LAST REVISION: Jun 2024
This Data Processing Addendum (“DPA”) supplements and is incorporated into the agreement referencing this DPA (“Agreement”) entered into by WECP Talent Analytics Inc., a Delaware corporation, and WECP Private Limited, a company registered under Indian law (together with their Affiliates, “WECP”) and the customer entering into that Agreement (“Customer”) (WECP and Customer being the “parties” under this DPA). This DPA applies to the extent WECP processes personal data in connection with Customer’s use of the Services under the Agreement.
“Data Protection Laws” means all data protection and privacy laws applicable to a party in its respective role with respect to personal data under the Agreement, including, where each is applicable:
(i) the California Consumer Privacy Act of 2018, as may be amended, including as amended by the California Privacy Right Act (“CCPA”);
(ii) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”);
(iii) the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018;
(iv) the Swiss Federal Data Protection Act of 19 June 1992 and its ordinances;
(v) the laws of India governing protection and/or privacy of personal data or personal information; and
(vi) the laws of any state of the United States governing protection and/or privacy of personal data or personal information.
“SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved pursuant to Commission Decision (EU) 2021/914 of 4 June 2021, currently available at: Standard Contractual Clauses - International Transfers.
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data that is personal data transmitted, stored, or otherwise processed by WECP.
“Services” means as defined in the Agreement.
“Sub-processor” means any other processor engaged by WECP to process personal data in connection with the Services.
“UK Addendum” means the UK Addendum to the SCCs, issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, currently available at: UK Addendum to the SCCs.
Terms Defined by Law: As used in this DPA, the terms “controller,” “data subject,” “natural person,” “personal data,” “processing” (and derivatives thereof), “processor” and their equivalent terms used in applicable Data Protection Laws, will each have the meaning given to it by applicable Data Protection Laws or, if not defined by applicable Data Protection Laws, each will have the meaning given to it by the GDPR.
Equivalent Terms: Where the CCPA or other Data Protection Laws that use the following terms apply to this DPA, references in this DPA to: “controller” includes “Business”; “processor” includes “Service Provider”; “data subject” includes “Consumer”; and “personal data” includes “Personal Information,” in each case as the latter is defined by the CCPA or the applicable Data Protection Law.
Capitalized Terms: Capitalized terms not defined in this DPA will have the same meaning as in the Agreement.
2.1. Controller and Processor.
The parties acknowledge and agree that: (a) Customer will determine the purposes and means of the processing of personal data; (b) WECP will process personal data on behalf of Customer. To the extent applicable, for the purposes of GDPR, UK GDPR, and other Data Protection Laws using these terms, Customer is the “controller” of personal data and WECP is the “processor” of personal data on behalf of Customer. To the extent applicable, for the purposes of the CCPA, Customer is a "business" and WECP is the "service provider.”
2.2. Scope of DPA.
This DPA applies to, and references to personal data within this DPA refer to, personal data of which Customer is the controller and WECP is the processor.
Schedule 1 (Details of Processing) of this DPA sets forth details of WECP’s processing of personal data.
4.1. Customer Instructions.
(a) WECP will process personal data only: (i) in accordance with Customer’s documented, reasonable, and lawful instructions; or (ii) as otherwise agreed upon by the parties or as required by applicable law, and if required by law, WECP will notify Customer in writing of that legal requirement before processing unless the law prohibits this on important grounds of public interest.
(b) The parties agree that the Agreement (including this DPA) and the performance of WECP’s obligations thereunder set out Customer’s instructions to WECP for the processing of personal data and that processing outside the scope of the Agreement, if any, requires prior written agreement of the parties.
(c) WECP will immediately inform Customer if, in WECP’s opinion, processing instructions given by Customer infringe on applicable Data Protection Laws.
4.2. Purpose Limitation.
WECP will process personal data only for the purpose of providing the Services to Customer as described in the Agreement unless it receives further instructions from Customer.
5.1. Technical and Organizational Measures.
WECP will implement at least the technical and organizational measures described at the following webpage (“Technical and Organizational Measures”) to ensure the security of personal data, which includes protecting personal data against Security Incidents: WECP Technical and Organizational Measures.
5.2. Technical and Organizational Measures Assessment and Updates.
In assessing the appropriate level of personal data security, the parties will take account of the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks involved for the data subjects. The parties acknowledge and agree that Technical and Organizational Measures are subject to technical progress and development such that WECP may occasionally update or modify its Technical and Organizational Measures, provided that any update and/or modification does not materially diminish the overall security of the Services or the protection afforded to personal data.
5.3. Confidentiality of Processing.
WECP will grant access to personal data to its personnel only to the extent necessary for implementing, managing, or monitoring the Services provided to Customer. WECP will ensure that its personnel authorized to process personal data have committed themselves to maintaining confidentiality or are under an appropriate statutory obligation of confidentiality with respect to personal data.
The Services are not intended for the processing of sensitive data, sensitive personal information, or special categories of personal data (as each is defined by applicable Data Protection Laws). Customer will not provide (or cause to be provided) any sensitive data, sensitive personal information, or special categories of personal data to WECP for processing under the Agreement, unless the parties otherwise agree in writing.
7.1. Compliance With Data Protection Laws.
Each party will comply with and be able to demonstrate its compliance with all Data Protection Laws applicable to that party in its performance under this DPA.
7.2. Inquiry Response.
WECP will deal promptly and adequately with inquiries from Customer about the processing of personal data.
7.3. Audit Rights.
WECP will maintain and make available to Customer information reasonably necessary to demonstrate WECP’s compliance with this DPA. To the extent permitted by applicable Data Protection Laws, Customer may conduct an audit of processing under this DPA by itself or through an independent auditor (subject to reasonable confidentiality obligations) and Customer’s request, WECP will permit and contribute to audits of the processing activities covered by this DPA at reasonable intervals or if there are reasonable indications of WECP’s non-compliance with this DPA. Any audit under this DPA may be conducted upon at least 30 days prior written notice to WECP, at Customer’s sole expense, and during normal business hours. The parties will mutually agree in advance on the reasonable scope of any audit, including but not limited to, the audit start date, scope, duration, and applicable security controls.
7.4. Audit Terms.
Customer may request an audit of processing activities conducted under this DPA, upon at least 30 days prior written notice to WECP. The parties will mutually agree in advance on the reasonable scope of any audit, including but not limited to, the audit start date, scope, duration, and applicable security controls. Audits will be conducted at Customer’s sole expense and during normal business hours. Any audits conducted in accordance with the SCC’s will be subject to the audit terms of this DPA.
8.1. General Authorization.
WECP has Customer’s general authorization to engage the Sub-processors listed on WECP’s Sub-processor page, available at: WECP Sub-processor List.
8.2. Sub-processor Changes.
If WECP replaces or adds new Sub-processors, WECP will make commercially reasonable efforts to provide Customer with notice of the replacement or addition at least 30 days prior to, but will in any case provide notice at least 10 days prior to, the Sub-processor addition or replacement. WECP will provide notice by maintaining an updated list of Sub-processors on WECP’s Sub-processor page noted above and also by email if Customer subscribes to receive updates by email via the Sub-processor page noted above.
8.3. Sub-processor Objections.
Customer may object to the appointment or replacement of a Sub-processor prior to the appointment or replacement, provided that the objection is in writing and based on reasonable grounds related to data protection. If Customer objects to the appointment of a new Sub-processor, WECP and Customer will discuss commercially reasonable alternative solutions in good faith. If WECP and Customer cannot reach a resolution within 30 days after the date WECP receives Customer’s written objection, Customer may discontinue the use of the affected Services by providing written notice to WECP, without prejudice to fees owed for the time period unaffected by the discontinuation. If Customer does not raise an objection prior to WECP replacing or adding a Sub-processor, Customer will be deemed to have authorized the new Sub-processor.
8.4. Sub-processor Obligations.
Where WECP engages Sub-processors, it will do so by way of a contract which imposes on the Sub-processor, in substance, personal data protection obligations at least as protective of personal data as those imposed on WECP under this DPA.
8.5. Responsibility for Sub-processors.
WECP will be responsible for each Sub-processor's compliance with the obligations of this DPA and with applicable Data Protection Laws. WECP will remain fully responsible to Customer for the performance of WECP's obligations under the Agreement, notwithstanding WECP's engagement of any Sub-processor.
9.1. Transfer of Data.
WECP may transfer and process Customer personal data to and in the United States, India, and anywhere else in the world where WECP, its Affiliates, or its Sub-processors maintain data processing operations. WECP will transfer personal data solely in performance of its obligations under the Agreement.
9.2. Transfer Mechanism; SCCs.
If WECP transfers personal data to or through the Services, either directly or by onward transfer, from the European Economic Area or Switzerland to the United States or any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection to personal data, then that transfer will be governed by and made pursuant to the SCCs.
9.3. SCC Schedule.
Schedule 2 to this DPA sets forth certain details of WECP’s processing of personal data in accordance with the SCCs, if and to the extent the SCCs apply.
10.1. Notification of Data Subject Requests.
WECP will promptly notify Customer of any request it receives from a data subject. WECP will not respond to the request itself except as reasonably appropriate (for example, to confirm receipt or direct the data subject to contact Customer) or as may be legally required or authorized by Customer.
10.2. Assistance.
WECP will assist Customer in fulfilling Customer’s obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing, and in accordance with Customer’s lawful instructions.
10.3. Assessments and Consultations.
Taking into account the nature of the processing and the information available to WECP in each case, WECP will assist Customer in complying with any of Customer’s obligations required by applicable Data Protection Laws with respect to the following: (a) the obligation to carry out an assessment of the impact of WECP’s processing of personal data; (b) the obligation to consult with regulatory authorities that may be required; and (c) the obligation to ensure that personal data is accurate and up to date.
10.4. Where WECP is a Controller.
For clarity, nothing in the DPA will restrict or prevent WECP from responding to a data subject or data protection authority requests in relation to personal data for which WECP is a controller (as opposed to the processor).
11.1. Security Incident Notification.
If WECP becomes aware of a Security Incident, WECP will notify Customer without undue delay, and in any case, within seventy-two (72) hours after becoming aware of the Security Incident. WECP may send notification of a Security Incident by any notification means set forth in the Agreement or, in any case, by email to the administrator contact that Customer designates in Customer’s account within the Services.
11.2. Notification Details.
WECP’s notification of a Security Incident will at least contain a description of: (a) the nature of the Security Incident, including, where possible, the categories and approximate number of data subjects and records concerned; (b) the details of a contact point where more information concerning the Security Incident can be obtained; and (c) the likely consequences and the measures taken or proposed to be taken to address the Security Incident, including to mitigate its possible adverse effects. If, and to the extent, WECP is not reasonably able to provide all the information at the same time, WECP’s initial notification will contain the information then available and it will provide further information without undue delay as it becomes available.
11.3. Reporting Assistance.
WECP will provide reasonable assistance to Customer in the event Customer is required by applicable Data Protection Law to notify a regulatory authority or any data subjects impacted by a Security Incident.
11.4. Mitigation.
WECP will take reasonable steps to investigate and, as necessary, address and mitigate an actual or threatened Security Incident. WECP’s notification or addressing of, or response to, a Security Incident will not be construed as an acknowledgment by WECP of any fault or liability with respect to the Security Incident.
Following termination of the Agreement, WECP will, at the choice of Customer, delete or return to Customer all personal data processed by WECP, except to the extent applicable law requires the retention of any personal data. If Customer does not notify WECP of Customer's preferred choice within 30 days following termination of the Agreement, WECP will delete Customer’s data in accordance with WECP’s standard data deletion cycle. Until the personal data is deleted or returned, it will remain subject to the terms of this DPA.
13.1. Governing Law.
This DPA will be governed by, and construed in accordance with, the governing law of the Agreement, and any dispute between WECP and Customer will be subject to the exclusive jurisdiction of the forum set forth in the Agreement unless otherwise required by applicable Data Protection Laws.
13.2. Term.
This DPA will remain in effect for as long as WECP processes personal data on behalf of Customer.
13.3. Order of Precedence.
In the event of any conflict or inconsistency between this DPA and any other part of the Agreement, the provisions of first the SCCs and then of this DPA will prevail over any provisions of any documents of the Agreement to the contrary.
13.4. Agreement Unchanged.
Except for any modifications to the Agreement as may be made by this DPA, the Agreement remains unchanged and in full force and effect.
13.5. No Third-Party Beneficiaries.
No one other than the parties to this DPA and their successors and permitted assigns will have any right to enforce any terms of this DPA, but without prejudice to the rights available to data subjects under applicable Data Protection Laws or this DPA (including the SCCs).
14.1. California. Where WECP’s processing of personal data is subject to the CCPA as personal information under the CCPA, the following terms will apply to supplement the DPA and will control over any conflicting provisions of the DPA:
(a) Each party will comply with its obligations under the CCPA.
(b) Any data subject rights and WECP’s obligations with respect to those data subject rights, as described in this DPA, also apply to Consumer rights under the CCPA.
(c) The parties intend for WECP’s provision of the Services and the exercise of its rights under the Agreement or as permitted by the CCPA to constitute a “business purpose” under the CCPA.
(d) WECP will not “sell” or “share” personal information, as each term is defined by the CCPA.
(e) WECP will not retain, use, or disclose personal information outside of the direct business relationship between WECP and Customer.
(f) WECP will not combine personal information controlled by Customer with personal information WECP receives from other customers, except as permitted by the Agreement or applicable Data Protection Laws.
(g) WECP will take steps to ensure that Sub-processors or any other person engaged by WECP to assist in the processing of personal information are “Service Providers” under the CCPA, and WECP will enter into a written agreement with each service provider obligating the service provider to the applicable requirements under the CCPA.
(h) WECP will notify Customer if WECP makes a determination that it can no longer meet its obligations under the CCPA.
(i) Customer will have the right, upon notice to WECP, to take reasonable and appropriate steps to stop and remediate any unauthorized use of personal information and to help ensure that WECP uses the personal information in a manner consistent with Customer’s obligations under the CCPA.
14.2. United Kingdom.
Where WECP’s processing of personal data is subject to UK GDPR, the UK Addendum to the SCCs included with this DPA will apply.
1. Categories of Data Subjects.
The categories of data subjects whose personal data may be processed are:
(a) Customer’s employees and contractors;
(b) Candidates for employment invited to use the Services by Customer; and
(c) Other persons designated by Customer to use the Services in connection with Customer’s use under the Agreement.
2. Categories of Personal Data Processed.
WECP may process the following categories of personal data in providing the Services:
(a) Identifiers: Including first and last name, username, email address, business title, contact information, password, country, and photograph if using certain features that provide for photographs.
(b) Internet or other electronic network activity information: Technical data to the extent relating to a data subject in the form of IP address and the features accessed and interactions taken with respect to the Services.
(c) Results: Results of a data subject's ranking, performance, or scoring to the extent they relate to a data subject in connection with the use of features of the Services.
(d) Provided data: Any other personal data that a data subject provides to WECP when signing up for, using, or requesting support for the Services or that Customer requests the data subject provide or WECP collect in connection with Customer’s use of the Services (such as personal data Customer requests of a data subject in connection with an assessment).
3. Sensitive Data.
WECP does not intentionally, and the parties do not anticipate that WECP will, collect or process any “special categories of personal data” or “sensitive personal information” (as each is defined by applicable Data Protection Laws) in connection with the use or provision of the Services.
4. Nature of Processing.
WECP will process personal data in connection with the provision of WECP Services as set forth in the Agreement.
5. Frequency and Duration of Processing.
Personal data is processed on a continuous basis until the data is deleted or returned to Customer in accordance with the Agreement.
1. Module 2 (Controller to Processor).
For transfers of personal data where the SCCs apply, the SCCs will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
The “data exporter” is Customer; and
The “data importer” is WECP.
Module Two (Controller to Processor) of the SCCs will apply as set forth throughout the SCCs where Customer is a controller of personal data and WECP is the processor of personal data.
2. Specific Clauses.
The following clauses of the SCCs will apply as set forth below:
In Clause 7 of the SCCs, the Docking Clause will apply.
In Clause 9 of the SCCs, Option 2 (general written authorization) will apply and the time period for prior notice of Sub-processor changes will be as set forth in Section 8.2 (Sub-processor Changes) of this DPA.
In Clause 11 of the SCCs, the optional language will not apply.
In Clause 17 of the SCCs, the SCCs will be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they will be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The parties agree that this will be the law of Ireland.
In Clause 18(b) of SCCs, the parties agree that the courts of the EU Member State for resolution of disputes arising from the SCCs will be the courts of Ireland.
3. Appendix to SCCs.
The Annexes to this DPA set forth information that populates the corresponding Annex to the SCCs.
Data Exporter: Customer
(i) Contact Information: The email address(es) designated by Customer as the administrator of Customer’s account within the Services.
(ii) Signature and Date: By entering into the Agreement, as of the Effective Date of the Agreement, Data Exporter is deemed to have signed the SCCs incorporated herein, including their Annexes.
(iii) Role: As set forth in Section 2 (Roles of the Parties) of this DPA.
Data Importer:
WECP Talent Analytics Inc. and WECP Private Limited
(i) Contact Information: WECP at dpo@wecreateproblems.com
(ii) Signature and Date: By entering into the Agreement, as of the Effective Date of the Agreement, Data Importer is deemed to have signed the SCCs incorporated herein, including their Annexes.
(iii) Role: As set forth in Section 2 (Roles of the Parties) of this DPA.
The technical and organizational measures are as described in the DPA.
The controller has authorized the use of the following sub-processors: As authorized by the DPA.
Where WECP’s processing of personal data is subject to Data Protection Laws of the United Kingdom (including the UK GDPR and Data Protection Act of 2018), the SCC terms above in this Schedule will apply, as supplemented or modified by the UK Addendum, as follows:
Table 1: Parties. In Table 1 of the UK Addendum: The party details are as set forth in the foregoing Annex I to the SCCs.
Table 2: Selected SCCs, Modules, and Selected Clauses. In Table 2 of the UK Addendum: The version of the Approved EU SCCs (as defined by the UK Addendum) which this UK Addendum is appended to, detailed below, including the Appendix Information: The SCCs made part of the agreement between the parties hereto.
Table 3: Appendix Information. In Table 3 of the UK Addendum:
(i) The list of parties is set forth in the foregoing Annex I to the SCCs;
(ii) The description of the transfer is set forth in the foregoing Annex I to the SCCs;
(iii) The technical and organizational measures are set forth in the foregoing Annex II of the SCCs; and
(iv) The list of sub-processors is set forth in the foregoing Annex III to the SCCs.
Table 4: Ending this Addendum when the Approved Addendum Changes. In Table 4 of the UK Addendum: The option “neither party” will be deemed selected.
The SCCs are deemed amended as set forth in Part 2 of the UK Addendum.