CPRA Data Processing Addendum

This CPRA Data Processing Addendum (“CDPA”) forms part of the agreement that references this CDPA (the. “Agreement”) by and between and Employ, Inc. (“Jobvite”) and Customer. This CDPA shall apply to “Personal Information” of a “Consumer” as defined under the California Privacy Rights Act of 2020 (“CPRA”) (referred to hereafter as “Customer Data”), that Jobvite processes in the course of providing Customer the Services under the Agreement.

The terms used in this Addendum shall have the meanings set forth in this CDPA. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect. In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Agreement. If there is a conflict between any other agreement between the Parties including the Agreement and this CDPA, the terms of this CDPA will control.

This CDPA was last updated January 3, 2023. Jobvite reserves the right to periodically modify this DPA upon written notice to Customer, and such modification will automatically become effective in the next Service Term.

1 Effectiveness

1.1 This CDPA will only be effective (as of the Effective Date) if executed and submitted to Jobvite accurately and in full. If you make any deletions or other revisions to this CDPA, it will be null and void.

1.2 Customer signatory represents to Jobvite that he or she has the legal authority to bind the Customer and is lawfully able to enter into contracts (e.g., is not a minor).

1.3 This CDPA will terminate automatically upon termination of the Agreement or as earlier terminated pursuant to the terms of this CDPA.

2 Data Processing

2.1 Customer’s Role. The Customer is a Business (as such term is defined under the CPRA), and as such Customer determines the purpose and means of processing Customer Data. Customer will provide Customer Data to Jobvite solely for the purpose of Jobvite performing the Services.

2.2 Jobvite’s Role. Jobvite is a Service Provider (as such term is defined under the CPRA), and as such Jobvite shall provide the Services and process any Customer Data in accordance with the Agreement. Jobvite may not retain, use, or disclose Customer Data for any other purpose other than for providing the Services and in performance of the Agreement.

2.3 Data Processing, Transfers and Sales. Jobvite will process Customer Data only as necessary to perform the Services, and will not, under any circumstances, collect, combine, share, use, retain, access, share, transfer, or otherwise process Customer Data for any purpose not related to providing such Services. Jobvite will refrain from taking any action that would cause any transfers of Customer Data to or from Jobvite to qualify as “selling personal information” as that term is defined under the CPRA.

2.4 Sub-Service Providers. Notwithstanding the restrictions in Section 2.3, Customer agrees that Jobvite may engage other Service Providers (as defined under the CPRA), to assist in providing the Services to Customer (“Sub-Service Providers”). A list of Jobvite’s Sub-Service Providers can be found at www.jobvite.com/terms-of-use/sub-processors/, provided always that such engagement shall be subject to a written contract binding each such Sub-Service Provider to terms no less onerous than those contained within this CDPA. Jobvite shall be responsible for all acts or omissions of its Sub-Service Providers as if they were the acts or omissions of Jobvite.

2.5 Security. Jobvite will use commercially reasonable security procedures that are reasonably designed to maintain an industry-standard level of security, and prevent unauthorized access to and/or disclosure of Customer Data. An outline of Jobvite’s minimum security standards can be found at https://www.jobvite.com/security-exhibit/.

2.6 Retention. Jobvite will retain Customer Data only for as long as the Customer deems it necessary for the permitted purpose, or as required by applicable laws. At the termination of this CDPA, or upon Customer’s written request, Jobvite will either destroy or return Customer Data to the Customer, unless legal obligations require storage of the Customer Data.

2.7 Consumer Rights Requests. Jobvite provides Customer with tools to enable Customer to respond to a Consumer Rights’ requests to exercise their rights under the Data Protection Laws. To the extent Customer is unable to respond to Data Subject’s request using these tools, Jobvite will provide reasonable assistance to the Customer in responding to the request.

2.8 Assistance with Consumers’ Rights Requests. If Jobvite, directly or indirectly, receives a request submitted by a Consumer to exercise a right it has under the CCPA in relation to that Consumer’s Customer Data, it will provide a copy of the request to the Customer. The Customer will be responsible for handling and communicating with Consumers in relation to such requests.

3 Assessments & Third-Party Certifications

3.1 Impact Assessment Assistance. Taking into account the nature of the Processing and the information available, Jobvite will provide assistance to Customer in complying with its obligations under Applicable Law (inclusive) (which address obligations with regard to security, breach notifications, data risk assessments, and prior consultation). Upon request, Jobvite will provide Customer a list of processing operations.

3.2 Certification/SOC Report. In addition to the information contained in this CDPA, upon Customer’s request, and subject to the confidentiality obligations set forth in the Agreement place, Jobvite will make available the following documents and information regarding the System and Organization Controls (SOC) 2 Report (or the reports or other documentation describing the controls implemented by Jobvite that replace or are substantially equivalent to the SOC 2), so that Customer can reasonably verify Jobvite’s compliance with its obligations under this CDPA.

3.3 If Customer has reasonable cause to suspect that Jobvite is not providing the platform in a manner consistent with CPRA and allowing unauthorized use of personal information, Customer may (i) submit an inquiry to privacy@employinc.com, (ii) cease use of their license until they are able to confirm Jobvite’s compliance, or (iii) with evidence of non-compliance of CPRA terminate the Agreement between the parties.

4 Enforceability. Any provision of this CDPA that is prohibited or unenforceable shall be ineffective to the extent of such prohibition or unenforceability without invaliding the remaining provisions hereof. The parties will attempt to agree upon a valid and enforceable provision that is a reasonable substitute and shall then incorporate such substitute provision into this CDPA.

5 Liability. To the extent permitted by applicable laws, liability arising from claims under this CDPA will be subject to the terms of the Agreement.

6 Signatures. Facsimile or scanned signatures and signed facsimile or scanned copies of this CDPA shall legally bind the parties to the same extent as originals. This DPA is executed, accepted and agreed by the authorized representative party from Jobvite and Customer side as of the Effective Date per above.