Data Processing Addendum

Last updated

Feb 17, 2023

This Data Processing Addendum (“DPA”) is incorporated into, and is subject to the terms and conditions of, the Customer Agreement, or other written or electronic agreement (“Agreement”) between Eqtble, Inc. (“eqtble”) and the entity identified as “Customer” in the Agreement (“Customer”). This DPA shall apply where eqtble Processes Customer Personal Data (as defined below) on behalf of Customer in connection with providing the eqtble Product to Customer where such Processing is subject to the Data Protection Laws (as defined below). This DPA shall be effective for the term of the Agreement.

1. Definitions

1.1. For the purposes of this DPA:

1.1.1. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data, including as applicable a “Business” as defined under the CCPA;

1.1.2. “Customer Personal Data” means the Personal Data described under Schedule 1 to this DPA, in respect of which Customer is the Controller;

1.1.3. “CCPA” means the California Consumer Privacy Act, including as modified by the California Privacy Rights Act (“CPRA”) when the CPRA takes effect, together with any applicable implementing regulations;

1.1.4. “Data Protection Laws” means all applicable laws relating to data protection and privacy including without limitation, the CCPA, the GDPR and member state laws implementing the GDPR, the United Kingdom’s Data Protection Act 2018 and applicable privacy laws of any other jurisdiction, each as amended, repealed, consolidated or replaced from time to time;

1.1.5. “EU SCCs” means the Standard Contractual Clauses approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, supplemented, updated or replaced from time to time;

1.1.5. “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;

1.1.6. “Personal Data”, “Data Subject”, “Personal Data Breach” and “Processing” will each have the meaning given to them in the Data Protection Laws. The term “Personal Data” includes “personal information,” “personally identifiable information,” and equivalent terms as such terms may be defined by the Data Protection Laws. The term “Personal Data Breach” includes equivalent terms as defined by the Data Protection Laws;

1.1.7. “Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined under the CCPA; and

1.1.8. “UK SCCs” means the Standard Contractual Clauses for controller to processor transfers set forth in the European Commission’s decision (C(2010)593) of 5 February 2010.

1.2. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.

2. Processing of Customer Personal Data

2.1. The parties acknowledge and agree that Customer is the Controller of Customer Personal Data and eqtble is the Processor of that data. eqtble will only Process Customer Personal Data as a Processor on behalf of and in accordance with Customer’s prior written instructions. eqtble is hereby instructed to Process Customer Personal Data to the extent necessary to enable eqtble to provide the eqtble Product in accordance with the Agreement. A description of Processing is set forth in Schedule 1. If applicable laws preclude eqtble from complying with Customer’s instructions, eqtble will inform Customer of its inability to comply with the instructions, to the extent permitted by law.

2.2. To the extent eqtble’s Processing of Customer Personal Data is subject to the CCPA, eqtble shall not (1) retain, use, or disclose Customer Personal Data other than as provided for in the Agreement, as needed to provide the eqtble Product, or as otherwise permitted by the CCPA; (2) combine Customer Personal Data with Personal Data eqtble receives from other customers or individuals (except as permitted by the CCPA); or (3) sell Customer Personal Data. eqtble shall notify Customer if it determines that it cannot meet its obligations under the CPRA. Upon receiving written notice from Customer that eqtble has Processed Customer Personal Data without authorization, eqtble will stop and remediate such Processing. eqtble certifies that it understands and will comply with the restrictions contained in this Section 2.2.

2.3. Each of Customer and eqtble will comply with their respective obligations under the Data Protection Laws.

2.4. With respect to Customer Personal Data originating from the European Economic Area (“EEA”) that is transferred from Customer to eqtble in the United States, the parties agree to comply with the general clauses and with “Module Two” (Controller to Processor) of the EU SCCs, which are incorporated herein by reference, with Customer as the “data exporter” and eqtble as the “data importer.”

  • For purposes of the EU SCCs the parties agree that:

    • In Clause 7, the optional docking clause will not apply;

    • In Clause 9, Option 2 will apply and the time period for prior notice of Sub-Processor changes will be as set forth in Section 4.1 of this DPA;

    • In Clause 11, the optional language will not apply;

    • For the purposes of Clause 15(1)(a), eqtble shall notify Customer (only) and not the Data Subject(s) in case of government access requests and Customer shall be solely responsible for promptly notifying the affected Data Subjects as necessary;

    • In Clause 17, the EU SCCs shall be governed by the laws of Ireland;

    • In Clause 18(b), the parties agree to submit to the jurisdiction of the courts of Ireland;

    • In Annex I, Section A (List of Parties), (i) the data exporter’s and the data importer’s identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the EEA are those set forth in the Agreement or as otherwise communicated by each party to the other party; (ii) Customer is a Controller, and eqtble is a Processor; (iii) the activities relevant to the data transferred under the EU SCCs relate to the provision of the Services pursuant to the Agreement; and (iv) entering into this DPA shall be treated as each party’s signature of Annex I, Section A, as of the effective date of this DPA;

    • In Annex I, Section B (Description of Transfer): (i) Schedule 1 to this DPA describes eqtble’s Processing of Customer Personal Data; (ii) the frequency of the transfer is continuous (for as long as Customer uses the Services); (iii) Customer Personal Data will be retained in accordance with Clause 8.5 of the EU SCCs and this DPA; (iv) eqtble uses sub-Processors to support the provision of the Services.

    • In Annex I, Section C (Competent Supervisory Authority), the competent supervisory authority identified in accordance with Clause 13 of the EU SCCs is the competent supervisory authority communicated by Customer to eqtble. Unless and until Customer communicates a competent supervisory authority to eqtble, the competent supervisory authority shall be the Irish Data Protection Commission.

    • In Annex II, data importer has implemented and will maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Customer Personal Data as described at https://security.eqtble.com/.

  • If the transfer of Customer Personal Data is subject to the Swiss Federal Act on Data Protection, the parties agree to rely on the EU SCCs as implemented above with the following modifications: (i) the Federal Data Protection and Information Commissioner (FDPIC) will be the competent supervisory authority under Clause 13 of the EU SCCs; (ii) the parties agree to abide by the GDPR standard in relation to all Processing of Customer Personal Data that is governed by the Swiss Federal Act on Data Protection; (iii) the term ‘Member State’ in the EU SCCs will not be interpreted in such a way as to exclude Data Subjects who habitually reside in Switzerland from initiating legal proceedings in Switzerland in accordance with Clause 18(c) of the EU SCCs; and (iv) references to the ‘GDPR’ in the EU SCCs will be understood as references to the Swiss Federal Act on Data Protection insofar as the transfer of Customer Personal Data is subject to the Swiss Federal Act on Data Protection.

    With respect to transfers from Customer to eqtble of Customer Personal Data originating from the United Kingdom, the parties agree to comply with the UK SCCs, which are incorporated herein by reference. The parties agree that, for the UK SCCs: (i) Customer is the “data exporter”, and eqtble is the “data importer”; (ii) all references to the “Directive 95/46/EC” and its provisions shall be deemed to refer to the relevant provisions of the UK GDPR and the Data Protection Act 2018 of the United Kingdom; (iii) all references to the “Commission” shall be deemed to refer to the Information Commissioner; (iv) all references to the “European Economic Area” or the “European Union” shall be deemed to refer to the United Kingdom; (v) for Appendix 1 to the UK SCCs, information about the exporter and importer, the categories of Data Subjects, types of Personal Data and type of Processing operations are as set out in Schedule 1 to this DPA; and (vi) for Appendix 2 to the UK SCCs, the security measures are as described at https://security.eqtble.com/. The parties acknowledge that the Information Commissioner’s Office has not yet approved new standard contractual clauses under the UK GDPR. The UK SCCs will apply only until such time as the Information Commissioner’s Office issues new standard contractual clauses under the UK GDPR. If the Information Commissioner’s Office approves the EU SCCs for transfers from the UK, the parties agree to adopt the EU SCCs as the mechanism to legitimize such transfers. Where necessary, the parties shall work together, in good faith, to enter into an updated version of the UK SCCs or negotiate an alternative solution to enable transfers of Customer Personal Data in compliance with Data Protection Laws.

3. Confidentiality and Security

3.1. eqtble will require eqtble’s personnel who access the Customer Personal Data to commit to protect the confidentiality of the data.

3.2. eqtble will implement appropriate technical and organisational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data as described at https://security.eqtble.com/.

3.3. eqtble will provide Customer with reasonable assistance as necessary for the fulfilment of Customer’s obligation to implement security measures to protect Customer Personal Data under Article 32 of the GDPR.

4. Sub-Processing

4.1. Customer agrees that eqtble may engage sub-Processors to process Customer Personal Data on Customer's behalf. The sub-processors currently engaged by eqtble and authorized by Customer are available on Schedule 3. eqtble will inform Customer of any intended changes concerning the addition or replacement of any sub-Processors and Customer will have an opportunity to object to such changes on reasonable grounds within fifteen (15) business days after being notified. If the parties are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party.

4.2. eqtble will impose on the sub-Processors substantially the same obligations that apply to eqtble under this DPA. Where any of its sub-Processors fails to fulfil its data protection obligations, eqtble will be liable to Customer for the performance of its sub-Processors’ obligations.

4.3. The parties agree that the copies of the Sub-processor agreements that must be provided by eqtble to Customer pursuant to Clause 9(c) of the EU SCCs and Clause 5(j) of the UK SCCs, if applicable, may have commercial information or clauses unrelated to the EU or UK SCCs, removed by eqtble beforehand; and, that such copies will be provided by eqtble, in a manner to be determined in its discretion, only upon Customer’s written request.

5. Data Subject Rights

5.1. eqtble will provide Customer with assistance necessary for the fulfilment of Customer’s obligation to respond to requests for the exercise of Data Subjects’ rights. eqtble shall not respond to such requests without Customer’s prior written consent and written instructions. Customer shall be solely responsible for responding to such requests.

6. Personal Data Breaches

6.1. eqtble will notify Customer without undue delay after it becomes aware of any Personal Data Breach affecting any Customer Personal Data. At Customer’s request, eqtble will promptly provide the Customer with all reasonable assistance necessary to enable Customer to notify relevant security breaches to the competent data protection authorities and/or affected Data Subjects, if Customer is required to do so under Data Protection Laws. Customer is solely responsible for complying with Personal Data Breach notification requirements applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breach.

7. Data Protection Impact Assessment; Prior Consultation

7.1. eqtble will provide Customer with reasonable assistance to facilitate conducting data protection impact assessments and consultation with data protection authorities, if Customer is required to engage in such activities under Data Protection Laws, and solely to the extent that such assistance is necessary and relates to the Processing by eqtble of the Customer Personal Data, taking into account the nature of the Processing and the information available to eqtble.

8. Return or Deletion of Customer Personal Data

8.1. eqtble will return or delete, at Customer’s choice, Customer Personal Data to Customer after the end of Customer’s use of the eqtble Product relating to the Processing, and delete existing copies unless the applicable law of the European Union, its Member States or the United Kingdom requires storage of the data. The parties agree that certification of deletion of Customer Personal Data as described in Clause 8.5 of the EU SCCs and Clause 12(1) of the UK SCCs, if applicable, shall be provided only upon Customer’s request. Notwithstanding the foregoing, eqtble may retain Customer Personal Data to the extent and for the period required by applicable laws provided that eqtble maintains the confidentiality of all such Customer Personal Data and Processes such Customer Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage. For deletion requests please send an email to support@eqtble.com.

9. Information

9.1. eqtble will provide Customer with all information necessary to enable Customer to demonstrate compliance with its obligations under Data Protection Laws, and allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, to the extent that such information is within eqtble’s control and eqtble is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party, and provided that such audits shall be carried out with reasonable notice during regular business hours not more often than once per year. The parties agree that the audits described in the EU and UK SCCs, if applicable, shall be performed in accordance with this Section 9. eqtble will immediately inform Customer if, in its opinion, an instruction from Customer infringes the Data Protection Laws.

10. Liability

10.1. Each party’s liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.

10.2. Customer acknowledges that eqtble is reliant on Customer for direction as to the extent to which eqtble is entitled to Process Customer Personal Data on behalf of Customer in performance of the eqtble Product. Consequently, eqtble will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by eqtble in compliance with Customer’s instructions or (b) Customer’s failure to comply with its obligations under the Data Protection Laws.

11. General Provisions

11.1. With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail.

SCHEDULE 1

Details of Processing

1. Categories of Data Subjects. This DPA applies to the Processing of Customer Personal Data relating to Customer’s employees, job applicants, contractors, and other authorized users (“Employees”).

2. Types of Personal Data. Customer Personal Data includes human resources data, the extent of which is determined and controlled by the Customer in its sole discretion, such as names, job titles, phone numbers, email addresses, device identifiers and internet activity data, demographic information, employment and education histories, and any other Personal Data that may be transmitted through the eqtble Product by Customer’s Employees.

3. Subject-Matter and Nature of the Processing. The subject-matter of Processing of Customer Personal Data by eqtble is the provision of the eqtble Product to the Customer. Customer Personal Data will be subject to those Processing activities which eqtble needs to perform in order to provide the eqtble Product pursuant to the Agreement.

4. Purpose of the Processing. Customer Personal Data will be Processed by eqtble for purposes of providing the eqtble Product as set out in the Agreement.

5. Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 8 of the DPA.