This Data Processing Addendum ("DPA") is incorporated into and forms part of the Agreement between Hireloop Inc. ("Hireloop") and the Customer ("Customer") for the provision of Services by Hireloop to the Customer. This DPA reflects the parties' agreement with respect to the processing of Personal Data in accordance with EU data protection laws.

1. Definitions

For the purposes of this DPA:

• "Controller" means the entity which determines the purposes and means of the processing of Personal Data.

• "Processor" means the entity which processes Personal Data on behalf of the Controller.

• "Personal Data" means any information relating to an identified or identifiable natural person.

• "Customer Personal Data" means any Personal Data provided by or on behalf of the Customer through the use of the Services.

• "Data Protection Laws" means all laws and regulations protecting the privacy and personal data of individuals, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR").

• 
  

"Standard Contractual Clauses" means the standard data protection clauses adopted by the European Commission for the transfer of Personal Data to processors in non-EU/EEA countries.

2. Scope and Applicability

This DPA applies to the processing of Customer Personal Data by Hireloop in connection with the provision of the Services under the Agreement. In the event of any conflict between this DPA and the Agreement, the terms of this DPA shall prevail.

3. Roles and Responsibilities

The Customer acts as the Controller of Customer Personal Data, and Hireloop acts as the Processor. The Customer is responsible for ensuring that all necessary consents and notices have been provided, permitting Hireloop to process Customer Personal Data.

4. Processing of Personal Data

Hireloop shall process Customer Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which Hireloop is subject. In such a case, Hireloop shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

Hireloop shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures listed in Annex II of this DPA.

5. Use of Subprocessors

Hireloop shall not engage any third party to process Customer Personal Data (a "Subprocessor") without the prior specific or general written authorization of the Customer. Hireloop maintains a list of Subprocessors at Hireloop's Subprocessor Page. Hireloop shall notify the Customer of any changes to this list at least 30 days in advance, providing the Customer with the opportunity to object.

Hireloop shall enter into a written agreement with each Subprocessor, imposing data protection obligations substantially similar to those set out in this DPA. Hireloop shall remain liable for the acts and omissions of its Subprocessors to the same extent Hireloop would be liable if performing the services of each Subprocessor directly under the terms of this DPA.

6. Data Subject Rights

Taking into account the nature of the processing, Hireloop shall assist the Customer by implementing appropriate technical and organizational measures, insofar as possible, to fulfill the Customer's obligations to respond to requests to exercise Data Subject rights under the GDPR. Hireloop shall promptly notify the Customer if it receives a request from a Data Subject under any Data Protection Law with respect to Customer Personal Data, and shall not respond to the Data Subject request itself, unless authorized to do so by the Customer.

7. Data Security

Hireloop shall ensure that it has implemented appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, but are not limited to, pseudonymization and encryption of Customer Personal Data, ensuring confidentiality, integrity, availability, and resilience of processing systems and services, and regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures.

8. Security Incident Notification

In the event of a Security Incident, Hireloop shall notify the Customer without undue delay and in any event within 72 hours of becoming aware of the Security Incident. Hireloop shall provide the Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Security Incident under Data Protection Laws. Hireloop shall cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of each such Security Incident.

9. International Data Transfers

Hireloop shall not transfer Customer Personal Data outside the European Economic Area (EEA) unless it has taken such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Laws. Such measures may include (without limitation) transferring the Customer Personal Data to a recipient in a country that the European Commission has determined provides adequate protection for personal data, or to a recipient that has executed Standard Contractual Clauses adopted or approved by the European Commission.

10. Retention and Deletion

Upon termination or expiration of the Agreement, Hireloop shall, at the Customer’s election, delete or return to the Customer all Customer Personal Data (including copies) in its possession, save to the extent that Hireloop is required by applicable law to retain some or all of the Customer Personal Data. In such event, Hireloop shall extend the protections of this DPA to such Customer Personal Data and limit further processing to that required by the applicable law.

11. Audit Rights

Hireloop shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer. Such information and audit rights shall be exercised solely to extent required by Data Protection Laws.

12. Data Protection Impact Assessment and Prior Consultation

Hireloop shall, upon the Customer's request, provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Customer reasonably considers to be required by Article 35 or 36 of the GDPR, in each case solely in relation to processing of Customer Personal Data by, and taking into account the nature of the processing and information available to, Hireloop.

13. Governing Law and Jurisdiction

This DPA is governed by the laws of the country or territory stipulated for this purpose in the Agreement, or if no such jurisdiction is stipulated, the laws of Ireland. Any disputes arising in connection with this DPA shall be brought before the courts of Ireland.