
MY CAREER DATA PROCESSING ADDENDUM
This MyCareer Data Processing Addendum (“DPA”) supplements and forms part of the MyCareer Terms of Service (the “Agreement”) between PAIRIN and Customer.
Except as expressly modified below, the terms of the Agreement shall remain in full force and effect. This DPA supersedes and replaces any privacy or data protection terms relating to the subject matter of this DPA that were previously entered into between PAIRIN and Customer from the effective date of the relevant Order referencing this DPA.
The following obligations shall apply to the extent required by Data Protection Laws with regard to the relevant Customer Personal Data, if applicable.
1. DEFINITIONS. Capitalized terms used in this DPA shall have the meanings set forth in this DPA. Capitalized terms used but not otherwise defined herein shall have the meanings given to them in the Agreement.
1.1 “Controller” means an entity that determines the purposes and means of the Processing of Personal Data.
1.2 “Customer” means the entity identified on the Order Form that is receiving the Services from PAIRIN and has agreed to the terms of the Agreement with PAIRIN.
1.3 “Customer Personal Data” means Personal Data contained in Customer Data.
1.4 “Data Protection Laws” means the data privacy and security laws and regulations of any jurisdiction applicable to the Processing of Customer Personal Data, including, to the extent applicable, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations (collectively, “CCPA”).
1.5 “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.
1.6 “Personal Data” means information that constitutes “personal information,” “personal data,” “personally identifiable information,” or similar term under Data Protection Laws.
1.7 “Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.
1.8 “Processor” means an entity that Processes Personal Data on behalf of a Controller.
1.9 “Security Incident” means a breach of PAIRIN’s security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data in PAIRIN’s possession, custody, or control. “Security Incident” does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
1.10 “Subprocessor” means any Processor appointed by PAIRIN to Process Customer Personal Data on behalf of Customer under the Agreement.
2. PROCESSING OF CUSTOMER PERSONAL DATA.
2.1 Roles of the Parties; Compliance. As between Customer and PAIRIN, with regard to the Processing of Customer Personal Data under the Agreement, Customer is a Controller and PAIRIN is a Processor. Each party will comply with the obligations applicable to it in such role under Data Protection Laws with respect to the Processing of Customer Personal Data.
2.2 Customer Instructions. PAIRIN will Process Customer Personal Data only in accordance with Customer’s documented instructions unless otherwise required by applicable law, in which case PAIRIN will inform Customer of such Processing unless notification is prohibited by applicable law. Customer hereby instructs PAIRIN to Process Customer Personal Data: (a) to provide the Services to Customer; (b) to perform its obligations and exercise its rights under the Agreement and this DPA; and (c) as necessary to prevent or address technical problems with the Services. PAIRIN will notify Customer if, in its opinion, an instruction of Customer infringes upon Data Protection Laws.
2.3 Customer Obligations. Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. Customer shall be responsible for: (i) giving adequate notice and making all appropriate disclosures to Data Subjects regarding Customer’s use and disclosure and PAIRIN’s Processing of Customer Personal Data; and (ii) obtaining all necessary rights, and, where applicable, all appropriate and valid consents to disclose such Customer Personal Data to PAIRIN to permit the Processing of such Customer Personal Data by PAIRIN as set forth in this DPA and the Agreement. Customer shall notify PAIRIN of any changes in, or revocation of, the permission to use, disclose, or otherwise Process Customer Personal Data that would impact PAIRIN’s ability to comply with the Agreement, this DPA, or Data Protection Laws.
2.4 Details of Processing. The nature of the Processing of Customer Personal Data involves those activities reasonably required to facilitate or support the provision of the Services as described in the Agreement and the DPA. The purpose of the Processing of Customer Personal Data includes: (a) helping to ensure security and integrity, to the extent the use of Customer Personal Data is reasonably necessary and proportionate for these purposes; (b) debugging to identify and repair errors that impair existing intended functionality; (c) performing the Services as described in the Agreement and carrying out the instructions set forth in Section 2.2; (d) undertaking internal research for technological development and demonstration; and (e) undertaking activities to verify or maintain the quality or safety of the Services, and to improve, upgrade, or enhance the Services. The type of Customer Personal Data subject to Processing may include name, contact information (email address, mailing address, phone number), resume/CV information (experience, education, job history, etc.), job interests, and other information provided by Customer or Users. The duration of the Processing of Customer Personal Data is for the term of the Agreement or as otherwise set forth in this DPA or the Agreement.
2.5 Processing Subject to the CCPA. As used in this Section, the terms “Sell,” “Share,” “Business Purpose,” and “Commercial Purpose” shall have the meanings given in the CCPA and “Personal Information” shall mean any personal information (as defined in the CCPA) contained in Customer Personal Data. PAIRIN will not: (a) Sell or Share any Personal Information; (b) retain, use, or disclose any Personal Information (i) for any purpose other than for the Business Purposes specified in the Agreement, including for any Commercial Purpose other than the Business Purposes specified in the Agreement, or as otherwise permitted by the CCPA, or (ii) outside of the direct business relationship between Customer and PAIRIN; or (c) combine Personal Information received from, or on behalf of, Customer with Personal Data received from or on behalf of any third party, or collected from PAIRIN’s own interaction with Data Subjects, except to perform any Business Purpose permitted by the CCPA. PAIRIN hereby certifies that it understands the foregoing restrictions under this Section and will comply with them. The parties acknowledge that the Personal Information disclosed by Customer to PAIRIN is provided to PAIRIN only for the limited and specified purposes set forth in Section. PAIRIN will comply with applicable obligations under the CCPA and provide the same level of privacy protection to Personal Information as is required by the CCPA. Customer has the right to take reasonable and appropriate steps to help ensure that PAIRIN uses the Personal Information transferred in a manner consistent with Customer’s obligations under the CCPA by exercising Customer’s audit rights in Section 8. PAIRIN will notify Customer if it makes a determination that PAIRIN can no longer meet its obligations under the CCPA. 
If PAIRIN notifies Customer of unauthorized use of Personal Information, including under the foregoing sentence, Customer will have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use by limiting the Personal Information shared with PAIRIN, terminating the portion of the Agreement relevant to such unauthorized use, or such other steps mutually agreed between the parties in writing.
2.6 De-identified Data. With respect to any de-identified data provided by Customer to PAIRIN, PAIRIN will comply with the obligations of Data Protection Laws, which may include: (i) taking necessary measures to ensure that such de-identified data cannot be associated with a Data Subject; (ii) publicly committing to maintaining and using de-identified data without attempting to re-identify the data; and (iii) contractually obligating any recipients of the de-identified data to comply with restrictions substantially similar to those set forth in this Section.
2.7 FERPA. Without limiting anything set forth in the Agreement or this DPA, to the extent that Customer Personal Data includes information that is protected under, or otherwise subject to, the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g) and the Family Educational Rights and Privacy Act Regulations (34 CFR Part 99), as amended from time to time (“FERPA”) or other similar federal or state laws pertaining to the privacy and security of student information (collectively, “Student Privacy Laws”), Customer represents, warrants and covenants to PAIRIN that, as applicable, Customer has: (a) complied with the Directory Information (as such term is defined under FERPA) or similar exemption under the applicable Student Privacy Laws, including, without limitation, informing, as applicable, students or parents what information Customer deems to be Directory Information and that such Directory Information may be disclosed, and allowing, as applicable, students or parents a reasonable amount of time to request Customer not disclose Directory Information about such student, and, if applicable, Customer shall not provide PAIRIN any Directory Information for any student that has opted out of the disclosure of such student’s Directory Information; (b) complied with the School Official (as defined under FERPA) exemption or similar exemption under the applicable Student Privacy Laws, including, without limitation, in Customer’s annual notification of FERPA rights, defining “school official” to include service providers and defining “legitimate educational interest” to include services such as the type provided by PAIRIN; or (c) obtained all necessary written consent from, as applicable, students or parents to provide education records or other student information to PAIRIN to enable PAIRIN to provide the applicable Services.
To the extent applicable to Customer Personal Data, and without limiting Customer’s obligations under the Agreement and this DPA, PAIRIN will comply with the applicable requirements of Student Privacy Laws in respect of such data.
3. CONFIDENTIALITY. PAIRIN will ensure that PAIRIN personnel with access to Customer Personal Data are subject to a duty of confidentiality with respect to such Customer Personal Data.
4. SECURITY.
4.1 PAIRIN Security Measures; Notification of Security Incident. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, PAIRIN shall implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk to Customer Personal Data and to protect against Security Incidents. Upon becoming aware of a confirmed Security Incident, PAIRIN will: (a) notify Customer of the Security Incident without undue delay; and (b) take reasonable steps to identify the cause of such Security Incident, minimize harm, prevent a recurrence, and provide Customer with information available to PAIRIN that Customer may reasonably require to comply with its obligations under Data Protection Laws. PAIRIN’s notification of or response to a Security Incident under this Section will not be construed as an acknowledgement by PAIRIN of any fault or liability with respect to the Security Incident.
4.2 Customer Responsibilities. Customer agrees that, without limitation of PAIRIN’s obligations under this Section 4, Customer is solely responsible for its use of the Services, including: (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Personal Data; and (b) securing any account authentication credentials, systems, and devices Customer uses to access or connect to the Services, where applicable.
5. SUBPROCESSING. Subject to the requirements of this Section 5, Customer generally authorizes PAIRIN to engage Subprocessors as PAIRIN considers reasonably appropriate for the Processing of Customer Personal Data. A list of PAIRIN’s Subprocessors, including their functions and locations, is available upon Customer’s written request and may be updated by PAIRIN from time to time in accordance with this Section 5. PAIRIN will notify Customer of the addition or replacement of any Subprocessor at least ten (10) days prior to such engagement. Customer may object to such changes on reasonable data protection grounds by providing PAIRIN written notice of such objection within ten (10) days. Upon receiving such an objection, where practicable and at PAIRIN’s sole discretion PAIRIN will use commercially reasonable efforts to: (a) work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; or (b) take corrective steps requested by Customer in its objection and proceed to use the new Subprocessor. If PAIRIN informs Customer that such change or corrective steps cannot be made, Customer may, as its sole and exclusive remedy available under this Section 5, terminate the relevant portion of the Agreement involving the Services which require the use of the proposed Subprocessor by providing written notice to PAIRIN. When engaging any Subprocessor, PAIRIN will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this DPA. PAIRIN shall be liable for the acts and omissions of the Subprocessor to the extent PAIRIN would be liable under the Agreement and this DPA.
6. DATA SUBJECT RIGHTS. PAIRIN will, taking into account the nature of the Processing of Customer Personal Data and the functionality of the Services, provide reasonable assistance to Customer by appropriate technical and organizational measures, insofar as this is possible, as necessary for Customer to fulfill its obligations under Data Protection Laws to respond to requests by Data Subjects to exercise their rights under Data Protection Laws. PAIRIN reserves the right to charge Customer on a time and materials basis in the event that PAIRIN considers that such assistance is onerous, complex, frequent, or time consuming. If PAIRIN receives a request from a Data Subject under any Data Protection Laws with respect to Customer Personal Data, PAIRIN will advise the Data Subject to submit the request to Customer and Customer will be responsible for responding to any such request.
7. ASSESSMENTS AND PRIOR CONSULTATIONS. In the event that Data Protection Laws require Customer to conduct a data protection or privacy impact assessment in connection with PAIRIN’s Processing of Customer Personal Data, following written request from Customer PAIRIN shall use reasonable commercial efforts to provide relevant information and assistance to Customer to fulfil such request, taking into account the nature of PAIRIN’s Processing of Customer Personal Data and the information available to PAIRIN. PAIRIN reserves the right to charge Customer on a time and materials basis in the event that PAIRIN considers that such assistance is onerous, complex, frequent, or time consuming.
8. RELEVANT RECORDS AND AUDIT RIGHTS. Upon Customer’s reasonable written request during the Term, PAIRIN will make available to Customer information reasonably necessary to demonstrate PAIRIN’s compliance with this DPA in the form of PAIRIN’s then-most recent SOC 2 Type II or similar audit report (“Audit Reports”). If Customer requires information for its compliance with Data Protection Laws in addition to the information provided in the Audit Reports, at Customer’s sole expense and to the extent Customer is unable to access the additional information on its own, PAIRIN will allow for, cooperate with, and contribute to reasonable assessments by Customer or an auditor mandated by Customer (“Mandated Auditor”), provided that (a) Customer provides PAIRIN with reasonable advance written notice including the anticipated date of the audit, the proposed scope of the audit, and the identity of any Mandated Auditor, which shall not be a competitor of PAIRIN; (b) PAIRIN approves the Mandated Auditor in writing, with such approval not to be unreasonably withheld; (c) the audit is conducted during normal business hours and in a manner that does not have an adverse impact on PAIRIN’s normal business operations; (d) Customer or any Mandated Auditor complies with PAIRIN’s standard safety, confidentiality, and security policies or procedures in conducting any such audits; and (e) Customer may initiate such audit not more than once per calendar year unless otherwise required by a regulatory authority or Data Protection Laws. Customer will promptly notify PAIRIN of any non-compliance discovered during an audit and provide PAIRIN any reports generated in connection with any audit under this Section, unless prohibited by Data Protection Laws or otherwise instructed by a regulatory authority. 
The Audit Reports, any records, data, or information accessed by Customer or a Mandated Auditor in the performance of an audit, and the results of any such audit are Confidential Information of PAIRIN under the Agreement and may be used by Customer solely for the purposes of meeting Customer’s audit requirements under Data Protection Laws to confirm that PAIRIN’s Processing of Customer Personal Data complies with this DPA.
9. DELETION OR RETURN OF CUSTOMER PERSONAL DATA. Following termination or expiration of the Agreement, PAIRIN will delete Customer Personal Data in accordance with the terms of the Agreement unless retention thereof is required by law. Such retained Customer Personal Data will continue to be protected in accordance with this DPA and this DPA will, notwithstanding the earlier expiration or termination of the Agreement, remain in effect until, and automatically expire upon, PAIRIN’s deletion or return of all Customer Personal Data.
10. MODIFICATIONS TO DPA. Notwithstanding anything to the contrary in the Agreement, PAIRIN may modify this DPA if changes are necessary for compliance with Data Protection Laws or guidance issued by a regulatory authority. PAIRIN will notify Customer at least 30 days (or such other period as may be required for compliance with Data Protection Laws or guidance of a regulatory authority) before such amendment will take effect. If Customer objects to any such amendment, Customer may terminate the Agreement by giving written notice to PAIRIN within 60 days of PAIRIN’s notice.
11. GENERAL TERMS. Any liabilities arising in connection with this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement. To the extent of any conflict or inconsistency between this DPA and the other terms of the Agreement in relation to the Processing of Customer Personal Data, this DPA will govern to the extent applicable. All notices to be provided under this DPA shall be provided in accordance with the Agreement, provided that any notices required to be provided by PAIRIN may be sent via email to Customer.
Last Updated: January 19, 2024