Last Modified: June 27, 2024
This US Privacy Addendum (the “US Addendum”) is incorporated into the agreement(s) under which Emissary Software LLC (“Emissary”) has agreed to provide Customer (“Customer”) (a) access to the Emissary System and (b) certain other specified services under the Agreement (the “Agreement”). This US Addendum is between Emissary and Customer (each a “Party” and collectively the “Parties”). By executing an Agreement or any Order Form, Customer enters into this US Addendum on behalf of itself and in the name of its Affiliates.
- Definitions. Unless otherwise set out below, each capitalized term in this US Addendum shall have the meaning set out in the Agreement, and the following capitalized terms used in this US Addendum shall be defined as follows:
- “Permitted Business Purposes” means:
- Helping to ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary and proportionate for these purposes.
- Debugging to identify and repair errors that impair existing intended functionality.
- Performing services on behalf of Emissary, including maintaining or servicing accounts, providing customer service, verifying Authorized Agents, processing payments, providing analytic services, providing storage, or providing similar services on behalf of Emissary.
- Undertaking internal research for technological development and demonstration.
- Undertaking activities to verify or maintain the quality or safety of the Service, and to improve, upgrade, or enhance the Service.
- “Personal Information” shall be interpreted consistent with the Privacy Laws and includes at a minimum “personal information” and “personal data” as defined in the Privacy Laws, as such information is provided by Customer to Emissary, collected by Emissary on behalf of Customer, processed by Emissary on behalf of Customer, or otherwise made available to Emissary pursuant to the Agreement.
- “Privacy Laws” means applicable United States statutes, regulations, or other laws pertaining to privacy and information security that are in effect or will come into effect during the term of the Agreement.
- “Service” means the recruiting and HR communication services as more fully described and agreed upon by the parties pursuant to the Agreement.
- The terms “business,” “business purpose,” “consumer,” “controller,” “data subject,” “personal data,” “personal information,” “process” or “processing,” “processor,” “sale,” “service provider,” “sub-processor,” “sharing,” and “verifiable consumer request” shall have the meanings given to those terms in the Privacy Laws to the extent such meanings are materially similar to the meaning of terms in effect on the date executed by both parties. In the event of a conflict in the meanings of terms among the Privacy Laws, the Parties agree that only the meanings in applicable Privacy Laws will apply.
- Order of Priority. To the extent there is a conflict between this US Addendum and the Agreement, the terms of this US Addendum shall prevail provided that the limitations of liability provisions set forth in the Agreement shall be applied to this US Addendum together with the Agreement.
- Roles of the Parties. The parties agree that with regard to the processing of personal information under the Agreement, Customer or Customer Affiliate (as applicable) is the controller and business, and Emissary is a processor and a service provider (and not a third party or contractor), processing Customer personal information on behalf of Customer or Customer Affiliate (as applicable).
- Data Subjects. Customer may submit personal information to the System, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, personal information relating to the following categories of Data Subjects:
- Customer’s employees and independent contractors (including Authorized Agents);
- Consumers and other Users who use the System to interact with the Customer;
- Other external users authorized by Customer to access the System, including Customer’s Affiliates’ employees and independent contractors.
- Types of personal information. Customer may submit personal information to the System in accordance with the terms of the Agreement, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, the following categories of personal information:
- Basic contact and scheduling details including name, telephone number and email address.
- Application usage information.
- Content of communication between Users.
- Data Processing Purpose Limitation. The parties agree that:
- Emissary shall process the personal information only for the timeframe permitted in the Agreement (unless otherwise agreed in writing).
- Emissary shall only use the personal information:
- To provide the Service;
- For the Permitted Business Purposes; and
- Pursuant to the instructions of Customer (unless otherwise required by applicable law). The contents of the Agreement, and Customer’s or Customer Affiliate’s use of the features and functionality of the Service constitute Customer’s instructions to Emissary in relation to the processing of Customer personal information. Emissary will immediately inform Customer if, in Emissary’s opinion, an instruction conflicts with the requirements of Privacy Laws and shall be entitled to cease processing Customer personal information if an instruction conflicts with the requirements of Privacy Laws until the infringing instruction is (a) withdrawn, or (b) amended to render it lawful.
- Emissary agrees it shall not:
- Sell or share the personal information;
- Retain, use, or disclose the personal information outside of the direct business relationship between Emissary and Customer or for any business or commercial purpose other than (aa) to provide the Services; (bb) the Permitted Business Purposes; or (cc) as otherwise expressly permitted by Privacy Laws.
- Combine or update the personal information it receives from, or on behalf of Customer with personal information it receives from, or on behalf of, another person or persons, or collects from its own interaction with a consumer except for the Permitted Business Purposes or as otherwise expressly permitted by Privacy Laws.
- Required Disclosures and Consents. Where required by Privacy Law, Customer will ensure that it has (a) made/will make all necessary disclosures, and (b) obtained/will obtain all necessary consents, for the processing of Customer personal information by Emissary in accordance with the Agreement and applicable law.
- Use of Sub-processors.
- In addition to individual independent contractors engaged as part of its workforce, Customer consents to Emissary’s use of the sub-processors listed at https://www.emissary.ai/subprocessors (the “Sub-processor List”) to assist in the processing of Customer personal information for the purpose of providing the Service and for the Permitted Business Purposes.
- In order to receive prior notification of changes to the Sub-processor List, Customer may subscribe to the Supplier Notification List by sending an e-mail to subprocessor-updates@emissary.ai. If Customer subscribes to such notifications, Emissary will provide details of any change to the Sub-processor List as soon as reasonably practicable. Emissary will endeavor to give written notice thirty (30) days prior to any change, but will give written notice no less than ten (10) days prior to any such change.
- Customer may reasonably object to Emissary’s use of a new processor (e.g., where using such new Sub-Processor would weaken the protections for Customer personal information) by notifying Emissary, in writing, within five (5) business days after receipt of Emissary’s notice in accordance with the mechanism set out in this Section. Such notice shall explain the reasonable grounds for the objection. Where Customer objects to a new sub-processor on reasonable grounds prior to the deadline set forth above, Emissary will use reasonable efforts to make available to Customer a change in the Service to avoid the processing of Customer personal information by the objected-to new sub-processor. If Emissary is unable to make such a change within 30 business days from Emissary’s receipt of Customer’s notice, either Party may terminate, without penalty, the applicable addendum to the agreement between Customer and Emissary with respect only to those parts of the Service which cannot be provided by Emissary without the use of the objected-to new sub-processor (or the entire contract if partial termination is not feasible) by providing written notice to the other Party.
- All engagements with sub-processors shall be pursuant to a written contract binding the sub-processor to (i) a duty of confidentiality; and (ii) compliance with the Privacy Laws.
- De-Identified Data. If Emissary uses de-identified information it shall:
- Ensure that such information cannot be associated with a consumer, household, device, or company, including, without limitation, any individual or corporate client of Customer;
- Publicly commit to maintain and use the information in de-identified form;
- Not attempt to re-identify the information; and
- Contractually obligate any recipients of the information to comply with all such requirements of this section of the US Addendum and Privacy Laws.
- Assistance with Consumer requests. Emissary shall:
- Assist Customer to fulfill its obligation to respond to consumer rights using appropriate technical and organizational measures, insofar as this is reasonably practicable, taking into account the nature of processing and the information available to Emissary.
- If Emissary receives a consumer request it shall (i) inform the Customer of such request in a timely fashion; and (ii) inform the consumer that it should submit the request directly to the business with whom the consumer has shared personal information.
- Assistance with Data Protection Assessments. Emissary shall provide necessary information to enable Customer to conduct and document data protection assessments to the extent required under Privacy Laws.
- Assistance with Security.
- Emissary shall assist Customer through appropriate technical and organizational measures as required by Privacy Laws to protect against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to Customer personal information (a “Breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. At a minimum, Emissary shall have in place the security measures set forth at https://www.emissary.ai/technical-organizational-measures.
- Customer may monitor compliance with the Agreement through receipt, upon request, of a copy of Emissary’s most recent SOC 2, Type 2 report.
- Breach Notification. Emissary shall:
- Notify Customer without undue delay after becoming aware of a Breach, providing Customer with sufficient information to allow Customer to meet its obligations under Privacy Laws; and
- Take commercially reasonable steps to assist in the investigation, mitigation and remediation of each such Breach.
- Compliance with Privacy Laws.
- Emissary shall:
- Provide the same level of privacy protection as is required under the Privacy Laws;
- Make available to Customer all information necessary to demonstrate compliance with the Privacy Laws; and
- Notify Customer if it makes a determination that it can no longer meet its obligations under the Privacy Laws.
- Emissary grants Customer the right, upon notice, to take reasonable and appropriate steps to help ensure that Emissary uses the personal information transferred in a manner consistent with Customer’s obligations under the Privacy Laws; and to stop and remediate unauthorized use of personal information.
- Data Retention. Unless prohibited by applicable law, (a) upon Customer’s request and at Customer’s direction Emissary shall delete or return all personal information; and (b) if no such request is made Emissary shall delete all personal information (excluding the information of individuals acting as representatives of Customer) within ninety days from the date of termination of the Agreement unless retention of the personal data is required by law.
- Consideration for Data Processing. Notwithstanding anything in the Agreement or any related order form or other document, the Parties acknowledge and agree that Customer’s provision of access to personal information is not part of and explicitly excluded from the exchange of consideration, or any other thing of value, between the parties.
- Compliance with Privacy Laws. By signing this US Addendum, each party certifies that it understands the restrictions and obligations under the Privacy Laws and will comply with the Privacy Laws to the extent applicable. This US Addendum is in addition to, and does not relieve, remove, or replace, a Party’s obligations under Privacy Laws.
- Term and Termination. Notwithstanding anything to the contrary herein or in the Agreement, the terms of this US Addendum shall continue through the term of the Agreement or for so long as Emissary or its sub-processors have possession of or access to the personal information. Any provision of this US Addendum that expressly or by implication should continue on or after termination of the Agreement in order to protect personal information shall remain in full force and effect.
- Severability. If any provision of this US Addendum shall be found to be void by a court of law, such provision shall be deemed to be severable from the other provisions of this US Addendum, and the remainder of this US Addendum shall be given effect, as if the parties had not included the severed provision.
- No Other Amendment to Agreement. Except as expressly set forth herein, the terms of the Agreement shall remain unmodified and in full force and effect.