This Data Processing Addendum (“Addendum”) supplements the Master Services Agreement (“MSA”) between Customer (“Company”) and Glide Holdings, Inc. d/b/a “Welcome” (“Welcome”) (jointly with Company, “Parties”) and reflects the Parties’ agreement with regard to the processing of Personal Data. The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the MSA. Except as modified below, the terms of the MSA shall remain in full force and effect. In case of a conflict between provisions of this Addendum with provisions in the MSA, the provisions of this Addendum shall prevail.
1. Definitions
1.1 “Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
1.2 “Data Processor” means the entity which Processes Protected Data on behalf of the Controller.
1.3 “Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the MSA, including any applicable laws and regulations of the European Union, the European Economic Area and their member states and the United Kingdom including GDPR and UK GDPR.
1.4 “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
1.5 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and includes UK GDPR, as defined in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
1.6 “Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected in a similar way as personal data, personal information, or personally identifiable information under applicable Data Protection Laws).
1.7 “Personal Data Breach” means (i) a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
1.8 “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, access, use, disclosure, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. For the purpose of this Addendum, and for the avoidance of doubt, remote access by Welcome to Company’s Protected Data is considered Processing.
1.9 “Protected Data” means Personal Data received from or on behalf of the Company. For the avoidance of doubt, “Protected Data” does not include Personal Data collected by Welcome directly from Data Subjects.
1.10 “Regulatory Authority” means any governmental, regulatory or supervisory authority, including any privacy or data protection commissioner or ombudsman, which is responsible for administering and/or enforcing Data Protection Laws.
2. Processing of Personal Data
2.1 The parties acknowledge and agree that with regard to the Protected Data, Company shall be the Data Controller and Welcome shall be the Data Processor. Company shall (i) provide all required notices to, and obtain all required consents from, the Data Subjects prior to providing any Personal Data to Welcome, in accordance with Data Protection Laws and any applicable guidance issued or published by any relevant Regulatory Authority; (ii) retain appropriate records of the notices and consents described above, and promptly provide evidence of such notices and consents to Welcome upon Welcome’s request; and (iii) take all reasonable steps to ensure that the Protected Data is accurate and up-to-date.
2.2 The subject matter for Processing the Protected Data by Welcome is the performance of the services pursuant to the Main Agreement. Welcome shall not make any use of the Protected Data for any other purposes.
2.3 The types of Personal Data and categories of Data Subjects Processed are specified in Schedule 1 of this Addendum.
2.4 The Parties shall comply with all Data Protection Laws when performing their mutual obligations under the MSA.
2.5 Welcome shall not Process Protected Data other than on the Company’s instructions unless Processing is required by Data Protection Laws, in which case Welcome shall to the extent permitted by Data Protection Laws inform Company of that legal requirement before the relevant Processing of that Personal Data.
3. Term
3.1 This Addendum shall commence on the date of its execution and shall continue in full force and effect until the termination or expiration of the MSA.
3.2 Notwithstanding clause 3.1, Welcome’s obligations under clauses 4, 6, 7 and 9 (and any other clauses which by implication ought to survive) shall survive the termination of this Addendum if and to the extent that Welcome continues to Process (including by way of storage) any Protected Data.
4. Confidentiality
4.1 Welcome shall ensure that its personnel engaged in the Processing of Protected Data are informed of the confidential nature of the Protected Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Welcome shall ensure that such confidentiality obligations survive the termination of employment of such personnel.
4.2 Welcome shall ensure that access to Protected Data is limited to those personnel performing services in accordance with the terms of the MSA.
5. Sub-Processors
5.1 Subject to section 5.2, Welcome may subcontract any Processing activities to those sub-processors already engaged by Welcome at the date of commencement of this Addendum and the Parties agree that Welcome may engage another data processor (or any replacement) to carry out any Processing activities in respect of the Protected Data at any time and has the Company’s general authorization to do so. Any changes to the use of sub-processors by Welcome will be published on Welcome’s website at https://www.heywelcome.com/gdpr/subprocessors. When changes to sub-processors are made by Welcome, it will inform the Company 7 days in advance of such changes taking effect.
5.2 Welcome will ensure that any sub-processor it engages to provide the services on its behalf in connection with the MSA does so only on the basis of a written contract which imposes on such sub-processor terms substantially no less protective in respect of Personal Data than those imposed on Welcome in this Addendum (“Adequate Terms”). Welcome shall procure the performance by such sub-processor of the Adequate Terms and shall be liable to Company for any breach by such sub-processor of any of the Adequate Terms.
6. International and Interprovincial Data Transfers
6.1 For transfers from the EU, not including the UK: To the extent that Protected Data is Processed outside the EEA the terms of the transfer of such Protected Data from the EU shall be governed by the standard contractual clauses approved by the EU authorities under Data Protection Laws outlined in the Standard Contractual Clause, and such standard contractual clauses shall be hereby incorporated into this Addendum, if (and only if) such transfer would be prohibited by Data Protection Laws in the absence of the parties agreeing to such standard contractual clauses.
6.2 For transfers from the UK: To the extent that Protected Data is Processed outside the UK the terms of the transfer of such Protected Data from the UK shall be governed by the addendum agreement to the standard contractual clauses which has been approved by the UK authorities under Data Protection Laws outlined in the UK Addendum to EU Standard Contractual Clause, and such addendum to the standard contractual clauses shall be hereby incorporated into this Addendum, if (and only if) such transfer would be prohibited by Data Protection Laws in the absence of the parties agreeing to such addendum to the standard contractual clauses.
7. Security: Taking into account the sensitivity of the Protected Data, the purposes for which the Protected Data will be used, the amount, quantity, distribution and format of the Protected Data, and the method or medium of storage, as well as the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing and the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Welcome shall in relation to the Protected Data implement appropriate physical, technical, administrative and organizational measures to protect the security, confidentiality, accuracy, integrity and availability of the Protected Data, including, as appropriate, the measures referred to in Article 32(1) of GDPR and those referenced in Welcome’s. In assessing the appropriate level of security, Welcome shall, in particular, take account of the sensitivity of the Personal Data and the risks that are presented by Processing, in particular those risks that may arise from a Personal Data Breach.
8. Rights of Data Subjects
8.1 Welcome shall, to the extent legally permitted, promptly notify Company if it receives a request from a Data Subject to exercise the Data Subject’s rights under Data Protection Laws, including (where applicable) any right of access and/or right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to the Processing, or right not to be subject to automated individual decision making (“Data Subject Request”).
8.2 Taking into account the nature of the Processing, Welcome shall assist Company by appropriate technical and organizational measures, insofar as practicable, to fulfill Company’s obligation to respond to a Data Subject Request under Data Protection Laws.
8.3 Welcome shall respond to a Data Subject Request directly only if Welcome is required to do so under Data Protection Laws. In addition, Welcome shall upon Company’s request provide commercially reasonable efforts to assist Company to respond to any Data Subject Request, to the extent Welcome is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws.
9. Personal Data Breach
9.1 Welcome shall notify Company without unreasonable delay upon Welcome or any sub-processor becoming aware of a Personal Data Breach affecting Protected Data, providing Company with sufficient information to allow Company to meet any obligations to create and maintain a record of the Personal Data Breach and to comply with any obligation(s) to report the Personal Data Breach to any relevant Regulatory Authority and/or notify Data Subjects of the Personal Data Breach under Data Protection Laws.
9.2 Welcome shall co-operate with Company and take such reasonably commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each and any such Personal Data Breach.
10. Data Protection Impact Assessment and Prior Consultation: Welcome shall provide reasonable assistance to Company with any data protection impact assessments, and prior consultations with competent data privacy authorities, which Company reasonably considers to be required by Data Protection Laws, including (where applicable) article 35 or 36 of GDPR, in each case solely in relation to Processing of Protected Data, and taking into account the nature of the Processing and information available to Welcome, in each case further provided that Company bears all costs associated with the assistance provided by Welcome.
11. Audit Rights: No more often than once every 12 months, Welcome shall make available to Company on request all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by Company or an auditor mandated by Company in relation to the Processing of the Protected Data, provided that Company bears all costs associated with such audits.
12. Deletion or Return of Protected Data and Copies: At the Company’s written request, and to the extent permitted by applicable laws, Welcome shall either securely delete or securely return all Protected Data to Company in such form as Company reasonably requests upon the earlier of (i) the termination of the MSA; or (ii) once Processing by Welcome of any Protected Data is no longer required for the purpose of Welcome’s performance of its obligations under the MSA. Notwithstanding anything to the contrary in the foregoing, Welcome shall be permitted to retain any archival and/or back-up data that is separately maintained for archival or back-up purposes.
13. Severance: Should any provision of this Addendum be invalid or unenforceable, the remainder of this Addendum shall remain valid and in force. To the greatest extent possible pursuant to applicable laws, the invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in such a manner as if the invalid or unenforceable provision was not part of the Addendum.
14. Cooperation: Company and Welcome acknowledge that laws relating to privacy and data protection are evolving and that amendment to the MSA and/or this DPA may be required to ensure compliance with such developments. The parties agree to take such action as is necessary to implement the standards and requirements of any applicable Data Protection Laws, including negotiating in good faith to amend the MSA and this DPA as necessary or prudent for compliance with such laws.
Schedule 1: Description of Services and Personal Data Processing
Description of Services: Welcome’s Services as described in the MSA.
Subject-matter of Processing: The subject matter of the MSA to the extent it involves the Processing of Protected Data by Welcome.
Duration of Processing: The duration of the MSA.
Nature and purpose of Processing: The provision of the Services (as defined in the MSA) by Welcome to the Company.
Type of Personal Data: First name, last name, email, title, compensation history, and such other employment information as may be relevant to the provision of the Services by Welcome to the Customer.
Categories of Data Subjects: Company employees and candidates.
Subprocessors of Welcome: See https://www.heywelcome.com/gdpr/subprocessors