US Privacy Addendum

Last Modified: January 27, 2026

This US Privacy Addendum (the “US Privacy Addendum”) is incorporated into the agreement(s) under which Emissary Software LLC (“Emissary”) has agreed to provide Customer (“Customer”) (a) access to the Emissary System and (b) certain other specified services under the Agreement (the “Agreement”). This US Addendum is between Emissary and Customer (each a "Party" and collectively the "Parties"). By signing this US Addendum, Customer enters into this US Addendum on behalf of itself and in the name of its Affiliates.

  1. Definitions. Unless otherwise set out below, each capitalized term in this US Privacy Addendum shall have the meaning set out in the Agreement, and the following capitalized terms used in this US Privacy Addendum shall be defined as follows:
    1. “Permitted Business Purposes” means:
      1. Helping to ensure security and integrity to the extent the use of the personal information is reasonably necessary and proportionate for these purposes.
      2. Debugging to identify and repair errors that impair existing intended functionality.
      3. Performing services on behalf of Emissary, including maintaining or servicing accounts, providing customer service, verifying Authorized Agents, processing payments, providing analytic services, providing storage, or providing similar services on behalf of Emissary.
      4. Undertaking internal research for technological development and demonstration.
      5. Undertaking activities to verify or maintain the quality or safety of the Services, and to improve, upgrade, or enhance the Services.
    2. “Personal Information” shall be interpreted consistent with the applicable Privacy Laws and includes at a minimum “personal information” and “personal data” as defined in the Privacy Laws, as such information is provided by Customer to Emissary, collected by Emissary on behalf of Customer, processed by Emissary on behalf of Customer, or otherwise made available to Emissary pursuant to the
    3. “Privacy Laws” mean applicable United States statutes, regulations, or other laws pertaining to privacy and information security that are in effect or will come into effect during the term of the Agreement.
    4. “Services” means the recruiting and HR communication services as more fully described and agreed upon by the parties pursuant to the Agreement.
    5. The terms “business,” “business purpose,” “consumer,” “controller,” “data subject,” “process” or “processing,” “processor,” “sale,” “service provider,” “sharing,” “subprocessor,” and “verifiable consumer request” shall have the meanings given to those terms in the Privacy Laws.
  2. Order of Priority. This US Privacy Addendum is governed by the terms and conditions of the Agreement. To the extent there is a conflict between this US Privacy Addendum and the Agreement, the terms of this US Privacy Addendum shall prevail except that any limitations of liability set forth in the Agreement shall continue to apply.
  3. Roles of the Parties. The Parties agree that with regard to the processing of personal information under the Agreement:
    1. Customer or Customer Affiliate (as applicable) is the controller and business, and Emissary is a processor and service provider (and not a third party), processing Customer personal information on behalf of Customer. Customer retains control over the purposes and means of processing of personal information.
  4. Data Subjects. Customer may share personal information, directly or indirectly, with Emissary, including personal information relating to:
    1. Customer’s employees and independent contractors (including Authorized Agents).
    2. Potential job candidates and other individuals who send and receive messages through the System or otherwise interact with Customer.
    3. Other external users authorized by Customer to access the System, including Customer’s Affiliates’ employees and independent contractors.
  5. Types of personal information. Customer may share personal information to the System in accordance with the terms of the Agreement, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, the following categories of personal information:
    1. Basic contact and scheduling details including name, telephone number and email address.
    2. Application usage information.
    3. Content of communication between Users.
  6. Data Processing Purpose Limitation.
    1. Emissary shall process the personal information only for the timeframe permitted in the Agreement (unless otherwise agreed in writing).
    2. Emissary shall only use the personal information:
      1. To provide the Services;
      2. For the Permitted Business Purposes; and
      3. Pursuant to documented instructions of Customer (unless otherwise required by applicable law).
    3. The contents of the Agreement, and Customer’s or Customer Affiliate’s use of the features and functionality of the Services constitute Customer’s instructions to Emissary in relation to the processing of Customer personal information.
    4. If Emissary believes an instruction conflicts with applicable Privacy Laws, Emissary shall promptly notify Customer and may suspend the affected processing until the infringing instruction is withdrawn or amended to render it lawful.
    5. Emissary agrees it shall not:
      1. Sell or share the personal information;
      2. Retain, use, or disclose the personal information outside of the direct business relationship with Customer or for any purpose other than (i) providing the Services; (ii) performing the Permitted Business Purposes; or (iii) as otherwise expressly permitted by Privacy Laws.
      3. Combine personal information received from, or on behalf of Customer with personal information received from any other source, except for the Permitted Business Purposes or as otherwise expressly permitted by Privacy Laws.
  7. Required Disclosures and Consents. Customer is responsible for providing any required privacy notices and obtaining any required consents required under applicable Privacy Laws for Emissary to process the personal information as contemplated under the Agreement.
  8. Use of Subprocessors.
    1. In addition to individual independent contractors engaged as part of its workforce, Customer consents to Emissary’s use of the subprocessors listed here (the “Subprocessor List”) to assist in the processing of Customer personal information for the purpose of providing the Services and for the Permitted Business Purposes.
    2. In order to receive prior notification of changes to the Subprocessor List, Customer may subscribe to the Supplier Notification List by sending an e-mail to subprocessor-updates@emissary.ai. If Customer subscribes to such notifications, Emissary will provide details of any change to the Subprocessor List as soon as reasonably practicable. Emissary will endeavor to give written notice thirty (30) days prior to any change, but will give written notice no less than ten (10) days prior to any such change.
    3. Customer may reasonably object to Emissary’s use of a new subprocessor (e.g., where using such new subprocessor would weaken the protections for Customer personal information) by notifying Emissary in writing within five (5) business days after receipt of Emissary’s notice in accordance with the mechanism set out in this Section. Such notice shall explain the reasonable grounds for the objection. Where Customer objects to a new subprocessor on reasonable grounds prior to the deadline set forth above, Emissary will use reasonable efforts to make available to Customer a change in the Services to avoid the processing of Customer personal information by the objected-to new subprocessor. If Emissary is unable to make such a change within 30 business days from Emissary’s receipt of Customer’s notice, either Party may terminate, without penalty, the applicable portion of the Agreement or Order with respect only to those parts of the Services which cannot be provided by Emissary without the use of the objected-to new subprocessor (or the entire contract if partial termination is not feasible) by providing written notice to the other Party.
    4. All engagements with subprocessors shall be pursuant to a written contract binding the subprocessor to (i) a duty of confidentiality; and (ii) compliance with the Privacy Laws.
  9. Confidentiality. Emissary shall ensure that all persons processing personal information on its behalf are subject to a duty of confidentiality.
  10. De-Identified Data. If Emissary creates or processes de-identified data, it shall:
    1. Ensure that the information cannot be reasonably re-identified;
    2. Publicly commit to maintaining the information in de-identified form;
    3. Not attempt re-identification; and
    4. Require the same from any recipients.
  11. Sensitive Data. Customer shall not instruct Emissary to process any Sensitive Data (as defined under applicable Privacy Laws) unless specifically agreed upon in writing by Emissary.
  12. Children’s Data. Customer shall not, directly or indirectly, share the personal information of consumers under the age of 16 unless specifically agreed upon in writing by Emissary.
  13. Assistance.
    1. Assistance with Consumer Requests. Emissary shall:
      1. Assist Customer in responding to verifiable consumer requests;
      2. Provide access, correction, deletion, and portability support as required;
      3. Notify Customer if Emissary receives a request directly.
    2. Assistance with Data Protection Assessments. Emissary shall provide necessary information to enable Customer to conduct and document data protection assessments to the extent required under Privacy Laws.
    3. Assistance with Security. Emissary shall assist Customer through appropriate technical and organizational measures as required by Privacy Laws to protect against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to Customer personal information (a “Breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for consumers. At a minimum, Emissary shall have in place the security measures set forth here. Customer may monitor compliance with the Agreement through receipt, upon request, of a copy of Emissary’s most recent SOC 2, Type 2 report. Additionally, Emissary shall make available information reasonably necessary to demonstrate compliance and allow reasonable audits by Customer.
  14. Oversight. Emissary shall, upon the reasonable request of Customer:
    1. Make available to Customer all information in its possession necessary to demonstrate compliance with the obligations under this US Privacy Addendum and the Agreement.
    2. Allow Customer to take reasonable and appropriate steps to ensure that Emissary’s use of personal information is consistent with Emissary’s and Customer’s obligations under Privacy Laws.
    3. Allow Emissary to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
  15. Data Retention. Unless prohibited by applicable law, (a) upon Customer’s request and at Customer’s direction, Emissary shall delete or return all personal information; and (b) if no such request is made, Emissary shall delete all personal information (excluding the information of individuals acting as representatives of Customer) within ninety days from the date of termination of the Agreement unless retention of the personal information is required by law.
  16. Data Minimization and Purpose Limitation. Each Party shall limit the collection and processing of personal information to what is reasonably necessary to perform the Services. Each Party shall limit the processing of personal information to what is reasonably necessary and proportionate to fulfill the purposes stated in this US Privacy Addendum.
  17. Breach Notification. Emissary shall notify Customer without undue delay after becoming aware of any Breach involving Customer personal information.
  18. Consideration for Data Processing. Notwithstanding anything in the Agreement or any related order form or other document, the Parties acknowledge and agree that Customer’s provision of access to personal information is not part of and explicitly excluded from the exchange of consideration, or any other thing of value, between the parties.
  19. Cross-Context Behavioral Advertising, Data Combination, and Profiling.
    1. Emissary shall not use personal information for cross-context behavioral advertising or profiling without Customer’s written instruction.
    2. Emissary shall not combine personal information received from or on behalf of Emissary with personal information received from or on behalf of another person or collected from its own interactions with a consumer, except as expressly authorized by Emissary in writing or as permitted by applicable Privacy Laws.
    3. Emissary shall not engage in any form of profiling of consumers in furtherance of decisions that produce legal or similarly significant effects concerning a consumer, unless explicitly instructed in writing by Customer and subject to applicable legal requirements and safeguards.
  20. Term and Survival. This Addendum survives termination of the Agreement for so long as Emissary retains Personal Information.
  21. Documented Instructions for Processing. Emissary shall process personal information only upon documented instructions from Customer, including for the purpose of providing the Services, unless otherwise required by applicable law.
  22. State Privacy Law Compliance. The parties acknowledge that this US Privacy Addendum is intended to satisfy the requirements of all applicable United States privacy laws.
  23. Severability. If any provision of this US Privacy Addendum is found to be unenforceable or void by a court of law, such provision shall be deemed to be severable from the other provisions of this US Privacy Addendum, and the remainder of this US Privacy Addendum shall be given effect, as if the parties had not included the severed provision.
  24. Review and Amendment. The parties agree to review and, if necessary, update this US Privacy Addendum in good faith to ensure continued compliance with applicable Privacy Laws.
  25. No Other Amendment to Agreement. Except as expressly set forth herein, the terms of the Agreement shall remain unmodified and in full force and effect.