This JobSync Data Processing Agreement and its Annexes (“DPA”) is governed by and hereby attached to the Master Service Agreement, Terms of Service, Statement of Work, Order Form, or any other agreement (“Agreement”) executed by and between JobSync, LLC (“JobSync”), and you, a customer, client, partner, user, or individual (“Client”).

  1. JobSync is the developer and operator of a cloud-based SaaS solution enabling enterprises and organizations to automate and optimize the execution of various talent acquisition and related activities, all as agreed to by the Parties in the applicable Order or other documents that are incorporated into the Agreement (collectively the “Service(s)”).

  2. The Services may require JobSync to Process Personal Data (as such terms are defined below) on Client’s behalf, which Client discloses to JobSync only for the limited and specified purposes set forth herein, and subject to the terms and conditions of this DPA.

  3. This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement, an Order Form or an executed amendment to the Agreement.

  4. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.

  5. This DPA may be updated from time to time to address changes in the various Laws as set forth below or that may come into force in the future.

The Parties desire to achieve compliance with the EU, UK, Swiss, US, and other data protection laws including local data protection laws and agree to the following:

  1. DEFINITIONS

    1. “Adequate Country” is a country that received an adequacy decision from the European Commission.

    2. “CCPA” means the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) of 2018, including as modified by the California Privacy Rights Act (“CPRA”) once the CPRA takes effect as well as all regulations promulgated thereunder from time to time.

    3. “CPA” means the Colorado Privacy Act C.R.S.A. § 6-1-1301 et seq. (SB 21-190), including any implementing regulations and amendments thereto.

    4. “CTDPA” means the Connecticut Data Privacy Act, S.B. 6 (Connecticut 2022), including any implementing regulations and amendments thereto.

    5. “Client Data” means Client Data (as defined in the Agreement) and any Personal Data processed by JobSync in the course of its Services provision to Client, all as detailed in Annex I attached herein.

    6. The terms “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” (and “Process”), “Processor”, “Special Categories of Personal Data” and “Supervisory Authority”, shall all have the same meanings as ascribed to them in the EU Data Protection Law, the CPA, the VCDPA and the CTDPA. The terms “Business”, “Business Purpose”, “Consumer”, “Contractor”, “Cross-contextual Advertising”, “Service Provider”, “Sale”, “Sell” and “Share”, “Targeted Advertising”, “Third-Party Business”, shall have the same meaning as ascribed to them in the US Data Protection Laws. “Data Subject” shall also mean and refer to (under this DPA) a “Consumer”, as such term defined in the US Data Protection Laws, and “Personal Data” shall include “Personal Information” under this DPA.

    7. “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law, UK Data Protection Laws, Swiss Data Protection Laws, Israeli Law and the US Data Protection Laws) as may be amended or superseded from time to time.

    8. “EEA” means the European Economic Area.

    9. “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); (v) any legislation replacing or updating any of the foregoing; and (vi) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.

    10. “Israeli Law” means Israeli Privacy Protection Law, 5741-1981, the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017 and other related privacy regulations.

    11. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Data. Any Personal Data Breach will comprise a Security Incident.

    12. “Standard Contractual Clauses” or “SCC” mean the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission Decision 2021/914 of 4 June 2021, which may be found here: Standard Contractual Clauses.

    13. “Swiss Data Protection Laws” or “FADP” shall mean (i) Swiss Federal Data Protection Act (dated June 19, 1992, as of March 1, 2019) (“FDPA”); (ii) The Ordinance on the Federal Act on Data Protection (“FODP”); and (iii) any national data protection laws made under, pursuant to, replacing or succeeding and any legislation replacing or updating any of the foregoing.

    14. “Swiss SCC” shall mean the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner.

    15. “US Data Protection Laws” means any U.S. federal and state privacy laws effective as of the Effective Date of this DPA and applies to JobSync Processing of Client Data, and any implementing regulations and amendment thereto, including without limitation, the CCPA, the CPA, the CTDPA, and the VCDPA.

    16. “UK Data Protection Laws” shall mean the Data Protection Act 2018 (DPA 2018), as amended, and EU General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as incorporated into UK law as the UK GDPR, as amended, and any other applicable UK data protection laws, or regulatory Codes of Conduct or other guidance that may be issued from time to time.

    17. “UK GDPR” shall mean the GDPR as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or a part of the United Kingdom from time to time).

    18. “UK Standard Contractual Clauses” or “UK SCC” means the UK “International Data Transfer Addendum to The European Commission Standard Contractual Clauses” available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf as adopted, amended or updated by the UK Information Commissioner Office (“ICO”), Parliament or Secretary of State.

    19. “VCDPA” means the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (SB 1392), including any implementing regulations and amendments thereto.

    20. Any other term, capitalized or not, not otherwise defined herein shall have the meaning set forth in the Agreement or applicable Law. Any reference to any of the Laws including but not limited to CCPA, GDPR, Swiss SCC, UK Data Protection Laws, VCDPA means the version as amended. References to GDPR in this DPA shall mean either GDPR or UK GDPR depending on the applicable Law.

  2. ROLES AND DETAILS OF PROCESSING

    1. The Parties agree and acknowledge that under the performance of their obligations set forth in the Agreement, and with respect to the Processing of Client Data, and according to the applicable Data Protection Laws, JobSync is acting as a Data Processor, or Service Provider and Client is acting as a Data Controller or Business.

    2. Each Party shall be individually and separately responsible for complying with the obligations that apply to such Party under applicable Data Protection Law.

    3. The subject matter and duration of the Processing carried out by the Processor on behalf of the Controller, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Annex I attached hereto.

    4. Additional US Data Protection Laws specifications are further detailed in Annex VII.

  3. REPRESENTATIONS AND WARRANTIES

    1. JobSync represents and warrants that it shall Process Client Data, on behalf of the Client, solely for the purpose of providing the Service, all in accordance with Client’s written instructions under the Agreement and this DPA. Notwithstanding the above, in the event JobSync is required under applicable laws, including Data Protection Law or any union or member state regulation, to Process Client Data other than as instructed by Client, JobSync shall make its best efforts to inform the Client of such requirement prior to Processing such Client Data, unless prohibited under applicable law.

    2. JobSync shall provide reasonable cooperation and assistance to the Client in ensuring compliance with its obligation to carry out data protection impact assessments.

    3. Where applicable, JobSync shall assist the Client in ensuring that Client Data Processed is accurate and up to date, by informing the Client without delay if it becomes aware of the fact that the Client Data it is processing is inaccurate or has become outdated.

    4. JobSync shall take reasonable steps to ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process Client Data; and (ii) that persons authorized to Process the Client Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

    5. Notwithstanding the above, in any event that the Israeli Law applies, the Parties hereby undertake that they comply with the aforesaid regulations as well as comply with the DPA.

    6. If the EU Data Protection Law or the CCPA do not apply to the Client, then Client must abide by any other Data Protection Law and data security laws and regulations that are applicable to it, and at a minimum Client shall: (i) obtain and maintain any and all authorizations, permissions and informed consents, as may be necessary under applicable laws and regulations, in order to allow JobSync to lawfully collect, handle, retain, process and use the processed data within the scope of the Services; (ii) substantiate the legal basis and legitimize, pursuant to applicable law, any and all Personal Data or personally identifiable information transferred through the Services; (iii) have, properly publish and abide by an appropriate privacy policy that complies with all applicable Data Protection Law.

  4. DATA SUBJECTS RIGHTS AND REQUEST

    1. It is agreed that where JobSync receives a request from a Data Subject or an applicable authority in respect of Client Data, where applicable, JobSync will notify the Client of such request promptly and direct the Data Subject or the applicable authority to the Client in order to enable the Client to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws.
      Parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.

  5. SUB-PROCESSING

    1. The Client acknowledges that JobSync may transfer Client Data to and otherwise interact with third-party data Processors (“Sub-Processor”). The Client hereby authorizes JobSync to engage and appoint such Sub-Processors as listed in Annex III, to Process Client Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. JobSync may continue to use those Sub-Processors already engaged by JobSync, as listed in Annex III, or engage an additional Sub-Processor or replace an existing Sub-Processor to Process Client Data, subject to the provision of a thirty (30) days prior notice of its intention to do so to the Client. In case the Client has not objected to the adding or replacing of a Sub-Processor within such notice period, such Sub-Processor shall be deemed approved by the Client. In the event the Client objects to the adding or replacing of a Sub-Processor, within such notice period, JobSync may, under JobSync’s sole discretion, suggest the engagement of a different Sub-Processor for the same course of services, or otherwise terminate the Agreement.

    2. JobSync shall, where it engages any Sub-Processor, impose, through a legally binding contract between JobSync and the Sub-Processor, data protection obligations that are no less onerous than, and provide at least the same level of protection as, those set out in this DPA. JobSync shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Laws.

    3. JobSync shall remain responsible to the Client for the performance of the Sub-Processor’s obligations in accordance with this DPA. JobSync shall notify the Client of any failure by the Sub-Processor to fulfill its contractual obligations.

  6. TECHNICAL AND ORGANIZATIONAL MEASURES

    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the Parties, JobSync hereby confirms that it has implemented and will maintain appropriate physical, technical and organizational measures to protect the Client Data as required under Data Protection Laws to ensure lawful Processing of Client Data and safeguard Client Data from unauthorized, unlawful or accidental processing, access, disclosure, loss, alteration or destruction.

    2. The Parties acknowledge that security requirements are constantly changing and that effective security requires the frequent evaluation and regular improvement of outdated security measures.

    3. The security measures implemented and maintained by JobSync are further detailed in Annex II.

  7. SECURITY INCIDENT

    1. JobSync will notify the Client without undue delay (and in any event within 24 hours) upon becoming aware of any Security Incident involving the Client Data. JobSync’s notification regarding or response to a Security Incident under this Section 7 shall not be construed as an acknowledgment by JobSync of any fault or liability with respect to the Security Incident.

    2. JobSync will: (i) take necessary steps to remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) cooperate with the Client and provide the Client with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; (iii) notify the Client in writing of any request, inspection, audit or investigation by a Supervisory Authority or other authority; (iv) keep the Client informed of all material developments in connection with the Security Incident and execute a response plan to address the Security Incident; and (v) cooperate with the Client and assist Client with its obligation to notify the affected individuals in the case of a Security Incident.

  8. AUDIT RIGHTS

    1. JobSync shall maintain accurate written records of any and all the Processing activities of any Client Data carried out under this DPA and shall make such records available to the Client and applicable Supervisory Authorities upon written request. Such records provided shall be considered JobSync’s Confidential Information and shall be subject to confidentiality obligations.

      1. Except in the case of a Security Incident, Client will be limited to making such requests no more than once per year.

    2. Client may audit JobSync’s compliance with this DPA and Data Protection Laws by requesting a certificate issued for security verification reflecting the outcome of an annual audit conducted by a third-party auditor (e.g., ISO27001/ISO27701 certification, SOC2 certificate) or a comparable certification or other security certification of an audit conducted by a third-party auditor, within twelve (12) months as of the date of Client’s request.

    3. Alternatively, in the event the records and documentation provided subject to Section 8.1 and 8.2 above are not sufficient for the purpose of demonstrating compliance, or an audit has not been completed by a third-party auditor, JobSync shall make available, solely upon prior reasonable written request, and no more than once per calendar year, to a reputable auditor nominated by the Client, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Client Data (“Audit”) in accordance with the terms and conditions hereunder.

      1. The auditor shall be subject to standard confidentiality obligations (including towards third-parties).

      2. JobSync may object to an auditor appointed by the Client in the event JobSync reasonably believes the auditor is not suitably qualified or is a competitor of JobSync.

      3. JobSync may object to an auditor appointed by the Client in the event JobSync reasonably believes that the auditor is not suitably qualified or independent, is a competitor of JobSync or otherwise unsuitable (“Objection Notice”). The Customer will appoint a different auditor or conduct the Audit itself upon its receipt of an Objection Notice from JobSync.

      4. Client shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to JobSync’s premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit.

      5. Any on-site inspection requires a written advance notice of 30 days, does not include access to any remote worker site or home office, is limited to ordinary business hours, and has to be undertaken in a way that minimizes any impact on JobSync’s business operations.

    4. Nothing in this DPA will require JobSync to either disclose to Client or its third-party auditor, or to allow Client or its third-party auditor to access: (i) any data of any other JobSync customer; (ii) JobSync’s internal accounting or financial information; (iii) any trade secret of JobSync or its Affiliates; (iv) any information that, in JobSync’s reasonable opinion, could compromise the security of any of JobSync’s systems or cause any breach of its obligations under applicable law or its security or privacy obligations to any third-party; or (v) any information that Client or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Client’s obligations under the Data Protection Laws.

  9. CROSS BORDER PERSONAL DATA TRANSFERS

    1. Where the GDPR, UK GDPR or the Swiss FADP is applicable, and the Processing of Client Data by JobSync (or by a Sub-Processor) includes transfer of Client Data (either directly or through an onward transfer) to a third country outside the EEA, the UK and Switzerland that is not an Adequate Country, such transfer shall only occur if an appropriate safeguard approved by the applicable Data Protection Law (the GDPR (Article 46), UK GDPR (Article 46) or Swiss FADP (as applicable)) for the lawful transfer of Client Data is in place.

    2. When Client and JobSync, or JobSync and its Sub-Processor, rely on the Standard Contractual Clauses to facilitate a transfer to a third country that is not an Adequate Country, then:

      1. transfer of Client Data from the EEA, the terms set forth in Annex IV shall apply;

      2. transfer of Client Data from the UK, the terms set forth in Annex V shall apply; and

      3. transfer of Client Data from Switzerland, the terms set forth in Annex VI shall apply.

  10. TERM, TERMINATION AND CONFLICT

    1. This DPA shall be effective as of the Effective Date (as defined in the Agreement) and shall remain in force until the Agreement terminates or as long as JobSync Processes Client Data.

    2. JobSync shall be entitled to terminate this DPA or cease the Processing of Client Data in the event that Processing of Client Data under the Client’s instructions or this DPA infringes applicable legal requirements, provided Client did not cure such infringement within ten (10) days from receiving applicable notice from JobSync. Alternatively, JobSync may, in its sole discretion, suspend the Processing of the Client Data until such infringement is cured without terminating the DPA.

    3. Following the termination of this DPA, JobSync shall, at the choice of the Client, delete all Client Data Processed on behalf of the Client and certify to the Client that it has done so, or, return all Client Data to the Client and delete existing copies, unless applicable law or regulatory requirements require that JobSync continue to store Client Data. Until the Client Data is deleted or returned, the Parties shall continue to ensure compliance with this DPA. Client’s choice shall be provided in writing to JobSync, following the effect of termination.

    4. In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the Parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.

ANNEX I

DETAILS OF PROCESSING

This Annex includes certain details of the Processing of Personal Data as required under the Data Protection Laws.

A. List of Parties

Data exporter:

Name: The Client, as defined in the Agreement

Address: The Client’s address, as set out in the Order

Contact person’s name, position and contact details: The Client’s contact details, as set out in the Order and/or as set out in the Client’s JobSync Account

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Client’s use of the Services under the Agreement.

Role (controller/processor): Controller

Data importer:

Name: JobSync, LLC

Address: 5501 Merchants View Sq, #205, Haymarket VA 20169

Contact person’s name, position and contact details: JobSync’s contact details, as set out in the Order and/or as set out in the Client’s JobSync Account

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Client’s use of the Services under the Agreement.

Role (controller/processor): Processor

B. Description of Transfer

Categories of Data Subjects:

Client employees, Client’s customers, any data subjects that are uploaded to the Service by Client or at Client’s direction and as defined in the Order.

Categories of Personal Data processed:

Credentials, contact information, authentication and security credentials.

Special Categories of Personal Data:

Data revealing racial or ethnic origin and trade union membership.

Nature of the processing:

Collection, storage, organization, communication, transfer, host and other uses in performance of the Services as set out in the Agreement.

Purpose(s) of Processing:

To provide the Service.

Retention Period:

For as long as is necessary to provide the Service by JobSync; provided there is no legal obligation to retain the Personal Data past termination or unless otherwise requested by the Client.

Process Frequency:

Continuous basis

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES

This Annex includes a description of the technical and organizational measures implemented by JobSync, to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:

The security objectives of the Client are identified and managed to maintain a high level of security and consist of the following (concerning all data assets and systems):

  • Availability

Information and associated assets should be accessible to authorized users when required. The computer network must be resilient. JobSync must detect and respond rapidly to incidents (such as viruses and other malware) that threaten the continued availability of assets, systems, and information.

  • Confidentiality

Ensuring that information is only accessible to those authorized to access it, on a need-to-know-basis.

  • Integrity

Safeguarding the accuracy and completeness of information and processing methods, which requires preventing deliberate or accidental, partial or complete, destruction, or unauthorized modification, of electronic data.

  1. Data Security Measures. JobSync will maintain technical and organizational controls that ensure proper security methods are used to prevent any unauthorized use, disclosure of, or access to Client Data that are no less rigorous than accepted industry practices as set forth in the AICPA SOC2 framework and Trust Services Criteria and shall ensure that all such safeguards, including the manner in which Client Data is created, collected, accessed, received, used, stored, processed, disposed of, and disclosed, comply with Applicable Data Protection Laws, as well as the terms and conditions of the Agreement. Without limiting JobSync’s obligation under the preceding sentence, JobSync’s safeguards for the protection of Client Data shall include the following data security controls on all systems, networks and devices that contain Client Data or access Client’s systems:

    1. Written Information Security Program. JobSync will implement and maintain a comprehensive written information security program, procedures, and practices that comply with this DPA and include appropriate administrative, technical, and physical safeguards in compliance with Applicable Data Protection Laws and that adhere to industry best standards. Such information security program must be reasonably designed to: (i) ensure the security, integrity, availability, and confidentiality of Client Data and Personal Information; (ii) address any anticipated or reasonably likely threats or hazards to the privacy, security, availability, and/or integrity of Client Data and Personal Information; (iii) prevent any Security Incident; and (iv) ensure the proper disposal of Personal Information.

  2. Access Controls. JobSync will implement measures to: (A) abide by the “principle of least privilege,” pursuant to which access to Client Data by JobSync personnel will be designed to be solely on a need-to-know basis; and (B) promptly terminate the access of JobSync personnel to Client Data when such access is no longer required for performance under the Agreement.

    1. Systems. With respect to its systems, JobSync shall implement and maintain, at a minimum, the following authentication protocols:

      1. All access to systems, applications, or other network resources that provides the ability to access Client Data shall be controlled by an authentication method involving a minimum of a unique user ID/password combination.

      2. Where possible, privileged users and administrators must use multi-factor authentication.

      3. System stored passwords may never be stored in clear text.

      4. All passwords must be complex and not easy to guess or crack. Effectiveness of authentication must be tested on a regular basis to ensure that unauthorized authentication is not easily permitted.

      5. Where possible, remote network access must be secured by multi-factor authentication.

      6. All activity performed under a User ID is the responsibility of the individual assigned to that User ID. Users shall not share their User ID/password with others or allow other employees to use their User ID/password to perform actions.

      7. Use of generic user accounts shall not be permitted.

    2. Client Assets. With respect to access to Client Data, systems, and equipment (“Client Assets”), JobSync shall implement and maintain at a minimum the following protocols:

      1. Logical or network access to infrastructure housing Client Assets must be restricted and access allowed based on a “need to know” basis.

      2. Requests to access Client Assets must be documented and approved only based on a business need.

      3. JobSync must review and limit user access to Client Assets on a periodic basis.

    3. Logging. Security relevant events, including, but not limited to, login failures, use of privileged accounts, changes to access models or file permissions, modification to installed software or the operating system, changes to user permissions, or privileges or use of any privileged system function, shall be logged on all systems and reviewed on no less than a weekly basis for suspicious activity. Security logs shall be retained for a minimum of 90 calendar days. Access to security logs shall be restricted to authorized persons.

  3. Vulnerability Management. JobSync will use reasonable measures to: (A) periodically use automated vulnerability scanning tools to scan JobSync’s systems for vulnerabilities; and (B) implement patch management and software update tools as made available by the providers of those tools. JobSync will conduct periodic internal and external Penetration Testing of systems that store or process Client Data to identify vulnerabilities and attack vectors that can be used to exploit those systems. Identified vulnerabilities shall be addressed as part of JobSync’s vulnerability management process.

    1. Non-Intrusive Scans. At its own expense, Client may periodically perform Non-Intrusive Scans of the systems on which any data or information that is provided or made available to JobSync by Client or obtained by JobSync in the performance of this Agreement – including, but not be limited to, Client Data – is held using a third-party commercially-available security testing tool to provide a vulnerability assessment report.

    2. Penetration Testing. At least once a year and at JobSync’s sole cost and expense, JobSync will engage an independent third-party to conduct Penetration Testing on JobSync’s systems on which Client Data is held. Such Penetration Testing will evaluate the security controls of the application, host, and network layers used to provide any applicable products and services in accordance with industry standard methodologies.

  4. Security Segmentation. JobSync will use reasonable measures designed to monitor, detect, and restrict the flow of information on a multilayered basis using tools such as firewalls, proxies, and network-based intrusion detection systems. JobSync shall use industry standard firewalls to segregate trusted from untrusted networks. JobSync must test the effectiveness of its network segmentation on a periodic basis and promptly disable any unneeded network services.

  5. Encryption. JobSync, and all JobSync affiliates and subcontractors, must encrypt Client Data in transit and at rest using industry standard encryption tools – including without limitation, data used for purposes of backup and authentication. JobSync must have in place encryption key management practices to ensure the confidentiality of Client Data. Keys must be protected from unauthorized use, disclosure, alteration, and destruction. If a private key is compromised, all associated certificates must be revoked.

  6. Physical Safeguards. JobSync will maintain physical access controls designed to secure the JobSync-managed physical premises where the relevant JobSync computing environment used to process any Client Data is located, including an access control system that enables JobSync to control physical access to each JobSync facility. JobSync shall reasonably protect physical locations in which any Client Data is stored, or Client-owned equipment is located, from physical dangers, including but not limited to: physical intrusion, unlawful and unauthorized physical access; heating, ventilation, or air conditioning problems; power failures or outages (i.e., uninterrupted power service expected); fire; theft; and natural disasters (reasonable protection).

  7. JobControl

    1. JobSync will ensure all Employees, customers, vendors and applicable processors have signed binding agreements, all of which include applicable data provisions and data security obligations. Employees are bound to comply with this Security Policy in addition to internal security policies and procedures, and breaching or not complying with them shall result in disciplinary actions.

    2. JobSync agrees that it maintains adequate training programs to ensure that its employees and any others acting on its behalf are aware of and adhere to its information security program. JobSync shall exercise necessary and appropriate supervision over its employees and contractors to maintain appropriate confidentiality and security of Client Assets.

ANNEX III

LIST OF SUB-PROCESSORS

JobSync uses Sub-Processors to assist in the delivery of the Service and we engage Sub-Processors to assist with our data processing activities. A list of our Sub-Processors and our purpose for engaging them is located below and is incorporated into this DPA.

| Sub-Processor Name | Processing region | Description of the processing |
| --- | --- | --- |
| Amazon Web Services (AWS), Inc. | EU/US | Hosting, web infrastructure, website security. |
| Cloudflare, Inc. | EU/US | Used for web infrastructure and website security, providing content delivery network services, DDoS mitigation, internet security, and distributed domain name server services. |
| Google LLC | EU/US | Hosting and internal communication. |
| Microsoft Azure | EU/US | Hosting. |
| OpenAI, LLC | US | Used for JobSync AI Products. |
| Rackspace | US | Web infrastructure, website security. |
| Salesforce, Inc. | US | Client Support ticketing. |
| Slack Technologies, LLC | US | Internal communication tool for Support. |
| Twilio | US | Used to support email and SMS functionality. |

ANNEX IV

EU INTERNATIONAL TRANSFERS AND SCC

  1. The Parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to transfer of Client Data from the EEA to other countries that are not deemed as Adequate Countries.

  2. Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the transfer is effectuated by Client as the Controller of the Client Data and JobSync is the Processor of the Client Data.

  3. The Parties agree that for the purpose of transfer of Personal Data between Client (as Data Exporter) and JobSync (as Data Importer), the following shall apply:

    1. Clause 7 of the Standard Contractual Clauses shall not be applicable.

    2. In Clause 9, option 2 (general written authorization) shall apply and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in the Sub-Processing Section of the DPA.

    3. In Clause 11, the optional language will not apply, and data subjects shall not be able to lodge a complaint with an independent dispute resolution body.

    4. In Clause 17, option 1 shall apply. The Parties agree that the Standard Contractual Clauses shall be governed by the laws of the EU Member State in which the Client is established (where applicable).

    5. In Clause 18(b) the Parties choose the courts of the Republic of Ireland, as their choice of forum and jurisdiction.

  4. Annex I.A of the Standard Contractual Clauses shall be completed as follows:

    1. “Data Exporter”: Client

    2. “Data Importer”: JobSync

    3. Roles: (A) With respect to Module Two: (i) Data Exporter is a Controller and (ii) the Data Importer is a Processor.

    4. Data Exporter and Data Importer Contact details: As detailed in the Agreement and Order.

    5. Signature and Date: By entering into the Agreement and DPA, Data Exporter and Data Importer are deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

  5. Annex I.B of the Standard Contractual Clauses shall be completed as follows:

    1. The purpose of the Processing, nature of the Processing, categories of Data Subjects, categories of Personal Data and the Parties’ intention with respect to the transfer of special categories are as described in Annex I (Details of Processing) of this DPA.

    2. The frequency of the transfer and the retention period of the Personal Data is as described in Annex I (Details of Processing) of this DPA.

    3. The Sub-processors to which Personal Data is transferred are listed in Annex III.

  6. Annex I.C of the Standard Contractual Clauses shall be completed as follows: The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 3 above.

  7. Annex II of this DPA (Technical and Organizational Measures) serves as Annex II of the Standard Contractual Clauses.

  8. Annex III of this DPA (List of Sub-processors) serves as Annex III of the Standard Contractual Clauses.

ANNEX V

UK INTERNATIONAL TRANSFERS AND SCC

  1. The Parties agree that the terms of the Standard Contractual Clauses as amended by the UK Standard Contractual Clauses, and as amended in this Annex V, are hereby incorporated by reference and shall apply to transfer of Client Data from the UK to other countries that are not deemed as Adequate Countries.

  2. This Annex V is intended to provide appropriate safeguards for the purposes of transfers of Client Data to a third country in reliance on Article 46 of the UK GDPR and with respect to data transfers from Controller to Processor or from a Processor to its Sub-Processors.

  3. Terms used in this Annex V that are defined in the Standard Contractual Clauses, shall have the same meaning as in the Standard Contractual Clauses.

  4. Amendments to the UK Standard Contractual Clauses:

    1. Part 1: Tables

      1. Table 1 Parties: shall be completed as set forth in Section 4 within Annex IV above.

      2. Table 2 Selected SCCs, Modules and Selected Clauses: shall be completed as set forth in Section 2 and 3 within Annex IV above.

      3. Table 3 Appendix Information:

         Annex 1A: List of Parties: shall be completed as set forth in Section 2 within Annex IV above.

         Annex 1B: Description of Transfer: shall be completed as set forth in Annex I above.

         Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: shall be completed as set forth in Annex II above.

         Annex III: List of Sub-processors: shall be completed as set forth in Annex III above.

      4. Table 4 Ending this Addendum when the Approved Addendum Changes: shall be completed as “neither Party”.

ANNEX VI

SUPPLEMENTARY TERMS FOR SWISS DATA PROTECTION LAW TRANSFERS ONLY

The following terms supplement the Clauses only if and to the extent the Clauses apply with respect to data transfers subject to Swiss Data Protection Law, and specifically the FDPA:

  • The term ‘Member State’ will be interpreted in such a way as to allow Data Subjects in Switzerland to exercise their rights under the Clauses in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Clauses.

  • The clauses in the DPA protect the Client Data of legal entities until the entry into force of the upcoming revised FDPA.

  • All references in this DPA to the GDPR should be understood as references to the FDPA insofar as the data transfers are subject to the FDPA.

  • References to the “competent supervisory authority”, “competent courts” and “governing law” shall be interpreted as Swiss Data Protection Laws and Swiss Information Commissioner, the competent courts in Switzerland, and the laws of Switzerland (for Restricted Transfers from Switzerland).

  • In respect of data transfers governed by Swiss Data Protection Laws, the EU SCCs will also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity.

  • The competent supervisory authority is the Swiss Federal Data Protection Information Commissioner.

ANNEX VII

US DATA PROTECTION LAWS ADDENDUM

This US Privacy Law Addendum (“US Addendum”) adds specifications applicable to US Data Protection Laws. All terms used but not defined in this US Data Protection Laws Addendum shall have the meaning set forth in the DPA.

  1. CCPA Specifications:

    1. For the purpose of the CCPA, Client is the Business and JobSync is the Service Provider.

    2. JobSync shall Process Client Data on behalf of the Client as a Service Provider under the CCPA and shall not: (i) Sell or Share the Client Data; (ii) retain, use or disclose the Client Data for any purpose other than for a Business Purpose specified in the Agreement; or (iii) combine the Client Data with other Personal Data that it receives from, or on behalf of, another customer, or collects from its own interaction with California residents, except as otherwise permitted by the CCPA.

    3. If, and to the extent applicable, JobSync shall assist Client in respect of a Consumer request to limit the use of its Sensitive Personal Information (“SPI”) or Sensitive Data (as applicable) by JobSync.

    4. JobSync certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from Selling any Client Data.

    5. Notwithstanding the above, the process of sharing the Personal Information by the Client with advertisers may be considered a Sale under the CCPA. The Client is therefore solely liable for its compliance with the CCPA with respect to its use of the Services. It is the Client’s sole responsibility and liability to determine whether the sharing or transferring of Personal Information of Consumers during the course of or after the completion of the Services constitutes a Sale of Personal Information and it is also the Client’s responsibility to comply with the applicable CCPA requirements in this regard, including providing a “Do Not Sell” signal for end users who have exercised their right to opt out, where applicable.

  2. US Applicable States Specifications:

    1. For the purpose of this US Addendum, “Applicable States” shall mean Virginia, California, Colorado, and Connecticut.

    2. JobSync agrees to notify the Client if JobSync makes a determination that it can no longer meet its obligations under this US Addendum or US Data Protection Law.

    3. JobSync shall provide information necessary to enable Client to conduct and document any data protection assessments required by US Data Protection Laws. Notwithstanding the above, JobSync is responsible for only the measures allocated to it.

    4. JobSync shall provide assistance, and procure that its subcontractors will provide assistance, as Client may reasonably request, where and to the extent applicable, in connection with any obligation by Client to respond to Consumer’s requests for exercising their rights under the US Data Protection Laws, including without limitation, by taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Client’s respective obligation. JobSync acknowledges and confirms that it does not receive any monetary goods, payments or discounts in exchange for Processing the Client Data.

    5. Each Party shall, taking into account the context of Processing, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The Parties are hereby establishing a clear allocation of the responsibilities between them to implement these measures. JobSync technical measures are detailed in the DPA and Annexes above.

    6. The Processing instructions, including the nature of Processing, purpose of Processing, the duration of Processing, the type of Personal Data and categories of Data Subjects, are set forth in Annex I above.

    7. In addition to the Audit rights under Section 8 of the DPA, under US Data Protection Laws and subject to Client’s consent, JobSync may alternatively, in response to Client’s on-premise audit request, initiate a third-party auditor to verify JobSync’s compliance with its obligations under the US Data Protection Laws. During such audit, JobSync will make available to the third-party auditor all information necessary to demonstrate such compliance.

    8. Each Party will comply with the requirements set forth under US Data Protection Laws with regards to processing of de-identified data, as such term is defined under the applicable US Data Protection Law.

  3. When Processing Client Data or Usage Data (as defined in the Agreement) for the permitted purposes under US Data Protection Laws, JobSync shall ensure it complies with applicable laws and shall be liable for such Processing activities.