HireVue Legal Center

Effective Jan 25, 2024
Version: 2.0

DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) forms part of and is supplemental to the written agreement (“Agreement”) between HireVue, Inc. (“HireVue” or “Company”) and the HireVue customer party thereto (herein referred to as “Customer”, but which may also be referred to in the Agreement or other relevant transaction document(s) as “Client,” “Buyer” or a comparable term, without distinction) pursuant to which HireVue provides and Customer purchases a subscription to access and use HireVue’s cloud-hosted and related services as further described in the Agreement (collectively, “Services”). For purposes of this DPA, references to HireVue shall include HireVue and its affiliates. The terms and conditions of this DPA shall be binding on the parties by mutual execution of the applicable transaction document (i.e., Agreement or Ordering Document) which includes reference to this DPA and as of the effective date of such Ordering Document (“DPA Effective Date”).

All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

  1. Definitions

    1.1 For the purposes of this DPA:

      1. “CCPA/CPRA” means, respectively, the California Consumer Privacy Act as amended by the California Privacy Rights Act, including the applicable regulations and any subsequent supplements, amendments, or replacements to the same.

      2. “Data Protection Laws” means all applicable laws and regulations related to privacy, security, protection and the handling of Personal Data, including without limitation, as applicable, European Area Data Protection Law, CCPA/CPRA or equivalent other State laws.

      3. “EEA” means the European Economic Area.

      4. “European Area” means the European Union, European Economic Area, Switzerland, and the United Kingdom of Great Britain and Northern Ireland (“UK”).

      5. “European Area Data Protection Law” means, as applicable, (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) (collectively “UK Data Protection Law”); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”); (iv) any successor or amendments thereto (including without limitation implementation of GDPR by Member States into their national law); or (v) any other applicable law relating to the data protection, security, or privacy of individuals that applies in the European Area.

      6. “Personal Data” shall have the meaning set forth in the applicable Data Protection Laws (e.g., any data that relates to an identified or identifiable natural person) or as otherwise referenced therein (e.g., personal information, personally identifiable information). For the sake of clarity, Personal Data does not include information that has been de-identified or aggregated such that the individual is no longer identifiable.

      7. The terms: “aggregate”, “Business”, “Business Purpose”, “Commercial Purpose”, “controller”, “deidentified”, “household”, “processor”, “pseudonymize”, “Service Provider”, “processing”, “Sell”, “Share”, “special categories of data” and “Data Subject” have the meanings given to them in the applicable Data Protection Laws.

      8. “Model Clauses” means (i) the agreement pursuant to the European Commission’s Implementing Decision 2021/914 published on 4 June 2021 and as adopted by the Swiss Federal Data Protection and Information Commissioner (“Swiss FDPIC”) on standard contractual clauses (“SCCs”) for the transfer of personal data to Third Countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, and any replacement, amendment or restatement of the foregoing issued by the European Commission (the “EU Model Clauses”); (ii) the international data transfer addendum (“UK Transfer Addendum”) adopted by the UK Information Commissioner’s Office (“UK ICO”) for data transfers from the UK to Third Countries; or (iii) any similar such clauses adopted by a data protection regulator relating to Personal Data transfers to Third Countries, including without limitation any successor clauses thereto.

      9. “Security Incident” means the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data; provided a Security Incident will not include (i) unsuccessful attempts or activities that do not compromise the security of Personal Data, including, without limitation, pings, port scans, denial of service attacks, network attacks on firewall or networked systems, or unsuccessful login attempts or (ii) incidental disclosure of or incidental access to Personal Data where no reasonable suspicion exists that such disclosure or access involves theft, or is fraudulent, criminal or malicious in nature, unless such incidental disclosure or incidental access triggers a notification obligation under applicable Data Protection Law.

      10. “Third Country” means a country that, where required by applicable Data Protection Laws, has not received an adequacy decision from an applicable authority relating to cross-border data transfers, including regulators such as the European Commission, UK ICO, or Swiss FDPIC.


2. Applicability of the DPA

2.1 This DPA will apply to the extent that HireVue processes Personal Data in the course of providing the Services. The details of the processing, including the specific Business Purposes for which HireVue is processing Personal Data, are further described in Appendix 1 hereto.

3. Roles and Responsibilities

3.1 Roles of the Parties. As between HireVue and Customer, Customer is generally the Controller and Business (collectively for purposes of this DPA, herein referred to as “Controller”) for the Personal Data that is provided to HireVue for processing under the Agreement and HireVue shall process the Personal Data as a Processor and Service Provider (collectively for purposes of this DPA, herein referred to as “Processor”) on behalf of Customer.

3.2 Controller Obligations. Controller shall be responsible for:

      1. Complying with all Data Protection Laws in respect of its disclosure of or providing access to the Personal Data, and any processing instructions it issues to Processor;

      2. Ensuring it has the right to receive, collect, transfer, or provide access to, the Personal Data to Processor for processing pursuant to the Agreement and this DPA;

      3. Ensuring that it shall not disclose (nor permit any Data Subject to disclose) any special categories of data to Processor for processing absent Processor’s express written request to do so; and

      4. Ensuring that all notices and consents are obtained from Data Subjects as necessary to meet Controller’s compliance obligations with applicable Data Protection Laws, including without limitation, ensuring template consent and notice statements provided by HireVue for Customer’s consideration are approved by Customer to meet such obligations.

3.3 Processor Obligations. Processor shall be responsible for:

    1. Complying with applicable Data Protection Laws in respect of its processing of Personal Data, in conformance with any processing instructions it receives from Controller.

    2. Retaining, using, disclosing, or otherwise processing the Personal Data only for the purposes described in the Agreement and the Business Purpose specified in Appendix 1 and in accordance with the lawful, documented instructions of Controller (including the instructions of any of Customer’s authorized users accessing the Services on Customer's behalf), as set out in the Agreement, this DPA or otherwise in writing.

    3. Ensuring it shall not Sell or Share Controller’s Personal Data, nor use, retain, disclose, or otherwise process Controller’s Personal Data outside of its business relationship with Controller or for any other Business Purpose or Commercial Purpose except as required by law.

    4. Informing Controller if Processor determines that it is no longer able to meet its obligations under Data Protection Laws or where in Processor’s reasonable opinion, any of Controller’s instructions infringes any Data Protection Laws.

    5. Controller reserves the right to take reasonable and appropriate steps to: (i) ensure Processor’s processing of Personal Data is consistent with Controller’s obligations under Data Protection Law; and (ii) discontinue and remediate unauthorized use of Personal Data.

    6. Ensuring it will not combine Personal Data which it Processes on Controller’s behalf, with Personal Data which it receives from or on behalf of another person or persons, or collects from its own interaction with any individual, provided that Processor may combine Personal Data to perform any Business Purpose permitted or required under the Agreement to perform the Services.

    7. Processor may pseudonymize Personal Data and to the extent such data is capable of being re-identified it shall remain protected as Personal Data hereunder; and Personal Data which has been pseudonymized, and is not reasonably expected to be re-identified, is deemed de-identified. Processor agrees that any pseudonymized or aggregated data used for Processor’s internal purposes (i.e., other than Processing) is conditioned upon Processor’s commitment to not re-identify such data and further commitment that in no event shall any such data be published unless pseudonymized in a manner that does not identify, and cannot be re-identified to, Customer or any individual Data Subject.

4. Security

4.1 Security. Processor shall implement appropriate technical and organisational measures to protect the Personal Data as set forth in Appendix 2.

4.2 Security Incidents. Upon becoming aware of a Security Incident, Processor shall notify Controller without undue delay and shall provide reasonable information and cooperation to Controller so that Controller can fulfill any data breach reporting obligations it may have under the Data Protection Laws. Processor shall further take such reasonably necessary measures or actions to minimize the impact of the Security Incident and shall keep Controller informed of all material developments in connection with the Security Incident.

5. Sub-processing

5.1 Sub-processors. Controller agrees that Processor may engage Processor’s affiliates and sub-processors (“Sub-processors”) to process Personal Data on Processor's behalf provided that:

      1. Processor shall maintain an up to date list of Sub-processors at https://www.hirevue.com/legal which it shall update with details of any change in Sub-processors prior to any such change and shall notify Controller in advance of such change via Customer’s subscription to such URL or otherwise through Controller’s customer account with Processor;

      2. Processor acknowledges that such Sub-processors are required to protect the Personal Data to the standard required by the Data Protection Laws; and

      3. Processor remains liable for any breach of this DPA caused by a Sub-processor.

5.2 Objection to Sub-processors. Controller may object to Processor's appointment or replacement of a Sub-processor as permitted by applicable Data Protection Laws and in such event, the parties shall cooperate in good faith to reach a resolution. If resolution cannot be reached, then Processor, at its discretion, will either not appoint or replace the Sub-processor; and if neither of the foregoing is feasible, then Controller may suspend provision of Personal Data to HireVue solely with respect to the Services that utilize the objectionable Sub-processor.

6. International Transfers

6.1 European Area Personal Data Transfers. Processor may process and transfer Personal Data originating from the European Area in and to the United States and Third Countries where its affiliates and its Sub-processors have operations. All data transfers and processing of Personal Data originating from the European Area shall be made in compliance with the applicable European Area Data Protection Law, and if Processor or a Sub-processor is in a Third Country, then the Model Clauses, Module Two (“Controller to Processor”), shall apply as to such transfer. If the Model Clauses apply, it is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the Model Clauses. To the extent Controller adopts an alternative data transfer mechanism (including any new version of or replacement for the Model Clauses adopted pursuant to Data Protection Laws) for the transfer of Personal Data (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall upon notice to Processor apply instead (but only to the extent such Alternative Transfer Mechanism complies with Data Protection Law and extends to the Third Countries to which Personal Data is transferred). In the event that Processor (and/or Sub-processors) are self-certified under the Data Privacy Framework (DPF), such certification has been deemed adequate under European Area Data Protection Law for processors in the United States and the Model Clauses shall not apply.

6.1.1 EEA Personal Data Transfers. For the purposes of the descriptions in the Model Clauses relating to EEA Personal Data Transfers: (i) Processor agrees that it is the “data importer” and Controller is the “data exporter”; (ii) Appendix 1- Details of Processing and Appendix 2 – Information Security Policy of this DPA shall form Annex I and Annex II of the Model Clauses, respectively, if applicable; (iii) Annex III of the Model Clauses shall be subject to General Authorization; and (iv) The Model Clauses shall be governed by the laws of Ireland.

6.1.2 Swiss Personal Data Transfers. Where Personal Data transfers are subject to the Swiss DPA: (i) References to “Regulation (EU) 2016/679” and any articles therefrom shall be interpreted to include references to the Swiss DPA; (ii) References to “EU”, “Union” and “Member State” shall be interpreted to include references to “Switzerland”; (iii) Appendix 1- Details of Processing and Appendix 2 – Information Security Policy of this DPA shall describe the applicable requirements for Annex I-III of the Model Clauses.

6.1.3 UK Personal Data Transfers. Where Personal Data transfers are subject to the UK Data Protection Law, each party agrees to be bound by the terms and conditions set out in the UK Transfer Addendum, attached to and incorporated by reference as Appendix 3, in exchange for the other Party also agreeing to be bound by the UK Transfer Addendum.

6.2 Other Country Transfers. For Personal Data transfers that are subject to other Data Protection Laws and require the use of SCCs (or other measures) to transfer Personal Data to Third Countries, the parties agree to implement the same as soon as practicable and document such requirements for implementation.

6.3 Onward Transfers. In connection with the provision of the Services to Controller, Processor may receive from or transfer and process Personal Data to Sub-processors located in Third Countries provided that its Sub-processors take measures to adequately protect such Personal Data consistent with Data Protection Laws. Such measures may include to the extent available and applicable under such laws, any of the following:

6.3.1 Adequacy. Processing in a country, a territory, or one or more specified sectors that are considered under Data Protection Laws as providing an adequate level of data protection;

6.3.2 SCCs. The parties’ agreement to enter into and comply with the Standard Contractual Clauses in Appendix 1 and Appendix 2 and any successors or amendments to such clauses or such other applicable contractual terms adopted and approved under Data Protection Laws;

6.3.3 BCR’s. Processing in compliance with Binding Corporate Rules (“BCR’s”) in accordance with Data Protection Laws; or

6.3.4 Other Approved Transfer Mechanisms. Implementing any other data transfer mechanisms or certifications approved under Data Protection Laws, including, as applicable, the DPF.

To the extent that any substitute or additional appropriate safeguards or mechanisms under any Data Protection Laws are required to transfer data to a Third Country the parties agree to implement the same as soon as practicable and document such requirements for implementation in an attachment to this DPA.

7. Cooperation

7.1 End User rights. Processor shall provide reasonable assistance to Controller, insofar as this is possible, to enable Controller to respond to requests from Data Subjects seeking to exercise their rights under the Data Protection Laws. In the event such request is made directly to Processor, Processor shall promptly inform Controller of the same.

7.2 Data protection impact assessments. Processor shall, taking into account the nature of the processing and the information available to it, provide reasonable assistance needed to fulfill Controller's obligation under the Data Protection Law to carry out data protection impact assessments and prior consultations with supervisory authorities.

7.3 Security and Processor’s third-party audits. Processor shall on a commercially reasonable basis, in addition to its obligations under Clause 4.1 above, regularly undergo third party audits against an industry standard (such as ISO 27001, SSAE 16, or SOC 2) for its Services. Upon written request, Processor shall provide as available a summary copy of its most recent audit report(s) to Controller in the form Processor provides to other customers. Disclosure of any such audit report shall be subject to Processor's confidentiality terms.

7.4 Controller audits. While it is the parties' intention ordinarily to rely on the provision of the security reports and information at 7.3 above to verify Processor's compliance with this DPA, Processor shall permit Customer (or its appointed third-party auditors) to carry out an audit of its processing of Personal Data under the Agreement following a Security Incident suffered by Processor, or upon the lawful instruction of a data protection authority. Controller must give Processor reasonable prior notice of such intention to audit, conduct its audit during normal business hours, take all reasonable measures to prevent unnecessary disruption to Processor's operations and be subject to Processor's standard confidentiality and security terms. The audit must also be reasonable in scope and duration, and to the extent practicable, Controller will rely on Processor’s security reports and information provided under 7.3 above in lieu of an independent audit of such covered controls.

8. Law Enforcement Request

8.1 Authority Request. If Processor becomes aware that any law enforcement, regulatory, judicial or governmental authority (an “Authority”) wishes to obtain access to or a copy of some or all of Controller’s Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited as part of a mandatory legal compulsion that requires disclosure of Personal Data to such Authority, Processor shall: (1) promptly, without undue delay, notify Controller of such Authority’s data access request, to the extent legally permissible; (2) inform the Authority that any and all requests or demands for access to Personal Data should be notified to or served upon Controller in writing; and (3) not provide the Authority with access to Personal Data unless and until authorized by Controller. In the event Processor is under a legal prohibition or a mandatory legal compulsion that prevents it from complying with (1)-(3) in full, Processor shall use reasonable and lawful efforts to challenge such prohibition or compulsion (and Controller acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended Authority access request). If Processor makes a disclosure of Personal Data to an Authority (whether with Controller’s authorization or due to a mandatory legal compulsion) Processor shall use best efforts to only disclose such Personal Data to the extent Processor determines it is legally required to do so and in accordance with applicable lawful process.

8.2 Imminent Risk. Clause 8.1 shall not apply in the event that, taking into account the nature, scope, context and purposes of the intended Authority’s access to the Personal Data, Processor has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual. In such event, Processor shall notify Controller as soon as possible following such Authority’s access and provide Controller with full details of the same, unless and to the extent Processor is legally prohibited from doing so.

8.3 Authority Requests. Processor shall use good faith efforts to not knowingly disclose Personal Data to an Authority in excess of a request (e.g., a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society). Processor shall have in place, maintain and comply with a process governing Personal Data access requests from Authorities which at minimum prohibits: (1) disclosure in excess of requested information (e.g., massive, disproportionate or indiscriminate disclosure of Personal Data) relating to data subjects in the EEA and the United Kingdom; and (2) disclosure of Personal Data relating to data subjects in the EEA and the United Kingdom to an Authority without a subpoena, warrant, writ, decree, summons or other legally binding order that compels disclosure of such Personal Data.

8.4 Interception Policy. Processor shall have in place and maintain, in accordance with good industry practice, measures to protect Personal Data from interception. This includes complying with industry best practices by having in place and maintaining network protection to deny attackers the ability to intercept data, and using encryption of Personal Data while in transit to deny attackers the ability to read Personal Data.

9. Return/Deletion of Data

9.1 Return or deletion of Personal Data. Upon termination or expiry of the Agreement, Processor shall delete or return to Controller the Personal Data (including copies) in Processor's possession in accordance with the terms of the Agreement and this DPA. This requirement shall not apply to the extent that Processor is required by applicable law to retain some or all of the Personal Data or to Personal Data archived on backup systems, provided the same remains protected under confidentiality obligations and subject to Data Protection Laws.

10. Miscellaneous

10.1 Any claims brought under this DPA shall be subject to the Agreement.

10.2 If there is a conflict between this DPA and the Agreement as to Personal Data, the DPA will control. In the event of a direct conflict between the Agreement and/or DPA and the Model Clauses or the SCCs, the Model Clauses or the SCCs, as applicable, shall control.

Appendix 1 –

Details of Processing and Transfer

 

  1. Data Exporter

    Company Name, Address, and Contact name, position, and contact information: Customer information as included in the Agreement or applicable Ordering Document

    Role: Controller

     

  2. Data Importer

    Company Name: HireVue, Inc.

    Address: 10876 S. River Front Parkway, Suite 500, South Jordan, UT

    Contact name, position, and contact information: Attn: Naziol Scott (nscott@hirevue.com)

    Role: Processor

     

  3. Activities relevant to the data transferred under these Clauses

    The activities relevant to the data transferred are the Services more fully described in the Agreement and applicable ordering documents.

  4. Processing Information

    Categories of Data Subjects whose Personal Data is transferred

    Job Candidates and/or Employees of Customer and, if applicable, its affiliates

    Categories of Personal Data transferred

    Contact Information such as:

    • name

    • email address

    • telephone number

     

    Application Data, as applicable based on Services scoped:

    • video and/or audio interview recording

    • Resume/CV data

    • Answers to job-related questions

     

    Automatically collected data: IP address

     

    Note: Special Categories of Personal Data may be transferred (optional, dependent on specific Services, and not with continuous frequency) and may include: race/gender/ethnic origin

    Sensitive Personal Data transferred

    See Note above

    Frequency of the transfer

    Continuous

    (Except for Special Categories – See Note above)

    Nature of the processing

    The nature of the processing is to enable use of Processor’s cloud-hosted and related services as more fully described in the Agreement and accompanying Ordering Documents.

    Purpose of the data transfer and further processing

    For processing involving California consumers, please select the Business Purpose(s) for processing Personal Data

    ☐ N/A

    ☒ Improving or building the quality of the Services.

    ☒ Preventing, detecting, or investigating data security incidents or protecting against malicious, deceptive, fraudulent or illegal activity.

    ☐ Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.

    ☒ Helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes.

     

    ☒ Debugging to identify and repair errors that impair existing intended functionality.

    ☐ Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a consumer’s current interaction with the business, provided that the consumer’s personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business.

    ☒ Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.

    ☐ Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer provided that, for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that the service provider or contractor receives from, or on behalf of, the business with personal information that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers.

    ☒ Undertaking internal research for technological development and demonstration.

    ☒ Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.

    Period for which the Personal Data will be retained or criteria used to determine that period

    During the term of the Agreement, the period for which the Personal Data will be retained is subject to Controller’s designated retention and deletion periods. Once the contract expires or terminates, the retention and deletion periods are more fully described in the Agreement, DPA, and accompanying Ordering Documents.

    Sub-processor transfers – subject matter, nature, and duration of processing

    The subject matter, nature, and duration of the Processing are more fully described in the Agreement, DPA, and accompanying Ordering Documents.

  5. Signatures

    The Parties agree that to the extent required and applicable as set forth herein, the Model Clauses and the UK Transfer Addendum are incorporated by reference and that by executing the DPA, each party is deemed to have executed the Model Clauses and the UK Transfer Addendum.

    Processing operations

  6. EEA, Swiss and UK Model Clause Information:

    SCC Clause

    GDPR

    Swiss DPA

    UK Data Protection Law

    Module in Operation

    Module Two (Controller to Processor)

    Clause 7-Docking Clause

    An entity that is not a party to these clauses may, with the agreement of the parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex

    1.A

    Clause 9(a)- Use of Sub-processors

    GENERAL WRITTEN AUTHORISATION: The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its

    right to object.

    Clause 11 (Redress)

    Optional language in Clause 11 shall not apply

    Clause 17-Governing Law

    These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

    These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Switzerland.

    These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of England and Wales.

    Clause 18 –Choice of Forum and Jurisdiction

    (b) The parties agree that those shall be the courts of Ireland.

    The parties agree that those shall be the competent courts of Switzerland.

    The parties agree that those shall be the competent courts of England and Wales.

    Annex 1A- List of Parties

    The name, address, and contact person’s name, position, and contact details, and each party’s role in processing personal data are provided in Section 1, 2, and 3 above

    Annex 1B –Description of Transfer

    This information can be found in Section 4 above.

     

    To the extent applicable, the descriptions of safeguards applied to the special categories of Personal Data can be found in Appendix 2 to the DPA.

    Clause 13 and Annex 1C –Competent Supervisory Authority

    Identify the competent supervisory authority/ies in accordance with Clause 13:

     

    Irish Data Protection Commissioner

    Identify the competent supervisory authority/ies in accordance with Clause 13:

     

    FDPIC

    Identify the competent supervisory authority/ies in accordance with Clause 13:

     

    UK Informational Commissioner

    Annex II –Technical and Organizational

    Measures

     

    The description of technical and organization measures designed to ensure the security of Personal Data is described more fully in Appendix 2 to the DPA.

    Annex II –Technical and Organizational Measures –Subprocessors

    Annex III – List of Subprocessors

    https://www.hirevue.com/legal

    Ending the UK Transfer Addendum when the Approved Addendum changes

    GDPR: N/A

    Swiss DPA: N/A

    UK Data Protection Law: Which Parties may end this Addendum as set out in Section 19:

    ☒ Importer

    ☒ Exporter

    ☐ Neither Party

Appendix 2 – Information Security Policy

    1. Information Security Policies and Standards

      The Data Importer will implement appropriate security requirements for staff and all subcontractors, Service Providers, or agents who have access to Personal Data. These are designed to:

      • Prevent unauthorized persons from gaining access to Personal Data processing systems (physical access control);

      • Prevent Personal Data processing systems being used without authorization (logical access control);

      • Ensure that persons entitled to use a Personal Data processing system gain access only to such Personal Data as they are entitled to access in accordance with their access rights and that, in the course of Processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorization (data access control);

      • Ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control);

      • Ensure that Personal Data are Processed solely in accordance with the Instructions (control of instructions); and

      • Ensure that Personal Data are protected against accidental destruction or loss (availability control).

      These requirements are kept up to date and revised whenever relevant changes are made to an information system that uses or houses Personal Data, or to how that system is organized.

    2. Physical Security

      The Data Importer will maintain commercially reasonable physical security systems at all Data Importer sites at which an information system that uses or houses Personal Data is located, and restricts access to such Personal Data appropriately.

      Physical access control has been implemented for all data centers. Unauthorized access is deterred and detected 24×7 through onsite staff and surveillance camera monitoring, and data center physical security is audited by an independent firm.

    3. Organizational Security

      When media are to be disposed of or reused, procedures have been implemented to prevent any subsequent retrieval of Personal Data stored on them before they are withdrawn from the inventory. When media are to leave the premises at which the files are located as a result of maintenance operations, procedures have been implemented to prevent unauthorized retrieval of Personal Data stored on them.

      The Data Importer has implemented security policies and procedures to classify sensitive information assets, clarify security responsibilities and promote security awareness among employees.

      All Personal Data security incidents are managed in accordance with appropriate incident response procedures.

      All sensitive data transmitted by the Data Importer are encrypted in transit and when stored on Data Importer information systems.

    4. Network Security

      The Data Importer maintains network security using commercially available measures and industry standard techniques, including intrusion detection systems and access control lists.

    5. Access Control

      Only authorized staff can grant, modify or revoke access to an information system that uses or houses Personal Data.

      User administration procedures define user roles and their privileges and how access is granted, changed and terminated; address appropriate segregation of duties; and define the logging and monitoring requirements and mechanisms.

      All employees of the Data Importer are assigned unique user IDs.

      Access rights are implemented adhering to a “least privilege” based approach.

      The Data Importer implements commercially reasonable security measures to create and protect passwords.

    6. Virus and Malware Controls

      The Data Importer installs and maintains appropriate anti-virus and malware protection software on its systems.

    7. Personnel

      The Data Importer implements a security awareness program to train personnel about their security obligations. This program includes training about security practices and security incident reporting.

      The Data Importer has clearly defined roles and responsibilities for its employees. Personnel are screened before employment, and terms and conditions of employment are applied appropriately.

    8. Disaster Recovery

      The Data Importer implements appropriate disaster recovery and business resumption plans. The Data Importer reviews both its business continuity plan and its risk assessment regularly. Business continuity plans are tested and updated regularly to ensure that they remain current and effective.