This JobSync Data Processing Agreement, including its Addendums (collectively, the “DPA”), is incorporated by reference into and forms an integral part of the Main Subscription Agreement, Terms of Service, or any other agreement governing the use of JobSync’s Services (the “Agreement”) entered into by and between JobSync, LLC (“JobSync”) and the client executing the Agreement (“Client”).

Purpose and Application

A. JobSync provides a cloud-based SaaS platform to automate and optimize talent acquisition activities (the “Services”). The provision of these Services requires JobSync to Process Personal Data (as defined below) on Client’s behalf.

B. Client discloses Personal Data to JobSync solely for the limited and specified purposes set forth in the Agreement and this DPA.

C. In the event of any conflict or inconsistency between the terms of the Agreement and this DPA, this DPA shall take precedence strictly to the extent such conflict or inconsistency relates to the Processing of Personal Data.

D. JobSync may update this DPA from time to time to address changes in applicable data protection laws.

The Parties desire to ensure compliance with global privacy frameworks, including EU, UK, Swiss, US, and other applicable data protection laws, and therefore agree to the following:

1. Definitions

1.1. “Adequate Country” means a country or territory that is recognized under European Data Protection Laws as providing an adequate level of protection for Personal Data.

1.2 “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (CPRA), and any binding regulations promulgated thereunder.

1.3. “Client Data” has the meaning assigned to it in the Agreement.

1.4. “Data Protection Laws” means all applicable privacy and data protection laws and regulations globally, including, where applicable, European Data Protection Laws, US Data Protection Laws, and Israeli Law, as may be amended or superseded from time to time.

1.5. “European Data Protection Laws” means, collectively: (i) the EU General Data Protection Regulation 2016/679 (“GDPR”) and the EU e-Privacy Directive (Directive 2002/58/EC); (ii) the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018; and (iii) the Swiss Federal Act on Data Protection of 25 September 2020 (“FADP”); and any national data protection laws made under or pursuant to the foregoing.

1.6. “Israeli Law” means the Israeli Privacy Protection Law, 5741-1981, and the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017.

1.7. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Data or Personal Data. A “Personal Data Breach” constitutes a Security Incident.

1.8. “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission in its Implementing Decision (EU) 2021/914, as well as the UK International Data Transfer Addendum issued by the Information Commissioner’s Office under s.119A(1) of the UK Data Protection Act 2018, and any necessary modifications required by the Swiss FADP.

1.9. “US Data Protection Laws” means all applicable federal and comprehensive state privacy laws in the United States, including, without limitation, the CCPA, the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Virginia Consumer Data Protection Act (VCDPA), the Utah Consumer Privacy Act (UCPA), the Texas Data Privacy and Security Act (TDPSA), and any implementing regulations and amendments thereto.

1.10. Regulatory Roles and Mapping: The terms “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” (and “Process”), “Processor”, and “Supervisory Authority” shall have the same meanings as ascribed to them in European Data Protection Laws. For the purposes of US Data Protection Laws: (i) “Controller” shall include “Business”; (ii) “Processor” shall include “Service Provider” and “Contractor”; (iii) “Data Subject” shall include “Consumer”; and (iv) “Personal Data” shall include “Personal Information.”

1.11. US Processing Actions: The terms “Sale”, “Sell”, “Share”, “Targeted Advertising”, and “Cross-contextual Advertising” shall have the meanings ascribed to them in the applicable US Data Protection Laws.

1.12. Any capitalized terms not otherwise defined in this DPA shall have the meaning given to them in the Agreement or applicable Data Protection Laws. Any reference to a specific law, statute, regulation, or document (including the Standard Contractual Clauses) refers to that enactment or document as amended, re-enacted, or replaced from time to time. Where context requires, references to the “GDPR” shall be construed to include the EU GDPR, the UK GDPR, and the Swiss FADP, as applicable to the relevant Processing activity.

2. Scope and Roles of the Parties

2.1. Roles. This DPA applies strictly to the Processing of Personal Data by JobSync to provide the Services. The Parties acknowledge and agree that for the purposes of this DPA and all applicable Data Protection Laws, Client is the Controller (or “Business”) and JobSync is the Processor (or “Service Provider” / “Contractor”).

2.2. Details of Processing. The agreed subject matter, the nature and purpose of the Processing, the duration of the Processing, the types of Personal Data, and the categories of Data Subjects are further described in Addendum a (Details of Processing) attached hereto. Additional specifications regarding US Data Protection Laws are detailed in Addendum C.

3. Instructions for Processing

3.1. Documented Instructions. JobSync shall Process Personal Data only in accordance with Client’s documented instructions. Client hereby instructs JobSync to Process Personal Data to provide the Services in accordance with the Agreement, this DPA, and as further specified via Client’s configuration and use of the Services. JobSync will comply with additional written instructions issued by Client only if they are legally permissible and consistent with the terms and scope of the Agreement.

3.2. Processing Restrictions. For the avoidance of doubt, JobSync will not: (a) “Sell” or “Share” Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than providing the Services; or (c) combine Personal Data with personal information that it receives from, or on behalf of, another person, except as otherwise strictly permitted by the Agreement or applicable Data Protection Laws.

4. Compliance with Laws

4.1. Mutual Obligations. Each Party will comply with its respective obligations related to the Processing of Personal Data under applicable Data Protection Laws. Client shall ensure that any instruction it issues to JobSync complies with applicable Data Protection Laws, and that it has obtained all necessary consents, rights, and authorizations to transfer the Personal Data to JobSync.

4.2. Notice of Unlawful Instructions. JobSync shall inform Client without undue delay if, in its reasonable opinion, an instruction issued by Client violates applicable European Data Protection Laws or other applicable Data Protection Laws.

5. Representations, Warranties, and Client Obligations

5.1. JobSync Obligations. JobSync represents and warrants that it shall Process Client Data solely for the purpose of providing the Services, in accordance with Client’s written instructions (which are exhaustively set forth in the Agreement, this DPA, and Client’s use of the Services). If JobSync is required by applicable Data Protection Laws to Process Client Data outside of these instructions, JobSync shall make best efforts to inform Client prior to such Processing, unless prohibited by law.

5.2. Personnel. JobSync shall take reasonable steps to ensure the reliability of its staff and any other persons acting under its supervision who may have access to Client Data, ensuring that such authorized persons have committed themselves to binding confidentiality obligations.

5.3. Client Obligations and Consents. Client represents and warrants that it has the lawful basis and authority to transfer Client Data to JobSync. Client shall: (i) obtain and maintain all authorizations, permissions, and informed consents necessary under applicable Data Protection Laws to allow JobSync to lawfully collect, Process, and retain the data; (ii) properly publish and abide by a privacy policy that complies with all applicable Data Protection Laws; and (iii) ensure its instructions to JobSync comply with Applicable Laws.

5.4. Compliance Assistance. JobSync shall provide reasonable cooperation and assistance to Client in ensuring compliance with Client’s obligations to carry out data protection impact assessments (DPIAs) and prior consultations with Supervisory Authorities, taking into account the nature of Processing and information available to JobSync.

6. Data Subject Rights

6.1. Forwarding Requests. If JobSync receives a request from a Data Subject or a Supervisory Authority directly concerning Client Data, JobSync will promptly notify Client and direct the Data Subject or authority to Client, enabling Client to respond directly. JobSync shall not respond to any such request without Client’s prior written consent, unless strictly required to do so by applicable law.

6.2. Assistance. JobSync shall provide commercially reasonable cooperation and assistance (including appropriate technical and organizational measures) to enable Client to fulfill its obligations to respond to Data Subject requests under Data Protection Laws.

7. Sub-Processing

7.1. Client acknowledges and generally authorizes JobSync to engage third-party Sub-Processors to Process Client Data. JobSync maintains a current list of approved Sub-Processors at JobSync.com/legal/subprocessors. (the “Sub-Processor List”).

7.2. Notice and Objection. JobSync will provide Client with a mechanism to subscribe to updates regarding new Sub-Processors. JobSync will provide at least thirty (30) days’ prior notice before authorizing any new Sub-Processor to Process Client Data. Client may object to the new Sub-Processor on reasonable data protection grounds within fourteen (14) days of such notice. If Client objects, JobSync may, in its sole discretion, suggest a different Sub-Processor or terminate the affected Services without penalty.

7.3. Sub-Processor Liability. JobSync shall enter into a legally binding contract with each Sub-Processor imposing data protection obligations no less protective than those set out in this DPA. JobSync remains fully responsible and liable to Client for the performance of the Sub-Processor’s obligations.

8. Technical and Organizational Measures

8.1. Taking into account the state of the art, the costs of implementation, and the nature and scope of the Processing, JobSync has implemented and will maintain appropriate physical, technical, and organizational measures consistent with industry standards designed to safeguard Client Data from unauthorized, unlawful, or accidental processing, access, disclosure, loss, alteration, or destruction. The specific security measures implemented and maintained by JobSync are further detailed in Addendum B (Technical and Organizational Measures). The Parties acknowledge that security requirements are constantly evolving, and JobSync will regularly evaluate and improve its security measures.

9. Security Incidents

9.1. Notification. JobSync will notify Client without undue delay, and in any event within forty-eight (48) hours, upon confirming any Security Incident involving Client Data. JobSync’s notification or response to a Security Incident shall not be construed as an acknowledgment of fault or liability.

9.2. Remediation and Cooperation. In the event of a Security Incident, JobSync will: (i) take necessary steps to remediate, investigate, and identify the cause of the incident; (ii) provide Client with reasonable assistance and information concerning the containment and mitigation of the Security Incident; and (iii) cooperate with Client to assist with Client’s obligation to notify affected individuals or Supervisory Authorities.

10. Audit Rights

10.1. Independent Certifications. JobSync maintains accurate written records of its Processing activities. Client may audit JobSync’s compliance with this DPA by requesting JobSync’s most recent third-party security certifications and audit reports (e.g., SOC 2 Type II, ISO 27001). Such reports are JobSync’s Confidential Information.

10.2. On-Site Audits. If the third-party reports provided under Section 10.1 are reasonably deemed insufficient to demonstrate compliance, JobSync shall allow for an audit by a reputable, independent auditor nominated by Client, limited to once per calendar year. Client shall bear all expenses related to the audit.

10.3. Audit Conditions. Any on-site inspection requires thirty (30) days’ advanced written notice, does not include access to remote worker sites or home offices, is limited to ordinary business hours, and must minimize disruption to JobSync’s operations. JobSync may object to any auditor that is a competitor or not suitably qualified.

10.4. Audit Restrictions. Nothing in this DPA will require JobSync to disclose or allow access to: (i) data of any other JobSync customer; (ii) internal accounting or financial information; (iii) JobSync trade secrets; or (iv) information that could compromise the security of JobSync’s systems.

11. Cross-Border Personal Data Transfers

11.1. Where the Processing of Client Data involves a transfer outside the EEA, the UK, or Switzerland to a country that is not an Adequate Country, such transfer shall strictly occur using appropriate safeguards approved by applicable Data Protection Laws. The Parties agree to rely on the Standard Contractual Clauses (SCCs) to facilitate these transfers, the operational mechanics of which are detailed in Addendum d (International Data Transfers).

12. Term, Termination, and Conflict

12.1. Term. This DPA shall remain in force until the Agreement terminates or for as long as JobSync Processes Client Data.

12.2. Right to Suspend/Terminate. JobSync may suspend the Processing of Client Data or terminate this DPA if Client’s instructions infringe applicable legal requirements and Client fails to cure such infringement within ten (10) days of receiving notice.

12.3. Deletion or Return. Following termination of the Agreement, JobSync shall, at the choice of Client, securely delete or return all Client Data, unless Applicable Laws require continued storage of the Client Data (or if such data is stored in automated, immutable backup archives, in which case the data remains subject to this DPA until permanently deleted).

12.4. Conflict. In the event of a conflict between the terms of this DPA and the Agreement, this DPA shall prevail strictly to the extent such conflict relates to the Processing of Client Data. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

Addendum A Details of Processing

This Addendum includes certain details of the Processing of Personal Data as required by applicable Data Protection Laws (including serving as Annex I to the Standard Contractual Clauses).

A. List of Parties

• Data Exporter:
  • Name: The Client, as defined in the Agreement.
  • Address & Contact: As set forth in the applicable Order Form and/or the Client’s Admin Account.
  • Role: Controller (or “Business” under US Data Protection Laws).
  • Activities: Using the Services to optimize, automate, and manage talent acquisition, recruitment marketing, and hiring workflows, which involves the transfer of Personal Data to the Data Importer.
• Data Importer:
  • Name: JobSync, LLC.
  • Address: 1775 Tysons Blvd, 5th Floor, Tysons, VA 22102 USA. (Note: see flag below regarding this address).
  • Contact: JobSync Privacy & Security Team (privacy@jobsync.io or as otherwise designated).
  • Role: Processor (or “Service Provider” / “Contractor” under US Data Protection Laws).
  • Activities: Providing the cloud-based SaaS platform and related Services, which requires the Processing of Personal Data on behalf of the Data Exporter.

B. Description of Processing and Transfer

• • Subject Matter, Nature, and Purpose of Processing: The objective of Processing Personal Data by JobSync is the provision of the Services pursuant to the Agreement. This includes the collection, storage, organization, communication, transmission, hosting, and deletion of Personal Data to facilitate recruitment marketing, job distribution, application routing, and hiring process automation on behalf of Client.
  • Categories of Data Subjects:
    • End Users: Job applicants, candidates, and prospective talent whose information is processed through the JobSync platform or submitted via Publisher Sites.
    • Authorized Users: Client’s employees, recruiters, contractors, or agents authorized to access and use the JobSync platform.
  • Categories of Personal Data Processed:
    • Candidate Data: Contact information (name, email, phone number, address), professional and employment history, education, resumes/CVs, application questionnaire responses, and communication records.
    • User Data: Account credentials, authentication data, security logs, and business contact information for Client’s Authorized Users.

• Special Categories of Personal Data (Sensitive Data):

JobSync does not mandate the collection of Special Categories of Personal Data. However, Client may use the Services to collect such data (e.g., via custom application questionnaires or Equal Employment Opportunity (EEO) compliance surveys). This may include data revealing racial or ethnic origin, trade union membership, veteran status, or health/disability status, strictly to the extent explicitly requested and configured by Client.

• Frequency of Processing: Continuous, occurring on an ongoing basis to provide the Services.
• Duration and Retention Period: Personal Data will be Processed for the duration of the Agreement (including any transition periods), and will be retained, returned, or deleted in accordance with Section 12 of the DPA, unless otherwise required by applicable law.

Addendum B: Technical and Organizational Measures

This Addendum describes the technical and organizational security measures implemented by JobSync to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the Processing, as well as the risks for the rights and freedoms of natural persons.

1. Information Security Program

JobSync maintains a comprehensive Written Information Security Program (WISP) and Information Security Management System (ISMS) aligned with industry best practices, including the AICPA SOC 2 framework and ISO/IEC 27001 standards. This program is reasonably designed to ensure the confidentiality, integrity, and availability of Client Data and to protect against anticipated threats or unauthorized access.

2. Access Controls and Authentication

JobSync implements strict logical access controls to protect Client Data, including:

• Least Privilege: Access to systems and Client Data by JobSync personnel is restricted strictly on a “need-to-know” and “least privilege” basis.
• Authentication: All access to systems housing Client Data requires a unique user ID and complex password. The use of shared or generic administrative accounts is prohibited.
• Multi-Factor Authentication (MFA): MFA is strictly required for all remote network access and for all privileged users and administrators.
• Access Reviews & Termination: User access is reviewed on a periodic basis. Access for terminated personnel is revoked immediately.

3. Encryption and Cryptography

JobSync encrypts Client Data to protect it from unauthorized disclosure or modification:

• In Transit: All Client Data transmitted over public networks is encrypted using industry-standard protocols (e.g., TLS 1.2 or higher).
• At Rest: All Client Data stored within JobSync’s databases and backup repositories is encrypted at rest using strong encryption algorithms (e.g., AES-256).
• Key Management: JobSync maintains cryptographic key management practices that ensure the secure generation, storage, and rotation of encryption keys.

4. Vulnerability Management and Penetration Testing

JobSync actively manages infrastructure vulnerabilities to prevent exploitation:

• Scanning & Patching: JobSync utilizes automated vulnerability scanning tools and implements patch management procedures to apply software updates in a timely manner based on severity.
• Penetration Testing: At least annually, JobSync engages an independent, reputable third-party security firm to conduct network and application-layer penetration testing.
• Testing Reports: Upon written request, JobSync will provide Client with an executive summary of the most recent third-party penetration test (subject to confidentiality obligations).

5. Logging and Monitoring

JobSync maintains continuous monitoring and logging of its environments:

• Audit Logs: Security-relevant events (e.g., login failures, privileged account usage, changes to permissions) are actively logged.
• Retention and Review: Security logs are retained for a minimum of ninety (90) days and are reviewed regularly for suspicious, anomalous, or unauthorized activity. Access to these logs is strictly restricted.

6. Network Security and Segmentation

JobSync employs network security controls designed to restrict the flow of information on a multilayered basis, utilizing industry-standard firewalls, proxies, and intrusion detection/prevention systems (IDS/IPS) to segregate trusted environments from untrusted networks.

7. Physical Safeguards

JobSync utilizes Tier-1 cloud infrastructure providers (e.g., Amazon Web Services). JobSync relies on the physical security controls of these providers, which include 24/7 on-site security, biometric access controls, and robust environmental protections (e.g., redundant power, HVAC, fire suppression) to protect the physical servers housing Client Data.

8. Organizational Controls and Personnel Security

• Training: All JobSync personnel undergo mandatory security and privacy awareness training upon hire and at least annually thereafter.
• Confidentiality: All employees, contractors, and applicable Sub-Processors are bound by strict, written confidentiality agreements.
• Disciplinary Action: Failure to comply with JobSync’s security policies may result in disciplinary action, up to and including termination of employment or contract.

Addendum C: US State Privacy Laws

This Addendum applies strictly to the Processing of Personal Data subject to US Data Protection Laws, including but not limited to the California Consumer Privacy Act (CCPA) as amended by the CPRA, the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Virginia Consumer Data Protection Act (VCDPA), the Utah Consumer Privacy Act (UCPA), and the Texas Data Privacy and Security Act (TDPSA).

1. Roles of the Parties

For the purposes of US Data Protection Laws, Client is the “Business” or “Controller,” and JobSync is acting exclusively as a “Service Provider” or “Processor.” JobSync acknowledges and confirms that it does not receive any monetary goods, payments, or discounts in exchange for Processing the Client Data.

2. Core Processing Restrictions

JobSync shall Process Client Data solely on behalf of Client and for the specific business purposes set forth in the Agreement and Addendum A (Details of Processing). JobSync strictly shall not:

1. “Sell” or “Share” Client Data (as those terms are defined under US Data Protection Laws) or engage in Targeted or Cross-Contextual Behavioral Advertising using Client Data;
2. Retain, use, or disclose Client Data for any purpose (including any commercial purpose) other than for the specific Business Purposes specified in the Agreement;
3. Retain, use, or disclose Client Data outside of the direct business relationship between Client and JobSync;
4. Combine Client Data received from or on behalf of Client with Personal Data received from other sources, except as expressly permitted by US Data Protection Laws; or
5. Use Client Data to build or append consumer profiles for JobSync’s own commercial purposes, or to provide Cross-Contextual Behavioral Advertising on behalf of third parties.

3. Certification and Compliance

JobSync certifies that it understands the rules, requirements, and restrictions of this Addendum and US Data Protection Laws, and will comply with them. JobSync agrees to notify Client promptly if it makes a determination that it can no longer meet its obligations under applicable US Data Protection Laws.

4. Client Rights to Monitor and Remediate

Client retains the right, upon reasonable notice, to take reasonable and appropriate steps to ensure that JobSync uses Client Data in a manner consistent with Client’s obligations under US Data Protection Laws. Client further retains the right to take reasonable and appropriate steps to stop and remediate any unauthorized use of Client Data by JobSync. The audit provisions set forth in the main body of this DPA shall be the sole mechanism for exercising these rights.

5. Consumer Rights and Assessments

1. Consumer Requests: JobSync shall provide reasonable assistance to Client in fulfilling Client’s obligations to respond to Consumer requests exercising their rights under US Data Protection Laws (including requests to limit the use of Sensitive Personal Information).
2. Assessments: JobSync shall provide information reasonably necessary to enable Client to conduct and document any data protection impact assessments required by US Data Protection Laws, provided that JobSync is responsible only for the measures allocated to it as a Service Provider.

6. De-Identified Data

Where JobSync Processes de-identified data (as defined by applicable US Data Protection Laws) on behalf of Client, or creates de-identified data from Client Data as permitted by the Agreement, JobSync shall: (i) take reasonable measures to ensure the information cannot be associated with a Consumer or household; (ii) publicly commit to maintaining and using the information only in de-identified form; and (iii) not attempt to re-identify the information except for the sole purpose of determining whether its de-identification processes satisfy legal requirements.

7. Client Liability Regarding Candidate Advertising and Publisher Sites

Client acknowledges that the core functionality of the Services may involve Client directing JobSync to syndicate job postings, facilitate recruitment marketing campaigns, and route candidate information to third-party Publisher Sites, job boards, or ad networks. JobSync acts solely as a technological conduit executing Client’s distribution instructions. Client acknowledges that such downstream distribution or advertising enablement may be considered a “Sale” or “Share” of Personal Data under the CCPA or other US Data Protection Laws. Client is solely responsible and liable for determining whether its use of the Services to distribute data constitutes a Sale or Share, and for complying with all applicable legal requirements in this regard. This includes, without limitation, establishing a lawful basis, providing appropriate “Notice at Collection,” maintaining a “Do Not Sell/Share” mechanism, and handling Global Privacy Control (GPC) opt-out signals from Consumers prior to directing JobSync to transmit such data.

8. Subcontractor Flow-Down

In strict accordance with CCPA/CPRA requirements, JobSync shall ensure that any Sub-Processor (or “Sub-service Provider”) engaged to Process Client Data subject to this Addendum is bound by a written contract that imposes the exact same restrictions and obligations as set forth in this Addendum.

Addendum D  International Data Transfers

This Addendum provides the appropriate safeguards for the transfer of Personal Data originating from the European Economic Area (EEA), the United Kingdom (UK), or Switzerland to a third country not recognized as providing an adequate level of protection under applicable European Data Protection Laws.

1. Transfer Mechanisms

Where the Processing of Personal Data involves a restricted transfer outside of the EEA, the UK, or Switzerland, the Parties agree that the Standard Contractual Clauses (SCCs) are hereby incorporated by reference and shall apply as the lawful transfer mechanism, subject to the specific modifications set forth below. By entering into the Agreement and this DPA, the Parties are deemed to have signed the SCCs and their applicable Appendices.

2. EEA Transfers (EU SCCs)

For restricted transfers of Personal Data from the EEA, the EU SCCs shall apply and are completed as follows:

1. Module: Module Two (Controller to Processor) applies, where Client is the Data Exporter (Controller) and JobSync is the Data Importer (Processor).
2. Clause 7 (Docking Clause): The optional docking clause shall not apply.
3. Clause 9 (Use of Sub-Processors): Option 2 (General written authorization) applies. The method for appointing and the time period for prior notice of Sub-Processor changes shall be as set forth in Section 7 of the main DPA body.
4. Clause 11 (Redress): The optional language permitting Data Subjects to lodge a complaint with an independent dispute resolution body shall not apply.
5. Clause 17 (Governing Law): Option 1 applies. The SCCs shall be governed by the laws of the Republic of Ireland.
6. Clause 18 (Choice of Forum and Jurisdiction): The Parties choose the courts of the Republic of Ireland to resolve any dispute arising from the SCCs.
7. Annex Mappings: * Annex I.A (List of Parties): Completed as set forth in Addendum A (Details of Processing).
   1. Annex I.B (Description of Transfer): Completed as set forth in Addendum A (Details of Processing).
   2. Annex I.C (Supervisory Authority): The competent supervisory authority is the Irish Data Protection Commission (or the applicable Member State authority where Client is established).
   3. Annex II (Technical and Organizational Measures): Completed as set forth in Addendum B (Technical and Organizational Measures).
   4. Annex III (List of Sub-Processors): The authorized Sub-Processors are listed at JobSync’s designated URL JobSync.com/legal/subprocessors.

3. UK Transfers (UK Addendum)

For restricted transfers of Personal Data from the UK, the EU SCCs as modified by the UK International Data Transfer Addendum (the “UK Addendum”) issued by the Information Commissioner’s Office (ICO) shall apply. The UK Addendum is incorporated herein and completed as follows:

1. Part 1, Tables 1-3: The information required by Tables 1, 2, and 3 is deemed populated with the corresponding information from the Agreement, the DPA, and Section 2 of this Addendum D above.
2. Part 1, Table 4: For the purposes of Table 4, neither Party may end the UK Addendum when the ICO changes the Approved Addendum.

4. Swiss Transfers (Swiss Amendments)

For restricted transfers of Personal Data from Switzerland, the EU SCCs shall apply with the following supplementary modifications required by the Swiss Federal Act on Data Protection (FADP):

1. Definitions: References to the “GDPR” shall be understood as references to the Swiss FADP. The term “Member State” shall be interpreted in such a way as to allow Data Subjects in Switzerland to exercise their rights in their place of habitual residence (Switzerland).
2. Governing Law and Forum: References to the governing law and competent courts in Clauses 17 and 18 shall be interpreted as the laws of Switzerland and the competent courts of Switzerland.
3. Supervisory Authority: The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC).

5. Transfers from Other Jurisdictions

If the Processing of Personal Data involves a transfer originating from a jurisdiction not expressly addressed in Sections 2, 3, or 4 of this Addendum (including, but not limited to, Canada, Australia, Singapore, or Japan), the Parties agree that the robust data protection obligations, security controls, and sub-processor restrictions established in the main body of this DPA shall serve as the appropriate safeguards required by such local Data Protection Laws. If a specific local jurisdiction subsequently mandates the execution of a prescribed transfer mechanism or standard contractual clause, the Parties agree to negotiate in good faith to promptly incorporate such mechanism into this DPA.