Effective as of: October 1, 2023
This Data Processing Addendum (“DPA”) supplements and is incorporated into the agreement referencing this DPA (“Agreement”) entered into by the applicable EdMyst entity (together with its Affiliates, “EdMyst”) and the customer entering into that Agreement (“Customer”) (EdMyst and Customer being the “parties” under this DPA). This DPA applies if and to the extent EdMyst processes personal data in connection with Customer’s use of the Services under the Agreement.
1. Definitions
2. Roles of the Parties
3. Description of Processing
Schedule 1 (Details of Processing) of this DPA sets forth details of EdMyst’s processing of personal data.
4. Obligations of the Parties
4.1. Customer Instructions.
4.1.1. EdMyst will process personal data only: (i) in accordance with Customer’s documented, reasonable, and lawful instructions; or (iii) as otherwise agreed upon by the parties or as required by applicable law and, if required by law, EdMyst will notify Customer in writing of that legal requirement before processing unless the law prohibits this on important grounds of public interest.
4.1.2. The parties agree that the Agreement (including this DPA) and the performance of EdMyst’s obligations thereunder sets out Customer’s instructions to EdMyst for the processing of personal data and that processing outside the scope of the Agreement, if any, requires prior written agreement of the parties.
4.1.3. EdMyst will immediately inform Customer if, in EdMyst’s opinion, processing instructions given by Customer infringe on applicable Data Protection Laws.
4.2. Purpose Limitation. EdMyst will process personal data only for the purpose of providing the Services to Customer as described in the Agreement, unless it receives further instructions from Customer.
5. Security of Processing
5.1. Technical and Organization Measures. EdMyst will implement at least the technical and organizational measures described in the Addendum (“Technical and Organizational Measures”) to ensure the security of personal data, which includes protecting personal data against Security Incidents.
5.2. Technical and Organizational Measures Assessment and Updates. In assessing the appropriate level of personal data security, the parties will take account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks involved for the data subjects. The parties acknowledge and agree that Technical and Organizational Measures are subject to technical progress and development such that EdMyst may occasionally update or modify its Technical and Organizational Measures, provided that any update and/or modification does not materially diminish the overall security of the Services or the protection afforded to personal data.
5.3. Confidentiality of Processing. EdMyst will grant access to personal data to its personnel only to the extent necessary for implementing, managing, or monitoring the Services provided to Customer. EdMyst will ensure that its personnel authorized to process personal data have committed themselves to maintaining confidentiality or are under an appropriate statutory obligation of confidentiality with respect to personal data.
6. Sensitive Data
The Services are not intended for the processing of sensitive data, sensitive personal information, or special categories of personal data (as each is defined by applicable Data Protection Laws). Customer will not provide (or cause to be provided) any sensitive data, sensitive personal information, or special categories of personal data to EdMyst for processing under the Agreement, unless the parties otherwise agree in writing.
7. Documentation and Compliance
7.1. Compliance With Data Protection Laws. Each party will comply with and be able to demonstrate its compliance with all Data Protection Laws applicable to that party in its performance under this DPA.
7.2. Inquiry Response. EdMyst will deal promptly and adequately with inquiries from Customer about the processing of personal data.
7.3. Audit Rights. EdMyst will maintain and make available to Customer information reasonably necessary to demonstrate EdMyst’s compliance with this DPA. To the extent permitted by applicable Data Protection Laws, Customer may conduct an audit of processing under this DPA by itself or through an independent auditor (subject to reasonable confidentiality obligations) and Customer’s request, EdMyst will permit and contribute to audits of the processing activities covered by this DPA at reasonable intervals or if there are reasonable indications of EdMyst’s non-compliance with this DPA. Any audit under this DPA may be conducted upon at least 30 days prior written notice to EdMyst, at Customer’s sole expense, and during normal business hours. The parties will mutually agree in advance on the reasonable scope of any audit, including but not limited to, the audit start date, scope, duration, and applicable security controls.
7.4. Audit Terms. Customer may request an audit of processing activities conducted under this DPA, upon at least 30 days prior written notice to EdMyst. The parties will mutually agree in advance on the reasonable scope of any audit, including but not limited to, the audit start date, scope, duration, and applicable security controls. Audits will be conducted at Customer’s sole expense and during normal business hours. Any audits conducted in accordance with the SCC’s will be subject to the audit terms of this DPA.
8. Sub-processors
8.1. General Authorization. EdMyst has Customer’s general authorization to engage the Sub-processors listed on EdMyst’s Sub-processor page, available at:
www.edmyst.com/about-us/sub-processor-list
8.2. Sub-processor Changes. If EdMyst replaces or adds new Sub-processors, EdMyst will make commercially reasonable efforts to provide Customer with notice of the replacement or addition at least 30 days prior to, but will in any case provide notice at least 10 days prior to, the Sub-processor addition or replacement. EdMyst will provide notice by maintaining an updated list of Sub-processors on EdMyst’s Sub-processor page noted above and also by email if Customer subscribes to receive updates by email via the page noted above.
8.3. Sub-processor Objections. Customer may object to the appointment or replacement of a Sub-processor prior to the appointment or replacement, provided that the objection is in writing and based on reasonable grounds related to data protection. If Customer objects to the appointment of a new Sub-processor, EdMyst and Customer will discuss commercially reasonable alternative solutions in good faith. If the EdMyst and Customer cannot reach a resolution within 30 days after the date EdMyst receives Customer’s written objection, Customer may discontinue the use of the affected Services by providing written notice to EdMyst, without prejudice to fees owed for the time period unaffected by the discontinuation. If Customer does not raise an objection prior to EdMyst replacing or adding a Sub-processor, Customer will be deemed to have authorized the new Sub-processor.
8.4. Sub-processor Obligations. Where EdMyst engages Sub-processors, it will do so by way of a contract which imposes on the Sub-processor, in substance, personal data protection obligations at least as protective of personal data as those imposed on EdMyst under this DPA. EdMyst will be responsible each Sub-processor's compliance with the obligations of this DPA and with applicable Data Protection Laws.
8.5. Sub-processor Responsibility. EdMyst will remain fully responsible to Customer for the performance of the Sub-processor’s obligations in accordance with its contract with EdMyst.
9. International Transfers
9.1. Transfer of Data. EdMyst may transfer and process Customer personal data to and in the United States and anywhere else in the world where EdMyst, its Affiliates, or its Sub-processors maintain data processing operations. EdMyst will transfer personal data solely in performance of its obligations under the Agreement.
9.2. Transfer Mechanism; SCCs. If EdMyst transfers personal data to or through the Services, either directly or by onward transfer, from the European Economic Area or Switzerland to the United States or any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection to personal data, then that transfer will be governed by and made pursuant to the SCCs.
9.3. SCC Schedule. Schedule 2 to this DPA sets forth certain details of EdMyst’s processing of personal data in accordance with the SCCs, if and to the extent the SCCs apply.
10. Assistance to Customer
10.1. Notification of Data Subject Requests. EdMyst will promptly notify Customer of any request it receives from a data subject. EdMyst will not respond to the request itself except as reasonably appropriate (for example, to confirm receipt or direct the data subject to contact Customer) or as may be legally required or authorized by Customer.
10.2. Assistance. EdMyst will assist Customer in fulfilling Customer’s obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing, and in accordance with Customer’s lawful instructions.
10.3. Assessments and Consultations. Taking into account the nature of the processing and the information available to EdMyst in each case, EdMyst will assist Customer in complying with any of Customer’s obligations required by applicable Data Protection Laws with respect to the following: (a) the obligation to carry out an assessment of the impact of EdMyst’s processing of personal data; (b) the obligation to consult with regulatory authorities that may be required; and (c) the obligation to ensure that personal data is accurate and up to date.
10.4. Where EdMyst is a Controller. For clarity, nothing in the DPA will restrict or prevent EdMyst from responding to a data subject or data protection authority requests in relation to personal data for which EdMyst is a controller (as opposed to the processor).
11. Security Incidents
11.1. Security Incident Notification. If EdMyst becomes aware of a Security Incident, EdMyst will notify Customer without undue delay, and in any case, within seventy-two (72) hours after becoming aware of the Security Incident. EdMyst may send notification of a Security Incident by any notification means set forth in the Agreement or, in any case, by email to the administrator contact that Customer designates in Customer’s account within the Services.
11.2. Notification Details. EdMyst’s notification of a Security Incident will at least contain a description of:
11.2.1. the nature of the Security Incident, including, where possible, the categories and approximate number of data subjects and records concerned;
11.2.2. the details of a contact point where more information concerning the Security Incident can be obtained; and
11.2.3. the likely consequences and the measures taken or proposed to be taken to address the Security Incident, including to mitigate its possible adverse effects.
If, and to the extent, EdMyst is not reasonably able to provide all the information at the same time, EdMyst’s initial notification will contain the information then available and it will provide further information without undue delay as it becomes available.
11.3. Reporting Assistance. EdMyst will provide reasonable assistance to Customer in the event Customer is required by applicable Data Protection Law to notify a regulatory authority or any data subjects impacted by a Security Incident.
11.4. Mitigation. EdMyst will take reasonable steps to investigate and, as necessary, address and mitigate an actual or threatened Security Incident. EdMyst’s notification or addressing of, or response to, a Security Incident will not be construed as an acknowledgment by EdMyst of any fault or liability with respect to the Security Incident.
12. Return or Deletion of Personal Data
Following termination of the Agreement, EdMyst will, at the choice of Customer, delete or return to Customer all personal data processed by EdMyst, except to the extent applicable law requires the retention of any personal data. In the event Customer does not notify EdMyst of their preferred choice within 30 days following termination of the Agreement, EdMyst will dispose of Customer’s data in accordance with EdMyst’s standard data purge cycle. Until the personal data is deleted or returned, it will remain subject to the terms of this DPA.
13. Relationship to Agreement
13.1. Governing Law. This DPA will be governed by, and construed in accordance with, the governing law of the Agreement, and any dispute between the EdMyst and Customer will be subject to the exclusive jurisdiction of the forum set forth on the Agreement, unless otherwise required by applicable Data Protection Laws.
13.2. Term. This DPA will remain in effect for as long as EdMyst processes personal data on behalf of Customer.
13.3. Order of Precedence. In the event of any conflict or inconsistency between this DPA and any other part of the Agreement, the provisions of first the SCCs and then of this DPA will prevail over any provisions of any documents of the Agreement to the contrary.
13.4. Agreement Unchanged. Except for any modifications to the Agreement as may be made by this DPA, the Agreement remains unchanged and in full force and effect.
13.5. No Third-Party Beneficiaries. No one other than the parties to this DPA and their successors and permitted assigns will have any right to enforce any terms of this DPA, but without prejudice to the rights available to data subjects under applicable Data Protection Laws or this DPA (including the SCCs).
14. Jurisdiction-Specific Terms
14.1. California. Where EdMyst’s processing of personal data is subject to the CCPA as personal information under the CCPA, the following terms will apply to supplement the DPA and will control over any conflicting provisions of the DPA:
14.1.1. Each party will comply with its obligations under the CCPA.
14.1.2. Any data subject rights and EdMyst’s obligations with respect to those data subject rights, as described in this DPA, also apply to Consumer rights under the CCPA.
14.1.3. The parties intend for EdMyst’s provision of the Services and the exercise of its rights under the Agreement or as permitted by the CCPA to constitute a “business purpose” under the CCPA.
14.1.4. EdMyst will not “sell” or “share” personal information, as each term is defined by the CCPA.
14.1.5. EdMyst will not retain, use, or disclose personal information outside of the direct business relationship between EdMyst and Customer.
14.1.6. EdMyst will not combine personal information controlled by Customer with personal information EdMyst receives from other customers, except as may permitted by the Agreement or applicable Data Protection Laws.
14.1.7. EdMyst will take steps to ensure that Sub-processors or any other person engaged by EdMyst to assist in the processing of personal information are “Service Providers” under the CCPA, and EdMyst will enter into a written agreement with each service provider obligating the service provider to the applicable requirements under the CCPA.
14.1.8. EdMyst will notify Customer if EdMyst makes a determination that it can no longer meet its obligations under the CCPA.
14.1.9. Customer will have the right, upon notice to EdMyst, to take reasonable and appropriate steps to stop and remediate any unauthorized use of personal information and to help to ensure that EdMyst uses the personal information in a manner consistent with Customer’s obligations under the CCPA.
14.2. United Kingdom. Where EdMyst’s processing of personal data is subject to UK GDPR, the UK Addendum to the SCCs included with this DPA will apply.
SCHEDULE 1
DETAILS OF PROCESSING
1. Categories of Data Subjects. |
The categories of data subjects whose personal data may be processed are: (a) Customer’s employees and contractors (b) Candidates for employment invited to use the Services by Customer (c) Other persons designated by Customer to use the Services in connection with Customer’s use under the Agreement |
2. Categories of Personal Data Processed. |
EdMyst may process the following categories of personal data in providing the Services: (a) Identifiers: Including first and last name, username, email address, business title, contact information, EdMyst password, country, and photograph if using certain features that provide for photographs. (b) Internet or other electronic network activity information: Technical data to the extent relating to a data subject in the form of IP address and the features accessed and interactions taken with respect to the Services. (c) Results: Results of a Candidates’ ranking or scoring to the extent they relate to a data subject in connection with use of features of the Services. (d) Provided data: Any other personal data that a data subject provides to EdMyst when signing up for, using, or requesting support for the Services or that Customer requests the data subject provide in connection with Customer’s use of the Services (such as personal data Customer requests of a Candidate in connection with an assessment). |
3. Sensitive Data. | EdMyst does not intentionally, and the parties do not anticipate that EdMyst will, collect or process any “special categories of personal data” or “sensitive personal information” (as each is defined by applicable Data Protection Laws) in connection with the use or provision of the Services. |
4. Nature of Processing | EdMyst will process personal data in connection with the provision of EdMyst Services as set forth in the Agreement. |
5. Frequency and Duration of Processing | Personal data is processed on a continuous basis until the data is deleted or returned to Customer in accordance with the Agreement. |
SCHEDULE 1
DETAILS OF STANDARD CONTRACTUAL CLAUSES
1. Module 2 (Controller to Processor). For transfers of personal data where the SCCs apply, the SCCs will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
1. The “data exporter” is Customer; and
The “data importer” is EdMyst
2. Module Two (Controller to Processor) of the SCCs will apply as set forth throughout the SCCs where Customer is a controller of personal data and EdMyst is the processor of personal data.
2. Specific Clauses. The following clauses of the SCCs will apply as set forth below:
1. In Clause 7 of the SCCs, the Docking Clause will apply.
2. In Clause 9 of the SCCs, Option 2 (general written authorization) will apply and the time period for prior notice of Sub-processor changes will be as set forth in Section 8.2 (Sub-processor Changes) of this DPA.
3. In Clause 11 of the SCCs, the optional language will not apply.
4. In Clause 17 of the SCCs, the SCCs will be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they will be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The parties agree that this will be the law of Ireland.
5. In Clause 18(b) of SCCs, the parties agree that the courts of the EU Member State for resolution of disputes arising from the SCCs will be the courts of Ireland.
3. Appendix to SCCs. The Annexes to this DPA set forth information that populates the corresponding Annex to the SCCs.
ANNEX I
A. LIST OF THE PARTIES:
Data Exporter: Customer
(i) Contact Information: The email address(es) designated by Customer as the administrator of Customer’s account within the Services.
(ii) Signature and Date: By entering into the Agreement, as of the Effective Date of the Agreement, Data Exporter is deemed to have signed the SCCs incorporated herein, including their Annexes.
(iii) Role: As set forth in Section 2 (Roles of the Parties) of this DPA.
Data Importer: Interviewstreet, Inc. d/b/a EdMyst
(i) Contact Information: EdMyst at legal@edmyst.com
(ii) Signature and Date: By entering into the Agreement, as of the Effective Date of the Agreement, Data Importer is deemed to have signed the SCCs incorporated herein, including their Annexes.
(iii) Role: As set forth in Section 2 (Roles of the Parties) of this DPA.
B. DESCRIPTION OF TRANSFER
The transfer of personal data is as described in Schedule 1 of this DPA.
C. SUPERVISORY AUTHORITY
(i) As applicable to the SCCs, the supervisory authority will be: (A) if Customer is established in an EU Member State, the supervisory authority responsible for ensuring Customer's compliance with the GDPR; or (B) if Customer is not established in an EU Member State but is within the extra-territorial scope of the GDPR, then (1) if Customer has appointed a representative, the supervisory authority of the EU Member State in which Customer's representative is established, or (2) if Customer has not appointed a representative, the supervisory authority of the EU Member State in which the data subjects are predominantly located.
(ii) With respect to personal data that is subject to the UK GDPR or Swiss DPA, the competent supervisory authority will be the UK Information Commissioner or the Swiss Federal Data Protection and Information Commissioner (as applicable).
ANNEX II: TECHNICAL AND ORGANIZATIONAL MEASURES
The technical and organizational measures are as described in the DPA.
ANNEX III: LIST OF SUB-PROCESSORS
The controller has authorized the use of the following sub-processors: As authorized by the DPA.
UK ADDENDUM PROVISIONS
Where EdMyst’s processing of personal data is subject to Data Protection Laws of the United Kingdom (including the UK GDPR and Data Protection Act of 2018), the SCC terms above in this Schedule will apply, as supplemented or modified by the UK Addendum, as follows:
Part 1 (Tables)
1. Table 1: Parties. In Table 1 of the UK Addendum:
The party details are as set forth in the foregoing Annex I to the SCCs.
2. Table 2: Selected SCCs, Modules, and Selected Clauses. In Table 2 of the UK Addendum:
The version of the Approved EU SCCs (as defined by the UK Addendum) which this UK Addendum is appended to, detailed below, including the Appendix Information: The SCCs made part of the agreement between the parties hereto.
3. Table 3: Appendix Information. In Table 3 of the UK Addendum:
(i) The list of parties is set forth in the foregoing Annex I to the SCCs;
(ii) The description of the transfer is set forth in the foregoing Annex I to the SCCs;
(iii) The technical and organizational measures are set forth in the foregoing Annex II of the SCCs; and
(iv) The list of sub-processors is set forth in the foregoing Annex III to the SCCs.
4. Table 4: Ending this Addendum when the Approved Addendum Changes. In Table 4 of the UK Addendum:
The option “neither party” will be deemed selected.
Part 2 (Mandatory Clauses)
The SCCs are deemed amended as set forth in Part 2 of the UK Addendum.