA, in each case, as updated, amended or replaced from time to time. Any terms not defined in this Annex shall have the meanings set forth in the DPA and/or the Agreement.
1.1 For purposes of this Section A, the terms “Business,” “Business Purpose,” “Commercial Purpose,” “Consumer,” “Personal Information,” “Processing,” “Sell,” “Service Provider,” “Share,” and “Verifiable Consumer Request” shall have the meanings set forth in the CCPA.
1.2 All references to “Personal Data,” “Controller,” “Processor,” and “Data Subject” in the DPA shall be deemed to be references to “Personal Information,” “Business,” “Service Provider,” and “Consumer,” respectively, as defined in the CCPA.
2.1 The Parties acknowledge and agree that Worksuite is a Service Provider for the purposes of the CCPA (to the extent it applies) and Worksuite is receiving Personal Information from Customer in order to provide the Services pursuant to the Agreement, which constitutes a Business Purpose.
2.2 Customer is only disclosing Personal Information to Worksuite for the limited and specified purposes described in Annex A to this DPA.
2.3 Worksuite shall not Sell or Share Personal Information provided by Customer under the Agreement.
2.4 Worksuite shall not retain, use, or disclose Personal Information provided by Customer pursuant to the Agreement for any purpose, including a Commercial Purpose, other than as necessary for the specific purpose of performing the Services to Customer pursuant to the Agreement, or as otherwise set forth in the Agreement or as permitted by the CCPA.
2.5 Worksuite shall not retain, use, or disclose Personal Information provided by Customer pursuant to the Agreement outside of the direct business relationship between Customer and Worksuite.
2.6 Worksuite shall notify Customer if it makes a determination that it can no longer meet its obligations under the CCPA.
2.7 Worksuite will not combine Personal Information received from, or on behalf of, Customer with Personal Information that it receives from, or on behalf of, another party, or that it collects from its own interaction with the Consumer.
2.8 Worksuite shall comply with all obligations applicable to Service Providers under the CCPA, including by providing Personal Information provided by Customer under the Agreement the level of privacy protection required by the CCPA.
2.9 Worksuite shall only engage a new subcontractor to assist Worksuite in providing the Services to Customer under the Agreement in accordance with Section 8.1 of the DPA, including, without limitation, by entering into a written contract with the subcontractor that requires such subcontractor to observe all of the applicable requirements set forth in the CCPA.
3. Consumer Rights
3.1 Worksuite shall assist Customer in responding to Verifiable Consumer Requests to exercise the Consumer’s rights under the CCPA as set forth in Section 9 of the DPA.
4. Audit Rights
4.1 Worksuite shall allow Customer to conduct inspections or audits to the extent permitted by applicable laws.
1.1 For purposes of this Section B, the terms “Consumer,” “Controller,” “Personal Data,” “Processing,” and “Processor” shall have the meanings set forth in the VCDPA.
1.2 All references to “Data Subject” in this DPA shall be deemed to be references to “Consumer” as defined in the VCDPA.
2.1 The Parties acknowledge and agree that Worksuite is a Processor for the purposes of the VCDPA (to the extent it applies).
2.2 The nature, purpose, and duration of Processing, as well as the types of Personal Data and categories of Consumers are described in Annex A to this DPA.
2.3 Worksuite shall adhere to Customer’s instructions with respect to the Processing of Personal Data and shall assist Customer in meeting its obligations under the VCDPA by:
2.3.1 Assisting Customer in responding to Consumer rights requests under the VCDPA as set forth in Section 9 of the DPA;
2.3.2 Complying with Annex B of the DPA with respect to Personal Data provided by Customer;
2.3.3 In the event of a Security Incident, providing information sufficient to enable Customer to meet its obligations pursuant to Va. Code § 18.2-186.6; and
2.3.4 Providing information sufficient to enable Customer to conduct and document data protection assessments to the extent required by the VCDPA.
2.4 Worksuite shall maintain the confidentiality of Personal Data provided by Customer and require that each person Processing such Personal Data be subject to a duty of confidentiality with respect to such Processing.
2.5 Upon Customer’s written request, Worksuite shall delete or return all Personal Data provided by Customer in accordance with Section 10 of the DPA.
2.6 Worksuite shall only engage a new subcontractor to assist Worksuite in providing the Services to Customer under the Agreement in accordance with Section 8.1 of the DPA, including, without limitation, by entering into a written contract with the subcontractor that requires such subcontractor to observe all of the applicable requirements of a Processor set forth in the VCDPA.
3. Audit Rights
Upon Customer’s written request at reasonable intervals, Worksuite shall (i) make available to Customer all information in its possession that is reasonably necessary to demonstrate Worksuite’s compliance with its obligations under the VCDPA; and (ii) allow and cooperate with reasonable inspections or audits as required under the VCDPA.