This Data Processing Agreement (“DPA”) supplements the Master Services Agreement (the “MSA” or the “Agreement”) by and between Customer and any of its Approved Affiliates (collectively, “Customer”) and Onboarded, Inc. (“Onboarded”). In the event of any conflict between the Agreement and the terms of this DPA, this DPA shall govern.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and any applicable regulations.
“Customer Data” has the same meaning as in the MSA, namely Personal Data provided by Customer for purposes of obtaining Services under the Agreement.
“Data Controller” means the entity that determines the purposes and means of the Processing of Personal Data, including as applicable any “business” as that term is defined by the CCPA.
“Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, communications secrecy, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the CCPA, GDPR, the UK GDPR, and the Swiss Federal Act on Data Protection 2020. For the avoidance of doubt, if the parties’ processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this DPA.
“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
“EU Personal Data” means Personal Data the sharing of which pursuant to this Agreement is regulated by the General Data Protection Regulation or the Swiss Federal Act on Data Protection 2020.
“GDPR” means the General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council together with any subordinate legislation or regulation implementing the General Data Protection Regulation.
“Personal Data” has the same meaning as in the MSA. It includes “personal data” as defined by the GDPR, “personal information” as defined by the CCPA, and “personally identifiable information” as defined by other applicable Data Privacy Laws. Personal Data does not include publicly available information excluded from the definition of “Personal Data” under applicable Data Privacy Laws. Further, Personal Data does not include data exempted under applicable Data Privacy Laws, including but not limited to CCPA §§ 1798.145(d)-(f).
“Process”, “Processed” and/or “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Data Controller, including as applicable any “service provider” as that term is defined by the CCPA.
“Security Breach” means any accidental or unlawful acquisition, destruction, loss, or alteration of, or any unauthorized disclosure of or access to, Customer Data.
“Sell,” “Sale,” “Share,” or “Sharing” shall have the meaning set forth in the CCPA.
“Services” means the services provided by Onboarded to Customer, as provided in the MSA.
“Standard Contractual Clauses” means the annex found in EU Commission Decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to processors established in third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council, incorporated herein by reference, completed as described in the “Data Transfers” section below.
“Subprocessor” means any Onboarded affiliate or subcontractor engaged by Onboarded for the Processing of Customer Data.
“UK Addendum” means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner’s Office.
“UK GDPR” means the UK General Data Protection Regulation, as amended and supplemented by the Data Protection Act 2018.
“UK Personal Data” means Personal Data the sharing of which pursuant to this Agreement is regulated by the UK GDPR.
Customer agrees to determine the purposes and general means of Onboarded’s Processing of Customer Data in accordance with the Agreement. Onboarded will Process Customer Data, including Personal Data contained therein, for the purposes set forth in the Agreement, and in compliance with applicable law. Customer will not instruct Onboarded to Process Customer Data in violation of applicable law. Onboarded will inform Customer if, in its opinion, an instruction from Customer infringes applicable law.
a. Compliance with Laws. Each party shall comply with all laws, whether state, federal, local or international, including Data Privacy Laws. Each party shall promptly notify the other party in writing if it is no longer able to meet its obligations under Data Privacy Laws applicable to this DPA.
b. Compliance with Data Controller Obligations. To the extent such party is acting as a Data Controller, each party shall independently fulfill all duties required of Data Controllers under Data Privacy Laws. Onboarded is a Data Controller with respect to Worker Data, other than Customer Data, that it Processes in connection with the Services.
c. No joint controllership. Unless otherwise agreed in writing, the parties acknowledge and agree that each is acting independently as a Data Controller with respect to Personal Data and the parties are not joint Controllers as defined in the General Data Protection Regulation and UK GDPR.
d. No CCPA Sale or Sharing. Neither party shall Sell or Share to a third party any Personal Data made available to it by the other party, except to the extent such Personal Data or the Sale or Sharing thereof is exempted from Data Privacy Laws. The parties agree that for the purposes of the CCPA, Onboarded acts as a service provider with regard to the Processing of Customer Data. Customer does not Sell or Share Personal Data contained in Customer Data to Onboarded, because Onboarded shall only use such Personal Data for the purposes specified in the Agreement.
e. Data Subject Requests. For the avoidance of doubt, to the extent it is a Data Controller, each party shall have an independent obligation to respond to requests received from Data Subjects seeking to exercise their rights under applicable Data Privacy Laws, including, but not limited to, access and deletion requests made pursuant to the Data Privacy Laws. The recipient of the Data Subject request shall be responsible for responding to the Data Subject. If applicable, and to the extent legally permitted, each party shall provide the other party with reasonable cooperation and assistance in relation to the handling of a Data Subject’s request.
f. Disclosures and Consent. Each party shall comply with applicable Laws to provide legally required notices to Data Subjects regarding the purpose and nature of the Processing of Personal Data in connection with the Services. Customer shall ensure that Data Subjects have provided legally sufficient consent or other appropriate legal basis (including under the GDPR and all other applicable Data Privacy Laws), wherever such consent or other appropriate legal basis is necessary to enable Onboarded to perform the Services.
Onboarded shall:
a. Ensure that the persons it authorizes to Process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
b. Upon written request of Customer, assist Customer in the fulfillment of Customer’s obligations to respond to verifiable requests by Data Subjects (or their representatives) for exercising their rights with respect to Customer Data under Data Privacy Laws.
c. Promptly, and in any event within ten days, notify Customer of any third-party or Data Subject requests or complaints regarding the Processing of Customer Data. Customer agrees to, at Onboarded’s request, designate to Onboarded a single point of contact responsible for receiving and responding to such requests or complaints.
d. Provide reasonable assistance to and cooperation with Customer for Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Customer Data.
e. Provide reasonable assistance to and cooperation with Customer for Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Customer Data, including complying with any obligation applicable to Onboarded under Data Privacy Laws to consult with a regulatory authority in relation to Onboarded’s Processing or proposed Processing of Customer Data.
a. Onboarded may subcontract the collection or other Processing of Customer Data in compliance with Data Privacy Law to provide the Services. Onboarded will impose contractual obligations on the Subprocessor that are at least the same level of protection as those imposed on Onboarded under this DPA and will remain liable for its Subprocessors’ performance to the same extent Onboarded is liable for its own performance, consistent with the limitations of liability set forth herein.
b. If GDPR is applicable to the Services, Onboarded shall notify Customer of any changes made to Subprocessors at least ten (10) days prior to any such change by sending an email to the email address designated by Customer to receive notifications. Customer may reasonably object to Onboarded’s use of a new Subprocessor by notifying Onboarded promptly in writing within ten (10) business days after Onboarded’s notice is sent pursuant to this DPA. Customer shall explain its reasonable grounds for objection. In the event Customer objects to a Subprocessor, the parties shall discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Onboarded will, at its sole discretion, either (i) not appoint the Subprocessor; or (ii) in the event that Onboarded cannot provide the Services without the objected-to Subprocessor, permit Customer to terminate the Services. Onboarded may replace a Subprocessor if the need for the change is urgent and necessary to provide the Services. In such instance, Onboarded shall notify Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Subprocessor pursuant to this Section.
a. Taking into account the nature of Processing and the information available to Onboarded, Onboarded shall implement technical and organizational measures, including the measures set forth in Annex II of the Appendix to this DPA, without prejudice to Onboarded’s right to make future replacements or updates to the measures that do not lower the level of protection of Customer Data.
b. Security Breach. Onboarded shall notify Customer promptly of any Security Breach affecting Customer Data and provide related information to Customer as required by Data Privacy Laws. Customer shall notify Onboarded promptly of any actual or suspected unauthorized access to Customer’s systems or compromise of Customer’s credentials used to access the Services. Taking into account the nature of Processing and the information available to Onboarded, the parties shall reasonably work together to address any such compromise, including taking steps to mitigate the effects of the Security Breach or system compromise and reduce the risk to Data Subjects whose Personal Data in the Customer Data was involved. Customer is solely responsible for complying with legal requirements for incident notification applicable to Customer and fulfilling any third-party notification obligations. Nothing shall be construed to require Onboarded to violate, or delay compliance with, any legal obligation it may have with respect to a Security Breach or other security incidents generally.
For transfers of EU Personal Data to Onboarded for processing by Onboarded in a jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission-approved countries providing ‘adequate’ data protection, each party agrees it will use Module 2 of the Standard Contractual Clauses for Controller to Processor transfers, which are incorporated herein by reference. The annexes included in the Appendix to this Agreement shall apply as the annexes of the Standard Contractual Clauses.
In case of conflict between the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses will prevail. Notwithstanding the foregoing, where the transfers contemplated under this Section 7 result in transfers of UK Personal Data to Onboarded for processing by Onboarded in a jurisdiction other than in the UK or UK Information Commissioner’s Office-approved countries providing ‘adequate’ data protection, then (a) the Standard Contractual Clauses used for EU Personal Data shall also apply to transfers of UK Personal Data; (b) the UK Addendum shall be deemed executed between Customer and Onboarded; and (c) the SCCs between the parties shall be deemed amended as specified in the UK Addendum in respect of the transfer of such UK Personal Data. The UK Information Commissioner is the exclusive Supervisory Authority for the transfers of UK Personal Data under this Agreement.
a. Reasonable Audits. If GDPR is applicable to the Services, Onboarded shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer subject to the following conditions: so long as the Agreement remains in effect and at Customer’s sole expense, Customer may request that Onboarded provide it with documentation, data, and records (“Records”) no more than once annually relating to Onboarded’s compliance with this DPA with respect to Customer Data (an “Audit”). To the extent Customer uses a third-party representative to conduct the Audit, Customer shall ensure that such third-party representative is bound by obligations of confidentiality no less protective than those contained in this Agreement. Customer shall provide Onboarded with fourteen (14) days prior written notice of its intention to conduct an Audit. Customer shall conduct its Audit in a manner that will result in minimal disruption to Onboarded’s business operations and shall not be entitled to receive data or information of other clients of Onboarded or any other confidential information of Onboarded that is not directly relevant for the authorized purposes of the Audit. If any material non-compliance is identified by an Audit, Onboarded shall take prompt action to correct such non-compliance. Any information that Customer receives under this Section is Confidential Information of Onboarded.
b. Limitations. For the avoidance of doubt, this provision does not grant Customer any right to conduct an on-site audit of Onboarded’s premises. Customer shall reimburse Onboarded for any time expended for an Audit at Onboarded’s then-current reasonable rates, which shall be made available to Customer upon request. Nothing herein will require Onboarded to disclose or make available: (a) any data of any other customer of Onboarded; (b) access to systems; (c) Onboarded’s internal accounting or financial information; (d) any trade secret of Onboarded; (e) any information or access that, in Onboarded’s reasonable opinion, could (i) compromise the security of Onboarded systems or premises; or (ii) cause Onboarded to breach its obligations under applicable law or applicable contracts; or (f) any information sought for any reason other than the good faith fulfillment of Customer’s obligations under applicable law to audit compliance under this DPA.
Upon termination of the Services or on reasonable written request from Customer’s authorized representative, Onboarded shall, at the choice of Customer, return or delete such Customer Data in accordance with its requirements under applicable Data Privacy Law, unless applicable law prevents Onboarded from returning or deleting all or part of the Customer Data. In such a case, Onboarded agrees to preserve the confidentiality of the Customer Data retained by it and to Process such Customer Data only as required to comply with applicable law. Notwithstanding the foregoing, this provision will not require Onboarded to delete Customer Data from archival and back-up files except as provided by Onboarded’s internal data deletion practices or as required by applicable law. For the avoidance of doubt, Onboarded may continue to Process Customer Data that has been anonymized or aggregated in a manner that does not identify individuals.
Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA. The provisions of this DPA shall survive the termination or expiration of the Agreement as long as either party continues to Process Personal Data in connection with the Agreement.
ANNEX I: LIST OF PARTIES
Data exporter(s):
Name: Customer
Role: Controller
Address: As specified in the Agreement.
Contact person’s name, position, and contact details: As specified in the Agreement or Applicable Order Form.
Activities relevant to the data transferred under these Clauses: The data importer provides the Services to the data exporter in accordance with the Agreement.
Signature and accession date: As specified in the Agreement.
Data importer(s):
Name: Onboarded, Inc.
Role: Processor/Controller
Address: 885 Tahoe Blvd, #D-6, Incline Village, NV 89451
Contact person’s name, position, and contact details: Matt Wu, DPO, matt@onboarded.com
Activities relevant to the data transferred under these Clauses: The data importer provides the Services to the data exporter in accordance with the Agreement.
Signature and accession date: As specified in the Agreement.
ANNEX II: DESCRIPTION OF THE PROCESSING
Categories of data subjects whose personal data is transferred
Data subjects include the individuals about whom data is provided by the data exporter for the purposes of obtaining the Services. These individuals may include, without limitation, individuals who previously maintained Worker Profiles within the Onboarded Platform.
Categories of personal data transferred
Customer Data, including data relating to individuals about whom data is provided by the data exporter for the purposes of obtaining the Services. This data may include, for example:
a. Personal details, including information that identifies the data subject and their personal characteristics, such as name, address, contact details, and date of birth.
b. Personal details issued as an identifier by a public authority, including passport details, national insurance numbers, identity card numbers, and driving license details.
c. Employment details, including information relating to the employment of the data subject, such as employment and career history.
d. Education and training details, including information which relates to the education and any professional training of the data subject.
e. Background information, including information relating to criminal activity or sanctions.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis)
Customer Data may be transferred on a continuous basis until it is deleted in accordance with the terms of the Agreement.
Nature of the processing
The data importer will process Customer Data to provide, secure and monitor the Services in accordance with the Agreement, as well as comply with applicable law.
Purpose(s) of the data transfer and further processing
The data exporter transfers Customer Data to the data importer so that the data importer can provide, secure and monitor the Services in accordance with the Agreement, as well as comply with applicable law.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the duration of the Agreement until deletion in accordance with the provisions of the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As above.
Competent Supervisory Authority
The supervisory authority of the member state in which the data subjects whose personal data is transferred in order to provide the Services are located shall act as the competent supervisory authority.