Data processing agreement

PERSONAL DATA PROCESSING AGREEMENT

We are Jobbatical OÜ, an Estonian company with registry code 12671900 (Jobbatical, we, us and our). We operate an online platform at https://app.jobbatical.com (the Platform) to provide certain services relating to relocation of employees/future employees, as well as their family members from one country to the place of employment in another country (the Services).

The term “Client” or “you” refers to a legal entity named as a Client in the service agreement signed by Jobbatical and the Client (the Service Agreement). This personal data processing agreement (the DPA) is part of a Service Agreement between Jobbatical and the Client (each also a Party and collectively the Parties).

In connection with the provision of the Services under the Service Agreement, Jobbatical processes certain personal data on behalf of the Client. To ensure the secure, correct and lawful processing of personal data, the Parties have agreed to supplement the Service Agreement and enter into this DPA as part of the Service Agreement.

In case of a conflict between any other document forming part of the Service Agreement and this DPA regarding the processing of personal data, the DPA shall prevail and apply.

1. GENERAL PROVISIONS

  1.1 The terms used in the DPA are used in the meaning given to them in Article 4 of the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (the GDPR) or in the meaning given to them in the Service Agreement.

  1.2 In the context of Article 28 of the GDPR, Client is the data controller of the personal data transferred or made available to Jobbatical in the course of the provision of the Services and Jobbatical is the data processor.

2. GENERAL OBLIGATIONS OF JOBBATICAL

  2.1 Jobbatical shall process personal data only in accordance with the applicable law, the terms of the Service Agreement, including the terms of this DPA.

  2.2 Jobbatical shall process personal data only for the purposes described in Annex A to this DPA.

  2.3 Jobbatical shall process personal data in accordance with the documented instructions of the Client, including those in this DPA.

  2.4 If required by applicable law, Jobbatical shall designate a competent data protection officer in accordance with the applicable law.

  2.5 Jobbatical shall keep records of all the data processing activities carried out on behalf of the Client. The records of data processing activities shall comply with the requirements set forth in Article 30 (2) of the GDPR.

  2.6 Upon the respective request by the Client, Jobbatical shall make available to the Client the records described in section 2.5 regarding the personal data processed on behalf of the Client immediately and free of charge, and in any case not later than 15 (fifteen) business days from the respective request by the Client.

  2.7 Jobbatical shall, taking into account the nature of the processing, provide reasonable cooperation to assist the Client by appropriate technical and organizational measures, in so far as is possible, to respond to any requests from individuals or applicable data protection authorities relating to the processing of personal data under the DPA. In the event that any such request is made directly to Jobbatical, Jobbatical shall not respond to such communication directly without Client's prior authorization, unless legally compelled to do so. If Jobbatical is required to respond to such a request, Jobbatical shall promptly notify the Client and provide it with a copy of the request unless legally prohibited from doing so.

  2.8 Jobbatical shall assist the Client in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR taking into account the nature of processing and the information available to Jobbatical.

3. GENERAL OBLIGATIONS OF THE CLIENT

  3.1 The Client warrants that upon transferring any personal data to Jobbatical, the Client has an appropriate legal basis to submit such personal data to Jobbatical.

  3.2 The Client warrants that upon transferring any personal data to Jobbatical, Jobbatical is entitled to further process such personal data for the purposes of performing the Service Agreement.

  3.3 The Client warrants that upon transferring any personal data to Jobbatical, all personal data submitted by the Client to Jobbatical is accurate, true, relevant and necessary with reference to the performance of the Service Agreement.

4. CONFIDENTIALITY

  4.1 Jobbatical shall ensure the confidentiality of the personal data processed on behalf of the Client.

  4.2 Jobbatical shall ensure that no unauthorized third parties can access the personal data processed on behalf of the Client.

  4.3 Jobbatical shall ensure that all the representatives, employees of Jobbatical and other persons who through Jobbatical come into contact with the personal data processed on behalf of the Client are subject to the confidentiality obligation assumed under a contract or the law, and Jobbatical shall ensure that their representatives, employees and other persons acting for their benefit maintain the full confidentiality of the personal data.

  4.4 Jobbatical shall ensure that all the representatives and employees of Jobbatical who come into contact with the personal data processed on behalf of the Client have received appropriate training and instructions for the processing of personal data in accordance with the Service Agreement, the DPA and the applicable law.

5. SECURITY MEASURES

  5.1 Jobbatical shall ensure the security of personal data processing for the purposes of protecting personal data from accidental or unauthorized processing, disclosure or destruction by implementing measures required under Article 32 of GDPR.

  5.2 Taking into account the state of the art and costs of implementation, and the nature, scope, context and purposes of the personal data processing as well as the risk to the rights and freedoms of natural persons, of varying likelihood and severity, that may result from personal data processing, Jobbatical shall apply appropriate technical and organizational measures upon personal data processing to ensure the security of personal data. A more detailed description of technical and organizational measures is provided in Annex B to this DPA.

6. AUDIT

  6.1 The Client shall have the right, once in every twelve (12) months and upon the provision of fifteen (15) business days' prior written notice, to audit Jobbatical’s operations relevant to the performance of the DPA. If the date proposed by the Client is not suitable for Jobbatical, the Client can appoint another date that cannot be later than fifteen (15) business days from the original date. The audit methodology will be specified between the Parties before the audit is carried out. The Client shall be responsible for the costs of the audit.

  6.2 The audit must be performed on a business day during the working hours of Jobbatical, and it must not unreasonably disturb Jobbatical's course of business or jeopardise the confidentiality of any third party's information in Jobbatical's possession. Jobbatical undertakes to co-operate in good faith with the Client, contribute to inspections and audits by the Client, and provide the Client with such information relating to this DPA that the Client may reasonably request in order to demonstrate that it has acted in compliance with the GDPR.

7. PERSONAL DATA BREACH

  7.1 In case of a personal data breach, Jobbatical shall notify the Client as soon as possible. Jobbatical shall send to the Client a notification about the personal data breach, which shall include the following information:

     7.1.1 a description of the nature of the personal data breach, including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

     7.1.2 the name and contact details of the data protection officer or other contact person of Jobbatical if applicable;

     7.1.3 the likely consequences of the personal data breach, including the likely consequences for the data subjects;

     7.1.4 measures taken or proposed to be taken by Jobbatical to address the personal data breach or measures to mitigate its possible adverse effects.

  7.2 Jobbatical shall send the notification specified in section 7.1 to the Client immediately and, if possible, not later than 48 hours after the occurrence of the personal data breach.

  7.3 In case and insofar as Jobbatical is not able to submit the information described in section 7.1 to the Client within the term set forth in section 7.2, Jobbatical may submit the information to the Client in phases, but without undue further delay and accompanied by a justification of the delay.

  7.4 Jobbatical shall cooperate fully with the Client for the purposes of preventing personal data breaches. If a personal data breach occurs, Jobbatical shall cooperate fully with the Client to address the personal data breach as efficiently and quickly as possible and/or mitigate its possible adverse effects.

  7.5 Jobbatical shall document all personal data breaches, including the facts relating to the personal data breach, its effects and the remedial action taken.

8. RETURN, DELETION AND DESTRUCTION OF PERSONAL DATA

  8.1 Upon each request of the Client and/or after the termination of the Service Agreement, Jobbatical shall delete all personal data processed on behalf of the Client within fourteen (14) calendar days, unless Jobbatical has a legal basis to retain certain data.

9. SUBPROCESSORS AND TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

  9.1 The Client grants Jobbatical a general authorization to subcontract the personal data processing conducted under this DPA to subprocessors provided that:

     9.1.1 the engagement of the subprocessor is necessary for the provision of the Services;

     9.1.2 Jobbatical has entered into a written agreement containing data protection obligations no less protective than those in this DPA. Jobbatical shall be liable for any breaches by the subprocessor in accordance with the terms of this DPA;

     9.1.3 Jobbatical will evaluate the security, privacy and confidentiality practices of a subprocessor prior to selection to establish that it is capable of providing the level of protection of personal data required by this DPA. When the personal data is transferred outside the European Economic Area, Jobbatical shall ensure either that the personal data is transferred to a country in relation to which the European Commission has decided that the country ensures an adequate level of protection or, if there is no adequacy decision about the country, territory or sector for the transfer, that the transfer is subject to the appropriate safeguards listed in the GDPR.

  9.2 The list of subprocessors approved by the Client at the time of the conclusion of this DPA is set out in Annex C to this DPA. Jobbatical shall inform the Client of any intended changes concerning the addition or replacement of subprocessors, thereby giving the Client the opportunity to object to such changes. The Client is considered to have agreed with the changes in subprocessors provided that the Client has not submitted its objection within ten (10) business days as of the receipt of the notice.

  9.3 If Jobbatical uses subprocessors, Jobbatical shall assume full liability for the subprocessor to process personal data in accordance with the applicable law and this DPA.

10. LIABILITY AND COMPENSATION FOR DAMAGE

  10.1 Jobbatical shall assume liability for damage, administrative fines or any other claims with regard to Jobbatical’s violation of the Service Agreement, the DPA or requirements of the applicable law.

  10.2 Jobbatical shall not be liable in any case for an administrative fine imposed on the Client, damage caused to the Client or a claim submitted with regard to the Client if these are based on a violation by the Client and/or if Jobbatical has not committed such violation.

  10.3 The Client shall assume liability for damage, administrative fines or any other claims with regard to the Client’s violation of the Service Agreement, the DPA or requirements of the applicable law.

11. VALIDITY

  11.1 The DPA shall be valid from the moment of conclusion of the Service Agreement for as long as Jobbatical processes personal data on behalf of the Client or until the end of the term of the Service Agreement, whichever is later.

12. FINAL PROVISIONS

  12.1 The DPA shall be governed by the laws of the Republic of Estonia.

  12.2 Disputes arising from the DPA shall be resolved by negotiations or in Estonian courts, Harju County Court being the court of first instance.

________________

ANNEX A to the DPA

1. PURPOSE OF DATA PROCESSING

Provision of the relocation services to the Client in accordance with the Service Agreement.

2. DATA SUBJECTS

The Platform users designated by the Client.

3. CATEGORIES OF PERSONAL DATA

Name, surname, email address.

4. PROCESSING OPERATIONS

Jobbatical processes the personal data in the Platform to allow the Client’s employees and other contractors to use the Platform in relation to fulfilment of the Service Agreement.

5. PROCESSING PERIOD

The term of the Service Agreement and a maximum of fourteen (14) days after the termination of the Service Agreement, unless pursuant to applicable law Jobbatical has the right or obligation to retain data for a longer period.

________________

ANNEX B to the DPA – Technical and organizational measures

1. INFORMATION SECURITY PRACTICES AND PRINCIPLES

  1. Jobbatical shall ensure methodological and purposeful information security management in its organisation, preferably based on a widely accepted standard (such as ISO/IEC 27001, CIS Security Controls, Estonian national information security standard E-ITS), ensuring:

     1. information security risk management;

     2. assigned information security roles and responsibilities;

     3. access management;

     4. information security incident management;

     5. endpoint security management;

     6. cryptography management;

     7. periodic review of information security measures.

  2. Jobbatical’s personnel must have completed information security training at least once a year or ensure information security competence in other ways (such as maintaining information security certificates).

  3. Jobbatical shall implement the information security management requirements throughout its relevant supply chain to the extent that may affect the Client’s personal data.

  4. The Client has the right to audit Jobbatical’s information security management system and information security measures to the extent that may affect the Client’s personal data.

2. INFORMATION AND ACCESS MANAGEMENT

  1. Jobbatical must prevent unauthorized access to confidential information.

  2. Documentation must be marked with classification labels if specific instructions have been received from the Client.

  3. Information stored in the Client’s information systems and intended for processing strictly there may not be copied into Jobbatical’s systems unless otherwise agreed.

  4. Managing access to confidential information must be based on need-to-know and the principle of least privilege.

  5. Confidential information may only be transmitted over the Internet in an encrypted form (such as encrypted e-mail attachments, HTTPS web sessions, TLS protected collaboration tools, VPN connections).

  6. Confidential information may only be stored in an encrypted form (such as full hard disk encryption, encrypted files, encrypted database).

  7. Jobbatical shall immediately notify the Client of the need to close a user account when any of Jobbatical’s personnel is no longer involved in the performance of the Services.

3. INFORMATION SECURITY INCIDENT MANAGEMENT

  1. Jobbatical must notify the Client within 48 hours of any registered information security incident that may affect the Client’s personal data.

  2. The notification shall contain detailed information on the nature, extent and technical characteristics of the incident enabling the Client to implement additional measures to protect the personal data.

  3. Information about information security incidents is considered confidential and must be transmitted in an encrypted form.

  4. Jobbatical shall not make public communications to the extent that they would allow the Client or its security measures to be identified.

  5. Jobbatical shall fully cooperate with the Client in handling information security incidents, including analysis, isolation and restoration of the normal situation.

  6. Contact persons for reporting information security incidents and transmitting encrypted messages are: dpo@jobbatical.com for Jobbatical, and […] for the Client.

________________

ANNEX C to the DPA – Subprocessors

| Sub-processor | Reason | Storage location | ISO certified? | Certification | SCCs |
|---|---|---|---|---|---|
| Auth0 | Used to manage authentication and authorization of different types of platform users | EU | Yes | ISO 27001/27018 | Yes |
| Cloudflare | Traffic goes through Cloudflare for better security and reliability | EU | Yes | ISO/IEC 27001 | Yes |
| Directo | ERP software, used for accounting | EU | Yes | ISO/IEC 27001 | No (EU only) |
| GCP | Jobbatical uses services under GCP, notably Kubernetes Engine, storage, Pub/Sub, build and logging | EU | Yes | ISO/IEC 27001 | Yes |
| Getstream | Used to support real-time in-app notifications | EU | Yes | ISO 27001 | No (EU only) |
| LogRocket | Frontend and UX monitoring tool | EU | No | SOC 2 Type II | Yes |
| MongoDB Atlas | Used for data storage | EU | Yes | ISO/IEC 27001:2013 | Yes |
| Sendgrid | Used to send transactional emails to the users from the platform | EU | Yes | ISO 27001 | Yes |
| Stitchdata | Data source aggregator for BI | EU | Yes | ISO/IEC 27001 | Yes |