Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Jobilee Agreement (including any associated Order Form, Statement of Work, or Master Service Agreement entered into therewith) by and between Client and Andela (the “Agreement”). All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.

1. Definitions

  1. “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Supervisory Authority” will have the meanings given to them in the GDPR.
  2. “Data Protection Laws” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (“GDPR”), and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the European Economic Area (“EEA”), and all other data protection laws of the EEA including laws of the European Union (“EU”), the United Kingdom (“UK”) and Switzerland, each as applicable, and as may be amended or replaced from time to time.
  3. “Data Subject Rights” means all rights granted to Data Subjects by Data Protection Laws, including the right to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making.
  4. “International Data Transfer” means any transfer of Client Personal Data from the EEA, UK or Switzerland to an international organization or to a country outside of the EEA, UK, or Switzerland, and includes any onward disclosure of Client Personal Data to another recipient within that country, as well as any onward transfer of Client Personal Data from the international organization or the country outside of the EEA, UK, or Switzerland to another country outside of the EEA, UK, or Switzerland.
  5. “Client Personal Data” means any Personal Data that is subject to Data Protection Laws, for which Client or Third-Party Controller is the Controller, and which is Processed by Jobilee to provide the Services to Client.
  6. “Personnel” means any natural person acting under the authority of Jobilee.
  7. “Sensitive Data” means any type of Personal Data that is designated as a sensitive or special category of Personal Data or otherwise subject to additional restrictions under Data Protection Laws.
  8. “Standard Contractual Clauses” or “SCCs” mean the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (OJ L 199, 7.6.2021, p. 31-61), as amended or replaced from time to time.
  9. “Sub-processor” means a Processor engaged by another Processor to carry out Processing on behalf of a Controller.
  10. “Third-Party Controller” means a Controller for which Client is a Processor.
  11. “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022), available at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf.

2. Scope and Applicability

  1. The DPA applies to Processing of Client Personal Data by Jobilee to provide the Services.
  2. The subject matter, nature, and purpose of the Processing, the types of Client Personal Data and categories of Data Subjects are set out in Appendix I and the Agreement.
  3. Client is a Controller and appoints Jobilee as a Processor on behalf of Client. Client is responsible for compliance with the requirements of Data Protection Laws applicable to Controllers.
  4. To the extent Client is a Processor on behalf of a Third-Party Controller, Client engages Jobilee as a Sub-processor to Process Client Personal Data on behalf of that Third-Party Controller.
  1. When Client is acting on behalf of Third-Party Controller(s), then Client:

(i) is the single point of contact for Jobilee;

(ii) must obtain all necessary authorizations from such Third-Party Controller(s);

(iii) undertakes to issue all instructions and exercise all rights on behalf of such Third-Party Controller(s); and

(iv) is responsible for compliance with the requirements of Data Protection Laws applicable to Processors.

  1. Client acknowledges that Jobilee may Process Personal Data relating to the operation, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, and product development. Jobilee is the Controller for such Processing and will Process such data in accordance with Data Protection Laws.

3. Duration of this DPA

  1. This DPA is effective for as long as Jobilee Processes Client Personal Data on behalf of Client.

4. Collecting, Processing and Subprocessing of Client Personal Data

Client Data Collection and Processing

  1. Client will comply with its obligations under the Data Protection Laws in respect of its collecting and processing of Client Personal Data and any processing instructions it issues to Jobilee. Client represents that it has all rights, consents, and authorizations necessary for Jobilee to process Client Personal Data pursuant to Data Protection Laws and the Agreement.
  2. Client authorizes Jobilee, in providing the Services, to Process Client Personal Data in accordance with applicable laws.
  3. Upon notice in writing to Client, Jobilee may terminate the Agreement if Jobilee has determined, or has reason to believe, that Client is not in compliance with Data Protection Laws as a Controller or Processor.

Jobilee Data Processing

  1. Jobilee will comply with its obligations as a Processor under applicable Data Protection Laws and will process Client Personal Data to provide Services and in accordance with Client’s documented instructions. Client’s instructions are documented in this DPA and the Agreement. Client agrees that this DPA is its complete and final agreement with Jobilee in relation to the Processing or sub-processing of Client Personal Data.
  2. Jobilee will comply with documented instructions of Client related to Processing Client Personal Data. Unless prohibited by applicable law, Jobilee will inform Client if Jobilee is subject to a legal obligation that requires Jobilee to Process Client Personal Data in contravention of Client’s documented instructions.
  3. Client may reasonably issue additional instructions as necessary to comply with Data Protection Laws. Jobilee may charge a reasonable fee to comply with any additional instructions.
  4. Upon notice in writing, Client may terminate the Agreement if Jobilee declines to follow Client’s reasonable instructions that are outside the scope of, or changed from, those given or agreed to in this DPA, to the extent such instructions are necessary to enable Jobilee to comply with Data Protection Laws.

Sub-processing

  1. Client hereby authorizes Jobilee to engage Sub-processors, including its subsidiaries. A list of Jobilee’s current Sub-processors is available upon request to compliance@jobilee.co. Subject to any applicable disclaimers or limitations of liability, Jobilee remains responsible for the acts, errors, or omissions of its sub-processors to the extent applicable to Jobilee’s obligations under this DPA.
  2. Jobilee will enter into a written agreement with Sub-processors which imposes the same obligations as required by Data Protection Laws.
  3. Jobilee will inform Client prior to any intended change to Sub-processors. Client may object to the addition of a Sub-processor based on reasonable grounds relating to a potential or actual violation of Data Protection Laws by providing written notice detailing the grounds of such objection within thirty (30) days following Jobilee’s notification of the intended change. Client and Jobilee will work together in good faith to address Client’s objection. If Jobilee chooses to retain the Sub-processor, Jobilee will inform Client at least thirty (30) days before authorizing the Sub-processor to Process Client Personal Data, and Client may immediately discontinue using the relevant parts of the Services, and may terminate the relevant parts of the Services within thirty (30) days.

5. Technical and Organizational Security Measures

  1. Internal Data Security Measures by Jobilee
  2. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, prior to the commencement of any processing, Jobilee shall implement, establish and maintain commercially reasonable technical and organizational security measures. Jobilee shall present and document such technical and organizational security measures for review by Client. Such technical and organizational security measures shall become the foundation of the Services and are subject to technical progress and development. Jobilee may, from time to time, modify such technical and organizational security measures, so long as such measures do not materially reduce the protection afforded to Client Personal Data, and are reasonably documented.

Measures by Client

  1. Client is responsible for using and configuring the Services to enable Client to comply with Data Protection Laws, including implementing Client’s own appropriate and adequate technical and organizational measures. Client shall provide Jobilee with a copy of such measures and notify Jobilee in writing of any modifications. If Jobilee Talents use Client devices, laptops, or computers, Client shall present and document all technical and organizational security measures for review by Jobilee. Such technical and organizational security measures shall become the foundation of the Services and are subject to technical progress and development. Client may, from time to time, modify such technical and organizational security measures, so long as such measures are not reduced, and are appropriately documented.
  1. Personnel

Jobilee will take steps to ensure that all Personnel authorized by Jobilee to Process Client Personal Data are subject to an obligation of confidentiality.

  1. Prohibited Data

Client acknowledges and agrees that the Agreement may prohibit the submission of certain types of Personal Data (such as financial or health information). Client represents and warrants that neither Client nor any entity acting for or on behalf of Client will submit to Jobilee any Client Personal Data which is regulated under the Health Insurance Portability and Accountability Act without a separate Business Associate Agreement. In such events, Jobilee will take reasonable and appropriate steps to notify Client of its receipt of any prohibited data.

6. Notification and Assistance

  1. Jobilee will notify Client without undue delay after Jobilee becomes aware of a Personal Data Breach involving Client Personal Data.
  2. Jobilee will provide information relating to the Personal Data Breach as reasonably requested by Client to the extent such information is available to Jobilee. Jobilee will use reasonable efforts to assist Client in mitigating, where commercially reasonable and technically feasible, the adverse effects of a Personal Data Breach.
  3. Taking into account the nature of the Processing, and the information available to Jobilee, Jobilee will assist Client, including, as appropriate, by implementing technical and organizational measures, with the fulfilment of Client’s own obligations under Data Protection Laws to: (i) comply with requests to exercise Data Subject Rights; (ii) conduct data protection impact assessments and prior consultations with Supervisory Authorities; and (iii) notify a Personal Data Breach. Jobilee may charge a reasonable fee to Client for support services rendered in connection with this Section 6, which are not included in the description of the Services, and which are not attributable to failures on the part of Jobilee. If such support services reveal the failure of Jobilee to materially comply with its obligations under applicable Data Protection Laws or as otherwise set forth in this DPA, Jobilee and Client shall each bear their own costs related to assistance.
  4. Jobilee’s notification of or response to a Personal Data Breach pursuant to this Section 6 will not be construed as an acknowledgement by Jobilee of any fault or liability with respect to such Personal Data Breach.

7. Deletion or Return

  1. Pursuant to the Agreement, Jobilee will delete or return Client Personal Data that is in its possession and control as set forth in the Agreement except to the extent Jobilee is required by law to retain any Client Personal Data. Client may request return of Client Personal Data up to thirty (30) days after termination of the Agreement. Unless required or permitted by applicable law, Jobilee will delete all remaining copies of Client Personal Data within thirty (30) days after returning Client Personal Data to Client. Jobilee will notify Client prior to deletion.

8. Cooperation, Supervision and Audit

  1. Request for Data Protection

Upon notice from data subjects or data protection authorities (including requests from individuals seeking to exercise their rights under Data Protection Laws) to the extent regarding the Processing of Client Personal Data by Jobilee pursuant to the Agreement, Jobilee will forward such requests to Client. Unless legally required to do so, Jobilee will not respond to such communication without Client’s authorization. If Jobilee is required to respond to any request, Jobilee will notify Client and provide Client with a copy of the request, unless legally prohibited from doing so.

  1. Client Requests

Jobilee will cooperate with Client, at Client’s sole cost and expense, to respond to any requests from individuals or data protection authorities relating to the processing of Client Personal Data under this DPA to the extent that Client may be unable to access relevant Client Personal Data.

Jobilee shall inform Client if Jobilee believes any instruction or request violates Data Protection Laws.

Client shall document immediately any oral instructions in text form.

  1. Audit Requests

Jobilee audits its Technical and Organizational Security Measures against data protection and information security standards on a regular basis. Such audits are conducted by Jobilee’s internal team or a designated third party as engaged by Jobilee. Upon written request and subject to the confidentiality provisions of the Agreement, Jobilee will make available to Client all information necessary to demonstrate compliance with the obligations of this DPA and allow for and contribute to audits, including inspections, as mandated by a Supervisory Authority or reasonably requested by Client and performed by an independent auditor as agreed upon by Client and Jobilee.

Jobilee may request audits of Client’s Technical and Organizational Security Methods to ensure compliance with this DPA. Client will make available to Jobilee a summary of the most recent audit report and any other document reasonably required by Jobilee.

Either party requesting such audit information does so at their sole expense, and agrees to remunerate the other party of any costs associated with such audit requests.

Client’s request for an audit will not require Jobilee either to disclose to Client or its third-party auditor, or to allow Client or its third-party auditor to access:

Any data of any other client of Jobilee;

Jobilee’s internal accounting or financial information;

Any trade secrets of Jobilee or any client of Jobilee;

Any information that, in Jobilee’s reasonable opinion, could (i) compromise the security of Jobilee systems or premises; or (ii) cause Jobilee to breach its obligation under applicable law or its security and/or privacy obligations to any client or any third party; or

Any information that Client or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Client’s obligation under Data Protection Laws.

9. International Data Transfers

  1. Jobilee may transfer and process Client Personal Data as requested by Client in other locations around the world where Jobilee and its Sub-processors maintain operations as necessary to provide Services.
  2. Client hereby authorizes Jobilee to perform International Data Transfers:

to any country subject to a valid adequacy decision of the EU Commission or the competent authorities, as appropriate;

to the extent authorized by Supervisory Authorities or by the competent authority on the basis of an organization’s binding corporate rules;

to any data importer with whom Jobilee has entered into SCCs.

  1. By signing this DPA, Client and Jobilee hereby agree to include the provisions of module two (Controller to Processor) and, to the extent Client is a Processor on behalf of a Third-Party Controller, module three (Processor to Sub-processor) of the Standard Contractual Clauses, which are hereby incorporated into this DPA and completed as follows: the “data exporter” is Client; the “data importer” is Jobilee; the optional docking clause in Clause 7 is implemented; Clause 9(a) option 2 is implemented and the time period therein is specified as thirty (30) days;
  1. By signing this DPA, Client and Jobilee conclude the UK Addendum, which applies to International Data Transfers out of the UK in addition to the Standard Contractual Clauses.
  2. If Jobilee’s compliance with Data Protection Laws applicable to International Data Transfers is affected by circumstances outside of Jobilee’s control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then Client and Jobilee will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative SCCs are approved by the Supervisory Authorities or the new version of UK Addendum is approved, Jobilee reserves the right to amend the Agreement and this DPA by adding to or replacing, the SCCs or UK Addendum that form part of it at the date of signature in order to ensure continued compliance with Data Protection Laws.

10. Notifications

  1. Client will send all notifications, requests, and instructions under this DPA to Jobilee via email to: compliance@jobilee.co.
  2. Jobilee will send all notifications under this DPA to Client’s contact indicated in the Agreement.

11. Limitations of Liability

  1. To the extent permitted by applicable law, where Jobilee has paid compensation, damages, or fines, Jobilee is entitled to claim back from Client that part of the compensation, damages, or fines, corresponding to Client’s part of responsibility for the compensation, damages or fines.
  2. Parties agree that the total combined liability limit (including indemnifications of any kind) to one another shall be set as provided under the terms of the Agreement as executed between the Parties.

12. Miscellaneous

  1. Jobilee may modify the terms of this DPA as provided in the Agreement. Jobilee will notify Client of any such changes and effectiveness of such changes in accordance with this DPA or the Agreement. Changes to this DPA include, but are not limited to, the following circumstances:
  2. If required or ordered to do so by any supervisory, judicial, governmental, or regulatory entity.
  3. As required to implement or adhere to standard contractual clauses, various codes of conduct, policies, rules, procedures and any other mechanisms as required under Data Protection Laws.
  4. In the event of a conflict between the Agreement and this DPA with respect to the subject matter of this DPA, the terms of this DPA shall control to the extent of such conflict.
  5. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA, and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

APPENDIX I

DESCRIPTION OF THE TRANSFER

A. LIST OF PARTIES

Data exporter:

  • Name: Client
  • Contact person’s name, position and contact details
  • Activities relevant to the data transferred under these Clauses: Providing the Services as described in the Agreement.
  • Role (controller/processor): Controller, or Processor on behalf of Third-Party Controller

Data importer:

  • Name: Jobilee Inc.
  • Address: Illinois Address
  • Contact person’s name, position and contact details: , General Counsel, compliance@jobilee.co
  • Activities relevant to the data transferred under these Clauses: Providing the Services as described in the Agreement.
  • Role (controller/processor): Processor on behalf of data exporter, or Sub-processor on behalf of Third-Party Controller

 

B. DESCRIPTION OF TRANSFER

Categories of Data Subjects whose Personal Data is transferred:

Data subjects include Clients and the individuals about whom data is provided to Jobilee via the Services by (or at the direction of) Client.

Categories of Personal Data transferred:

Data relating to Clients or other individuals provided to Jobilee via the Services, by (or at the direction of) Clients. The personal data transferred may include: name, username, password, email address, telephone and fax number, title and other business information, general information about interest in and use of Jobilee’s services, and demographic information.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. Sensitive data is pseudonymized.

  • None anticipated.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):

  • On a continuous basis during the duration of the Services.

Nature of the processing:

  • The Personal Data will be processed and transferred as described in the Agreement.

Purpose(s) of the data transfer and further processing:

  • The Personal Data will be transferred and further processed for the provision of the Services as described in the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

  • Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

  • For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.

 

C. COMPETENT SUPERVISORY AUTHORITY

Pursuant to Clause 13, the supervisory authority of the EEA country where (i) Client is established; or where (ii) the EU representative of Client is established; or where (iii) the data subjects whose personal data are transferred under the SCCs in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.

APPENDIX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

  1. Confidentiality
  2. Electronic Access Control
  3. No unauthorized use of the Data Processing and Data Storage Systems, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media
  4. Internal Access Control (permissions for user rights of access to and amendment of data)
  5. No unauthorized Reading, Copying, Changes or Deletions of Data within the system as approvals are managed centrally, e.g., rights authorization concept, need-based rights of access, logging of system access events
  6. Isolation Control
  7. The isolated Processing of Personal Data, which is collected for differing purposes, e.g., multiple Client support, sandboxing;
  8. Employee Control
  9. Employees are bound by written confidentiality agreements
  10. Employees receive training on data privacy and data security
  11. Pseudonymisation (Article 32 Paragraph 1 Point a GDPR; Article 25 Paragraph 1 GDPR)
  12. The processing of Personal Data in such a method/way, that the data cannot be associated with a specific Data Subject without the assistance of additional Information, provided that this additional information is stored separately, and is subject to appropriate technical and organizational measures.
  13. Integrity
  14. Data Transfer Control
  15. No unauthorized Reading, Copying, Changes or Deletions of Data with electronic transfer or transport, e.g.: Encryption, Virtual Private Networks (VPN), electronic signature;
  16. Data Entry Control
  17. Verification, whether and by whom personal data is entered into a Data Processing System, is changed or deleted, e.g.: Logging, Document Management
  18. Job Control
  19. Jobilee’s employees and contractors may only process Client and personal data strictly in accordance with the Agreement’s obligations and Client instructions.
  20. Availability and Resilience
  21. Availability Control
  22. Prevention of accidental or willful destruction or loss, e.g.: Backup Strategy (online/offline; on-site/off-site), Uninterruptible Power Supply (UPS), virus protection, firewall, reporting procedures and contingency planning
  23. Rapid Recovery
  24. Procedures for Regular Testing, Assessment and Evaluation
  25. Data Protection Management
  26. Incident Response Management;
  27. Data Protection by Design and Default (Article 25 Paragraph 2 GDPR)
  28. Order or Contract Control
  29. No third-party data processing as per Article 28 GDPR without corresponding instructions from Client, e.g.: clear and unambiguous contractual arrangements, formalized order management, strict controls, duty of pre-evaluation, supervisory follow-up check.