Data Processing Agreement
Latest Update: October 1st, 2024
This Data Processing Addendum (“DPA”) supplements any associated services agreements or Order Forms (the “Agreement”) agreed between the Idalto entity you entered into the Agreement with (“Service Provider” or “Bryq”) and the party identified in the Agreement (“you”, or the “Company”) into which this DPA is incorporated by reference (each of Bryq and the Company referred to as a “Party” and together the “Parties”).
WHEREAS
(A) In the context of the provision of its services to the Company, the Service Provider may access, collect, store and/or otherwise process, Personal Data of the Company.
(B) Pursuant to Article 28 of the GDPR, when a Data Controller engages a Data Processor, the relevant engagement must be made by means of a written agreement that sets forth certain obligations and sufficient guarantees on the part of the Data Processor as regards the confidentiality and security of Personal Data.
(C) This Data Processing Agreement sets out the framework for the Processing of Personal Data by the Service Provider on behalf of the Company. It defines the principles and procedures that the Parties shall adhere to and the responsibilities the Parties owe to each other. The provisions of the Services Agreement apply in full to this Data Processing Agreement. In case provisions with regard to the processing of Personal Data are included in the Agreement, the provisions of this Data Processing Agreement prevail.
Now, therefore, the Parties agree as follows:
Article 1: Definitions
In this Data Processing Agreement, the following terms shall have the following meanings:
“Data Processing Agreement” means this written agreement, including its Annexes;
“Data Protection Laws” means all applicable privacy and data protection laws including the GDPR, UK GDPR, and any applicable national implementing laws, regulations and secondary legislation relating to the processing of Personal Data and the privacy of electronic communications, as amended, replaced or updated from time to time;
“Data Subject”, “Data Controller”, “Data Processor”, “Special categories of data” shall have the same meaning as in the GDPR;
“Data Transfer” shall mean any transfer of the Personal Data by the Service Provider to any party located outside the EU/EEA, which includes, among others, the sending, the giving access to and/or the storage of the Personal Data to equipment (such as servers and data centers) located outside the EU/EEA;
“GDPR” or “General Data Protection Regulation” means Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data;
“Personal Data” means any information relating to an identified or identifiable natural person which is Processed within the scope of the Services Agreement and is described in Annex A of this Data Processing Agreement;
“Personal Data Breach” is defined as any breach of security in the electronic systems and/or the hard copy files of the Service Provider which may lead to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, including attacks to the Service Provider’s IT systems;
“Processing” shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “Processed” will have a corresponding meaning;
“Purpose of Processing” shall mean the reason for which the Personal Data are Processed, the goal to be achieved through the Processing;
“Services Agreement” shall mean the Bryq Terms of Service (as these are defined in the Services Order Form signed between the two parties) pursuant to which the Service Provider has undertaken to provide talent intelligence services through the Bryq platform;
“Sub-processor” means any third party engaged by the Service Provider, or its Sub-processor, to Process Personal Data on behalf of the Company;
“UK GDPR” means the UK’s version of the GDPR which has been amended and transposed into the UK law by way of the Data Protection Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419).
“Notification Contacts” refers to the contact or contacts from each Party that are to be notified when required by this DPA. For Bryq, the notification contact is the DPO at dpo@bryq.com. For the Company, any notifications will go to all the Company’s users who are registered in the Bryq app with the role of “administrator”.
Article 2: Appointment of Service Provider
Pursuant to the provisions and requirements of the GDPR, the Company, which is the Data Controller of the Personal Data:
(i) appoints the Service Provider as Data Processor of the Personal Data and the Service Provider hereby accepts this appointment; and
(ii) assigns to the Service Provider and the Service Provider undertakes to collect, use, store, keep and otherwise Process the Personal Data only to the extent necessary for the provision of services to the Company under the Services Agreement and upon condition that the Service Provider Processes the Personal Data only on documented instructions from the Company and on behalf of the latter. The nature, subject-matter and Purposes of the Processing are defined in detail in Annex A of this Data Processing Agreement.
Article 3: Obligations of the Parties
3.1 The Company represents and warrants that it complies with the Data Protection Laws as regards the Processing of the Personal Data. The Company will indemnify and hold the Service Provider harmless against any and all claims of third parties, those of the data protection authority in particular, resulting in any way from not complying with this guarantee.
3.2 The Service Provider represents and warrants to the Company the following:
3.2.1 General obligations
The Service Provider shall (i) Process the Personal Data in conformity with the Data Protection Laws and according to the Company’s lawful and reasonable instructions, and (ii) shall not use the Personal Data for its own advantage and benefit, including use for promotional activities, sale and/or access of the Personal Data by third parties (including affiliates of the Service Provider, unless the Service Provider has given prior written notice to the Company).
3.2.2 Security of the Personal Data
The Service Provider shall:
(i) ensure that any persons involved in the Processing of the Personal Data, including the Service Provider’s employees and sub-contractors, shall make binding commitments towards the Service Provider to maintain the confidentiality of the Personal Data.
(ii) take all appropriate technical and organisational measures necessary to ensure the security of the Personal Data. The minimum technical and organisational measures and certifications that the Service Provider is required to maintain throughout the provision of its services to the Company and throughout the term of the Services Agreement and the Data Processing Agreement are set forth in Annex B of this Data Processing Agreement.
3.2.3 Appointment of Sub-Processor
3.2.3.1 The Company hereby gives the Service Provider a general consent to engage Sub-processors for Processing of Personal Data on behalf of the Company. Service Provider shall make details of its Sub-processors available to the Company in Annex A. Where Service Provider intends to add a new Sub-processor it shall send a notification of the change in writing to the email addresses of the Notification Contacts of the Company and make details of such new Sub-processor available on the Website at least 30 days (“Sub-processor Notice Period”) before transferring any personal data to a new Sub-processor. Company shall notify Service Provider during the Sub-processor Notice Period if it objects to the new Sub-processor. If the Company does not object to the Sub-processor during the Sub-processor Notice Period, the Company shall be deemed to have accepted the Sub-processor. If the Company has raised a reasonable objection to the new Sub-processor during the Sub-processor Notice Period, Service Provider may appoint another Sub-processor on an agreed basis to respond to such objection. During the Sub-processor Notice Period, the Service Provider shall not transfer any Personal Data to the Sub-processor.
3.2.3.2 The Service Provider shall enter into appropriate written agreements with all of its Sub-processors on terms substantially similar to this DPA, including without limitation the Company’s right to conduct audits at the Sub-processor in accordance with Section 3.2.6 below, or ensure that the Sub-processor will conduct audits using external auditors at least once per year. The Service Provider shall remain fully liable to the Company for the performance or non-performance of the Sub-processor’s obligations.
In case the Sub-processor is established outside the EU/EEA, article 3.2.4 below shall apply.
3.2.4 Data Transfers outside the EU/EEA
The Service Provider shall not proceed to any Data Transfer, including any Data Transfer to any sub-contractor/sub-processor, unless the following conditions are cumulatively met: (i) the Company grants its prior authorisation on the Data Transfer; and (ii) the Data Transfer is based on appropriate safeguards under the provisions of the GDPR, such as the existence of an adequacy decision by the European Commission on the level of the data protection offered in the country of location of the sub-contractor/sub-processor or the execution with such party of the standard contractual clauses adopted by the European Commission.
For avoidance of doubt, prior authorisation under item (i) above shall be deemed granted when Sub-processor is mentioned in Schedule A, Section 4 of this Agreement.
3.2.5 Personal Data Breach
3.2.5.1 The Service Provider shall notify the Company within 48 hours from the time that the Service Provider has become aware of any Personal Data Breach in the files, systems and/or networks of the Service Provider or of any of its sub-contractors. Said notification must be effected in writing to the email addresses of the Notification Contacts of the Company.
3.2.5.2 The Service Provider will, insofar as reasonable, provide all reasonable cooperation requested by Company in order for Company to comply with its legal obligations relating to the identified incident.
3.2.5.3 The Service Provider will, insofar as reasonable, assist Company with Company’s notification obligation relating to the Personal Data to the Data Protection Authority and/or the Data Subject, as meant in Articles 33(3) and 34(1) of the GDPR. Service Provider is never obliged to report a Personal Data Breach to the Data Protection Authority and/or the Data Subject itself.
Service Provider will not be responsible and/or liable for the (timely and correct) fulfilment of the notification obligation towards the relevant supervisory authority and/or Data Subjects, as meant in Articles 33 and 34 of the GDPR.
The Company may request from the Service Provider to provide to the Company any other information that the latter deems necessary in order to comply with its obligation arising from the Data Protection Laws, including its obligation to notify the Personal Data Breach to the supervisory authority, to communicate the Personal Data Breach to the Data Subjects and to mitigate any further risks to the Data Subjects.
3.2.5.4 As soon as the Service Provider becomes aware of a Personal Data Breach in the files, systems and/or networks of the Service Provider or of any of its sub-contractors, it should immediately take all the appropriate actions to investigate the Personal Data Breach and should implement all necessary measures to efficiently address the Personal Data Breach, minimize any possible adverse effects and prevent or limit further breaches and dissemination of the Personal Data.
3.2.5.5 The Service Provider shall assist the Company in ensuring compliance with the Company’s obligations as a result of the Personal Data Breach in accordance with the Data Protection Laws, including the obligation to notify the incident to the supervisory authority, communicate the breach to the Data Subjects and mitigate the adverse effects of the Personal Data Breach.
3.2.5.6 The Service Provider shall ensure that its employees and sub-contractors keep the incident of the Personal Data Breach confidential.
3.2.5.7 In case of a Personal Data Breach that has occurred in the files, systems and/or networks of the Service Provider and/or of its sub-contractors, the Company is entitled to request from the Service Provider compensation for any direct damages, loss of profits and reputational damage arising from the Personal Data Breach, including any administrative fines imposed on the Company by the data protection authority or any other supervisory or regulatory authority.
3.2.6 Assistance for compliance with the GDPR
The Service Provider shall:
(i) assist the Company in ensuring compliance with the latter's obligations under the Data Protection Laws, taking into account the nature of the Processing carried out by the Service Provider and the information available to the Service Provider, especially the obligation of the Company to respond to the requests of the Data Subjects and the security of the Personal Data. For the purposes of this assistance, the Service Provider shall provide the Company with all necessary information, or shall proceed itself, following instructions from the Company, to provide access to, rectify or erase, the Personal Data that are the subject-matter of its Processing activities. In addition, the Service Provider shall immediately notify the Company if, in the Service Provider’s view, an instruction violates the Data Protection Laws.
(ii) notify and forward to the Company any requests filed by individuals to the Service Provider in relation to the Processing of the Personal Data and any complaints of said individuals, within five (5) working days from receipt.
(iii) shall make available to the Company all information necessary to demonstrate the Service Provider’s compliance with its obligations under the Data Protection Laws and under this Data Processing Agreement and shall allow the Company to carry out regular audits and inspections of its premises and IT systems, without any additional cost. Such audits will be carried out following the provision of reasonable written notice and not more than once in any twelve (12) month period, unless the Company is required to do so in order to fulfil its obligations under Data Protection Law or to comply with a decision imposed against the Company by a supervisory authority or a competent court of justice.
(iv) shall maintain a written record of Processing activities relating to the Personal Data Processing activities conducted for the provision of services by the Service Provider to the Company pursuant to the requirements of Article 30 of the GDPR.
(v) shall, within three (3) months from the expiry or the termination of this Data Processing Agreement, deliver to the Company in electronic copy or any other format determined by the Company, the entirety of the Personal Data in the Service Provider's possession and, following that, the Service Provider shall erase such data from its records. To this end, the Service Provider shall declare to the Company in writing and within the same time frame that the Service Provider has delivered all Personal Data to the Company and that it retains no other Personal Data or copies of the Personal Data in its files.
Article 4: Duration
The term of this Data Processing Agreement shall commence on the date of its execution and shall continue until the termination of the Services Agreement.
Article 5: Liability
5.1 In case of breach of this Data Processing Agreement or the Data Protection Laws attributed to malice or negligence of the Service Provider, the Company may terminate this Data Processing Agreement and/or claim any direct damages and/or loss of profits arising from said breach, including any administrative fines that may be imposed on the Company by the competent Data Protection Authority or any other supervisory authority due to said breach. The liability of each Party under this DPA shall be subject to the exclusions and limitations of liability set out in the Services Agreement.
5.2 In case of claims by a Data Subject or financial penalties imposed by supervisory authorities or other competent authorities, the Company shall, where this would not jeopardize the Company’s defense: (a) notify the Service Provider promptly in writing of any such potential or pending claims or penalties; (b) use reasonable endeavors to reduce or avoid such claims or penalties; (c) allow the Service Provider to comment on any response, settlement, defense or appeal in relation to such claim; and (d) to a reasonable extent provide the Service Provider with information in relation to the same.
Article 6: Miscellaneous
6.1 Any existing agreement of the Parties in relation to the Processing of the Personal Data is replaced by this Data Processing Agreement.
6.2 Any disputes arising from or in connection with this Data Processing Agreement shall be governed by the laws of Cyprus and shall be subject to the exclusive jurisdiction of the Courts of Nicosia, Cyprus.
ANNEX A
BASIC PERSONAL DATA PROCESSING INFORMATION
1. Subject matter, nature and Purpose of the Processing
We collect personal data in order to be able to contact candidates and employees, get their response to surveys and questionnaires and provide reports to our customers.
2. Duration of the Processing
For candidates, we maintain their data on record for 24 months.
For employees, we maintain their data on record for the duration of our engagement with the customer.
3. Categories of Data Subjects and types of Personal Data
Data Subjects are:
Candidates
Employees
The types of personal data we maintain are:
Name (incl. first name, last name)
Contact details (e-mail address)
Job application data (incl. information on the professional career, education and qualifications of candidates)
4. Sub-processors
The current list of sub-processors is available on https://www.bryq.com/subprocessors and may be amended from time to time according to clause 3.2.3 of this DPA.
ANNEX B
MINIMUM TECHNICAL & ORGANISATIONAL MEASURES
The Service Provider needs to be able to prove that it implements an applicable and recognized cybersecurity standard, framework and/or scheme and applies at least the following technical and organizational measures while Processing the Personal Data and throughout the duration of this Data Processing Agreement, in order to ensure an adequate level of protection of the Personal Data. Bryq is certified according to both ISO 27001 and SOC 2 Type II standards.
The Service Provider shall review the below measures regularly and at least once every year and shall inform the Company of any changes or reviews, taking into consideration the technological developments and the possible future risks for the Personal Data.
The Service Provider shall ensure that its suppliers and sub-processors are made aware of the below Baseline Security Controls and apply analogous security controls to ensure at least the same level of protection of Company's information.
Organizational Security Controls:
Information Security Management System (ISMS):
A comprehensive ISMS aligned with ISO 27001 standards to protect the confidentiality, integrity, and availability of data.
Governance Council oversees security objectives, management reviews, and ensures compliance.
Risk Management Process:
Regular risk assessments for identifying, analyzing, and treating risks related to security.
Statement of Applicability (SoA) defines applicable controls.
Incident Response Plan:
A documented Incident Response Plan is in place to manage, respond to, and mitigate incidents.
Business Continuity and Disaster Recovery Plan (BCDR):
Procedures to ensure operations can continue during disruptive events.
Regular backups and contingency plans.
Access Control Policy:
Role-based access controls (RBAC) restrict access based on job roles.
Regular access reviews and audits.
Training and Awareness:
Mandatory security awareness training for employees to ensure compliance with policies.
Third-Party Management:
Defined procedures for managing third-party risks, including vendor assessments and contractual obligations.
Data Retention and Disposal:
Data is retained and securely deleted as per the Data Management Policy, ensuring compliance with data protection regulations.
Technical Security Controls:
Encryption and Cryptography Policy:
Encryption is used for data at rest and in transit, including TLS for communications.
Secure key management procedures.
Secure Development Practices:
Secure coding practices ensure that all applications are designed and maintained with security in mind.
Regular code reviews and security testing.
Network Security:
Firewalls, intrusion detection systems (IDS), and other protective measures are implemented to safeguard the network.
Use of VPNs and secure access protocols for remote access.
Monitoring and Logging:
Continuous security monitoring and logging for detecting potential security incidents.
Log data is stored securely for future audits.
Vulnerability Management:
Regular vulnerability scans and patch management to address security flaws.
Automated tools and manual assessments are utilized.
Backup and Recovery:
Regular data backups are performed, with secure storage locations and recovery tests to ensure data integrity.
Physical Security:
Controls in place to protect physical locations, with restricted access and environmental controls. Note that Bryq is a remote company.