Data Processing Agreement
Last Revised: February 3, 2021
This Data Processing Agreement is an addendum to the Terms of Service listed at https://www.sovren.com/policies-and-agreements/terms-of-service/. This Data Processing Agreement (DPA) between Recipient and Provider shall apply to all Processing of Recipient Personal Data by Provider using the Service.
1.1 Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
1.2 Recipient Personal Data means the Personal Data which Provider is processing as Processor or Subprocessor, as the case may be, on behalf of Recipient in order to provide the Services. Recipient Personal Data includes both (a) Personal Data controlled by Recipient as Controller AND (b) Personal Data Recipient is Processing on behalf of itself or Other Controllers as Processor, as the case may be.
1.3 Agreements means this Data Processing Agreement, the Terms of Service located at https://www.sovren.com/policies-and-agreements/terms-of-service/ including all other documents and agreements referenced therein, and, if applicable, the Standard Contractual Clauses located at https://www.sovren.com/policies-and-agreements/standard-contractual-clauses/.
1.4 PII and Personally Identifiable Information mean Personal Data as defined herein.
1.5 Data Subject is the identified or identifiable natural person to which the Personal Data relates.
1.6 Data Protection Laws means the GDPR and all Member State data protection laws and regulations.
1.7 EU Standard Contractual Clauses means the standard contractual clauses for the transfer of personal data to processors established in third countries (Commission Decision 2010/87/EC) as published by the Danish Data Protection Agency in January 2020 and approved by the European Data Protection Board (EDPB), and as posted at https://www.sovren.com/policies-and-agreements/standard-contractual-clauses/.
1.8 GDPR means the General Data Protection Regulation 2016/679.
1.9 Member State means a country that is a member of the European Union or the European Economic Area.
1.10 Other Controller means any entity other than Recipient that is Controller of the Recipient Personal Data, such as Recipient’s affiliated companies or Recipient’s Clients, their customers or affiliated companies.
1.11 Personal Data means any information relating to an identified or identifiable natural person (‘Data Subject’), which information is subject to the GDPR or the laws of non-EU EEA countries that have formally adopted the GDPR; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.12 Personal Data Breach means a suspected or actual breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
1.13 Process or Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.14 Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
1.15 Service(s) means the services provided by Provider as agreed in the Agreements.
1.16 Subprocessor means any subcontractor engaged by Provider for the Processing of Recipient Personal Data in accordance with Section 8.1.
1.17 Supervisory Authority means an independent public authority which is established by a Member State pursuant to the GDPR.
1.18 Provider Affiliates means companies which are controlled by Provider, which control Provider or which are under common control with Provider. “To control” or “to be controlled” means to hold, directly or indirectly, more than 50% of the respective shares with voting rights.
1.19 CCPA means the California Consumer Privacy Act (the “CCPA”).
1.20 Consumer means a natural person who is a California resident, however identified, including by any unique identifier, as defined under CCPA. In this agreement, Data Subject is synonymous with Consumer when the CCPA applies.
2.1 This DPA applies if and to the extent Provider is Processing Recipient Personal Data. Recipient appoints Provider as Processor to process such Recipient Personal Data. For purposes of this DPA, Recipient (along with any Other Controllers) is the Controller, and Provider is the Processor.
2.2 Processing Details:
(a) The nature, purposes and subject matter of the Processing: processing of resumes and jobs to extract, classify, summarize and report data; optionally, matching, scoring and ranking of jobs and resumes in any direction; optionally, geocoding of the candidate address from a parsed resume; optionally, searching on a subset of candidate data;
(b) The duration of the Processing is: for the duration of this Agreement.
(c) Categories of Data Subjects: employees, contractors, candidates, and potential candidates of Controller or Other Controllers.
(d) Types of Recipient Personal Data: Personal Data in résumés, including contact information and personal information as described in https://www.sovren.com/technical-specs/latest/rest-api/resume-parser/overview/parser-output/.
2.3 Provider will Process Recipient Personal Data for the sole purpose of providing the Services according to Recipient’s written instructions as defined in this section. The initial scope of Recipient’s instructions for the Processing of Recipient Personal Data is defined by the Agreements including, in particular, this DPA. Recipient shall provide further instructions that the Provider has to comply with, as described in the succeeding paragraph of this Section 2.3. In case Provider does not accommodate an instruction, Recipient may terminate the affected part of the Service by providing Provider with a written notice. If Provider believes an instruction violates the Data Protection Laws, Provider will inform Recipient without undue delay.
By using the Service’s API, each such individual use constituting a transaction, Recipient authorizes Provider to process the data supplied in each such transaction using the configuration and parameters supplied in each such transaction.
2.4 Recipient shall serve as a single point of contact for Provider. Similarly, Provider will serve as a single point of contact for Recipient and is solely responsible for the internal coordination, review and submission of instructions or requests from Recipient to any Subprocessors.
2.5 Provider will comply with all Data Protection Laws in respect of the Services applicable to Processors and is responsible for the lawfulness of Provider’s Processing of Recipient Personal Data.
2.6 Processor does not collect or store Personal Data on Data Subjects, nor buy, sell or rent such information.
3. Technical and Organizational Measures
3.1 Provider will implement and maintain technical and organizational measures to ensure a level of security appropriate to the risk. The appropriateness of the measures is subject to technical progress and further development. Provider shall regularly monitor its compliance with the respective technical and organizational measures and will verify this monitoring upon Recipient’s request. At minimum, Recipient and Provider agree upon these measures:
- Provider will not store or retain any known personal data
- Any data stored by the Provider will only be stored pursuant to an API call to the Services by the Recipient instructing the Provider to do so, and that only data that has had all known personal data expunged (i.e., anonymized by removing the known personal data) shall be stored
- All processing of data by the Provider shall be accomplished in real time, in the context of each individual web service transaction in which the Recipient has submitted data for processing with instructions as embodied in such API call, and that such processing is to be performed only by software and never by humans
- All known personal data shall be returned to the Recipient by the Provider in the synchronous webservice response to a Recipient web service request, and not retained or stored by the Provider, and that therefore the Recipient shall be solely responsible for responding to Data Subjects’ requests to modify, obtain or delete their personal data, and that Recipient agrees that Provider cannot ever restore, retrieve, or make available personal data since it never retained any, as further described in Section 7
3.2 If changes to the technical and organizational measures agreed by the parties in writing or to the manner in which Provider implements these technical and organizational measures are required by Recipient, such changes shall be implemented by the Provider following Recipient’s instructions, unless Provider cannot or will not do so, in which case Provider shall notify Recipient accordingly and Recipient may elect to cease all use of the Services.
3.3 Provider provides Recipient with sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the Data Subjects, as described in “GDPR Compliance Analysis” at https://www.sovren.com/policies-and-agreements/gdpr-compliance-analysis/.
4. Data Subject Rights and Requests
4.1 To the extent permitted by law, Provider will inform Recipient without undue delay of requests from Data Subjects exercising their Data Subject rights (e.g. rectification, deletion and blocking of data) addressed directly to Provider regarding Recipient Personal Data. If Recipient is obliged to provide information regarding Recipient Personal Data to Other Controllers or third parties (e.g. Data Subjects or the Supervisory Authority), Provider shall assist Recipient in doing so by providing all required information that is in its possession. If Recipient or Other Controllers are obliged to provide information about the processing of Recipient Personal Data to a Data Subject, Provider shall assist Recipient in making the required information available to the extent that Provider has such information.
4.2 If a Data Subject brings a claim directly against Recipient for damages suffered due to Provider’s breach of this DPA or Data Protection Laws with regard to the processing of Recipient Personal Data, Provider will indemnify Recipient for any cost, charge, damages, expenses or loss arising from such a claim, provided that Recipient has notified Provider about the claim and gives Provider the opportunity to cooperate with Recipient in the defense and settlement of the claim.
5. Third Party Requests and Confidentiality
5.1 Provider will not disclose Recipient Personal Data to any third party, unless authorized by Recipient or required by mandatory law. If a government or Supervisory Authority demands access to Recipient Personal Data, Provider will notify Recipient prior to disclosure unless prohibited by law. If Provider is prohibited from notifying Recipient, Provider will take appropriate steps to challenge the prohibition through judicial action or other means (e.g., if the U.S. government serves a national security order on Provider to obtain Recipient Personal Data). Because Provider does not store, and will not store, known Personal Data, there is no store of Personal Data that Provider maintains that could be used in satisfaction of such requests.
5.2 Provider shall require all of its personnel authorized to process Recipient Personal Data, if any, to commit themselves to confidentiality and not Process such Recipient Personal Data for any other purposes, except on instructions from Recipient and/or Other Controllers or unless required by applicable law. Such an obligation of confidentiality shall include annual security and privacy training and continue indefinitely. Provider shall demonstrate its compliance with this obligation by providing sufficient proof to Recipient upon Recipient’s written request. Provider’s Services do not use human effort to process data ever in any sense whatsoever, and no known Personal Data is ever stored. Therefore, no Provider personnel have ever been authorized to process Recipient Personal Data, nor will be.
6. Information and Audit
6.1 The Provider is obliged to provide information in writing about the processing of Recipient Personal Data, including but not limited to the technical and organizational measures implemented and any Subprocessors engaged.
6.2 Provider shall allow for and contribute to audits, including inspections, conducted by Recipient and/or Other Controllers and the respective Supervisory Authorities or another auditor legally mandated by Recipient and/or Other Controllers to demonstrate compliance with Provider’s obligations set out in this DPA and the Data Protection Laws applicable to Provider in the performance of the Services. Provider may provide proof of the adherence to an approved code of conduct or an approved certification mechanism, or otherwise provide information, such as confirmation of a SOC 2 audit opinion, to Recipient which may be used as an element to demonstrate compliance with Provider’s obligations. Recipient or Other Controllers may reasonably assure themselves of Provider’s compliance at any of Provider’s business premises involved in the Processing of Recipient Personal Data, during Provider’s normal business hours, after prior notification. Provider will provide Recipient and/or Other Controllers access to Recipient Personal Data, if any, keeping in mind that Provider has stated herein that it does not store and will not store any known Personal Data, and/or access to any of its business premises involved in the Processing of Recipient Personal Data. To the extent Recipient is mandating another auditor, such other auditor shall not be a direct competitor of Provider with regard to the Services and shall be bound to confidentiality.
6.3 Upon Recipient’s request, Provider shall provide information on the material terms of the contracts in relation to the implementation of the data privacy obligations by Provider’s approved Subprocessors set out in Section 8.1, including, if necessary, by means of granting access to the relevant contract documents. Provider shall ensure that any audit and information rights towards Provider’s Subprocessors also apply directly to Recipient and/or Other Controllers as well as the respective Supervisory Authorities.
7. Return or Deletion of Recipient Personal Data
Provider does not store or retain Data Subject Personal Data. Recipient acknowledges that it is Recipient’s sole responsibility to store, edit and delete Data Subject Personal Data and to respond to requests by Data Subjects to view, edit, delete or otherwise interact with their Personal Data since Provider retains no such Personal Data.
8.1 The engagement of Subprocessors (including Provider Affiliates) by Provider requires Recipient’s explicit prior written approval. The fact that Recipient has agreed to the involvement of a respective subcontractor regarding the provision of Services, cannot be considered as an approval for such subcontractor to Process Recipient Personal Data as Subprocessor.
Recipient hereby explicitly approves the engagement of the Subprocessors listed in EXHIBIT 1. As noted in Exhibit 1, use of all Subprocessors is optional. Recipient’s use of any feature or API which requires use of a Subprocessor, is to be construed as Recipient’s consent to such subprocessing. Provider will notify Recipient in advance of any changes to Subprocessors at least 30 days in advance unless such notice period is practically or legally infeasible. Recipient shall not unreasonably object to any intended change. However, an objection from Recipient that is based on any Other Controllers’ objection of the respective Subprocessor shall always be considered as reasonable grounds to object. If Recipient objects to the appointment of a new Subprocessor, Recipient must immediately cease using the optional API call that would otherwise engage the services of the Subprocessor.
8.2 Provider shall impose the same data protection obligations as set out in this DPA on any approved Subprocessor prior to the Subprocessor Processing any Recipient Personal Data and ensure that the relevant obligations (including but not limited to the information and audit rights provided for in Section 6) can be directly enforced by Recipient or Other Controllers against the Provider’s Subprocessors.
8.3 Provider remains responsible for its Subprocessors and liable for their acts and omissions as for its own acts and omissions and any references to Provider’s obligations, acts and omissions in this DPA shall be construed as referring also to the Provider’s Subprocessors.
9. Transborder Data Processing
9.1 Provider makes available processing nodes physically located in various locations. Recipient may request a processing node within the EU and will be provided credentials and a URL endpoint that will process data only within the EU (with the possible exception of the optional geocoding Subprocessors, as described in Section 8). Sovren does not transfer Personal Data for processing outside of the processing node to which it is sent. Thus, data sent to the EU node for processing of Personal Data will always be processed only within the EU, and no EU Standard Contractual Clauses are necessary to comply with the GDPR. However, in the case that Recipient chooses to send EU Data Subjects’ Personal Data to the Services for processing at a node outside the EU, then the Standard Contractual Clauses will apply. Sovren’s Standard Contractual Clauses are found online at https://www.sovren.com/policies-and-agreements/standard-contractual-clauses/. The Standard Contractual Clauses will not apply to Personal Data that is not transferred, either directly or via onward transfer, outside the EEA.
10. Personal Data Breach
10.1 Provider will inform Recipient without undue delay of any suspected non-compliance with applicable Data Protection Laws or relevant contractual terms or in case of serious disruptions to operations or any other irregularities in the processing of the Recipient Personal Data. Provider will promptly investigate and rectify any non-compliance as soon as possible and upon Recipient’s request, provide Recipient with all information requested with regard to the suspected non-compliance.
10.2 Provider will notify Recipient without undue delay (and in no event later than 72 hours) after becoming aware of a Personal Data Breach in respect of the Services. Provider will promptly investigate the Personal Data Breach and will provide Recipient with reasonable assistance to satisfy any legal obligations (including obligations to notify Supervisory Authorities or Data Subjects) of Recipient and/or Other Controllers in relation to the Personal Data Breach, as set out in Section 11.1.
11. Assistance and Records
11.1 Taking into account the nature of Processing, Provider will assist Recipient by appropriate technical and organizational measures in the fulfillment of Recipient’s and/or Other Controllers’ obligation to comply with the rights of Data Subjects and in ensuring compliance with Recipient’s and/or Other Controllers’ obligations relating to the security of processing, the notification of a Personal Data Breach and the data protection impact assessment, taking into account the information available to Provider.
11.2 Provider will maintain an up-to-date record of the name and contact details of each Subprocessor of the Recipient Personal Data and, where applicable, the Subprocessors’ representative and data protection officer. Upon request, Provider will provide an up-to-date copy of this record to Recipient.
12.1 Whenever this DPA is referring to written form, electronic form such as email shall be sufficient.
12.2 Recipient and Provider agree that this DPA is part of the Agreement and is governed by its terms and conditions, unless otherwise required by applicable law. In case of conflict, the order of precedence in respect of the Processing of Recipient Personal Data shall be: Exhibits to this DPA, this DPA and then the Agreement. Where EU Standard Contractual Clauses are an integral part of this Agreement as set out in Section 9.1, the EU Standard Contractual Clauses shall prevail.
12.3 If an amendment to this DPA, including its Exhibits, is required in order to comply with applicable law or comply with requirements set out by Recipient’s Clients, Recipient will provide an amendment to this DPA with the required changes to Provider. Both parties will work together in good faith to promptly execute a mutually agreeable amendment to this DPA reflecting the requirements set out by Recipient’s Client. In case Provider is not able to accommodate the requested changes, Recipient may terminate all or part of the Agreements and this DPA with thirty (30) days’ written notice, and if it does so, must cease all use of the Service.
12.4 This DPA shall not restrict any applicable Data Protection Laws. If any provision in this DPA is ineffective or void, this shall not affect the remaining provisions. The parties shall replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision. In case a necessary provision is missing, the parties shall add an appropriate one in good faith.
12.5 Provider guarantees the prompt and satisfactory performance of its obligations and responsibilities under this DPA by Provider and Provider agrees that it shall be responsible for all costs associated with its compliance of such obligations.
| Subprocessor | Purpose | How to opt out |
|---|---|---|
| | Geocoding | Do not use geocoding feature or geocoding API |
| Bing | Geocoding | Do not use geocoding feature or geocoding API |