Data Processing Addendum

These terms were last updated on May 18, 2021.

This Data Processing Addendum is supplemental to and forms part of GoHire’s Terms of Service found on GoHire’s website at www.gohire.io/terms (“Agreement”), between GoHire Technologies Ltd (“GoHire”) and the customer entity that is party to the Agreement (“Data Controller”).

In consideration of the mutual rights and obligations adopted in this addendum and in further consideration of the mutual rights and obligations in the Agreement, GoHire and the Data Controller hereby agree as follows:

1. Definitions

1.1. In this addendum:

1.1.1. Controller, Processor, Data Subject, Personal Data, Personal Data Breach, processing and appropriate technical and organisational measures shall have the meanings set out in the Data Protection Legislation.

1.1.2. Data Protection Legislation: means all applicable data protection and privacy legislation in force from time to time in the UK including the Data Protection Act 2018 (and regulations made thereunder); the UK GDPR (which has the meaning given to it in the Data Protection Act 2018); and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.

1.1.3. Protected Data means Personal Data received by GoHire from or on behalf of the Data Controller in connection with the Agreement, or in respect of applicants using GoHire’s website to apply for employment with or hire by the Data Controller.

2. Compliance with Data Protection Legislation

2.1. The parties agree that the Data Controller is a Controller and that GoHire is a Processor for the purposes of processing Protected Data pursuant to this addendum. GoHire shall process Protected Data in compliance with the obligations placed on it under Data Protection Legislation and this addendum. Should the determination in this clause change, then each party shall work together in good faith to make any changes which are necessary to this addendum. Part A of this addendum sets out the scope, nature and purpose of processing by GoHire, the duration of the processing and the types of Personal Data and categories of Data Subject.

2.2. The Data Controller shall ensure that all instructions given by it to GoHire in respect of Protected Data (including the terms of this addendum) shall at all times be in accordance with Data Protection Legislation. Without prejudice to the generality of the foregoing, the Data Controller will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Protected Data to GoHire for the duration and purposes of this addendum.

3. Instructions

3.1. GoHire shall only process the Protected Data in accordance with this addendum (and not otherwise unless alternative processing instructions are agreed between the parties in writing) except where otherwise required by applicable law (and shall inform the Data Controller of that legal requirement before processing, unless applicable law prevents it doing so on important grounds of public interest). If GoHire believes that any instruction received by it from the Data Controller is likely to infringe the Data Protection Legislation it shall promptly inform the Data Controller.

4. Security

4.1. GoHire shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Protected Data and against accidental loss or destruction of, or damage to, Protected Data, which is appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it) so as to allow the Data Controller to comply with its obligations under the Data Protection Legislation.

5. Sub-processing and personnel

5.1. The Data Controller hereby provides its prior, general authorisation for GoHire to appoint processors to process the Protected Data, including initially those sub-processors set out in Part B, provided that GoHire:

5.2. shall ensure that the terms on which it appoints such processors comply with the Data Protection Legislation, and are consistent with the obligations imposed on GoHire in this

5.3. shall remain responsible for the acts and omission of any such processor as if they were the acts and omissions of GoHire;

5.4. shall inform the Data Controller of any intended changes concerning the addition or replacement of the processors, thereby giving the Data Controller the opportunity to object to such changes provided that if the Data Controller objects to the changes and cannot demonstrate, to GoHire’s reasonable satisfaction, that the objection is due to an actual or likely breach of the Data Protection Legislation, the Data Processor shall indemnify GoHire for any losses, damages, costs (including legal fees) and expenses suffered by GoHire in accommodating the objection.

5.5. GoHire shall ensure that all persons authorised by GoHire (or any authorised sub-processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential.

6. Assistance

6.1. GoHire shall:

6.2. notify the Data Controller without undue delay if it receives from any Data Subject whose Personal Data forms part of the Protected Data any communication seeking to exercise rights conferred on the Data Subject by the Data Protection Legislation, or any complaint or any claim for compensation arising from or relating to the processing of the Protected Data;

6.3. provide such information and such assistance to the Data Controller as the Data Controller may reasonably require insofar as this is reasonably possible (taking into account the nature of the processing and the information available to GoHire), and at the Data Controller’s cost, to allow the Data Controller to comply with its obligations under the Data Protection Legislation, including to:

6.3.1 assist the Data Controller in ensuring compliance with the Data Controller’s obligations pursuant to Articles 32 to 36 of the UK GDPR (and any similar obligations under applicable Data Protection Legislation);

6.3.2 assist the Data Controller (by appropriate technical and organisational measures), insofar as this is reasonably possible, for the fulfilment of the Data Controller’s obligations to respond to requests for exercising a Data Subjects’ rights under Chapter III of the UK GDPR (and any similar obligations under applicable Data Protection Legislation) in respect of any Protected Data.

7. International transfers

7.1. The Data Controller hereby provides its prior, general authorisation for GoHire to transfer Protected Data outside of the UK, provided that GoHire shall ensure that all such transfers are affected in accordance with the Data Protection Legislation. For these purposes, the Data Controller shall promptly comply with any reasonable request of GoHire, including any request to enter into standard data protection clauses adopted by the Information Commissioner from time to time (where the UK GDPR applies to the transfer.

8. Processing

8.1. GoHire shall keep or cause to be kept such information as is necessary to demonstrate compliance with its obligations under this addendum including full and accurate records relating to the processing of the Protected Data and shall, upon reasonable notice, make available to the Data Controller or grant to the Data Controller and its auditors and agents, a right of access to and to take copies of any information or records kept by GoHire pursuant to this paragraph.

9. Breach

9.1. GoHire shall notify the Data Controller without undue delay on becoming aware of any Personal Data Breach in respect of any Protected Data.

10. Deletion/return

10.1. GoHire shall on expiry or termination of the Agreement or otherwise on written notice from the Data Controller, promptly and securely delete the Protected Data (unless its continued storage by GoHire is required by law). This paragraph shall survive termination or expiry of the Agreement.

10.2. The Data Controller shall have the option at any time to pause their account rather than terminate it. In these circumstances, the Protected Data will not be deleted but will be retained on behalf of the Data Controller until the Agreement expires or is terminated.

Part A

Data processing details

Processing of the Protected Data by the Data Processor under this addendum shall be for the subject-matter, duration, nature and purposes and involve the types of personal data and categories of Data Subjects set out in this Part A.

1 Subject-matter of processing:

Provision of an online recruiting solution that distributes job advertisements, as described further in the Agreement

2 Duration of the processing:

Personal Data will be retained for twelve months unless the Data Controller has stipulated otherwise.

3 Nature and purpose of the processing:

The collection, recording, processing and erasure of the Protected Data to comply with the Data Processor’s obligations in the Agreement

4 Type of Personal Data:

Name, Email, Phone Number, IP Address, Resume/CV, Work History, and Responses to Screening Questions of applicants using GoHire’s website to apply for employment with or hire by the Data Controller

5 Categories of Data Subjects:

Website Visitors

Job Applicants

Trialists

Customers

Part B

List of Initial Approved Sub-processors

Third Party Service Purpose Country Website
Amazon Web Services Data hosting UK https://aws.amazon.com/
Intercom Customer Services Online live chat provider US https://www.intercom.com/
HubSpot Customer relationship management US https://www.hubspot.com/
Stripe Payment processing EU https://stripe.com/
Google Analytics Track website activity EU https://analytics.google.com/
Google Cloud API Integrate applications into the cloud EU https://cloud.google.com/apis/
Canny Customer relationship management US https://canny.io/

GoHire standard features