Legal – Data processing addendum | Greenhouse

Data processing addendum

THIS DATA PROCESSING ADDENDUM (DPA) is incorporated into, and is subject to the terms and conditions of, the Master Subscription Agreement or other written or electronic agreement (“Agreement”) between Greenhouse Software, Inc., a company whose registered office is at 228 Park Avenue S, PMB 14744, New York, NY 10003-1502 USA (“Greenhouse”); and ___________, whose registered office is at ______________________________________________________________ (“Controller”), governing Controller’s use of the Greenhouse software and services (the “Services”). All capitalised terms not defined in this DPA shall have the meanings set forth in the Agreement.

In the course of providing the Services to Controller, Greenhouse may process Personal Data (defined below) and the parties agree to comply with the following provisions with respect to any processing of Personal Data by Greenhouse as a processor to Controller.

NOW IT IS AGREED as follows:

1. Data Protection

1.1. Definitions: In this DPA, the following terms shall have the following meanings:

(a) “controller”, “processor”, “data subject”, “personal data”, “process”, and “processing” shall have the meanings given in European Data Protection Law;

(b) “Applicable Data Protection Law” means all worldwide data protection and privacy laws and regulations, to the extent applicable to the parties and the nature of the personal data processed under the Agreement, including, where applicable, (i) European Data Protection Law; and (ii) the California Consumer Privacy Act (the “CCPA”), as amended by the California Privacy Rights Act of 2020;

(c) “Data Privacy Framework” means (as applicable) the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework self-certification programs operated by the U.S. Department of Commerce, and their respective successors;

(d) “Data Privacy Framework Principles” means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework, as amended, superseded or replaced;

(e) “European Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); and (v) the Swiss Federal Data Protection Act (the “Swiss DPA”); in each case as may be amended or superseded from time to time;

(f) “Personal Data” means information that identifies a person, such as a name or online identifier, that is uploaded into the Services by Controller or by third parties acting on Controller’s behalf, including job applicants. To the extent the CCPA applies to this DPA, Personal Data means “Personal Information,” as such term is defined in the CCPA, that is uploaded into the Services by Controller or by third parties acting on Controller’s behalf, including job applicants;

(g) “Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner;

(h) “Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data transmitted, stored or otherwise processed by Greenhouse under this DPA;

(i) “Standard Contractual Clauses” or “EU SCCs” means the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council;

(j) “Subprocessor” means any third-party processor engaged by Greenhouse to process any Personal Data in connection with the Services provided to Controller (but shall not include Greenhouse employees, contractors or consultants);

(k) “UK Addendum” means the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018, as amended or updated from time to time.

1.2. Relationship of the parties: Greenhouse will process Personal Data on behalf of Controller, as further described in Annex I of this DPA. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law. To the extent Greenhouse will process Personal Data that is subject to the CCPA, the Parties acknowledge and agree that Greenhouse will act as a “Service Provider,” as such term is defined in the CCPA, in its performance of its obligations pursuant to this DPA or the Agreement, and Greenhouse certifies that it understands and will comply with its processing obligations. Similarly, to the extent Controller directs Greenhouse to process Personal Data that is subject to the CCPA, the Parties acknowledge and agree that Controller will act as a “Business,” as such term is defined in the CCPA, in its performance of its obligations pursuant to this DPA or the Agreement.

1.3. Prohibited data: Controller shall not disclose (and shall not request any data subject to disclose) any special categories of Personal Data to Greenhouse for processing except where and to the extent expressly disclosed in Annex I.

1.4. Purpose limitation: Greenhouse shall process the Personal Data in accordance with Controller’s documented instructions and, for these purposes, Controller instructs Greenhouse to process Personal Data for the purposes described in Annex I (the “Permitted Purpose”), except where otherwise required by law(s) that are not incompatible with Applicable Data Protection Law. To the extent Greenhouse will process Personal Data that is subject to the CCPA, the Permitted Purpose is the “Business Purpose,” as such term is defined in the CCPA, and Greenhouse will retain, use or disclose the Personal Data only for such Business Purpose. In no event shall Greenhouse process the Personal Data for its own purposes or those of any third party. Greenhouse shall not “sell” or “share” the Personal Data, as such terms are defined by Applicable Data Protection Law, nor shall Greenhouse combine the Personal Data with personal data that Greenhouse receives from other sources, except as permitted by the Permitted Purpose or required by law(s) that are not incompatible with Applicable Data Protection Law. Greenhouse shall immediately inform Controller if it becomes aware that Controller’s processing instructions infringe Applicable Data Protection Law (but without obligation to actively monitor Controller’s compliance with Applicable Data Protection Law).

1.5. Data Privacy Framework:

(a) Greenhouse is self-certified under the Data Privacy Framework, as administered by the U.S. Department of Commerce, in order to implement appropriate safeguards for transfers of Personal Data to the United States pursuant to Article 46 of the GDPR. To the extent the Data Privacy Framework can be used to lawfully transfer Personal Data to the United States, and for as long as Greenhouse is self-certified to the Data Privacy Framework, Greenhouse will: (a) process such Personal Data only for the limited and specified purposes set out in the Agreement, including this DPA; (b) provide at least the same level of privacy protection to the Personal Data as is required by the Data Privacy Framework Principles; (c) promptly notify Controller if it makes a determination that it can no longer meet its obligation under (b) above, and in such event, promptly take reasonable and appropriate steps to stop and remediate any processing until such time as the processing meets the level of protection required by the Data Privacy Framework Principles; and (d) at Controller’s sole election, cease processing the Personal Data if, in Controller’s reasonable discretion, Greenhouse is not providing the same level of protection to the Personal Data as is required by the Data Privacy Framework Principles. Greenhouse intends to remain self-certified under the Data Privacy Framework as long as the Data Privacy Framework is recognized as a valid transfer mechanism under Applicable Data Protection Law. Details about Greenhouse’s self-certification to the Data Privacy Framework are available at: https://www.dataprivacyframewo....

(b) Controller acknowledges that Greenhouse may disclose this DPA and any relevant privacy provisions in the Agreement to the U.S. Department of Commerce, the Federal Trade Commission, a relevant European supervisory authority or other public or regulatory authority, court or tribunal, upon their request.

(c) If Greenhouse is unable to comply with this Section 1.5, Section 1.6 shall apply.

(d) To the extent that the Data Privacy Framework is subsequently revoked, or held in a court of competent jurisdiction to be invalid, the Parties agree to cooperate in good faith to pursue a suitable alternate mechanism that can lawfully support the transfer of Personal Data, such as relying on the mechanism as described in Section 1.6.

1.6. Restricted transfers: The parties agree that to the extent the transfer of Personal Data from Controller to Greenhouse is a Restricted Transfer and European Data Protection Law requires that appropriate safeguards are put in place, such transfer shall be subject to the Standard Contractual Clauses, which shall be deemed incorporated by reference and form an integral part of this DPA as follows:

(a) in relation to Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:

(i) Module Two (controller to processor) will apply;

(ii) in Clause 7, the optional docking clause will apply;

(iii) in Clause 9, Option 2 will apply, and the time period for prior notice of Subprocessor changes shall be as set out in Clause 1.9 of this DPA;

(iv) in Clause 11, the optional language will not apply;

(v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

(vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;

(vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this DPA; and

(viii) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this DPA.

(b) in relation to Personal Data that is protected by the UK GDPR, the Standard Contractual Clauses: (i) shall apply as completed in accordance with paragraph (a) above; and (ii) shall be deemed amended as specified by the UK Addendum, which shall be deemed executed by the parties and incorporated into and form an integral part of this DPA. In addition, Tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annexes I and II of this DPA, and Table 4 in Part 1 shall be deemed completed by selecting “neither party”.

(c) in relation to transfers of Personal Data protected by the Swiss DPA, the Standard Contractual Clauses will also apply in accordance with paragraph (a) above, with the following modifications:

(i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA;

(ii) references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA;

(iii) references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland”, or “Swiss law”;

(iv) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland);

(v) Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection and Information Commissioner;

(vi) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection and Information Commissioner” and “applicable courts of Switzerland”;

(vii) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland; and

(viii) with respect to transfers to which the Swiss DPA applies, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.

(d) in the event that any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

1.7. Onward transfers: Greenhouse shall not participate in (nor permit any Subprocessor to participate in) any other Restricted Transfers of Personal Data (whether as an exporter or an importer of the Personal Data) unless the Restricted Transfer is made in compliance with Applicable Data Protection Law and this DPA. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, or pursuant to Standard Contractual Clauses implemented between the relevant exporter and importer of the Personal Data.

1.8. Confidentiality of processing: Greenhouse shall ensure that any person that it authorises to process the Personal Data (including Greenhouse’s staff, agents and Subprocessors) (an “Authorised Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the Personal Data who is not under such a duty of confidentiality. Greenhouse shall ensure that all Authorised Persons process the Personal Data only as necessary for the Permitted Purpose.

1.9. Security: Greenhouse shall implement and maintain appropriate technical and organisational measures designed to protect the Personal Data from Security Incidents and to preserve the confidentiality of Personal Data in accordance with Annex II to this DPA (“Security Measures”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons and include as appropriate:

(a) the pseudonymisation and encryption of Personal Data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Controller acknowledges that the Security Measures are subject to technical progress and development and that Greenhouse may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish overall security of the Services.

1.10. Subprocessing: Subject to Greenhouse complying with this Section 1.10, Controller agrees that Greenhouse may engage Subprocessors to process Personal Data on Controller’s behalf, including the Subprocessors listed in Annex III to this DPA. Greenhouse shall: (i) provide at least 30 days’ prior notice of the addition of any Subprocessor (including details of the processing it performs or will perform); (ii) impose data protection terms on any Subprocessor it appoints that protect the Personal Data, in substance, to the same standard provided for by this DPA, to the extent applicable to the nature of the services provided by such Subprocessor; and (iii) remain fully liable for any breach of this DPA that is caused by an act, error or omission of its Subprocessor. Controller may object in writing to Greenhouse’s appointment of a new Subprocessor on reasonable grounds relating to data protection by notifying Greenhouse promptly in writing within fifteen (15) days of receipt of the above notice from Greenhouse. In such case, the parties shall discuss Controller’s concerns in good faith with a view to achieving a commercially reasonable resolution. If the parties cannot reach such resolution, Greenhouse will not appoint the Subprocessor or Controller may elect to suspend or terminate the Agreement without penalty.

1.11. Cooperation and data subjects’ rights: Greenhouse shall provide all reasonable and timely assistance (including by appropriate technical and organisational measures) to Controller to enable Controller to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Greenhouse, Greenhouse shall promptly act to ensure that the same is provided to Controller.

1.12. Data protection impact assessment: To the extent required under Applicable Data Protection Law, Greenhouse shall (considering the nature of the processing and the information available to Greenhouse) provide Controller with all such reasonably requested information regarding the Services to enable Controller to conduct a data protection impact assessment or prior consultations with data protection authorities in accordance with Applicable Data Protection Law. Greenhouse shall comply with the foregoing by: (i) complying with Section 1.16 (“Security reports and due diligence”); (ii) providing the information contained in the Agreement, including this DPA; and (iii) if the foregoing sub-sections (i) and (ii) are insufficient for Controller to comply with such obligations, upon request, providing additional reasonable assistance (at Controller’s expense).

1.13. Security Incidents: Upon becoming aware of a Security Incident, Greenhouse shall inform Controller without undue delay and shall provide all such timely information and cooperation as Controller may reasonably require in order for Controller to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. Greenhouse shall further take all such measures and actions as are reasonably necessary to remedy or mitigate the effects of the Security Incident and shall keep Controller informed of all developments in connection with the Security Incident.

1.14. Deletion or return of Personal Data: Upon termination or expiry of the Agreement, Greenhouse shall (at Controller’s election) destroy or return to Controller all Personal Data (including all copies of the Personal Data) in its possession or control (including any Personal Data subcontracted to a third party for processing). This requirement shall not apply to the extent that Greenhouse is required by any applicable law to retain some or all of the Personal Data, in which event Greenhouse shall isolate and protect the Personal Data from any further processing except to the extent required by such law until deletion is possible.

1.15. Audit rights: Greenhouse shall make available to Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections by Controller in order to assess compliance with this DPA. Controller acknowledges and agrees that it shall exercise its audit rights under this DPA, and any other audit rights granted by Applicable Data Protection Law, by instructing Greenhouse to comply with the audit measures described in Section 1.16 below.

1.16. Security reports and due diligence:

(a) Controller acknowledges that Greenhouse is regularly audited against ISO 27001, ISO 27701 and SSAE 18 SOC 2 standards by independent third-party auditors. Upon written request, Greenhouse shall supply to Controller a summary copy of its audit report(s), which reports shall be subject to the confidentiality provisions of the Agreement, so that Controller can verify Greenhouse’s compliance with audit standards against which it has been assessed and this DPA.

(b) In addition and upon Controller’s written request, Greenhouse shall respond to any reasonable requests for information made by Controller to confirm Greenhouse’s compliance with this DPA, including responses to information security, due diligence and audit questionnaires, by making additional information available regarding its information security program which Greenhouse generally makes available to its customers, provided that Controller shall not exercise this right more than once per year.

1.17. Miscellaneous: Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict or inconsistency between this DPA and the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) where applicable, EU SCCs; then (b) this DPA; and then (c) the main body of the Agreement. The parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Services. Notwithstanding anything to the contrary in the Agreement and without prejudice to Section 1.4 (“Purpose limitation”), Greenhouse may periodically make modifications to this DPA as may be required to comply with Applicable Data Protection Law.

By signing below, each party acknowledges that it has read and understood the terms of this DPA and agrees to be bound by them, effective as of the date that both parties sign below (“Effective Date”).


Controller

By:

Name:

Title:

Date:

Greenhouse Software, Inc.

By:

Name:

Title:

Date:


Annex I

Data Processing Description

This Annex I forms part of the DPA and describes the processing that Greenhouse will perform on behalf of the Controller.

A. LIST OF PARTIES

Controller(s) / Data exporter(s): [Identity and contact details of the controller(s) / data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

1.

Name:

The party identified as the “Controller” in the DPA.

Address:

The address for the Controller specified in the DPA.

Contact person’s name, position and contact details:

The contact as set out in the relevant order form.

Activities relevant to the data transferred under these Clauses:

Controller is a customer of Greenhouse’s that will provide personal data to Greenhouse in order to allow Greenhouse to provide services to Controller pursuant to a services agreement entered by and between the parties.

Signature and date:

This Annex shall be deemed executed by Controller when the DPA is executed by Controller.

Role (controller/processor):

Controller

Processor(s) / Data importer(s): [Identity and contact details of the processor(s) / data importer(s), including any contact person with responsibility for data protection]

1.

Name:

Greenhouse Software, Inc.

Address:

228 Park Avenue S, PMB 14744, New York, NY 10003-1502

Contact person’s name, position and contact details:

Greenhouse Privacy Department, privacy@greenhouse.io

Activities relevant to the data transferred under these Clauses:

The processing activities that are necessary in order to provide Greenhouse’s software and services to the Controller, which shall include hosting, storage, providing customer service, enabling interview scheduling functionality, resume parsing, and performance analytics.

Signature and date:

This Annex shall be deemed executed by Greenhouse when Greenhouse executes the DPA.

Role (controller/processor):

Processor


B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

Controller’s employees and job applicants, and any other individuals whose personal data are uploaded or transmitted via Greenhouse’s software application.

Categories of personal data transferred:

Personal data such as the name, email, mailing address, education, employment history, resume, etc. of data subjects mentioned above and other data in an electronic form provided to Greenhouse when using the services covered in the services agreement between Controller and Greenhouse.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

The processing may include sensitive data if such information is uploaded or transmitted via the software, at the sole discretion of the user of the software.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Personal data will be transferred continuously throughout the duration of the underlying agreement to purchase Greenhouse’s software and services.

Nature of the processing:

The personal data transferred will be subject to the processing activities that are necessary to provide Greenhouse’s software and services to Controller, including hosting, storage, providing access, enabling interview scheduling, and applying analytics.

Purpose(s) of the data transfer and further processing:

To provide Greenhouse’s software and services to Controller pursuant to a services agreement between the parties governing the provision of the software and services.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

For the duration of the underlying agreement to purchase Greenhouse’s software and services, unless the personal data is deleted prior to the termination or expiration of that contract by Controller or by Greenhouse at Controller’s instruction.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

Personal data is transferred to Greenhouse’s Subprocessors for the purpose of providing Greenhouse’s software and services to Controller for the duration of the underlying purchase agreement, unless the personal data is deleted prior to the termination or expiration of that contract by the Controller or by Greenhouse at the Controller’s instruction.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13 of the SCCs:

The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.

Annex II

Technical and Organisational Security Measures

Description of the technical and organisational measures implemented by the processor(s) / data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Measures of pseudonymisation and encryption of personal data

Industry standard encryption technologies for personal data that is: (i) transmitted over public networks (i.e., the Internet) or when transmitted wirelessly; or (ii) at rest.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Organisational management and dedicated staff responsible for the development, implementation and maintenance of Greenhouse’s information security program.

Data security controls which include at a minimum, but may not be limited to, logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilisation of commercially available and industry standard encryption technologies for personal data, as described above.

Network security controls that provide for the use of stateful firewalls and layered DMZ architectures and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.

Vulnerability assessment, patch management and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.

Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Incident / problem management procedures designed to allow Greenhouse to investigate, respond to, mitigate and notify of events related to Greenhouse’s technology and information assets.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Greenhouse’s organisation, monitoring and maintaining compliance with Greenhouse’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.

Measures for user identification and authorisation

Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).

Password controls designed to manage and control password strength, expiration and usage, including prohibiting users from sharing passwords and requiring that the passwords Greenhouse assigns to its employees: (i) be at least ten (10) characters in length; (ii) not be stored in readable format on Greenhouse’s computer systems; (iii) have defined complexity; and (iv) have a history threshold to prevent reuse of recent passwords. Multi-factor authentication, where available, must always be used.

Measures for the protection of data during transmission

Industry standard encryption technologies for personal data that is transmitted over public networks (i.e., the Internet) or when transmitted wirelessly.

Measures for the protection of data during storage

Industry standard encryption technologies for personal data that is at rest.

Measures for ensuring physical security of locations at which personal data are processed

Physical and environmental security of data center, server room facilities and other areas containing personal data designed to: (i) protect information assets from unauthorised physical access, (ii) manage, monitor and log movement of persons into and out of Greenhouse facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.

Measures for ensuring events logging

System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.

Measures for ensuring system configuration, including default configuration

Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Greenhouse’s possession.

Measures for internal IT and IT security governance and management

Change management procedures and tracking mechanisms designed to test, approve and monitor all changes to Greenhouse’s technology and information assets.

Measures for certification / assurance of processes and products

Organisational management and dedicated staff responsible for the development, implementation and maintenance of Greenhouse’s information security program.

Measures for ensuring data minimisation

Not applicable to Greenhouse. Greenhouse is processing the personal data on behalf of Controller for the sole purpose of providing services to Controller for the duration of the services agreement entered into between Greenhouse and Controller. Controller has complete control over the collection, modification, and deletion of personal data (subject to the data retention section, below).

Measures for ensuring data quality

Not applicable to Greenhouse. Greenhouse is processing the personal data on behalf of Controller for the sole purpose of providing services to Controller for the duration of the services agreement entered into between Greenhouse and Controller. Greenhouse does not have the ability to monitor the quality of the personal data.

Measures for ensuring limited data retention

Controller is permitted to set its own retention rules per a dedicated feature within the application and can self-service delete the personal data it has collected at any point during the term of the underlying services agreement entered into between Greenhouse and Controller. All personal data in Controller’s account is automatically deleted ninety (90) days following expiration or termination of the services agreement, or earlier upon Controller request, subject to Greenhouse’s standard 30-day backup schedule.

Measures for ensuring accountability

Greenhouse takes responsibility for complying with the EU GDPR and the UK GDPR, at the highest management level and throughout the organisation. Greenhouse keeps evidence of the steps taken to comply with the EU GDPR and the UK GDPR. Greenhouse puts in place appropriate technical and organisational measures, such as: (i) adopting and implementing data protection policies (where proportionate), (ii) putting written contracts in place with organisations that process personal data on its behalf, (iii) maintaining documentation of its processing activities, (iv) implementing appropriate security measures, (v) recording and, where necessary, reporting personal data breaches, and (vi) carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests. Greenhouse reviews and updates its accountability measures at appropriate intervals.

Measures for allowing data portability and ensuring erasure

Greenhouse has in-app functionality to allow customers to create “Candidate Packets” for each job applicant containing all data about the job applicant that the customer configures to be captured. This can easily be downloaded in a CSV file format that can be sent to the data subject.

When a customer deletes data within the application, it is simultaneously deleted from Greenhouse’s database, subject to a 30-day backup retention period.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller (and, for transfers from a processor to a subprocessor, to the data exporter).

Greenhouse Self-Service Features

At all times during the term of the underlying services agreement, the Controller will have access to its own Greenhouse account and the ability to delete or modify any personal data stored therein. Any deletions or modifications by Controller will automatically be reflected in Greenhouse’s databases as well. In addition, Greenhouse has an in-application feature that will permit Controller to delete the entirety of an applicant’s profile with one click, and an additional feature that will allow Controller to download a portable file of an applicant’s personal data that can be easily sent to the applicant.

Annex III

Subprocessors

As at the Effective Date of this DPA, Controller has authorized the use of the Subprocessors listed on Greenhouse's subprocessors in use page.