Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Emissary Subscription Agreement (the “Agreement”) under which Emissary Software LLC (“Emissary”) has agreed to provide the Customer (“Customer”) (a) access to the System and (b) certain other specified services under the Agreement. Except where the context requires otherwise, references in this DPA to the Agreement are to the Agreement as amended by, and including, this DPA.

This DPA is between Emissary and the Customer (each a "Party" and collectively the "Parties"). By signing this DPA, Customer enters into this DPA on behalf of itself and in the name of its Controller Affiliates.

1.1   Unless otherwise set out below, each capitalized term in this DPA shall have the meaning set out in the Agreement, and the following capitalized terms used in this DPA shall be defined as follows:

"Controller", “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Processor” shall have the meanings ascribed to them in Data Protection Legislation. In the event of a conflict in the meanings of terms among the Data Protection Legislation, the Parties agree that only the meanings in applicable Data Protection Legislation will apply.

“Controller Affiliates” means any of Customer’s Affiliates that are permitted to use the System pursuant to the Agreement between Customer and Emissary if and only to the extent Emissary processes Customer Personal Data for which such Customer Affiliate(s) qualify as the Controller.

“Customer Personal Data” means any Personal Data processed by Emissary as a Processor on behalf of Customer which has been provided by Customer to Emissary, collected by Emissary on behalf of Customer, on behalf of Customer, or otherwise made available to Emissary pursuant to the Agreement.

“Data Protection Legislation” means, as binding on either party: (a) the EU GDPR; (b) the UK GDPR; (c) the UK Data Protection Act 2018; (d) any laws which implement any such laws; (e) any laws which replace, extend, re-enact, consolidate or amend any of the foregoing, and (f) any other legislation and regulatory requirements in force from time to time in the United Kingdom (“UK”) or the European Economic Area (“EEA”) which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications).

“EU GDPR” means the General Data Protection Regulation (EU) 2016/679.

“Lawful Transfer Mechanism” means such legally enforceable mechanism(s) for transfers of Personal Data to third countries as may be permitted under Data Protection Legislation from time to time.

“Restricted Transfer” means (i) where the EU GDPR applies, a transfer of Customer Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of Customer Personal Data from the UK to a country outside of the UK which is not subject to adequacy regulations pursuant to Section 17A of the UK Data Protection Act 2018.

“Service” means the recruiting and HR communication services as more fully described and agreed upon by the parties pursuant to the Agreement.

“Standard Contractual Clauses” means (i) where the EU GDPR applies the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to third countries, as set out in the Annex to Commission Decision (EU) 2021/914, available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en, or such alternative clauses as may be approved by the European Commission from time to time (“EU SCCs”); and/or (ii) where the UK GDPR applies the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office and laid before Parliament in accordance with section 119A of the Data Protection Act 2018 on 2 February 2022, as revised by the Information Commissioner’s Office from time to time, available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/ (the “UK Addendum”).

“Supervisory Authority” means a) in the United Kingdom, the Information Commissioner’s Office, or any other independent regulatory authority responsible for administering compliance with the Data Protection Legislation in the United Kingdom, and b) in the European Union, an independent regulatory authority which is established by an EU Member State pursuant to the EU GDPR.

“UK GDPR” has the meaning given to it in Section 3(10) (as supplemented by Section 205(4)) of the Data Protection Act 2018.

• 2.1    Order of Priority. To the extent there is a conflict between this DPA and the Agreement, the terms of this DPA shall prevail provided that the limitations of liability provisions set forth in the Agreement shall be applied to this DPA together with the Agreement.
• 2.2   Roles of the Parties. The parties agree that with regard to the processing of Customer Personal Data under the Agreement, Customer or Customer Affiliate (as applicable) is the Controller, and Emissary is a Processor Processing Customer Personal Data on behalf of Customer or Customer Affiliate (as applicable).
• 2.3   . Emissary will Process Customer Personal Data as necessary to provide the Service, and in accordance with Customer’s documented instructions. The contents of the Agreement, and Customer’s use of the System’s features and functionality, constitute the Customer’s instructions to Emissary in relation to the Processing of Customer Personal Data. Emissary will not Process Customer Personal Data for any other purpose unless required by UK, EU or EU Member State laws and in such a case, Emissary will inform Customer of that legal requirement before Processing unless that law prohibits the provision of such information. Emissary will immediately inform Customer if, in Emissary’s opinion, an instruction conflicts with the requirements of applicable Data Protection Legislation and shall be entitled to cease Processing Customer Personal Data until the infringing instruction is (a) withdrawn, or (b) amended to render it lawful.

• 2.4   Details of the Processing. The subject-matter of Processing of Customer Personal Data by Emissary is as described in Section 2.3. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under the Agreement are set out in the Description of Processing Activities at Schedule 1 to this DPA.
• 2.5    Required disclosures and consents.Where required by applicable Data Protection Legislation, Customer will ensure that it has (a) made/will make all necessary disclosures, and (b) obtained/will obtain all necessary consents, for the Processing of Customer Personal Data by Emissary in accordance with the Agreement and applicable law.

• 3.1 In addition to individual independent contractors engaged as part of Emissary’s workforce, Customer consents to Emissary’s use of the sub-processors listed at https://www.emissary.ai/subprocessors (the “Sub-Processor List”) to assist in the processing of Customer Personal Data for the purpose of providing the Service. Sub-processors will be obliged under a written contract to provide at least the same level of data protection as is required under this DPA (to the extent applicable to the Service provided by the sub-processor). Emissary will be liable to Customer for the acts and omissions of any sub-processor as if they were the acts and omissions of Emissary.
• 3.2 In order to receive prior notification of changes to the Sub-Processor List, Customer may subscribe to the Supplier Notification List by sending an e-mail to subprocessor-updates@emissary.ai. . If Customer subscribes to such notifications, Emissary will provide details of any change to the sub-processor List as soon as reasonably practicable. Emissary will endeavor to give written notice thirty (30) days prior to any change, but will give written notice no less than ten (10) days prior to any such change.
• 3.3 3.3 Customer may reasonably object to Emissary’s use of a new sub-processor (e.g., where using such new sub-processor would weaken the protections for Customer Personal Data) by notifying Emissary, in writing, within five (5) business days after receipt of Emissary’s notice in accordance with the mechanism set out in Section 3.2. Such notice shall explain the reasonable grounds for the objection. Where Customer objects to a new sub-processor on reasonable grounds prior to the deadline set forth above, Emissary will use reasonable efforts to make available to Customer a change in the Service to avoid the Processing of Customer Personal Data by the objected-to new sub-processor. If Emissary is unable to make such a change within 30 business days from Emissary’s receipt of Customer’s notice, either party may terminate without penalty the applicable addendum to the Agreement between Customer and Emissary with respect only to those parts of the Service which cannot be provided by Emissary without the use of the objected-to new sub-processor (or the entire contract if partial termination is not feasible) by providing written notice to the other party.

• 4.1    Emissary Emissary shall assist Customer through appropriate technical and organizational measures as required by Data Protection Legislation to protect against a Personal Data Breach. In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the Data Subjects. At a minimum, Emissary shall have in place the security measures set forth at https://www.emissary.ai/technical-organizational-measures.
• 4.2    Breach Notification. Emissary shall:
  
  
  1. Notify Customer without undue delay of becoming aware of a Personal Data Breach, providing Customer with sufficient information to allow Customer to meet its obligations under Data Protection Legislation; and
  2. Take commercially reasonable steps to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
• 4.3    Personnel. Emissary will ensure that all personnel who have access to and/or Process Customer Personal Data have committed themselves to confidentiality.

• 5.1    Inspection and Audit Rights. Upon Customer’s request, Emissary will (a) make available to Customer all information reasonably necessary to demonstrate Emissary’s compliance with this DPA, and (b) subject to the provisions of Section 5.2 below, and only to the extent required under applicable Data Protection Legislation, allow an on-site inspection by Customer, or an independent auditor mandated by Customer (“Mandated Auditor”) of any premises where the Processing of Customer Personal Data takes place solely for the purpose of assessing compliance with this DPA, and will permit reasonable access to relevant records, processes, and systems for this purpose.
• 5.2    Conditions to Audit. The audit rights set out in Section 5.1 are subject to the following conditions: a) audits may only occur once per calendar year and during normal business hours, b) Customer shall reimburse Emissary for any time expended for any such on-site audits at Customer’s then-current rates, which shall be made available to Customer on request, c) before the commencement of any such on-site audit, Customer and Emissary shall mutually agree upon the scope, timing, and duration of the inspection, in addition to the reimbursement rates which shall be reasonable, taking into account the resources expended by Emissary;; d) Customer shall make (and ensure that each of its Mandated Auditors make) reasonable efforts to avoid causing any damage, injury, or disruption to Emissary’s premises, equipment, personnel, and business while its personnel are on those premises during such an audit, e) Customer and/or the Mandated Auditor will comply with Emissary’s standard safety, confidentiality, and security policies and procedures in conducting any audits and shall not have access to any third party information or data; and f) any records, data, or information accessed by Customer and/or the Mandated Auditor in the performance of any audit will be deemed to be the confidential information of Emissary, and may be used for no other reason than to assess Emissary’s compliance with the terms of this DPA. In connection with the foregoing, Emissary may require Customer and/or the Mandated Auditor to enter into a customary confidentiality agreement prior to the performance of any audit. Emissary may object to a Mandated Auditor if the auditor is, in Emissary’s reasonable opinion, not suitably qualified or independent, a competitor of Emissary, or otherwise manifestly unsuitable. Any such objection by Emissary will require Customer to appoint an alternative auditor or conduct the audit itself in accordance with the terms of this Section 5.2. Customer shall promptly notify Emissary with information regarding any non-compliance discovered during the course of an audit, and Emissary shall use commercially reasonable efforts to address any confirmed non-compliance.

• 6.1    Emissary shall:
  1. Assist Customer to fulfill its obligation to respond to requests from Data Subjects using appropriate technical and organizational measures, insofar as this is reasonably practicable, taking into account the nature of processing and the information available to Emissary.
  2. If Emissary receives a Data Subject request it shall (i) inform the Customer of such request in a timely fashion; and (ii) inform the Data Subject that it should submit the request directly to the business with whom the consumer has shared personal information.

• 7.1    Emissary shall provide necessary information to enable Customer to conduct and document data protection impact assessments and with any prior consultations to any Supervisory Authority (as applicable) to the extent required under Data Protection Legislation.

• 8.1   In connection with the Service, the parties anticipate that Emissary (and its sub-processors) may process outside the EEA, or the UK (as applicable), certain Customer Personal Data protected by applicable Data Protection Legislation in respect of which Customer (or a Controller Affiliate) is the Controller. The parties agree that when the transfer of Customer Personal Data protected by applicable Data Protection Legislation from the Customer (or a Controller Affiliate) to Emissary is a Restricted Transfer then it shall be subject to the appropriate Standard Contractual Clauses as set out in this Section 8.
•  8.2   Transfers from the EEA. In relation to Customer Personal Data that is protected by the EU GDPR, the EU SCCs will apply subject to the following:
  1. The parties acknowledge that by signing this DPA the EU SCCs are incorporated into and form an integral part of this DPA.
  2. In accordance with Section 1 of this DPA, Module Two of the EU SCCs shall apply for the purposes of transfers of Customer Personal Data under this Agreement. Modules One, Three, and Four of the EU SCCs shall not apply.
  3. The parties agree that the audits described in Clauses 8.9(c) and (d) of the EU SCCs, shall be carried out in accordance with the provisions of Section 5 of this DPA.
  4. In Clause 7, the optional docking clause will apply;
  5. The scope of instructions set out in Section 2.2 of this DPA shall apply for the purposes of Clause 8.1(a) of the EU SCCs.
  6. The parties agree that the certification of deletion of Personal Data described in Clauses 8.5 and 16(d) of the EU SCCs shall be provided by Emissary to Customer only upon Customer’s request.
  7. Pursuant to Clause 9(a) of the EU SCCs, Customer acknowledges and expressly agrees that Emissary may engage sub-processors in accordance with the process described in Sections 3 of this DPA.
  8. in Clause 9, Option 2 will apply, and the period for prior notice of sub-processor changes shall be as set out in Section 2 of this DPA;
  9. In Clause 11, the optional language will not apply;
  10. In Clause 17, Option 1 will apply, and the EU SCCs will be governed by the laws of Ireland;
  11. In Clause 18(b) disputes shall be resolved by the courts of Ireland;
  12. Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 1 to this DPA; and
  13. Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 2 to this DPA;
      
      

•  8.3   Transfers from the United Kingdom. In relation to Customer Personal Data that is protected by the UK GDPR, the UK Addendum will apply subject to the following:
  1. The parties acknowledge that by signing this DPA the UK Addendum is incorporated into and forms an integral part of this DPA.
  2. The Parties’ details in Table 1 shall be deemed completed with the information set out in Schedule 1 Part A to this DPA.
  3. The Key Contacts in Table 1 shall be the contacts identified in the Order Form.
  4. The parties agree that execution of this DPA shall constitute execution of the UK Addendum by both parties.
  5. The UK Addendum shall be deemed appended to the EU SCCs as amended by Section 8.2 of this DPA.
  6. The List of Parties in Table 3 shall be deemed completed with the information set out in Schedule 1 Part A to this DPA.
  7. The Description of Transfer in Table 3 shall be deemed completed with the information set out in Schedule 1 Part B to this DPA.
  8. The Technical and organisational measures in Table 3 shall be deemed completed with the information set out in Schedule 2 to this DPA.
  9. The list of Sub processors in Table 3 shall be deemed completed with the information set out in Section 3 to this DPA.
•  8.4   Customer agrees to accept any modifications to the Standard Contractual Clauses entered into between Emissary and Customer (where applicable) which are necessary to comply with applicable Data Protection Legislation. The parties agree that if the Standard Contractual Clauses are replaced, amended, or no longer recognized as valid under applicable Data Protection Legislation, or if a relevant Supervisory Authority requires either Party to adopt an alternative transfer solution, the Parties will work together in good faith to put an alternative Lawful Transfer Mechanism in place to ensure the processing continues to comply with applicable Data Protection Legislation.
•  8.5   In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
•  8.6   Onward Transfers. Customer authorizes Emissary to transfer Customer Personal Data to sub-processors engaged in accordance with Section 3 provided that, to the extent required under Data Protection Legislation, such transfers are effected by way of a Lawful Transfer Mechanism.

• 9.1    Upon Customer’s request and at Customer’s direction Emissary shall delete or return all Customer Personal Data. If no such request is made Emissary shall delete all Customer Personal Data (excluding any Personal Data which Emissary processes as a Controller) within ninety days from the data of termination of the Agreement unless retention of the personal data is required by UK, EU, or EU Member State law (in which case Emissary shall inform Customer of the applicable requirement).

• 10.1    Each party certifies that it understands the restrictions and obligations under Data Protection Legislation and will comply with Data Protection Legislation to the extent applicable. This DPA is in addition to, and does not relieve, remove, or replace, a Party’s obligations under Data Protection Legislation.

• 11.1    Notwithstanding anything to the contrary herein or in the Agreement, the terms of this DPA shall continue through the term of the Agreement or for so long as Emissary or its sub-processors have possession of or access to Customer Personal Data. Any provision of this DPA that expressly or by implication should continue on or after termination of the Agreement in order to protect Personal Data shall remain in full force and effect.

• 12.1    If any provision of this DPA shall be found to be void by a court of law, such provision shall be deemed to be severable from the other provisions of this DPA, and the remainder of this DPA shall be given effect, as if the parties had not included the severed provision.

• 13.1    Except as expressly set forth herein, the terms of the Agreement shall remain unmodified and in full force and effect.