JobLeopardAI Data Processing Addendum

This Data Processing Addendum, including its Annexes and the Standard Contractual Clauses (collectively, the “DPA”), sets forth the parties’ obligations with respect to the processing of Personal Data in connection with the Service, and is incorporated into and forms part of the terms and conditions of the Master Service Agreement or any other agreement under which JobLeopardAI, Inc. (“JobLeopardAI”) provides services to the party identified as the customer in the Agreement or the Order Form(s) (“Customer”).

Due to the nature of the Service, JobLeopardAI may process Personal Data as a Processor and/or Controller in the performance of the Service. Therefore, JobLeopardAI’s responsibilities under this DPA will depend on whether JobLeopardAI is acting as a Processor or Controller under Data Protection Laws.

Customer enters into this DPA on behalf of itself and, to the extent required under Data Protection Laws, in the name and on behalf of its Permitted Affiliates.  For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and such Permitted Affiliates. Any capitalized terms used but not defined in this DPA shall have the meaning set forth in the Agreement.

  1. Definitions

1.1   Affiliate” means any entity under the control of a party where “control” means ownership of or right to control greater than 50% of the voting securities of such entity.

1.2   Controller” means an entity that, alone or jointly with others, determines the purposes and means of processing Personal Data, and include a “Business” as defined under the CCPA.

1.3   Data Protection Laws” means, as applicable to a party’s processing of Personal Data under the Agreement: (i) European Data Protection Laws; and (iii) US State Privacy Laws.

1.4   Data Subject” means an identified or identifiable natural person, and includes a “Consumer” as defined under the CCPA.

1.5   Europe” means, for the purposes of this DPA, the European Economic Area (“EEA”) and its Member States, Switzerland and the United Kingdom.

1.6   European Data Protection Laws” means all data protection and privacy laws and regulations enacted in Europe, including: (i) Regulation (EU) 2016/679 (“GDPR”); (ii) the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively, “UK Data Protection Laws“); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA“);and (iv) all applicable national data protection and privacy laws made under or pursuant to (i), (ii), or (iii); in each case, as may be amended, superseded or replaced from time to time.

1.7   Permitted Affiliate” means any Affiliate of Customer which: (i) is subject to Data Protection Laws; (ii) is permitted to use the services provided by JobLeopardAI pursuant to the Agreement; and (iii) has not signed its own Order Form or Agreement with JobLeopardAI and is not a “Customer” as defined under the Agreement.

1.8   Personal Data” means any information which is protected as “personal data”, “personally identifiable information”, or “personal information” under Data Protection Laws.

1.9   Processor” means an entity that processes Personal Data on behalf of the Controller, and includes a “Service Provider” as defined under the CCPA.

1.10  Security Breach” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

1.11  Sub-processor” means any third party Processor engaged by JobLeopardAI to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this DPA.  Sub-processors may include third parties or JobLeopardAI Affiliates but shall exclude any JobLeopardAI employee, independent contractor or consultant.

1.12  US State Privacy Laws” means (i) the California Consumer Privacy Act, as amended by the California Privacy Rights Act, Cal. Civ. Code §§ 1798.100 et seq., and any implementing regulations relating to the same (together, the “CCPA”); (ii) the Virginia Consumer Data Protection Act; (iii) the Colorado Privacy Act; (iv) the Connecticut Data Privacy Act; (v) the Utah Consumer Privacy Act; and (vi) any other US state privacy laws that are modelled on or equivalent to (i)-(v); in each case when effective and as amended, replaced or superseded from time to time.

1.13  The terms “process” (including “processing”, “processes”, “processed” and other variations thereof) and “sale” (including “sell”, “selling”, “sold” and other variations thereof) shall have the meanings given to them under applicable Data Protection Laws.

  1. Scope and Applicability of this DPA

2.1       Scope. This DPA applies where and only to the extent that either party processes Personal Data that is subject to Data Protection Laws in connection with the Service provided by JobLeopardAI to Customer pursuant to the Agreement.

2.2       Role of the Parties. The parties acknowledge and agree that:

  1. a) Customer is a Controller of Customer Profiles and JobLeopardAI shall process Customer Profiles only as a Processor on behalf of Customer; and
  2. b) each party is a Controller of JobLeopardAI Profiles and shall process JobLeopardAI Profiles in accordance with the Agreement (including this DPA) and applicable Data Protection Laws.

3      Customer Obligations

3.1       Customer Obligations. Customer shall ensure that it: (i) complies with applicable Data Protection Laws in respect of its use of the Service and any processing instructions it issues to JobLeopardAI; (ii) has an appropriate legal basis to process Personal Data and makes available to Data Subjects a privacy statement that fulfils the requirements of applicable Data Protection Laws; and (iii) has the right to transfer or make available Customer Profiles to JobLeopardAI and for providing all notice and obtaining all consents necessary under applicable Data Protection Laws for JobLeopardAI to lawfully process Customer Profiles for the purposes contemplated by the Agreement (including this DPA).

  1. 3. Processing of Customer Profiles

3.1       Scope of this Section. The terms contained in this Section 3 (Customer Profiles) apply to the extent that JobLeopardAI processes any Customer Profiles on behalf of Customer in connection with the provision of the Service, as further described in Annex A of this DPA.

3.2       Processing Instructions.  JobLeopardAI shall only process Customer Profiles for the purposes described in the Agreement (including this DPA) and only in accordance with Customer’s documented lawful instructions. The parties agree that the Agreement sets out the Customer’s complete and final instructions to JobLeopardAI in relation to the processing of Customer Profiles and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties. JobLeopardAI shall notify Customer in writing, unless prohibited from doing so under applicable laws, if it becomes aware or believes that any data processing instruction from Customer violates Data Protection Laws.

3.3       No Sale or Sharing. JobLeopardAI shall not (i) retain, use, or disclose Customer Profiles for any purpose, including a commercial purpose, other than for the specific purposes described in the Agreement (including this DPA); (ii) sell Customer Profiles or share Customer Profiles for the purposes of targeted or cross-context behavioral advertising (as defined under applicable US State Privacy Laws); (iii) combine Customer Profiles with information received from another source; or (iv) retain, use, or disclose Customer Profiles outside of the parties’ direct business relationship; in each case except as necessary to provide the Service or as permitted by applicable law. JobLeopardAI will notify Customer if it can no longer meet its obligations under applicable Data Protection Laws.

3.4       Sub-processing. Customer agrees that JobLeopardAI may engage Sub-processors to process Customer Profiles on Customer’s behalf for the purposes of providing the Service. The list of Sub-processors currently engaged by JobLeopardAI available here: https://JobLeopardAI.jobs/sub-processors-list/ (“Sub-processor List”). JobLeopardAI shall provide Customer with a mechanism to subscribe to notifications of new Sub-processors, to which Customer may subscribe, and if Customer subscribes, JobLeopardAI shall notify Customer if it makes any changes to its Sub-processor List at least 10 days prior to any such change.

3.5       Sub-processor Obligations.  JobLeopardAI will enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Customer Profiles as this DPA and to the extent applicable to the nature of the services provided by such Sub-processor. JobLeopardAI will remain responsible for any acts or omissions of its Sub-processors that cause JobLeopardAI to breach any of its obligations under this DPA. For the purposes of Clause 9 of the Standard Contractual Clauses, Customer acknowledges that JobLeopardAI may be prevented from disclosing Sub-processor agreements to Customer due to confidentiality obligations but JobLeopardAI shall use reasonable efforts to provide Customer with all information it reasonably can in connection with Sub-processor agreements upon request.

3.6       Objection to Sub-processors. Customer may object in writing to JobLeopardAI’s appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying JobLeopardAI promptly in writing within 5 calendar days of receipt of any notice provided by JobLeopardAI in accordance with Section 3.4. In the event Customer objects to a Sub-processor, the parties shall discuss Customer concerns in good faith with a view to achieving a commercially reasonable resolution.  If no such resolution can be reached, JobLeopardAI will, at its sole discretion, either (i) not appoint Sub-processor; or (ii) permit Customer to suspend or terminate the affected Service (without prejudice to any fees incurred by Customer prior to suspension or termination).

3.7       Auditing. JobLeopardAI shall provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that are necessary to confirm JobLeopardAI’s compliance with this DPA provided that Customer shall not exercise this right more than once per calendar year. Where required by Data Protection Laws or upon instruction from a data protection authority, JobLeopardAI shall allow Customer or another auditor mutually approved by the parties to audit JobLeopardAI’s compliance with this DPA and inspect JobLeopardAI’s facilities, equipment, documents and electronic data relating to the processing of the Customer Profiles by JobLeopardAI, provided that: (i) Customer shall provide at least thirty (30) days’ prior written notice to JobLeopardAI; (ii) such additional audit enquiries shall not unreasonably impact JobLeopardAI’s regular operations; and (iii) such additional audit enquiries shall be conducted at Customer’s expense. Customer and JobLeopardAI shall mutually agree upon the scope, timing and duration of any audit. Where applicable, the parties agree that Customer shall exercise its audit rights under the Standard Contractual Clauses by instructing JobLeopardAI to comply with the audit measures described in this Section 3.7.

3.8       Confidentiality. JobLeopardAI shall ensure that any person authorized by JobLeopardAI to process Customer Profiles shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

3.9       Security Measures. JobLeopardAI shall implement appropriate technical and organizational security measures to protect Customer Profiles from Security Breaches and preserve the security and confidentiality of Customer Profiles in accordance in accordance with the JobLeopardAI security standards described at https://JobLeopardAI.jobs/security-measures/ (“Security Measures”). JobLeopardAI may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service.

3.10      Security Breach Notification.  Upon becoming aware of a Security Breach affecting Customer Profiles, JobLeopardAI shall notify Customer without undue delay and provide timely information relating to the Security Breach as it becomes known or as is reasonably requested by Customer.

3.11      Data Subject Requests. JobLeopardAI shall promptly notify Customer if it receives any request or correspondence directly from a Data Subject in connection with the processing of Customer Profiles and shall not respond directly to any such request or correspondence except where good faith efforts to contact and involve Customer have failed and/or where a failure to respond may result in liability for JobLeopardAI under applicable Data Protection Laws.

3.12      Data Protection Impact Assessments. Where required under applicable Data Protection Laws, and to the extent Customer does not already have access to the relevant information, JobLeopardAI shall provide Customer with reasonably requested information regarding JobLeopardAI’s processing of Customer Profiles to enable Customer to carry out a data protection impact assessment (or similar assessment) and to engage in prior consultations with data protection regulators.

3.13      Deletion on Termination. Upon termination or expiry of the Agreement, JobLeopardAI shall delete all Customer Profiles (including copies) in its possession or control as soon as reasonably practicable, except to the extent JobLeopardAI is required by applicable law to retain some or all Customer Profiles, and Customer Profiles archived in back-up systems, which Customer Profiles JobLeopardAI shall securely isolate and protect from any further processing and delete in accordance with applicable law and its deletion practices.

  1. Processing of JobLeopardAI Profiles

4.1       Scope of this Section. The terms contained in this Section 4 (JobLeopardAI Profiles) apply to the extent that JobLeopardAI shares JobLeopardAI Profiles with Customer in connection with the provision of the Crowd Service, as further described in Annex A of this DPA.

4.2       Purpose Limitation. Customer shall process JobLeopardAI Profiles only for the purposes described in Annex A and (if applicable) consistent with any consents given by the Data Subjects (the “Permitted Purpose”). If Customer wishes to process JobLeopardAI Profiles for a new or different purpose other than the Permitted Purpose (“Alternative Purpose”), it may do so provided it does all such acts and things as are necessary to ensure that its proposed processing of JobLeopardAI Profiles for the Alternative Purpose fulfils the requirements of Data Protection Laws (including by obtaining any consents from Data Subjects, where necessary). Except as may be expressly stated in the applicable Order Form, permitted in writing by JobLeopardAI or where required or necessary under applicable law, Customer will not sell, disclose, or share JobLeopardAI Profiles (or any part or derivative thereof) with any third party (except for Customer’s Processors or Permitted Affiliates).

4.3       Compliance with law. Each party shall be individually and separately responsible for complying with the obligations that apply to it as a Controller and neither party shall be responsible for the other party’s compliance with Data Protection Laws.  In particular, each party shall be individually responsible for ensuring that its processing of JobLeopardAI Profiles is lawful, fair and transparent. JobLeopardAI shall be responsible for complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws in order to disclose JobLeopardAI Profiles to Customer to process such Customer Profiles for the Permitted Purpose.

4.4       Correspondence. Each party shall promptly inform the other if it receives any request, complaint or correspondence (“Correspondence”) from a Data Subject, data protection regulator or other third party where the Correspondence relates to the processing of JobLeopardAI Profiles conducted by the other party. The parties shall, on request, provide each other with all reasonable and timely assistance and co-operation (at their own expense) to enable the other party to respond to Correspondence.

  1. International Transfers

5.1       Processing Locations.  Customer acknowledges and agrees that JobLeopardAI may transfer and process Customer Profiles to and in the United States and other locations in which JobLeopardAI, its Affiliates or its Sub-processors maintain data processing operations.  JobLeopardAI shall at all times ensure such transfers are made in compliance with the requirements of applicable Data Protection Laws and this DPA.

5.2       Cross Border Transfers. If either party’s processing of Personal Data in connection with the Agreement involves a transfer of Personal Data that is subject to European Data Protection Laws to a country or territory outside Europe that is not deemed adequate under European Data Protection Laws, the parties agree to comply with the relevant cross border transfer mechanism set out in Annex C.

  1. Miscellaneous

6.1   Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect.  If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict, as it relates to the subject matter of this DPA.

6.2   Customer acknowledges that JobLeopardAI may disclose this DPA and any relevant privacy provisions in the Agreement to the US Department of Commerce, the Federal Trade Commission, a European data protection authority, or any other US or European judicial or regulatory body upon their request.

6.3   Notwithstanding anything to the contrary in the Agreement, JobLeopardAI may periodically make modifications to this DPA as may be required to comply with Data Protection Laws. In the event that JobLeopardAI is required to update or modify this DPA to comply with new requirements under Data Protection Laws, JobLeopardAI will publish the updated DPA at least 5 days in advance of the effective date of such updates or modifications.

6.4   This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.