This Data Processing Addendum (“DPA”) is incorporated into, and is subject to the terms and conditions of, the Customer Agreement, or other written or electronic agreement (“Agreement”) between Eqtble, Inc. (“eqtble”) and the entity identified as “Customer” in the Agreement (“Customer”). This DPA shall apply where eqtble Processes Customer Personal Data (as defined below) on behalf of Customer in connection with providing the eqtble Product to Customer where such Processing is subject to the Data Protection Laws (as defined below). This DPA shall be effective for the term of the Agreement.
1.1. For the purposes of this DPA:
1.1.1. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data, including as applicable a “Business” as defined under the CCPA;
1.1.2. “Customer Personal Data” means the Personal Data described under Schedule 1 to this DPA, in respect of which Customer is the Controller;
1.1.3. “CCPA” means the California Consumer Privacy Act, including as modified by the California Privacy Rights Act (“CPRA”) when the CPRA takes effect, together with any applicable implementing regulations;
1.1.4. “Data Protection Laws” means all applicable laws relating to data protection and privacy including without limitation, the CCPA, the GDPR and member state laws implementing the GDPR, the United Kingdom’s Data Protection Act 2018 and applicable privacy laws of any other jurisdiction, each as amended, repealed, consolidated or replaced from time to time;
1.1.5 “EU SCCs” means the Standard Contractual Clauses approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, supplemented, updated or replaced from time to time;
1.1.5. “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
1.1.6. “Personal Data”, “Data Subject”, “Personal Data Breach” and “Processing” will each have the meaning given to them in the Data Protection Laws. The term “Personal Data” includes “personal information,” “personally identifiable information,” and equivalent terms as such terms may be defined by the Data Protection Laws. The term “Personal Data Breach” includes equivalent terms as defined by the Data Protection Laws;
1.1.7. “Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined under the CCPA; and
1.1.8. “UK SCCs” means the Standard Contractual Clauses for controller to processor transfers set forth in the European Commission’s decision (C(2010)593) of 5 February 2010.
1.2. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
2. Processing of Customer Personal Data
2.1. The parties acknowledge and agree that Customer is the Controller of Customer Personal Data and eqtble is the Processor of that data. eqtble will only Process Customer Personal Data as a Processor on behalf of and in accordance with Customer’s prior written instructions. eqtble is hereby instructed to Process Customer Personal Data to the extent necessary to enable eqtble to provide the eqtble Product in accordance with the Agreement. A description of Processing is set forth in Schedule 1. If applicable laws preclude eqtble from complying with Customer’s instructions, eqtble will inform Customer of its inability to comply with the instructions, to the extent permitted by law.
2.2. To the extent eqtble’s Processing of Customer Personal Data is subject to the CCPA, eqtble shall not (1) retain, use, or disclose Customer Personal Data other than as provided for in the Agreement, as needed to provide the eqtble Product, or as otherwise permitted by the CCPA; (2) combine Customer Personal Data with Personal Data eqtble receives from other customers or individuals (except as permitted by the CCPA); or (3) sell Customer Personal Data. eqtble shall notify Customer if it determines that it cannot meet its obligations under the CPRA. Upon receiving written notice from Customer that eqtble has Processed Customer Personal Data without authorization, eqtble will stop and remediate such Processing. eqtble certifies that it understands and will comply with the restrictions contained in this Section 2.2.
2.3. Each of Customer and eqtble will comply with their respective obligations under the Data Protection Laws
3. Confidentiality and Security
3.1. eqtble will require eqtble’s personnel who access the Customer Personal Data to commit to protect the confidentiality of the data.
3.2. eqtble will implement appropriate technical and organisational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data as described at https://security.eqtble.com/.
3.3. eqtble will provide Customer with reasonable assistance as necessary for the fulfilment of Customer’s obligation to implement security measures to protect Customer Personal Data under Article 32 of the GDPR.
4.1. Customer agrees that eqtble may engage sub-Processors to process Customer Personal Data on Customer's behalf. The sub-processors currently engaged by eqtble and authorized by Customer are available on Schedule 3. eqtble will inform Customer of any intended changes concerning the addition or replacement of any sub-Processors and Customer will have an opportunity to object to such changes on reasonable grounds within fifteen (15) business days after being notified. If the parties are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party.
4.2. eqtble will impose on the sub-Processors substantially the same obligations that apply to eqtble under this DPA. Where any of its sub-Processors fails to fulfil its data protection obligations, eqtble will be liable to Customer for the performance of its sub-Processors’ obligations.
4.3. The parties agree that the copies of the Sub-processor agreements that must be provided by eqtble to Customer pursuant to Clause 9(c) of the EU SCCs and Clause 5(j) of the UK SCCs, if applicable, may have commercial information or clauses unrelated to the EU or UK SCCs, removed by eqtble beforehand; and, that such copies will be provided by eqtble, in a manner to be determined in its discretion, only upon Customer’s written request.
5. Data Subject Rights
5.1. eqtble will provide Customer with assistance necessary for the fulfilment of Customer’s obligation to respond to requests for the exercise of Data Subjects’ rights. eqtble shall not respond to such requests without Customer’s prior written consent and written instructions. Customer shall be solely responsible for responding to such requests.
6. Personal Data Breaches
6.1. eqtble will notify Customer without undue delay after it becomes aware of any Personal Data Breach affecting any Customer Personal Data. At Customer’s request, eqtble will promptly provide the Customer with all reasonable assistance necessary to enable Customer to notify relevant security breaches to the competent data protection authorities and/or affected Data Subjects, if Customer is required to do so under Data Protection Laws. Customer is solely responsible for complying with Personal Data Breach notification requirements applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breach.
7. Data Protection Impact Assessment; Prior Consultation
7.1. eqtble will provide Customer with reasonable assistance to facilitate conducting data protection impact assessments and consultation with data protection authorities, if Customer is required to engage in such activities under Data Protection Laws, and solely to the extent that such assistance is necessary and relates to the Processing by the eqtble of the Customer Personal Data, taking into account the nature of the Processing and the information available to the eqtble.
8. Return or Deletion of Customer Personal Data
8.1. eqtble will return or delete, at Customer’s choice, Customer Personal Data to Customer after the end of Customer’s use of the eqtble Product relating to the Processing, and delete existing copies unless the applicable law of the European Union, its Member States or the United Kingdom requires storage of the data. The parties agree that certification of deletion of Customer Personal Data as described in Clause 8.5 of the EU SCCs and Clause 12(1) of the UK SCCs, if applicable, shall be provided only upon Customer’s request. Notwithstanding the foregoing, eqtble may retain Customer Personal Data to the extent and for the period required by applicable laws provided that eqtble maintains the confidentiality of all such Customer Personal Data and Processes such Customer Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage.
9.1. eqtble will provide Customer with all information necessary to enable Customer to demonstrate compliance with its obligations under Data Protection Laws, and allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, to the extent that such information is within eqtble’s control and eqtble is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party, and provided that such audits shall be carried out with reasonable notice during regular business hours not more often than once per year. The parties agree that the audits described in the EU and UK SCCs, if applicable, shall be performed in accordance with this Section 9. eqtble will immediately inform Customer if, in its opinion, an instruction from Customer infringes the Data Protection Laws.
10.1. Each party’s liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.
10.2. Customer acknowledges that the eqtble is reliant on Customer for direction as to the extent to which eqtble is entitled to Process Customer Personal Data on behalf of Customer in performance of the eqtble Product. Consequently the eqtble will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by the eqtble in compliance with Customer’s instructions or (b) from Customer’s failure to comply with its obligations under the Data Protection Laws.
11. General Provisions
11.1. With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail.
Details of Processing
1. Categories of Data Subjects. This DPA applies to the Processing of Customer Personal Data relating to Customer’s employees, job applicants, contractors, and other authorized users (“Employees”).
2. Types of Personal Data. Customer Personal Data includes human resources data, the extent of which is determined and controlled by the Customer in its sole discretion, such as names, job titles, phone numbers, email addresses, device identifiers and internet activity data, demographic information, employment and education histories, and any other Personal Data that may be transmitted through the eqtble Product by Customer’s Employees.
3. Subject-Matter and Nature of the Processing. The subject-matter of Processing of Customer Personal Data by eqtble is the provision of the eqtble Product to the Customer. Customer Personal Data will be subject to those Processing activities which eqtble needs to perform in order to provide the eqtble Product pursuant to the Agreement.
4. Purpose of the Processing. Customer Personal Data will be Processed by eqtble for purposes of providing the eqtble Product as set out in the Agreement.
5. Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 8 of the DPA.