Data Processing Addendum

This Data Processing Addendum (the “DPA”) is entered into by and between Crelate and the Client specified in the Purchase Form or Master Services Agreement (“Client”). Crelate and Client are collectively referred to as the “Parties” and each a “Party”.

This DPA supplements the Master Services Agreement and Additional Product Terms, as updated from time to time, between Crelate and Client, or other agreement between Crelate and Client governing Client’s use of Crelate’s services (the “Agreement”). The terms capitalized but not defined in this DPA shall have the meaning assigned to them in the Agreement. In providing the Services (as defined in the Agreement) to Client pursuant to the Agreement, Crelate may Process Personal Data, and the parties agree to comply with the following provisions with respect to any of Client’s Personal Data.

DEFINITIONS

  • Client Account Data – means Personal Data that relates to the Client’s relationship with Crelate, including to access Client’s account and billing information, identity verification, maintain, or improve performance of the Services, provide support, investigate and prevent system abuse, or fulfill legal obligations.
  • EEA – means the European Economic Area, consisting of all EU Member States plus Iceland, Liechtenstein, and Norway.
  • Client’s Personal Data – means the Personal Data contained in the Client Content or any Personal Data which is submitted by or on behalf of the Client to the Services.
  • Data Controller – means the entity which determines the purposes and means of the Processing of Client’s Personal Data.
  • Data Subject – means People, or as defined in and subject to Data Protection Laws.
  • Data Processor means the entity which Processes Client’s Personal Data on behalf of the Data Controller, including as applicable any ‘Service Provider’ as that term is defined by the CCPA.
  • Data Protection Laws means applicable data protection or privacy laws and regulations directly applicable to a party’s Processing of Personal Data under the Agreement, including the GDPR, UK Addendum, and US Data Protection Law.
  • GDPR means Regulation (EU) 2016/679, the General Data Protection Regulation.
  • Personal Data Breach means a breach of Crelate’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client’s Personal Data.
  • Processing, Process, Processes, Processed means any operation or operations which are performed upon Client’s Personal Data, whether or not by automatic means, such as collection, compilation, use, disclosure, duplication, organization, storage, alteration, transfer, transmission, combination, redaction, erasure, or destruction.
  • Standard Contractual Clauses – means the latest version of the standard contractual clauses for the transfer of personal data to processors established in third countries under the GDPR (the current version as at the date of this DPA is as annexed to European Commission Decision 2021/914 (EU) of June 4, 2021).
  • Sub-Processor means any Processor engaged by Crelate to Process Client’s Personal Data on Crelate’s behalf while providing the Services.
  • UK Addendum means the International Data Transfer Addendum (Version B1.0) issued by the Information Commissioner’s Office under section 119(A) of the UK Data Protection Act 2018, as updated or amended from time to time.
  • US Data Protection Law means all state laws in effect in the United States of America that are applicable to the processing of personal data under this DPA, including, but not limited to, the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2018 (CCPA), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act.

1. SCOPE AND ROLES OF THE PARTIES

  • Scope of Processing. This DPA applies exclusively to Crelate’s Processing of Client’s Personal Data in providing the Services under the Agreement to Client and to which Data Protection Laws apply.
  • Client as a Controller of Client’s Personal Data and Crelate as the Processor. Crelate processes Client’s Personal Data in connection with the Services on behalf of Client as a Data Processor or a Sub-Processor on behalf of Client, where the Client in turn processes Client’s Personal Data as a Data Controller or Data Processor respectively.
  • Crelate as a Controller of Client Account Data. The parties acknowledge that, regarding the processing of Client Account Data, Client is a controller and Crelate is an independent controller, not a joint controller with Client. Intercom will process Client Account Data as a controller (a) in order to manage the relationship with Client; (b) carry out Crelate’s core business operations; (c) in order to detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Services; (d) identity verification; (e) to comply with Crelate’s legal or regulatory obligations; and (f) as otherwise permitted under Data Protection Laws and in accordance with this DPA, the Agreement, and the Privacy Policy.

2. PROCESSING OF PERSONAL DATA

  • Personal Data Processing by Client. Client shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws, including any applicable requirements to provide notice to Data Subjects of the use of Crelate as Data Processor. The Client’s instructions for the Processing of Client’s Personal Data shall comply with Data Protection Laws. Client shall have sole responsibility for the accuracy, quality, and legality of Client’s Personal Data and the means by which Client acquired Client’s Personal Data. Client agrees that its use of the Services will not violate the rights of any Data Subject (e.g., a Data Subject that has opted-out from sales or other disclosures of Client Personal Data, to the extent applicable under the CCPA or any other applicable Data Protection Law). Further, Client will ensure that Crelate’s Processing of Client’s Personal Data, when done in accordance with Client’s instructions, will not cause Crelate to violate any applicable Data Protection Law.
  • Personal Data Processing by Crelate. Client appoints Crelate as a processor to Process Client’s Personal Data on behalf of, and in accordance with, Client’s instructions (i) as set forth in the Agreement, this DPA, and as otherwise necessary to provide the Services to Client (which may include investigating security incidents, and detecting and preventing exploits or abuse); (ii) Processing initiated by Client in its use of the Services; (iii) as necessary to comply with applicable law, including Data Protection Laws; and (iv) Processing to comply with other documented, reasonable instructions provided by Client where such instructions are consistent with the terms of the Agreement (collectively “Permitted Purposes”).

This DPA and the Agreement are the Client’s complete and final instructions at the time of signature of the Agreement to Client for the Processing of Client’s Personal Data. Any additional or alternate instructions must be agreed upon separately, provided they are consistent with the terms of the Agreement.

  • Lawfulness of Instructions. Client will ensure and warrant that its instructions comply with Data Protection Laws. Client acknowledges that Crelate is neither responsible for determining which laws are applicable to Client’s business nor whether Crelate’s Services meet or will meet the requirements of such laws. Client will ensure that Crelate’s processing of Client Personal Data, when done in accordance with Client’s instructions, will not cause Crelate to violate any applicable law, including Data Protection Laws. Crelate will inform Client if it becomes aware, or reasonably believes, that Client’s instructions violate applicable law, including Data Protection Legislation.
  • Details of the Processing. The subject-matter of Processing of Client’s Personal Data is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are further detailed in Schedule 1 to this DPA.
  • Client shall be responsible for ensuring that: a) all such notices have been given, and all such authorizations have been obtained, as required under Data Protection Laws, for Crelate (and its Sub-processors) to process Client Personal Data as contemplated by the Agreement and this DPA; b) it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including Data Protection Laws; and c) it has, and will continue to have, the right to transfer, or provide access to, Client Personal Data to Crelate for processing in accordance with the terms of the Agreement and this DPA.
  • EU-U.S. Data Privacy Framework. Crelate participates in and certifies compliance with the EU-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework, together, the “Data Privacy Framework”. As required by the Data Privacy Framework, Crelate will (i) provide at least the same level of privacy protection as is required by the Data Privacy Framework Principles; (ii) notify Client if Crelate makes a determination it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework Principles, and (iii) upon notice, take reasonable and appropriate steps to remediate unauthorized processing.

3. RIGHTS OF DATA SUBJECT

  • Crelate provides Client with a number of self-service features via the Services, including the ability to manage requests, delete, obtain a copy of, or restrict use of Client Personal Data. Client may use such self-service features to assist in complying with its obligations under Data Protection Laws with respect to responding to Third Party Requests from data subjects via the Services.

Upon Client’s written request, Crelate shall, taking into account the nature of the processing, provide reasonable assistance to Client where possible and at Client’s cost and expense, to enable Client to respond to requests from a data subject seeking to exercise their rights under Data Protection Laws.

In the event that such request is made directly to Crelate, Data Subject has provided information to identify the Client, and if Crelate can, through reasonable means, verify the Client as the controller of the Client’s Personal Data of a data subject, and unless Crelate is explicitly prohibited by law from notifying Client of the request, Crelate shall promptly inform Client of the same. As between the Parties, Client shall have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Client Personal Data.

  • In the event that either party receives (a) any request from a data subject to exercise any of its rights under Data Protection Law or (b) any Third Party Request relating to the processing of Client Account Data or Client Personal Data conducted by the other party, such party will promptly inform the other party in writing. The parties agree to cooperate, in good faith, as necessary to respond to any Third Party Request and fulfill their respective obligations under Data Protection Laws.

4. SECURITY AND CONFIDENTIALITY

  • Crelate Personnel. Client’s Personal Data is considered Confidential Information of Client (as defined in the Agreement). Crelate may disclose Client’s Personal Data to its employees, subcontractors, agents, directors, officers, and financial and legal advisors, but only to the extent such individuals require access to Client’s Personal Data to perform the Services. Crelate shall ensure its personnel engaged in the Processing of Client’s Personal Data are informed of the confidential nature of the Client’s Personal Data, have received appropriate training regarding their responsibilities, and have agreed to confidentiality agreements with equivalent confidentiality terms to the ones set out in the Agreement.
  • Security Measures. Crelate has implemented and documented appropriate administrative, technical, and physical measures to protect Client’s Personal Data against accidental or unlawful destruction, alteration, unauthorized disclosure or access. Crelate is committed to ensuring that such measures are appropriate to the nature of the Personal Data, to the harm that may result from such unauthorized or unlawful processing or accidental or unlawful loss, destruction, or damage (in particular to the rights and freedoms of Data Subjects) and shall have regard for the state of technological development and the costs of implementation. Crelate may change its technical and organizational measures at any time without notice. Crelate shall, in relation to the Client’s Personal Data, (a) take and document, as appropriate, reasonable measures required pursuant to Article 32 of the GDPR in relation to the security of Crelate and the platforms used to provide the Services as described in the Agreement. Client is solely responsible for its use of the Services, including (a) backing up Client Content and Client’s Personal Data; (b) making appropriate configuration and use of the Services to ensure a level of security appropriate to the risk in respect of Client Content and Client’s Personal Data; and (c) securing the account authentication credentials, as well as systems and devices Client uses to access the Services.
  • Personal Data Breach. Crelate will promptly and thoroughly investigate all allegations of unauthorized access to, use, or disclosure of Client’s Personal Data. Crelate will notify Client without any undue delay after becoming aware of any Personal Data Breach. To the extent legally permissible, Crelate shall provide Client with reasonable information in its possession (or in stages, as it becomes available) about the Personal Data Breach to assist the Client with its obligations under Data Protection Laws. Any such notification shall not be interpreted or construed as an admission of fault or liability by Crelate.

5. SUB-PROCESSORS

  • Authorized Sub-Processors. Client understands that effective operation of the Services may require the transfer of Client Personal Data to Crelate Affiliates, or to Crelate’s Sub-processors, see Schedule 3.

Client hereby authorizes the transfer of Client Personal Data to locations outside Europe (Crelate’s primary processing facilities are in the United States of America), including to Crelate Affiliates and Sub-processors, subject to continued compliance with this DPA throughout the duration of the Agreement.

Client hereby generally authorizes and agrees that Crelate may engage Sub-Processors in accordance with this Section 5 to provide Services on its behalf. Crelate shall either (i) provide Client with a list of all such Sub-Processors (initially attached here as Schedule 3 to this DPA) or (ii) list such Sub-Processors via a Client-accessible website.

  • Sub-Processor Obligations. Where Crelate utilizes any Sub-Processor as described herein:
  1. Crelate will restrict the Sub-Processor’s access to Client’s Personal Data only to what is necessary to maintain the Services offerings, and Crelate will prohibit the Sub-Processor from accessing Client’s Personal Data for any other purpose;
  2. Crelate will evaluate the security, privacy, and confidentiality practices of a Sub-Processor prior to selection to establish that it is capable of providing the level of protection of Client’s Personal Data required by this DPA;
  3. Crelate will enter into a written agreement with the Sub-Processor that contains data protection obligations equivalent to those in this DPA; and
  4. Crelate will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-Processor that cause Crelate to breach any of Crelate’s obligations under this DPA.
  • Notification of changes to Sub-processors. Crelate may, by giving reasonable notice to the Client, add to or change the Sub-processor List. Crelate will notify Client if it intends to add or replace Sub-processors from the Sub-Processor List at least 10 days prior to any such changes. If Client objects to the appointment of an additional Sub-processor within fifteen (15) calendar days of such notice on reasonable grounds relating to the protection of the Client Personal Data, then Crelate will work in good faith with Customer to find an alternative solution. If the parties are unable to find such a solution, Client may terminate the Agreement at no additional cost.

6. ASSESSMENTS AND AUDITS

6.1   Assessments. Crelate shall, to the extent required by Data Protection Laws, provide Client with reasonable assistance (at Client’s cost and expense) with data protection impact assessments or prior consultations with data protection authorities that Client is required to carry out under such legislation.

6.2   Auditor Access. Upon reasonable request from Client, Crelate will make available to Client and/or its appropriately qualified third-party representatives (together, the “Auditor”), access to reasonably requested documentation evidencing Crelate’s compliance with its obligations under this DPA in the form of the relevant audits or certifications listed in Crelate’s Security Policy. For purposes of this section, the parties intend that sufficient evidence of compliance shall include, unless expressly deemed insufficient by Data Protection Law, (i) certification by a third party, as to compliance with ISO 27001 or other standards implemented by Crelate; or (ii) an audit or attestation report of an independent third party.

6.3   Third-Party Auditor. Where the Auditor is a third-party, Crelate may object in writing to such Auditor, if in Crelate’s reasonable opinion, the Auditor is not suitably qualified or is a competitor of Crelate. Any such objection by Crelate will require Client to either appoint another Auditor or conduct the audit itself. Any expenses incurred by an Auditor in connection with any review of reports or an audit shall be borne exclusively by the Auditor.

6.4   Audits. The parties intend to rely on the provision of 6.1 to demonstrate Crelate’s compliance with this DPA and the provisions of Article 28 of the GDPR. When required under Data Protection Laws, and if Crelate’s compliance with the terms of this DPA cannot be demonstrated by means that are less burdensome on Crelate, Crelate will allow, at Client’s cost and expense, including without limitation, the costs and expenses of Crelate (billed at Crelate’s standard then current Professional Services hourly rates), for and contribute to audits, including inspections, conducted by the Auditor. The start date, duration and scope of an audit must be mutually agreed in advance by both parties. Such an audit shall be carried out during Crelate’s normal business hours and may not be carried out more than once a year (unless otherwise required under Data Protection Laws or by a regulatory authority). Client will give a reasonable advance notice of at least thirty (30) days of any audit to be conducted (such notice may be reduced to 15 working days in case an audit is requested by any relevant regulatory authority) and Client will make reasonable endeavors to avoid causing any damage or disruption to Crelate premises, equipment, and business in the course of such audit.

6.5   Audit and Auditor Obligations. Any audit personnel shall commit themselves to confidentiality by executing written confidentiality obligations and they may only access information that is strictly relevant to Client Personal Data and Crelate’s Services being provided to the Client and which excludes any information relating to the provision of services to other Crelate clients. Any direct security and penetration tests will be subject to express prior written authorization by Crelate and will require compliance with the then current relevant Crelate policies. Client must promptly disclose to Crelate any written report created, and any findings of non-compliance discovered, as a result of the audit.

7. INTERNATIONAL TRANSFER

  • Acknowledgment of data transfer. Customer acknowledges that Crelate and its Sub-processors may transfer and process Client Personal Data to and in the United States of America and other locations in which Crelate, its agents, vendors, contractors, or its Sub-processors maintain data processing operations, as more particularly described in the Sub-processor List.
  • Transfers of Personal Data. If, in the performance of the Services, Crelate is transferring Client’s Personal Data out of the EEA, Switzerland, or the UK, then such transfer will only take place if (i) the recipient is recognized by the European Commission (or in the case of transfers from Switzerland, the competent authority in Switzerland) as providing an adequate level of protection for personal data (a “Restricted Transfer”); or (ii) the transfer is covered by a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for personal data. For the purposes of such Restricted Transfers from Client to Crelate, the parties rely on Crelate’s certification under the EU-U.S. Data Privacy Framework, and the UK-US Data Privacy Framework (together, the “DPF”) operated by the U.S. Department of Commerce. To the extent that the DPF is invalidated or ceases to be an appropriate safeguard under Article 46 GDPR for transfers to the United States, then such transfer shall be subject to the appropriate Standard Contractual Clauses, which shall be deemed incorporated into and form part of this DPA, as follows:

In relation to transfers of Client Personal Data that is protected by the GDPR, the EU SCCs shall apply, completed as follows:

  1. Module Two (Controller-to-Processor) will apply where Crelate acts as Customer’s data processor; Module Three (Processor-to-Processor) will apply where Crelate acts as Customer sub-processor. For each Module, where applicable;
  2. Clause 7 (Docking clause), the optional docking clause will apply;
  3. Clause 9, Option 2 will apply and the time period for written notice of Sub-Processor List changes will be as set forth in Section 6 of this DPA;
  4. Clause 11, the optional clause will not apply;
  5. Clause 17, Option 1 will apply, the EU SCCs will be governed by Irish law;
  6. Clause 18, disputes will be resolved before the courts of Dublin, Ireland;
  7. Annex I of the EU SCCs is completed with the information set out in Schedule 1 of this DPA; and the Irish Data Protection Commission (‘DPC’) will be the competent supervisory authority;
  8. Annex II of the EU SCCs is completed with the information set out in Schedule 2 of this DPA; and
  9. Annex III of the EU SCCs is completed with the information in the Sub-Processors List in Schedule 3 of this DPA.

In relation to transfers of Client Personal Data that is protected by the GDPR, the EU SCCs shall apply, completed as follows:

  1. Module One will apply;
  2. in Clause 7 (Docking clause), the optional docking clause will apply;
  3. in Clause 11, the optional language will not apply;
  4. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
  5. in Clause 18, disputes shall be resolved before the courts of Ireland;
  6. Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 1 to this DPA; and
  7. Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 2 to this DPA;
  • UK International Data Transfer Agreement. Where a Restricted Transfer is made from the UK to the United States, the UK Addendum is incorporated into this DPA and completed with:
  1. In Table 1, the Parties’ details and key contact information is located in Annex II;
  2. In Table 2, information about the version of the approved, modules, and selected clauses which this Addendum is appended to is located in Annex I;
  3. In Table 3, the list of Parties is located in Annex II, the description of the transfer is located in Annex II, the technical and organizational measures are located in Annex III, and the list of sub-processors is located in the Sub-Processor List;
  4. In Table 4, both the importer and exporter are selected.
  • Alternative Transfer Mechanism. To the extent that Crelate adopts an alternative data export mechanism (including any new version of or successor to the DPF or Standard Contractual Clauses adopted pursuant to Data Protection Laws) (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall upon notice to Client and an opportunity to object, apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Data Protection Laws applicable to Europe and extends to territories to which Client Personal Data and Client Account Data is transferred).

8. DELETION OF PERSONAL DATA

8.1 Upon termination or expiration of this Agreement, Crelate will delete all Client Personal Data in its possession or control as soon as reasonably practical and within a maximum of 180 days of termination or expiry of the Agreement, save that this requirement will not apply to the extent that Crelate is required by applicable law to retain some or all of the Client Personal Data, or to Client Personal Data it has archived in logs or in back-up systems, which Crelate will securely isolate and protect from any further processing, except to the extent required by applicable law.

9. CALIFORNIA ADDITIONAL TERMS (only if applicable)

9.1   The definition of Data Protection Laws includes the CCPA. As defined under the CCPA and for purposes of this CCPA Addendum, Crelate is a Service Provider, and Client is a Business. Client appoints Crelate as Service Provider to process and store the Personal Information of prospective employees, employees, or independent contractors for the purpose of providing the Services in accordance with the Agreement, which includes the following business purposes under the CCPA:

A. Helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes.

B. Debugging to identify and repair errors that impair existing intended functionality.

C. Performing services on behalf of the business, including maintaining or servicing accounts, providing Client service, processing or fulfilling orders and transactions, verifying Client information, processing payments, providing analytic services, providing storage, or providing similar services on behalf of the business.

D. Undertaking internal research for technological development and demonstration.

  • Each Party is responsible for compliance with their obligations under the CCPA. Client will ensure that Client has provided notice and has obtained (or shall obtain) all consents and rights necessary under the CCPA for Crelate to process and store Personal Information for the Services. Client may take reasonable and appropriate steps, at Client’s cost, to ensure that Crelate is complying with CCPA obligations with respect to the Personal Information processed under the Agreement.
  • Crelate will direct People to submit privacy rights requests under the CCPA to Client or promptly forward requests that Crelate receives to Client for review and determination of the response. If necessary, Crelate will use reasonable efforts to assist Client with carrying out the response or enable Client to comply with the privacy rights request under the CCPA. If Client receives any correspondence, inquiry, or complaint from a Consumer, the California Attorney General, the California Privacy Protection Agency or other regulator in connection with processing of the Personal Information under this Agreement, Client will provide Crelate with a copy of the communication, if Client is permitted to do so under the law. Crelate will provide reasonable assistance as necessary for Client’s response.

9.4   Crelate will process, retain, use, and disclose Personal Data only as necessary to provide the Services under the Agreement, which constitutes a legitimate business purpose. Crelate agrees not to (a) sell (as defined by the CCPA) Client’s Personal Data or Client’s People Personal Data; (b) retain, use, or disclose Client’s Personal Data for any commercial purpose (as defined by the CCPA) other than providing the Services; or (c) retain, use, or disclose People’s Personal Data outside of the scope of the Agreement. Crelate understands its obligations under the applicable Data Protection Laws and will comply with them.

10. LIABILITY

10.1 Each party’s liability taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Agreement.

11. MISCELLANEOUS

11.1 This DPA, including the EU SCCs, may be executed in counterparts, each of which is deemed an original, but all of which together are deemed to be one and the same agreement. In the event of a conflict or inconsistency between the Agreement, this DPA and the EU SCCs, the terms of the EU SCCs will prevail.

  • The parties agree that this DPA shall replace and supersede any prior data processing addendum that Intercom and Customer may have previously entered into in connection with the Services.
  • In the event (and to the extent only) of a conflict (whether actual or perceived) among Data Protection Laws, the parties (or relevant party as the case may be) shall comply with the more onerous requirement or standard which shall, in the event of a dispute in that regard, be solely determined by Crelate.
  • Notwithstanding anything else to the contrary in the Agreement and without prejudice to Section 1 (Scope) Crelate reserves the right to make any modification to this DPA as may be required to comply with Data Protection Laws.
  • Any claims brought in connection with this DPA will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Agreement.

SCHEDULE 1 – Annex 1

DESCRIPTION OF THE PROCESSING/TRANSFER

  1. List of Parties
Data Exporter Name: The party identified as Client in the Agreement
Address: As set forth in the Agreement
Contact Person’s name, position, and contact details: As set forth in the Agreement
Activities relevant to the data transferred under these Clauses: See below
Signature and Date: This Annex I shall automatically be deemed executed when the Agreement is executed by Customer.
Role: Controller

Data Importer Name: Crelate, Inc.
Address: As set forth in the Agreement
Contact Person’s name, position, and contact details: Crelate Security and Privacy Team – [email protected]
Activities relevant to the data transferred under these Clauses: See below
Signature and Date: This Annex I shall automatically be deemed executed when the Agreement is executed by Crelate.
Role: Processor

  1. Details of the Processing

Crelate will Process Client’s Personal Data as necessary to provide the Services under the Agreement. Crelate will Process Client’s Personal Data as a Data Processor in accordance with the Client’s instructions set forth in this DPA.

Categories of Data Subjects whose personal data is transferred:
  • Module 1 (Controller to Controller): Client’s Authorized Users or contact persons of the Client prospects, customers, candidates, business partners and vendors.
  • Module 2 and 3 (Controller to Processor and Processor to Processor): Client’s Authorized Users and People.

Categories of Personal Data transferred:
  • Module 1 (Controller to Controller): Client Account Data which includes Personal Data, such as name and contact information as well as Client billing address.
  • Module 2 and 3 (Controller to Processor and Processor to Processor): Any Client Personal Data processed by Crelate in connection with the Services and which could constitute any type of Personal Data including, without limitation, resumes, documents, emails, record data, username, password, email address, IP address as well as attribute data, website page view data, usage and click data.

Sensitive data transferred (if applicable): Human Resources Data

Frequency of the transfer: Continuously through the duration of the Agreement.

Nature and purpose(s) of the data transfer and Processing

Module 1 (Controller to Controller): Crelate will Process Client’s Personal Data as long as required (a) to provide the Services to Client; (b) for Crelate’s lawful and legitimate business needs; or (c) in accordance with applicable law or regulation. Client Account Data will be stored in accordance with the Crelate Privacy Policy.

Module 2 and 3 (Controller to Processor and Processor to Processor): Client Personal Data will be subject to the following basic processing activities: Crelate provides a talent platform to facilitate recruiting, hiring, onboarding, interactions and engagement between the Client Authorized Users, and People. Crelate will process personal data as necessary to provide the Services under the Agreement. Crelate does not sell Client Personal Data and does not share Authorized Users or People data with third parties for compensation or for those third parties’ own business interests.

Retention period (or, if not possible to determine, the criteria used to determine the period)

Module 1 (Controller to Controller): Client Account Data will be processed to manage the account, including to access Client’s account and billing information, for identity verification, to maintain or improve the performance of the Services, to provide support, to investigate and prevent system abuse, or to fulfill legal obligations.

Module 2 and 3 (Controller to Processor and Processor to Processor): Upon termination or expiration of this Agreement, Crelate will delete all Client Personal Data in its possession or control as soon as reasonably practical and within a maximum of 180 days of termination or expiry of the Agreement, save that this requirement will not apply to the extent that Crelate is required by applicable law to retain some or all of the Client Personal Data, or to Client Personal Data it has archived in logs or in back-up systems, which Crelate will securely isolate and protect from any further processing, except to the extent required by applicable law.

For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing

Module 2 and 3 (Controller to Processor and Processor to Processor): Crelate will restrict the onward sub-processor’s access to Client Personal Data only to what is necessary to provide the Services, and Crelate will prohibit the sub-processor from processing the Client Personal Data for any other purpose.

Crelate imposes contractual data protection obligations, including appropriate technical and organizational measures to protect personal data, on any sub-processor it appoints that require such sub-processor to protect Client Personal Data to the standard required by Applicable Data Protection Legislation.

Identify the competent supervisory authority/ies in accordance with Clause 13: As set forth in this DPA

SCHEDULE 2

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Taking into account the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks to the rights and freedoms of the Data Subjects, Crelate defines and implements the appropriate technical and organizational measures to help ensure a level of security of the Client’s Personal Data that Crelate Processes on behalf of the Client which are adapted to the risk.

Further details of Crelate’s technical and organizational security measures to protect Client Account Data, Client Personal Data, and Client Content are available here.

The Crelate Security Policy will serve as Annex II to the Standard Contractual Clauses.

SCHEDULE 3

AUTHORIZED SUB-PROCESSORS

In Clause 9 of the 2021 Standard Contractual Clauses, Option 2 will apply and the time period for prior notice of sub-processor changes will be as set forth in Section 5.3 (Notification of Sub-processor Changes) of this DPA.

The current list of Sub-Processors is available here: (the “Sub-Processor List”). The Sub-Processor List will serve as Annex III to the Standard Contractual Clauses.

 

Company | Location | Description
Microsoft Azure | United States | Cloud Hosting
DataDog | United States | Server and Performance Monitoring
Cloudflare | United States, Global | WAF and CDN
Mailgun | United States | Email Communication Services
Plivo | United States | SMS Communication Services
Dropbox Sign | United States | eSignature Processing
rChilli | United States | Resume Parsing Services
People Data Labs | United States | Data Enrichment Services
Intercom | United States | Client Support
