Data Protection Agreement

Effective as of January 2024

This Data Processing Agreement (DPA) is established between Adaface and the Customer and, where relevant, Customer’s Affiliates. This DPA forms part of, and is governed by, the terms outlined in the Agreement.

1. Definitions

Terms not defined in this DPA shall carry the meanings ascribed to them in the Agreement.

"Agreement" refers to Adaface’s Terms of Service, including any applicable service level agreements, instructions, policies, and ordering documents, or any other applicable agreement governing the Services provided to the Customer by Adaface.

"Customer Personal Data" encompasses any data collected or accessed by Adaface Services on behalf of the Customer, including log data, session information, user and usage data, threat intelligence, and potentially malicious files. Customer Personal Data may include confidential and personal data, such as uploaded tests, assessments, candidate outputs, communications, IP addresses, and file-related metadata.

"Data Protection Laws" refers to all applicable laws governing data protection that are relevant to Adaface’s processing of Customer Personal Data under this DPA, including but not limited to GDPR and CCPA.

"DPA" refers to this Data Processing Agreement between Adaface and the Customer.

For terms that carry specific definitions under the GDPR, such as “Data Subject” or “Processing,” the GDPR’s definitions shall apply. All undefined terms shall be interpreted in line with the Agreement.

2. Scope

In providing the Services, Adaface processes Customer Personal Data solely to the extent necessary, as outlined in the documented instructions provided by the Customer through the Agreement, this DPA, and any subsequent updates. If Adaface deems any Customer instruction to be in breach of Data Protection Laws, Adaface will notify the Customer promptly.

3. Responsibilities of Processing Personal Data as a Processor

3.1. Processing Instructions

To the extent Adaface processes personal data on behalf of the Customer as a processor (as defined by applicable Data Protection Laws), Adaface shall do so only in accordance with documented instructions from the Customer as established in this DPA and the Agreement, for the operation and provision of the Services, and as permitted or required by applicable law. Such instructions may include the configuration of the Product by the Customer, which may affect the processing of Customer Personal Data. If Adaface believes that an instruction from the Customer infringes applicable Data Protection Laws, it will notify the Customer immediately.

3.2. Processing Required by Law

In the event that Adaface is required by applicable law to process Customer Personal Data in a way that is not expressly authorized by this DPA or the Agreement, Adaface will inform the Customer of such legal requirement before processing, unless that law prohibits this disclosure. This allows the Customer the opportunity to issue revised instructions or discontinue use of the Services in response.

3.3. Compliance with Applicable Data Protection Laws

Adaface will process Customer Personal Data in compliance with applicable Data Protection Laws and will, upon request, make available to the Customer any information reasonably necessary to demonstrate compliance with the obligations laid out in Article 28 of the GDPR and other applicable Data Protection Laws.

3.4. Data Subject Requests

Adaface shall provide reasonable assistance to the Customer to comply with its obligations related to data subject rights, as stipulated by applicable Data Protection Laws. Taking into account the nature of the processing and the information available to Adaface, if Adaface or any sub-processor receives a request from a data subject regarding their Customer Personal Data, Adaface will forward the request to the Customer, unless prohibited by applicable law.

3.5. Authorized Personnel

Adaface shall ensure that any personnel authorized to process Customer Personal Data are bound by confidentiality obligations or statutory duties of confidentiality. Adaface will ensure that only personnel who need access to Customer Personal Data to fulfill Adaface’s obligations under the Agreement and this DPA are granted such access. Except where required by law, Adaface will not share Customer Personal Data with third parties other than authorized sub-processors.

3.6. Retention and Deletion

Adaface shall retain Customer Personal Data no longer than necessary for the purposes outlined in this DPA or the Agreement. Upon termination of the Agreement, Adaface shall, upon the Customer’s written request, either delete or provide options to return, erase, or render the data unrecoverable. This obligation does not apply to non-Customer Personal Data, such as data on Candidate test results generated by the Services.

4. Details of Customer Data Being Processed

4.1. Subject Matter

The subject matter of the processing under this DPA is Customer Personal Data, which may include Customer-provided data but explicitly excludes any Candidate personal data.

4.2. Duration

Adaface may process Customer Personal Data under this DPA until the Agreement’s termination or expiration.

4.3. Purpose

The purpose of processing Customer Personal Data under this DPA is to enable Adaface to deliver the Services and fulfill obligations outlined in the Agreement.

4.4. Nature of Processing

To provide Services under the Agreement, Adaface will process Customer Personal Data upon documented instructions and in accordance with this DPA.

4.5. Categories of Data Subjects

Customer determines the scope and categories of Customer Personal Data disclosed to Adaface, which may include the following data subjects:

• Employees, contractors, consultants, and individuals associated with Customer or its clients and partners.
• Other individuals whose data is processed as part of Adaface Services.

4.6. Categories of Personal Data

Customer determines the categories of Customer Personal Data disclosed to Adaface, which may include:

• Identification and contact data (e.g., name, address, phone number, title, email).
• Employment details (e.g., job title, manager).
• Test answers and test results.
• IT information (e.g., IP addresses, online identifiers).
• Security event information collected by Services.
• Unstructured data provided by Customer for support services.

5. Sub-Processors

The Customer authorizes Adaface to engage sub-processors (listed in Appendix 1) for processing Customer Personal Data. In the event Adaface engages a new sub-processor, it will notify the Customer via the support portal at least seven (7) days prior, allowing the Customer the opportunity to object. If the Customer raises a reasonable objection to a new sub-processor, Adaface will make commercially reasonable efforts to offer alternative options that do not involve the sub-processor. Adaface remains liable for the sub-processor’s compliance with this DPA and is responsible for any actions or omissions of the sub-processor that cause Adaface to breach its obligations under this DPA.

6. Cross-Border Transfers

If Customer Personal Data is transferred outside the European Economic Area (EEA), Adaface shall ensure that such transfers are compliant with GDPR, using appropriate safeguards. Execution of this DPA constitutes agreement to the Standard Contractual Clauses (SCCs), incorporated herein by reference, for such data transfers.

7. Information Security Measures

Adaface has implemented a range of measures to protect Customer Personal Data. These include strong encryption, access control, network security, and an incident response plan, designed to safeguard data from unauthorized access, accidental loss, or malicious activity.

8. Data Protection Impact Assessment

Upon request, Adaface will provide reasonable cooperation to the Customer in performing data protection impact assessments (DPIAs) related to the Customer’s use of the Services.

9. Incident Response and Security Incidents

Adaface shall implement and maintain an incident response plan, detailing actions for containment, investigation, and remediation of any Security Incidents involving Customer Personal Data. In the event of a Security Incident, Adaface will notify the Customer without undue delay, investigate the incident, and provide relevant details to assist the Customer in meeting any legal obligations related to the incident. Adaface will take reasonable steps to mitigate the impact of any such Security Incident, as required by applicable Data Protection Laws.

10. Limitation of Liability

The limitations on liability set forth in the Agreement apply to any claims arising from or related to any breach of the terms in this DPA, whether such liability arises in contract, tort, or any other theory of liability. Each party’s liability, in aggregate, arising out of or related to this DPA, is subject to the liability cap and exclusions as specified in the Agreement. Notwithstanding the above, Adaface will be liable for any breach of this DPA caused by its sub-processors to the same extent it would be liable if performing the services of each sub-processor directly, subject to the Agreement’s limitations.

11. Term and Termination

The terms of this DPA shall remain effective throughout the term of the Agreement and shall terminate automatically upon the termination of the Agreement.

Appendix 1: List of Subprocessors